EventApiController add checks for ticket categories

alfio-event · Dec 13, 2023 · 03747df · 03747df
1 parent ec31224
commit 03747df
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/src/main/java/alfio/controller/api/admin/EventApiController.java b/src/main/java/alfio/controller/api/admin/EventApiController.java
@@ -58,6 +58,7 @@
 import org.springframework.dao.DataAccessException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.util.Assert;
 import org.springframework.util.StreamUtils;
 import org.springframework.validation.Errors;
 import org.springframework.web.bind.annotation.*;
@@ -283,34 +284,41 @@ public String activateEvent(@PathVariable("id") int id, @RequestParam("active")
 
     @PostMapping("/events/{id}/header/update")
     public ValidationResult updateHeader(@PathVariable("id") int id, @RequestBody EventModification eventModification, Errors errors,  Principal principal) {
+        accessService.checkEventOwnership(principal, id);
         Event event = eventManager.getSingleEventById(id, principal.getName());
         return validateEventHeader(Optional.of(event), eventModification, getDescriptionLength(), errors).ifSuccess(() -> eventManager.updateEventHeader(event, eventModification, principal.getName()));
     }
 
     @PostMapping("/events/{id}/prices/update")
     public ValidationResult updatePrices(@PathVariable("id") int id, @RequestBody EventModification eventModification, Errors errors,  Principal principal) {
+        accessService.checkEventOwnership(principal, id);
         Event event = eventManager.getSingleEventById(id, principal.getName());
         return validateEventPrices(eventModification, errors).ifSuccess(() -> eventManager.updateEventPrices(event, eventModification, principal.getName()));
     }
 
     @PostMapping("/events/{eventId}/categories/{categoryId}/update")
     public ValidationResult updateExistingCategory(@PathVariable("eventId") int eventId, @PathVariable("categoryId") int categoryId, @RequestBody TicketCategoryModification category, Errors errors, Principal principal) {
+        accessService.checkCategoryOwnership(principal, eventId, categoryId);
+        Assert.isTrue(categoryId == category.getId().intValue(), "categoryId must be equal to category.getId()");
         return validateCategory(category, errors, getDescriptionLength()).ifSuccess(() -> eventManager.updateCategory(categoryId, eventId, category, principal.getName()));
     }
 
     @PostMapping("/events/{eventId}/categories/new")
     public ValidationResult createCategory(@PathVariable("eventId") int eventId, @RequestBody TicketCategoryModification category, Errors errors, Principal principal) {
+        accessService.checkEventOwnership(principal, eventId);
         return validateCategory(category, errors, getDescriptionLength()).ifSuccess(() -> eventManager.insertCategory(eventId, category, principal.getName()));
     }
 
     @PutMapping("/events/reallocate")
-    public String reallocateTickets(@RequestBody TicketAllocationModification form) {
+    public String reallocateTickets(@RequestBody TicketAllocationModification form, Principal principal) {
+        accessService.checkCategoryOwnership(principal, form.getEventId(), Set.of(form.getSrcCategoryId(), form.getTargetCategoryId()));
         eventManager.reallocateTickets(form.getSrcCategoryId(), form.getTargetCategoryId(), form.getEventId());
         return OK;
     }
 
     @PutMapping("/events/{eventName}/category/{categoryId}/unbind-tickets")
     public String unbindTickets(@PathVariable("eventName") String eventName, @PathVariable("categoryId") int categoryId, Principal principal) {
+        accessService.checkCategoryOwnership(principal, eventName, categoryId);
         eventManager.unbindTickets(eventName, categoryId, principal.getName());
         return OK;
     }
@@ -324,6 +332,7 @@ public String deleteCategory(@PathVariable("eventName") String eventName, @PathV
 
     @PutMapping("/events/{eventName}/rearrange-categories")
     public ResponseEntity<String> rearrangeCategories(@PathVariable("eventName") String eventName, @RequestBody List<CategoryOrdinalModification> categories, Principal principal) {
+        accessService.checkCategoryOwnership(principal, eventName, categories.stream().map(CategoryOrdinalModification::getId).collect(Collectors.toSet()));
         if(CollectionUtils.isEmpty(categories)) {
             return ResponseEntity.badRequest().build();
         }

diff --git a/src/main/java/alfio/manager/AccessService.java b/src/main/java/alfio/manager/AccessService.java
@@ -177,20 +177,30 @@ public EventAndOrganizationId checkEventOwnership(Principal principal, String ev
     }
 
     public EventAndOrganizationId checkCategoryOwnership(Principal principal, int eventId, int categoryId) {
+        return checkCategoryOwnership(principal, eventId, Set.of(categoryId));
+    }
+
+    public EventAndOrganizationId checkCategoryOwnership(Principal principal, int eventId, Set<Integer> categoryIds) {
         var eventAndOrganizationId = checkEventOwnership(principal, eventId);
-        if (!Boolean.TRUE.equals(ticketCategoryRepository.checkCategoryExistsForEvent(categoryId, eventAndOrganizationId.getId()))) {
+        if (categoryIds.size() != ticketCategoryRepository.countCategoryForEvent(categoryIds, eventAndOrganizationId.getId())) {
             throw new AccessDeniedException();
         }
         return eventAndOrganizationId;
     }
 
-    public void checkCategoryOwnership(Principal principal, String eventShortName, int categoryId) {
+    public EventAndOrganizationId checkCategoryOwnership(Principal principal, String eventShortName, Set<Integer> categoryIds) {
         var eventAndOrganizationId = checkEventOwnership(principal, eventShortName);
-        if (!Boolean.TRUE.equals(ticketCategoryRepository.checkCategoryExistsForEvent(categoryId, eventAndOrganizationId.getId()))) {
+        if (categoryIds.size() != ticketCategoryRepository.countCategoryForEvent(categoryIds, eventAndOrganizationId.getId())) {
             throw new AccessDeniedException();
         }
+        return eventAndOrganizationId;
     }
 
+    public EventAndOrganizationId checkCategoryOwnership(Principal principal, String eventShortName, int categoryId) {
+        return checkCategoryOwnership(principal, eventShortName, Set.of(categoryId));
+    }
+
+
     public void checkEventReservationCreationRequest(Principal principal,
                                                      String eventShortName,
                                                      ReservationCreate<? extends ReservationRequest> createRequest) {

diff --git a/src/main/java/alfio/repository/TicketCategoryRepository.java b/src/main/java/alfio/repository/TicketCategoryRepository.java
@@ -193,5 +193,8 @@ default Map<Integer, TicketCategoryStatisticView> findStatisticsForEventIdByCate
     Integer countActiveByEventId(@Bind("eventId") int eventId);
 
     @Query("select count(*) from ticket_field_configuration where event_id_fk = :eventId and id in (:additionalFieldIds)")
-    int countMatchingAdditionalFieldsWithEventId(@Bind("eventId") int id, @Bind("additionalFieldIds") Set<Integer> additionalFieldIds);
+    int countMatchingAdditionalFieldsWithEventId(@Bind("eventId") int eventId, @Bind("additionalFieldIds") Set<Integer> additionalFieldIds);
+
+    @Query("select count(*) from ticket_category where event_id = :eventId and id in (:categoryIds)")
+    int countCategoryForEvent(@Bind("categoryIds") Set<Integer> categoryIds, @Bind("eventId") int eventId);
 }