@@ -1956,7 +1956,6 @@ async function searchChallenges(currentUser, criteria) {
19561956 const requestedMemberId = ! _ . isNil ( criteria . memberId ) ? _ . toString ( criteria . memberId ) : null ;
19571957 const currentUserMemberId =
19581958 currentUser && ! _hasAdminRole && ! _isMachineToken ? _ . toString ( currentUser . userId ) : null ;
1959- const memberIdForTaskFilter = requestedMemberId || currentUserMemberId ;
19601959 const isSelfMemberSearch = Boolean (
19611960 requestedMemberId && currentUserMemberId && requestedMemberId === currentUserMemberId ,
19621961 ) ;
@@ -2078,27 +2077,11 @@ async function searchChallenges(currentUser, criteria) {
20782077 } ) ;
20792078 }
20802079
2081- // FIXME: Tech Debt
2082- let excludeTasks = true ;
2083- if ( requestedMemberId ) {
2084- // When we already restrict the result set to a specific member,
2085- // rerunning the generic task visibility filter is redundant.
2086- excludeTasks = false ;
2087- } else if (
2088- currentUser &&
2089- ( _hasAdminRole || _isMachineToken || hasProjectManagerAccessForSearch )
2090- ) {
2091- // if you're an admin or m2m, security rules wont be applied
2092- excludeTasks = false ;
2093- }
2094-
20952080 /**
2096- * For non-authenticated users:
2097- * - Only unassigned tasks will be returned
2098- * For authenticated users (non-admin):
2099- * - Only unassigned tasks and tasks assigned to the logged in user will be returned
2100- * For admins/m2m:
2101- * - All tasks will be returned
2081+ * Task challenges are visible to ordinary authenticated users only when they
2082+ * have a resource on the task. Anonymous users never receive tasks. Admin,
2083+ * machine-token and project-manager searches retain their operational access.
2084+ * A requested memberId narrows results but never grants the caller task access.
21022085 */
21032086 if ( currentUser && ( _hasAdminRole || _isMachineToken ) ) {
21042087 // For admins/m2m, allow filtering based on task properties
@@ -2117,28 +2100,16 @@ async function searchChallenges(currentUser, criteria) {
21172100 taskMemberId : criteria . taskMemberId ,
21182101 } ) ;
21192102 }
2120- } else if ( excludeTasks ) {
2121- const taskFilter = [ ] ;
2122- if ( memberIdForTaskFilter ) {
2103+ } else if ( ! hasProjectManagerAccessForSearch ) {
2104+ const taskFilter = [ { taskIsTask : false } ] ;
2105+ if ( currentUserMemberId ) {
21232106 taskFilter . push ( {
2107+ taskIsTask : true ,
21242108 memberAccesses : {
2125- some : { memberId : memberIdForTaskFilter } ,
2109+ some : { memberId : currentUserMemberId } ,
21262110 } ,
21272111 } ) ;
21282112 }
2129- taskFilter . push ( {
2130- taskIsTask : false ,
2131- } ) ;
2132- taskFilter . push ( {
2133- taskIsTask : true ,
2134- taskIsAssigned : false ,
2135- taskMemberId : null ,
2136- } ) ;
2137- if ( currentUser && ! _hasAdminRole && ! _isMachineToken ) {
2138- taskFilter . push ( {
2139- taskMemberId : currentUser . userId ,
2140- } ) ;
2141- }
21422113 prismaFilter . where . AND . push ( {
21432114 OR : taskFilter ,
21442115 } ) ;
0 commit comments