From 2b4ffdf27fea3bcd1ffc8a694d0d93157feac898 Mon Sep 17 00:00:00 2001
From: negue <eugen.bolz@gmail.com>
Date: Wed, 13 Jul 2022 00:54:14 +0200
Subject: [PATCH] filter out bank challenge if is not userSupport

---
 website/server/controllers/api-v4/members.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/website/server/controllers/api-v4/members.js b/website/server/controllers/api-v4/members.js
index 04050e9192..c4a49c09d1 100644
--- a/website/server/controllers/api-v4/members.js
+++ b/website/server/controllers/api-v4/members.js
@@ -64,9 +64,15 @@ api.purchaseHistory = {
     req.checkParams('memberId', res.t('memberIdRequired')).notEmpty().isUUID();
     const validationErrors = req.validationErrors();
     if (validationErrors) throw validationErrors;
-    const transactions = await Transaction
+    let transactions = await Transaction
       .find({ userId: req.params.memberId })
-      .sort({ createdAt: -1 });
+      .sort({ createdAt: -1 })
+      .exec();
+
+    if (!res.locals.user.hasPermission('userSupport')) {
+      transactions = transactions.filter(t => t.transactionType !== 'create_bank_challenge');
+    }
+
     res.respond(200, transactions);
   },
 };