fix(events): enforce series-pass, hidden, and deadline gates
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md (Findings 1, 2, 3). 1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now loads the linked Series when tickets.requiresSeriesTicket is set and rejects drop-in registration unless series.allowIndividualEventTickets is true or the user has a valid pass. Data-integrity 500 if the referenced series is missing. 2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent into server/utils/loadEvent.js. All five public event endpoints ([id].get, register, tickets/available, tickets/reserve, tickets/purchase) now go through the helper, which 404s when isVisible === false and the requester is not an admin. Admin detection uses a new non-throwing getOptionalMember() in server/utils/auth.js (extracted from the pattern already inlined in api/auth/status.get.js). 3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix E8): register.post.js and tickets/reserve.post.js delegate gating to validateTicketPurchase (which already covers deadline, cancelled, started, members-only, sold-out, and already-registered); tickets/available.get.js gets an explicit registrationDeadline check. Legacy pricing.paymentRequired 402 branch removed from register.post.js.
This commit is contained in:
parent
6a6c567fd5
commit
f34b062f2a
11 changed files with 746 additions and 247 deletions
|
|
@ -1,11 +1,13 @@
|
|||
import Event from "../../../../models/event.js";
|
||||
import Member from "../../../../models/member.js";
|
||||
import { connectDB } from "../../../../utils/mongoose.js";
|
||||
import { loadPublicEvent } from "../../../../utils/loadEvent.js";
|
||||
import { validateBody } from "../../../../utils/validateBody.js";
|
||||
import { ticketReserveSchema } from "../../../../utils/schemas.js";
|
||||
import {
|
||||
calculateTicketPrice,
|
||||
hasMemberAccess,
|
||||
reserveTicket,
|
||||
validateTicketPurchase,
|
||||
} from "../../../../utils/tickets.js";
|
||||
import mongoose from "mongoose";
|
||||
|
||||
/**
|
||||
* POST /api/events/[id]/tickets/reserve
|
||||
|
|
@ -14,47 +16,28 @@ import mongoose from "mongoose";
|
|||
*/
|
||||
export default defineEventHandler(async (event) => {
|
||||
try {
|
||||
await connectDB();
|
||||
const identifier = getRouterParam(event, "id");
|
||||
const body = await validateBody(event, ticketReserveSchema);
|
||||
|
||||
if (!identifier) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "Event identifier is required",
|
||||
});
|
||||
}
|
||||
const eventData = await loadPublicEvent(event, identifier);
|
||||
|
||||
// Fetch the event
|
||||
let eventData;
|
||||
if (mongoose.Types.ObjectId.isValid(identifier)) {
|
||||
eventData = await Event.findById(identifier);
|
||||
}
|
||||
if (!eventData) {
|
||||
eventData = await Event.findOne({ slug: identifier });
|
||||
}
|
||||
|
||||
if (!eventData) {
|
||||
throw createError({
|
||||
statusCode: 404,
|
||||
statusMessage: "Event not found",
|
||||
});
|
||||
}
|
||||
|
||||
// Check if user is a member
|
||||
const member = await Member.findOne({ email: body.email.toLowerCase() });
|
||||
|
||||
// Calculate ticket type
|
||||
const ticketInfo = calculateTicketPrice(eventData, member);
|
||||
// Gate on deadline, cancellation, start, members-only, sold-out, and
|
||||
// already-registered before reserving.
|
||||
const validation = validateTicketPurchase(eventData, {
|
||||
email: body.email,
|
||||
member: hasMemberAccess(member) ? member : null,
|
||||
});
|
||||
|
||||
if (!ticketInfo) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "No tickets available for your membership status",
|
||||
});
|
||||
if (!validation.valid) {
|
||||
const statusCode = /members only/i.test(validation.reason) ? 403 : 400;
|
||||
throw createError({ statusCode, statusMessage: validation.reason });
|
||||
}
|
||||
|
||||
// Reserve the ticket
|
||||
const ticketInfo =
|
||||
validation.ticketInfo || calculateTicketPrice(eventData, member);
|
||||
|
||||
const reservation = await reserveTicket(eventData, ticketInfo.ticketType);
|
||||
|
||||
if (!reservation.success) {
|
||||
|
|
@ -73,12 +56,10 @@ export default defineEventHandler(async (event) => {
|
|||
},
|
||||
};
|
||||
} catch (error) {
|
||||
console.error("Error reserving ticket:", error);
|
||||
|
||||
if (error.statusCode) {
|
||||
throw error;
|
||||
}
|
||||
|
||||
console.error("Error reserving ticket:", error);
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
statusMessage: "Failed to reserve ticket",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue