fix(events): enforce series-pass, hidden, and deadline gates
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md (Findings 1, 2, 3). 1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now loads the linked Series when tickets.requiresSeriesTicket is set and rejects drop-in registration unless series.allowIndividualEventTickets is true or the user has a valid pass. Data-integrity 500 if the referenced series is missing. 2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent into server/utils/loadEvent.js. All five public event endpoints ([id].get, register, tickets/available, tickets/reserve, tickets/purchase) now go through the helper, which 404s when isVisible === false and the requester is not an admin. Admin detection uses a new non-throwing getOptionalMember() in server/utils/auth.js (extracted from the pattern already inlined in api/auth/status.get.js). 3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix E8): register.post.js and tickets/reserve.post.js delegate gating to validateTicketPurchase (which already covers deadline, cancelled, started, members-only, sold-out, and already-registered); tickets/available.get.js gets an explicit registrationDeadline check. Legacy pricing.paymentRequired 402 branch removed from register.post.js.
This commit is contained in:
parent
6a6c567fd5
commit
f34b062f2a
11 changed files with 746 additions and 247 deletions
55
server/utils/loadEvent.js
Normal file
55
server/utils/loadEvent.js
Normal file
|
|
@ -0,0 +1,55 @@
|
|||
import mongoose from 'mongoose'
|
||||
import Event from '../models/event.js'
|
||||
import { connectDB } from './mongoose.js'
|
||||
import { getOptionalMember } from './auth.js'
|
||||
|
||||
/**
|
||||
* Load an event by ObjectId or slug for public (non-admin) endpoints.
|
||||
* Enforces the isVisible gate: hidden events 404 for everyone except admins.
|
||||
*
|
||||
* @param {Object} reqEvent - h3 event (for auth/cookie access)
|
||||
* @param {String} identifier - ObjectId string or slug
|
||||
* @param {Object} [options]
|
||||
* @param {Boolean} [options.lean] - apply .lean() to the query
|
||||
* @param {String} [options.select] - apply .select() to the query
|
||||
* @returns {Promise<Object>} the event document
|
||||
*/
|
||||
export async function loadPublicEvent(reqEvent, identifier, options = {}) {
|
||||
if (!identifier) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'Event identifier is required'
|
||||
})
|
||||
}
|
||||
|
||||
await connectDB()
|
||||
|
||||
const { lean = false, select = null } = options
|
||||
|
||||
const applyOptions = (query) => {
|
||||
if (select) query = query.select(select)
|
||||
if (lean) query = query.lean()
|
||||
return query
|
||||
}
|
||||
|
||||
let eventDoc
|
||||
if (mongoose.Types.ObjectId.isValid(identifier)) {
|
||||
eventDoc = await applyOptions(Event.findById(identifier))
|
||||
}
|
||||
if (!eventDoc) {
|
||||
eventDoc = await applyOptions(Event.findOne({ slug: identifier }))
|
||||
}
|
||||
|
||||
if (!eventDoc) {
|
||||
throw createError({ statusCode: 404, statusMessage: 'Event not found' })
|
||||
}
|
||||
|
||||
if (eventDoc.isVisible === false) {
|
||||
const requester = await getOptionalMember(reqEvent)
|
||||
if (requester?.role !== 'admin') {
|
||||
throw createError({ statusCode: 404, statusMessage: 'Event not found' })
|
||||
}
|
||||
}
|
||||
|
||||
return eventDoc
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue