jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(events): gate members-only events in calculateTicketPrice

Browse source 
Legacy events (tickets.enabled=false) with membersOnly=true were
returning a free guest ticket for unauthenticated callers, causing
GET /api/events/[id]/tickets/available to report available:true. The
UI then rendered the registration form and register.post.js 403'd on
submit. Short-circuit early when membersOnly && !hasMemberAccess so the
availability endpoint's existing null-ticketInfo branch surfaces the
correct "members only" reason.
This commit is contained in:
Jennie Robinson Faber 2026-04-20 20:12:24 +01:00
parent dc9c868f75
commit 53331cc190
2 changed files with 54 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
server/utils/tickets.js
View file

@ -19,6 +19,14 @@ export const calculateTicketPrice = (event, member = null) => {
// Members without access (guest/suspended/cancelled) get public pricing only.
const accessMember = hasMemberAccess(member) ? member : null;
// Members-only gate applies to both legacy and ticketed paths. Without this,
// a legacy event (tickets.enabled=false) with membersOnly=true returns a
// free guest ticket and the availability endpoint shows a registration form
// that the server then 403s on submit.
if (event.membersOnly && !accessMember) {
return null;
}
if (!event.tickets?.enabled) {
// Legacy pricing model
if (event.pricing?.paymentRequired && !event.pricing?.isFree) {