fix(events): enforce series-pass, hidden, and deadline gates

Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md (Findings 1, 2, 3). 1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now loads the linked Series when tickets.requiresSeriesTicket is set and rejects drop-in registration unless series.allowIndividualEventTickets is true or the user has a valid pass. Data-integrity 500 if the referenced series is missing. 2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent into server/utils/loadEvent.js. All five public event endpoints ([id].get, register, tickets/available, tickets/reserve, tickets/purchase) now go through the helper, which 404s when isVisible === false and the requester is not an admin. Admin detection uses a new non-throwing getOptionalMember() in server/utils/auth.js (extracted from the pattern already inlined in api/auth/status.get.js). 3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix E8): register.post.js and tickets/reserve.post.js delegate gating to validateTicketPurchase (which already covers deadline, cancelled, started, members-only, sold-out, and already-registered); tickets/available.get.js gets an explicit registrationDeadline check. Legacy pricing.paymentRequired 402 branch removed from register.post.js.
2026-04-20 19:03:34 +01:00 · 2026-04-20 19:03:34 +01:00 · f34b062f2a
commit f34b062f2a
parent 6a6c567fd5
11 changed files with 746 additions and 247 deletions
--- a/server/api/events/[id].get.js
+++ b/server/api/events/[id].get.js
@ -1,65 +1,29 @@
-import Event from '../../models/event.js'
-import { connectDB } from '../../utils/mongoose.js'
-import mongoose from 'mongoose'
+import { loadPublicEvent } from '../../utils/loadEvent.js'

 export default defineEventHandler(async (event) => {
  try {
-    // Ensure database connection
-    await connectDB()
    const identifier = getRouterParam(event, 'id')
-    
-    if (!identifier) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Event identifier is required'
-      })
-    }
-    
-    // Fetch event from database - try by slug first, then by ID
-    let eventData
-    
-    // Check if identifier is a valid MongoDB ObjectId
-    if (mongoose.Types.ObjectId.isValid(identifier)) {
-      eventData = await Event.findById(identifier)
-        .select('-registrations.email') // Hide emails for privacy
-        .lean()
-    }
-    
-    // If not found by ID or not a valid ObjectId, try by slug
-    if (!eventData) {
-      eventData = await Event.findOne({ slug: identifier })
-        .select('-registrations.email') // Hide emails for privacy
-        .lean()
-    }
-    
-    if (!eventData) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: 'Event not found'
-      })
-    }
-    
-    // Add computed fields
-    const eventWithMeta = {
+    const eventData = await loadPublicEvent(event, identifier, {
+      lean: true,
+      select: '-registrations.email'
+    })
+
+    return {
      ...eventData,
      id: eventData._id.toString(),
      registeredCount: eventData.registrations?.length || 0,
-      isFull: eventData.maxAttendees ? 
-        (eventData.registrations?.length || 0) >= eventData.maxAttendees : 
-        false
+      isFull: eventData.maxAttendees
+        ? (eventData.registrations?.length || 0) >= eventData.maxAttendees
+        : false
    }
-    
-    return eventWithMeta
  } catch (error) {
-    console.error('Error fetching event:', error)
-    
    if (error.statusCode) {
      throw error
    }
-    
+    console.error('Error fetching event:', error)
    throw createError({
      statusCode: 500,
      statusMessage: 'Failed to fetch event'
    })
  }
-})
+})