From 6b214e4e3fcfadcf0361e1fbe8fffafb6eaaf8d1 Mon Sep 17 00:00:00 2001
From: Matteo Pagliazzi <matteopagliazzi@gmail.com>
Date: Tue, 31 May 2016 11:09:32 +0200
Subject: [PATCH] sanitize task when updating in v2

---
 website/server/controllers/api-v2/user.js | 15 ++++++++++++++-
 website/server/models/task.js             |  2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/website/server/controllers/api-v2/user.js b/website/server/controllers/api-v2/user.js
index 656a48c908..20c147aab9 100644
--- a/website/server/controllers/api-v2/user.js
+++ b/website/server/controllers/api-v2/user.js
@@ -867,7 +867,20 @@ api.updateTask = function(req, res, next) {
     if(!task) return res.status(404).json({err: 'Task not found.'})
 
     try {
-      _.assign(task, shared.ops.updateTask(task.toObject(), req)[0]);
+      // we have to convert task to an object because otherwise things don't get merged correctly. Bad for performances?
+      let [updatedTaskObj] = shared.ops.updateTask(task.toObject(), req);
+
+      // Sanitize differently user tasks linked to a challenge
+      let sanitizedObj;
+
+      if (task.userId && task.challenge && task.challenge.id) {
+        sanitizedObj = Tasks.Task.sanitizeUserChallengeTask(updatedTaskObj);
+      } else {
+        sanitizedObj = Tasks.Task.sanitize(updatedTaskObj);
+      }
+
+      _.assign(task, sanitizedObj);
+
       task.save(function(err, task){
         if(err) return next(err);
 
diff --git a/website/server/models/task.js b/website/server/models/task.js
index 2882e0530d..0664fab855 100644
--- a/website/server/models/task.js
+++ b/website/server/models/task.js
@@ -12,7 +12,7 @@ let discriminatorOptions = {
 };
 let subDiscriminatorOptions = _.defaults(_.cloneDeep(discriminatorOptions), {
   _id: false,
-  minimize: false,
+  minimize: false, // So empty objects are returned
 });
 
 export let tasksTypes = ['habit', 'daily', 'todo', 'reward'];