From 8de93fbfaf4fb30e7268b8b7658ebb1d9cfd727a Mon Sep 17 00:00:00 2001
From: Thomas Kranitsas
Date: Sat, 8 Aug 2020 00:16:14 +0300
Subject: [PATCH] one more fix
---
 src/services/ChallengeService.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
index 70a0eac4..c0f1d93b 100644
--- a/src/services/ChallengeService.js
+++ b/src/services/ChallengeService.js
@@ -923,7 +923,7 @@ async function getChallenge (currentUser, id) {
 // Check if challenge is task and apply security rules
 if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
- if (!currentUser || !(currentUser.isMachine || helper.hasAdminRole(currentUser)) || _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId'))) {
+ if (!currentUser || (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId')))) {
 throw new errors.ForbiddenError(`You don't have access to view this challenge`)
 }
 }
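Review bot: The assignee comparison in the new condition coerces both sides with `_.toString`, which turns `null`/`undefined` into `''`, so a non-machine, non-admin caller whose token carries no `userId` would compare equal to an assigned task whose `task.memberId` is missing and pass the check. Compare only when both values are present, e.g. `const memberId = _.get(challenge, 'task.memberId')` and `const isAssignee = !_.isNil(memberId) && !_.isNil(currentUser.userId) && _.toString(currentUser.userId) === _.toString(memberId)`, and then test `!currentUser.isMachine && !helper.hasAdminRole(currentUser) && !isAssignee`. Separately, `currentUser.isMachine` on its own now grants read access to any assigned task; whether the M2M token's scopes are validated is not visible in this hunk, so confirm that happens before this point or require a read scope here. The subject line suggests this predicate has been adjusted before, so a table-driven test over anonymous / machine / admin / assignee / other-member callers would pin the intended matrix; getChallenge's body starts and ends outside the hunk.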