guard project managers accesses to prevent errors

12 months ago · a73717b1ca
1 changed files with 6 additions and 2 deletions
--- a/app/controllers/task.js
+++ b/app/controllers/task.js
@ -44,7 +44,9 @@ export default class TaskController extends SiteController {
    });

    async function checkTaskOwnership (req, res, next) {
-      res.locals.manager = res.locals.task.project.managers.find((manager) => manager._id.equals(req.user._id));
+      if (Array.isArray(res.locals.task.project.managers) && (res.locals.task.project.managers.length > 0)) {
+        res.locals.manager = res.locals.task.project.managers.find((manager) => manager._id.equals(req.user._id));
+      }
      if (!res.locals.manager && !res.locals.task.user._id.equals(req.user._id)) {
        return next(new SiteError(401, 'This is not your task'));
      }
@ -52,7 +54,9 @@ export default class TaskController extends SiteController {
    }

    async function checkSessionOwnership (req, res, next) {
-      res.locals.manager = res.locals.task.project.managers.find((manager) => manager._id.equals(req.user._id));
+      if (Array.isArray(res.locals.task.project.managers) && (res.locals.task.project.managers.length > 0)) {
+        res.locals.manager = res.locals.task.project.managers.find((manager) => manager._id.equals(req.user._id));
+      }
      if (!res.locals.manager && !res.locals.session.user._id.equals(req.user._id)) {
        throw new SiteError(401, 'This is not your session');
      }