jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(events): gate members-only events in calculateTicketPrice

Browse source 
Legacy events (tickets.enabled=false) with membersOnly=true were
returning a free guest ticket for unauthenticated callers, causing
GET /api/events/[id]/tickets/available to report available:true. The
UI then rendered the registration form and register.post.js 403'd on
submit. Short-circuit early when membersOnly && !hasMemberAccess so the
availability endpoint's existing null-ticketInfo branch surfaces the
correct "members only" reason.
This commit is contained in:
Jennie Robinson Faber 2026-04-20 20:12:24 +01:00
parent dc9c868f75
commit 53331cc190
2 changed files with 54 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
server/utils/tickets.js
View file

@ -19,6 +19,14 @@ export const calculateTicketPrice = (event, member = null) => {
// Members without access (guest/suspended/cancelled) get public pricing only. // Members without access (guest/suspended/cancelled) get public pricing only.
const accessMember = hasMemberAccess(member) ? member : null; const accessMember = hasMemberAccess(member) ? member : null;
// Members-only gate applies to both legacy and ticketed paths. Without this,
// a legacy event (tickets.enabled=false) with membersOnly=true returns a
// free guest ticket and the availability endpoint shows a registration form
// that the server then 403s on submit.
if (event.membersOnly && !accessMember) {
return null;
}
if (!event.tickets?.enabled) { if (!event.tickets?.enabled) {
// Legacy pricing model // Legacy pricing model
if (event.pricing?.paymentRequired && !event.pricing?.isFree) { if (event.pricing?.paymentRequired && !event.pricing?.isFree) {

46
tests/server/utils/tickets.test.js
View file

@ -394,6 +394,52 @@ describe('calculateTicketPrice', () => {
expect(result).toBeNull() expect(result).toBeNull()
}) })
}) })
describe('members-only gating', () => {
it('returns null for unauthenticated user on members-only legacy event', () => {
const event = legacyFreeEvent({ membersOnly: true })
const result = calculateTicketPrice(event, null)
expect(result).toBeNull()
})
it('returns null for unauthenticated user on members-only ticketed event', () => {
const event = ticketedEvent({ membersOnly: true })
const result = calculateTicketPrice(event, null)
expect(result).toBeNull()
})
it('returns null for guest-status member on members-only event', () => {
const event = ticketedEvent({ membersOnly: true })
const result = calculateTicketPrice(event, baseMember({ status: 'guest' }))
expect(result).toBeNull()
})
it('returns null for suspended member on members-only event', () => {
const event = ticketedEvent({ membersOnly: true })
const result = calculateTicketPrice(event, baseMember({ status: 'suspended' }))
expect(result).toBeNull()
})
it('returns member pricing for active member on members-only event', () => {
const event = ticketedEvent({ membersOnly: true })
const result = calculateTicketPrice(event, baseMember())
expect(result).not.toBeNull()
expect(result.ticketType).toBe('member')
})
it('returns member pricing for pending_payment member on members-only event', () => {
const event = ticketedEvent({ membersOnly: true })
const result = calculateTicketPrice(event, baseMember({ status: 'pending_payment' }))
expect(result).not.toBeNull()
expect(result.ticketType).toBe('member')
})
})
}) })
// =========================================================================== // ===========================================================================