From ea7f8d1acc709b54d10aad38a54ada6ab35e7cf2 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Sat, 14 Feb 2026 16:44:51 +0100
Subject: [PATCH] =?UTF-8?q?Verbessere=20die=20Sicherheits=C3=BCberpr=C3=BC?= =?UTF-8?q?fung=20der=20Benutzermerkmale=20in=20der=20Geschenksuche:=20F?= =?UTF-8?q?=C3=BCge=20eine=20sichere=20Trait-Filterung=20hinzu,=20um=20Feh?= =?UTF-8?q?ler=20bei=20undefinierten=20Eigenschaften=20zu=20vermeiden.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/services/falukantService.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/backend/services/falukantService.js b/backend/services/falukantService.js
index e23da4e..aa7c321 100644
--- a/backend/services/falukantService.js
+++ b/backend/services/falukantService.js
@@ -3226,13 +3226,17 @@ class FalukantService extends BaseService {
 err.meta = { retryAt: retryAt.toISOString() };
 throw err;
 }
- const gift = await PromotionalGift.findOne({
+ // prepare a safe trait filter: user.character.traits may be undefined
+ const userTraitIds = Array.isArray(user.character?.traits) ? user.character.traits.map(t => t.id) : [];
+ const traitWhere = userTraitIds.length ? { traitId: { [Op.in]: userTraitIds } } : { traitId: { [Op.in]: [-1] } };
+
+ const gift = await PromotionalGift.findOne({
 where: { id: giftId },
 include: [
 {
 model: PromotionalGiftCharacterTrait,
 as: 'characterTraits',
- where: { traitId: { [Op.in]: user.character.traits.map(t => t.id) } },
+ where: traitWhere,
 required: false
 },
 {
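Review bot: The new `userTraitIds` line still dereferences `t.id` on every element without a check, so a `null` entry in `traits` throws the same TypeError this patch is meant to prevent, and an entry with no `id` puts `undefined` into the `Op.in` list. Mapping defensively would close that gap: `user.character.traits.map(t => t?.id).filter(id => id != null)`. The `[-1]` fallback in `traitWhere` depends on -1 never being a real `traitId`; that assumption deserves a comment such as `// -1 is a sentinel that matches no trait row`. A missing `user.character` is now silently treated as "no traits" and the lookup proceeds, which may hide a broken account state; whether later code copes with that cannot be seen here, because the enclosing method starts and ends outside the hunk.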