v3: limit fields of challenge tasks that can be updated

2025-12-19 07:37:25 +01:00 · 2016-05-18 23:27:49 +02:00
parent 65c739f7de
commit e98930cd4a
3 changed files with 110 additions and 4 deletions
--- a/website/server/models/task.js
+++ b/website/server/models/task.js
@@ -57,7 +57,7 @@ export let TaskSchema = new Schema({
 }, discriminatorOptions));

 TaskSchema.plugin(baseModel, {
-  noSet: ['challenge', 'userId', 'completed', 'history', 'dateCompleted', 'completed'],
+  noSet: ['challenge', 'userId', 'completed', 'history', 'dateCompleted', '_legacyId'],
  sanitizeTransform (taskObj) {
    if (taskObj.type && taskObj.type !== 'reward') { // value should be settable directly only for rewards
      delete taskObj.value;
@@ -69,6 +69,14 @@ TaskSchema.plugin(baseModel, {
  timestamps: true,
 });

+// Sanitize user tasks linked to a challenge
+// See http://habitica.wikia.com/wiki/Challenges#Challenge_Participant.27s_Permissions for more info
+TaskSchema.statics.sanitizeUserChallengeTask = function sanitizeUserChallengeTask (taskObj) {
+  let initialSanitization = this.sanitize(taskObj);
+
+  return _.pick(initialSanitization, ['streak', 'checklist', 'attribute', 'reminders', 'tags', 'notes']);
+};
+
 // Sanitize checklist objects (disallowing id)
 TaskSchema.statics.sanitizeChecklist = function sanitizeChecklist (checklistObj) {
  delete checklistObj.id;