ghostguild-org

jennie/ghostguild-org

Fork 0

Commit graph

Author	SHA1	Message	Date
Jennie Robinson Faber	8f0648de57	fix(events): surface series-pass-required in ticket availability response Some checks failed Test / vitest (push) Successful in 10m52s Details Test / playwright (push) Failing after 9m35s Details Test / visual (push) Failing after 9m32s Details Test / Notify on failure (push) Successful in 2s Details When a series requires a pass and doesn't allow drop-ins, the per-event availability endpoint returned a generic "No tickets available" reason, leaving the UI to render an "Event Sold Out" block for guests (logged-in users short-circuit via check-series-access first). Detect the gate server-side and return {available:false, reason:"series_pass_required", requiresSeriesPass:true, series:{id,title,slug}} so EventTicketPurchase's existing requiresSeriesPass branch renders a pass-required CTA with a link to the series page. The register and purchase handlers already enforce the gate server-side; this is a messaging fix only.	2026-04-20 20:13:36 +01:00
Jennie Robinson Faber	f34b062f2a	fix(events): enforce series-pass, hidden, and deadline gates Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md (Findings 1, 2, 3). 1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now loads the linked Series when tickets.requiresSeriesTicket is set and rejects drop-in registration unless series.allowIndividualEventTickets is true or the user has a valid pass. Data-integrity 500 if the referenced series is missing. 2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent into server/utils/loadEvent.js. All five public event endpoints ([id].get, register, tickets/available, tickets/reserve, tickets/purchase) now go through the helper, which 404s when isVisible === false and the requester is not an admin. Admin detection uses a new non-throwing getOptionalMember() in server/utils/auth.js (extracted from the pattern already inlined in api/auth/status.get.js). 3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix E8): register.post.js and tickets/reserve.post.js delegate gating to validateTicketPurchase (which already covers deadline, cancelled, started, members-only, sold-out, and already-registered); tickets/available.get.js gets an explicit registrationDeadline check. Legacy pricing.paymentRequired 402 branch removed from register.post.js.	2026-04-20 19:03:34 +01:00
Jennie Robinson Faber	bce86ee840	Add landing page	2025-11-03 11:17:51 +00:00

Author

SHA1

Message

Date

Jennie Robinson Faber

8f0648de57

fix(events): surface series-pass-required in ticket availability response

Test / vitest (push) Successful in 10m52s

Details

Test / playwright (push) Failing after 9m35s

Details

Test / visual (push) Failing after 9m32s

Details

Test / Notify on failure (push) Successful in 2s

Details

When a series requires a pass and doesn't allow drop-ins, the
per-event availability endpoint returned a generic "No tickets
available" reason, leaving the UI to render an "Event Sold Out"
block for guests (logged-in users short-circuit via
check-series-access first).

Detect the gate server-side and return
{available:false, reason:"series_pass_required", requiresSeriesPass:true,
series:{id,title,slug}} so EventTicketPurchase's existing
requiresSeriesPass branch renders a pass-required CTA with a link to
the series page. The register and purchase handlers already enforce
the gate server-side; this is a messaging fix only.

2026-04-20 20:13:36 +01:00

Jennie Robinson Faber

f34b062f2a

fix(events): enforce series-pass, hidden, and deadline gates

Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.

2026-04-20 19:03:34 +01:00

Jennie Robinson Faber

bce86ee840

Add landing page

2025-11-03 11:17:51 +00:00

3 commits