Only allow m2m to modify task information on challenges

ThomasKranitsas · ThomasKranitsas · commit 7fa2075fea71 · 2020-09-26T18:04:46.000+03:00
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -1452,6 +1452,15 @@ async function update (currentUser, challengeId, data, userToken, isFull) {
 
   const { track, type } = await validateChallengeData(_.pick(challenge, ['trackId', 'typeId']))
 
+  // Only m2m tokens are allowed to modify the `task.*` information on a challenge
+  if (!_.isUndefined(_.get(data, 'task')) && !currentUser.isMachine) {
+    if (!_.isUndefined(_.get(challenge, 'task'))) {
+      data.task = challenge.task
+    } else {
+      delete data.task
+    }
+  }
+
   if (_.get(type, 'isTask')) {
     if (!_.isEmpty(_.get(data, 'task.memberId'))) {
       const challengeResources = await helper.getChallengeResources(challengeId)
