Prevent the removal of a quest owner from a group, take 2 (#12695)

* add cannotRemoveQuestLeader string

* throw error when member is quest leader

* add the new apidoc error

* change i18n key name

* fix apidoc formatting and change key in throw()

* add test for preventing removing quest owner

* patch(groups): change error codes

test/api/v3/integration/groups/POST-groups_id_removeMember.test.js

@@ -251,6 +251,29 @@ describe('POST /groups/:groupId/removeMember/:memberId', () => {
       expect(party.quest.members[partyMember._id]).to.not.exist;
     });
 
+    it('prevents user from being removed if they are the quest owner', async () => {
+      const petQuest = 'whale';
+      await partyMember.update({
+        [`items.quests.${petQuest}`]: 1,
+      });
+
+      await partyMember.post(`/groups/${party._id}/quests/invite/${petQuest}`);
+      await partyLeader.post(`/groups/${party._id}/quests/accept`);
+
+      await party.sync();
+
+      expect(party.quest.members[partyLeader._id]).to.be.true;
+      expect(party.quest.members[partyMember._id]).to.be.true;
+
+      await party.sync();
+
+      expect(leader.post(`/groups/${party._id}/removeMember/${partyMember._id}`))
+        .to.eventually.be.rejected.and.eql({
+          code: 401,
+          text: t('cannotRemoveQuestOwner'),
+        });
+    });
+
     it('sends email to user with rescinded invite', async () => {
       await partyLeader.post(`/groups/${party._id}/removeMember/${partyInvitedUser._id}`);
 

website/common/locales/en/groups.json

@@ -147,6 +147,7 @@
   "cannotLeaveWhileActiveQuest": "You cannot leave Party during an active quest. Please leave the quest first.",
   "onlyLeaderCanRemoveMember": "Only group leader can remove a member!",
   "cannotRemoveCurrentLeader": "You cannot remove the group leader. Assign a new a leader first.",
+  "cannotRemoveQuestOwner": "You cannot remove the owner of the active quest. Abort the quest first.",
   "memberCannotRemoveYourself": "You cannot remove yourself!",
   "groupMemberNotFound": "User not found among group's members",
   "mustBeGroupMember": "Must be member of the group.",

website/server/controllers/api-v3/groups.js

@@ -908,9 +908,11 @@ function _sendMessageToRemoved (group, removedUser, message, isInGroup) {
  *     /api/v3/groups/party/removeMember/[User's ID]?message=Bye
  *
  * @apiError (400) {BadRequest} userIdrequired "memberId" cannot be empty or not a UUID
- * @apiError (400) {NotAuthorized} onlyLeaderCanRemoveMember Only the group
+ * @apiError (401) {NotAuthorized} onlyLeaderCanRemoveMember Only the group
                                                              leader can remove members.
- * @apiError (400) {NotAuthorized} memberCannotRemoveYourself Group leader cannot remove themselves
+ * @apiError (401) {NotAuthorized} memberCannotRemoveYourself Group leader cannot remove themselves
+ * @apiError (401) {NotAuthorized} cannotRemoveQuestOwner Group leader cannot remove
+                                                          the owner of an active quest
  * @apiError (404) {NotFound} groupMemberNotFound Group member was not found
  *
  * @apiSuccess {Object} data An empty object
@@ -976,8 +978,7 @@ api.removeGroupMember = {
       }
 
       if (group.quest && group.quest.leader === member._id) {
-        group.quest.key = undefined;
-        group.quest.leader = undefined;
+        throw new NotAuthorized(res.t('cannotRemoveQuestOwner'));
       } else if (group.quest && group.quest.members) {
         // remove member from quest
         delete group.quest.members[member._id];