fix(group-plans): shared completion, URL exploit
This commit is contained in:
parent
87944c45c3
commit
0b1907fe07
4 changed files with 35 additions and 21 deletions
|
|
@ -225,6 +225,11 @@ export default {
|
|||
this.group = await this.$store.dispatch('guilds:getGroup', {
|
||||
groupId: this.searchId,
|
||||
});
|
||||
if (!this.group?.purchased?.active) {
|
||||
if (this.group.type === 'guild') this.$router.push(`/groups/guild/${this.group._id}`);
|
||||
if (this.group.type === 'party') this.$router.push('/party');
|
||||
return;
|
||||
}
|
||||
this.$store.dispatch('common:setTitle', {
|
||||
subSection: this.group.name,
|
||||
section: this.$route.path.startsWith('/group-plans') ? this.$t('groupPlans') : this.$t('group'),
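Review bot: The new guard on `this.group?.purchased?.active` tolerates a nullish `this.group`, but the next two lines dereference `this.group.type` and `this.group._id` without that protection, so a lookup that resolves to nothing throws a TypeError instead of redirecting. Either return early with `if (!this.group) return;` before the guard, or write the branches as `if (this.group?.type === 'guild') ...`. This redirect is a client-side convenience only; the actual access control for an unsubscribed group's tasks is the server-side `groupSubscriptionNotFound` check added in the same commit, and that is the check a regression test should target. The enclosing method starts before this hunk.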
|
||||
|
|
|
|||
|
|
@ -1280,12 +1280,17 @@ export default {
|
|||
createTag: 'tags:createTag',
|
||||
}),
|
||||
async syncTask () {
|
||||
if (this.task && this.task.group && this.task.group.managerNotes) {
|
||||
if (this.task?.group?.managerNotes) {
|
||||
this.managerNotes = this.task.group.managerNotes;
|
||||
}
|
||||
if (this.groupId && this.task.group && this.task.group.approval) {
|
||||
if (this.groupId && this.task.group?.approval) {
|
||||
this.requiresApproval = this.task.group.approval.required;
|
||||
}
|
||||
if (this.task?.group?.sharedCompletion) {
|
||||
this.sharedCompletion = this.task.group.sharedCompletion;
|
||||
} else if (this.task.group) {
|
||||
this.sharedCompletion = 'singleCompletion';
|
||||
}
|
||||
|
||||
if (this.groupId) {
|
||||
const members = await this.$store.dispatch('members:getGroupMembers', {
|
||||
|
|
@ -1306,9 +1311,6 @@ export default {
|
|||
if (this.task.group && this.task.group.assignedUsers) {
|
||||
this.assignedMembers = this.task.group.assignedUsers;
|
||||
}
|
||||
if (this.task.group) {
|
||||
this.sharedCompletion = this.task.group.sharedCompletion || 'singleCompletion';
|
||||
}
|
||||
}
|
||||
|
||||
// @TODO: This whole component is mutating a prop
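Review bot: Optional chaining is applied inconsistently in `syncTask`: `this.task?.group?.managerNotes` and `this.task?.group?.sharedCompletion` tolerate a nullish `this.task`, but `this.task.group?.approval` and the `else if (this.task.group)` fallback do not, so if `this.task` can be nullish the method now fails on the second test instead of the first. Either guard once at the top with `if (!this.task) return;` or use `this.task?.group` on every line. Moving the `sharedCompletion` assignment out of the `if (this.groupId)` block also changes behavior: it now runs for any task carrying a `group` object even when `groupId` is unset, and if that is intended a one-line comment such as `// completion mode is needed even when no groupId is passed` would help the next reader. The method continues past the end of the first hunk, and the second hunk appears to sit inside the `if (this.groupId)` block opened above it.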
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import {
|
|||
canNotEditTasks,
|
||||
createTasks,
|
||||
getTasks,
|
||||
groupSubscriptionNotFound,
|
||||
} from '../../../libs/tasks';
|
||||
import {
|
||||
moveTask,
|
||||
|
|
@ -50,9 +51,9 @@ api.createGroupTasks = {
|
|||
|
||||
const { user } = res.locals;
|
||||
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
const fields = requiredGroupFields.concat(' purchased managers');
|
||||
const group = await Group.getGroup({ user, groupId: req.params.groupId, fields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (canNotEditTasks(group, user)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
|
||||
|
|
@ -99,9 +100,9 @@ api.getGroupTasks = {
|
|||
const group = await Group.getGroup({
|
||||
user,
|
||||
groupId: req.params.groupId,
|
||||
fields: requiredGroupFields,
|
||||
fields: requiredGroupFields.concat(' purchased'),
|
||||
});
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
const tasks = await getTasks(req, res, { user, group });
|
||||
res.respond(200, tasks);
|
||||
|
|
@ -152,9 +153,9 @@ api.groupMoveTask = {
|
|||
const group = await Group.getGroup({
|
||||
user,
|
||||
groupId: task.group.id,
|
||||
fields: requiredGroupFields,
|
||||
fields: requiredGroupFields.concat(' purchased'),
|
||||
});
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (group.leader !== user._id) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
|
||||
|
|
@ -219,9 +220,9 @@ api.assignTask = {
|
|||
throw new NotAuthorized(res.t('onlyGroupTasksCanBeAssigned'));
|
||||
}
|
||||
|
||||
const groupFields = `${requiredGroupFields} chat managers`;
|
||||
const groupFields = `${requiredGroupFields} purchased chat managers`;
|
||||
const group = await Group.getGroup({ user, groupId: task.group.id, fields: groupFields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (canNotEditTasks(group, user, assignedUserId)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
|
||||
|
|
@ -294,9 +295,9 @@ api.unassignTask = {
|
|||
throw new NotAuthorized(res.t('onlyGroupTasksCanBeAssigned'));
|
||||
}
|
||||
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
const fields = requiredGroupFields.concat(' purchased managers');
|
||||
const group = await Group.getGroup({ user, groupId: task.group.id, fields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (canNotEditTasks(group, user, assignedUserId)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
|
||||
|
|
@ -350,9 +351,9 @@ api.approveTask = {
|
|||
throw new NotFound(res.t('messageTaskNotFound'));
|
||||
}
|
||||
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
const fields = requiredGroupFields.concat(' purchased managers');
|
||||
const group = await Group.getGroup({ user, groupId: task.group.id, fields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (canNotEditTasks(group, user)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
if (task.group.approval.approved === true) throw new NotAuthorized(res.t('canOnlyApproveTaskOnce'));
|
||||
|
|
@ -458,9 +459,9 @@ api.taskNeedsWork = {
|
|||
throw new NotFound(res.t('messageTaskNotFound'));
|
||||
}
|
||||
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
const fields = requiredGroupFields.concat(' purchased managers');
|
||||
const group = await Group.getGroup({ user, groupId: task.group.id, fields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
if (canNotEditTasks(group, user)) throw new NotAuthorized(res.t('onlyGroupLeaderCanEditTasks'));
|
||||
if (task.group.approval.approved === true) throw new NotAuthorized(res.t('canOnlyApproveTaskOnce'));
|
||||
|
|
@ -538,9 +539,9 @@ api.getGroupApprovals = {
|
|||
const { user } = res.locals;
|
||||
const { groupId } = req.params;
|
||||
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
const fields = requiredGroupFields.concat(' purchased managers');
|
||||
const group = await Group.getGroup({ user, groupId, fields });
|
||||
if (!group) throw new NotFound(res.t('groupNotFound'));
|
||||
if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));
|
||||
|
||||
let approvals;
|
||||
if (canNotEditTasks(group, user)) {
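Review bot: Every handler here repeats the same three lines — add `' purchased'` to the field list, call `Group.getGroup`, then `if (groupSubscriptionNotFound(group)) throw new NotFound(res.t('groupNotFound'));` — while the `libs/tasks` hunk in this commit shows `getGroupFromTaskAndUser` still fetching `requiredGroupFields.concat(' managers')` without `purchased`, so any task route that resolves its group through that helper appears to skip the new subscription check (its body continues outside the hunk). Folding the `purchased` field and the check into one shared helper, or into `getGroupFromTaskAndUser` itself, would make the rule impossible to miss at the next call site. Placing the check before authorization also means a group leader whose plan has lapsed receives `groupNotFound` rather than a subscription message; if hiding the group's existence is intentional, a short comment above the first such check (`// groups without an active plan are treated as non-existent`) would document it. A regression test asserting a group without a valid plan gets 404 from these routes would pin the fix the commit title describes.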
|
||||
|
|
|
|||
|
|
@ -245,6 +245,11 @@ function canNotEditTasks (group, user, assignedUserId) {
|
|||
return isNotGroupLeader && !isManager && !userIsAssigningToSelf;
|
||||
}
|
||||
|
||||
function groupSubscriptionNotFound (group) {
|
||||
return !group || !group.purchased || !group.purchased.plan || !group.purchased.plan.customerId
|
||||
|| (group.purchased.plan.dateTerminated && group.purchased.plan.dateTerminated < new Date());
|
||||
}
|
||||
|
||||
async function getGroupFromTaskAndUser (task, user) {
|
||||
if (task.group.id && !task.userId) {
|
||||
const fields = requiredGroupFields.concat(' managers');
|
||||
|
|
@ -550,5 +555,6 @@ export {
|
|||
canNotEditTasks,
|
||||
getGroupFromTaskAndUser,
|
||||
getChallengeFromTask,
|
||||
groupSubscriptionNotFound,
|
||||
verifyTaskModification,
|
||||
};
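Review bot: `groupSubscriptionNotFound` (added in the first hunk of this file) encodes a different notion of an active plan than the client guard in this commit, which tests `group.purchased.active`; the server checks `plan.customerId` and `plan.dateTerminated` instead, so the two sides can disagree about the same group. If `purchased.active` is the canonical flag, checking it here as well, or deriving both sides from one helper, avoids that drift. The `dateTerminated < new Date()` comparison is only meaningful when `dateTerminated` is a `Date`; should it ever arrive as an ISO string the comparison evaluates to `false` and a terminated plan passes, so a JSDoc line stating the expected type is worth adding, e.g. `/** True when the group has no usable plan: missing purchase, plan or customerId, or a plan whose dateTerminated (Date) is in the past. */`. The leading `!group ||` duplicates the `if (!group)` test every visible caller performs first; harmless, but a comment that it is deliberate defence in depth would stop someone removing it.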
|
||||
|
|
|
|||