From 6b59262e3e792162512e470b4b089e04137cf5e3 Mon Sep 17 00:00:00 2001 From: Sabe Jones Date: Thu, 13 Jun 2019 09:27:47 -0500 Subject: [PATCH] Challenge privacy fix (#11222) * fix(challenges): filter out private content API-side * fix(challenges): cleaner fix + test --- .../challenges/GET-challenges_user.test.js | 24 ++++++++++++++++++- .../server/controllers/api-v3/challenges.js | 4 ++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/test/api/v3/integration/challenges/GET-challenges_user.test.js b/test/api/v3/integration/challenges/GET-challenges_user.test.js index 9aa06541de..c42510f640 100644 --- a/test/api/v3/integration/challenges/GET-challenges_user.test.js +++ b/test/api/v3/integration/challenges/GET-challenges_user.test.js @@ -171,7 +171,7 @@ describe('GET challenges/user', () => { }); }); - it('should return not return challenges in user groups if we send member true param', async () => { + it('should not return challenges in user groups if we send member true param', async () => { let challenges = await member.get(`/challenges/user?member=${true}`); let foundChallenge1 = _.find(challenges, { _id: challenge._id }); @@ -214,6 +214,28 @@ describe('GET challenges/user', () => { let foundChallenge = _.find(challenges, { _id: privateChallenge._id }); expect(foundChallenge).to.not.exist; }); + + it('should not return challenges user doesn\'t have access to, even with query parameters', async () => { + let { group, groupLeader } = await createAndPopulateGroup({ + groupDetails: { + name: 'TestPrivateGuild', + summary: 'summary for TestPrivateGuild', + type: 'guild', + privacy: 'private', + }, + }); + + let privateChallenge = await generateChallenge(groupLeader, group, {categories: [{ + name: 'academics', + slug: 'academics', + }]}); + await groupLeader.post(`/challenges/${privateChallenge._id}/join`); + + let challenges = await nonMember.get('/challenges/user?categories=academics&owned=not_owned'); + + let foundChallenge = _.find(challenges, { _id: privateChallenge._id }); + expect(foundChallenge).to.not.exist; + }); }); context('official challenge is present', () => { diff --git a/website/server/controllers/api-v3/challenges.js b/website/server/controllers/api-v3/challenges.js index 214f3baf78..87a530fcf1 100644 --- a/website/server/controllers/api-v3/challenges.js +++ b/website/server/controllers/api-v3/challenges.js @@ -366,11 +366,11 @@ api.getUserChallenges = { if (owned) { if (owned === 'not_owned') { - query.$and = [{leader: {$ne: user._id}}]; + query.$and.push({leader: {$ne: user._id}}); } if (owned === 'owned') { - query.$and = [{leader: user._id}]; + query.$and.push({leader: user._id}); } }