fix: Give access to order tickets and attendees to organizers
iamareebjamal committed Dec 2, 2020
1 parent fcaf432 commit fe53d06
Showing 2 changed files with 17 additions and 7 deletions.
14 changes: 8 additions & 6 deletions app/api/attendees.py
Expand Up @@ -132,17 +132,19 @@ def query(self, view_kwargs):
'order_identifier',
'identifier',
)

is_coorganizer = has_access(
'is_coorganizer',
event_id=order.event_id,
)
if not (
has_access(
'is_coorganizer_or_user_itself',
event_id=order.event_id,
user_id=order.user_id,
)
is_coorganizer
or current_user.id == order.user_id
or order.is_attendee(current_user)
):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
query_ = query_.join(Order).filter(Order.id == order.id)
if current_user.id != order.user_id:
if not is_coorganizer and current_user.id != order.user_id:
query_ = query_.filter(TicketHolder.user == current_user)

if view_kwargs.get('ticket_id'):
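Review bot: The authorization rule this hunk introduces — full visibility when `is_coorganizer` or `current_user.id == order.user_id`, otherwise only the caller's own `TicketHolder` rows — is now written out twice, here and again in `Order.filtered_ticket_holders` in the same commit, with nothing tying the two copies together, so a later change to one (a new role, a different owner test) will silently leave the other behind. Consider computing it once, e.g. `can_see_all = is_coorganizer or current_user.id == order.user_id`, using that name in both the `ForbiddenError` guard and the later `if not can_see_all:` filter, and keeping the same helper on the model so both sites share it; at minimum add `# keep in sync with Order.filtered_ticket_holders` above the filter. The guard also leans on `order.is_attendee(current_user)`, which this commit does not touch, so how it matches (linked user vs. e-mail) should be confirmed before it is trusted as the only gate for non-owner access. The enclosing `query` method starts before and continues past the hunk.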
10 changes: 9 additions & 1 deletion app/models/order.py
Expand Up @@ -157,8 +157,16 @@ def invoice_pdf_path(self) -> str:

@property
def filtered_ticket_holders(self):
from app.api.helpers.permission_manager import has_access

query_ = TicketHolder.query.filter_by(order_id=self.id, deleted_at=None)
if current_user.id != self.user_id:
if (
not has_access(
'is_coorganizer',
event_id=self.event_id,
)
and current_user.id != self.user_id
):
query_ = query_.filter(TicketHolder.user == current_user)
return query_.all()
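Review bot: `filtered_ticket_holders` now runs a permission check (`has_access('is_coorganizer', event_id=self.event_id)`) on every access, yet nothing says so: the property reads like a plain relationship while its result silently depends on who the current user is, and a caller who is neither the owner, a co-organizer nor a ticket holder gets an empty list rather than an error. Add a docstring such as `"""Ticket holders of this order visible to the current user: all of them for the order's owner or an event (co)organizer, otherwise only the caller's own."""`, and a why-comment on the function-local import, which presumably exists to avoid an import cycle with `app.api.helpers.permission_manager` — confirm. Because the property depends on `current_user` and `has_access`, it cannot be used outside a request context (background jobs, e-mail rendering); if such callers exist they need a separate, user-independent accessor.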
