EventApiController

alfio-event · Dec 13, 2023 · 16c57e5 · 16c57e5
1 parent e10b4d0
commit 16c57e5
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/src/main/java/alfio/controller/api/admin/EventApiController.java b/src/main/java/alfio/controller/api/admin/EventApiController.java
@@ -874,8 +874,10 @@ private ZonedDateTime parseDate(String dateToParse,
 
     @DeleteMapping("/events/{eventName}/reservation/{reservationId}/transaction/{transactionId}/discard")
     public ResponseEntity<String> discardMatchingPayment(@PathVariable("eventName") String eventName,
-                                                       @PathVariable("reservationId") String reservationId,
-                                                       @PathVariable("transactionId") int transactionId) {
+                                                         @PathVariable("reservationId") String reservationId,
+                                                         @PathVariable("transactionId") int transactionId,
+                                                         Principal principal) {
+        accessService.checkEventAndReservationAndTransactionOwnership(principal, eventName, reservationId, transactionId);
         var result = ticketReservationManager.discardMatchingPayment(eventName, reservationId, transactionId);
         if(result.isSuccess()) {
             return ResponseEntity.ok("OK");

diff --git a/src/main/java/alfio/manager/AccessService.java b/src/main/java/alfio/manager/AccessService.java
@@ -471,4 +471,12 @@ public void checkEventAndReservationOwnership(Principal principal, String eventN
             throw new AccessDeniedException();
         };
     }
+
+    public void checkEventAndReservationAndTransactionOwnership(Principal principal, String eventName, String reservationId, int transactionId) {
+        checkEventAndReservationOwnership(principal, eventName, Set.of(reservationId));
+        if (!reservationRepository.hasReservationWithTransactionId(reservationId, transactionId)) {
+         log.warn("Reservation id {} does not have transaction id {}", reservationId, transactionId);
+            throw new AccessDeniedException();
+        }
+    }
 }
diff --git a/src/main/java/alfio/repository/TicketReservationRepository.java b/src/main/java/alfio/repository/TicketReservationRepository.java
@@ -301,4 +301,7 @@ int updateVatStatus(@Bind("reservationId") String reservationId,
 
     @Query("select count(id) from tickets_reservation where id in (:ids) and event_id_fk = :eventId")
     int countReservationsWithEventId(@Bind("ids") Set<String> reservationIds, @Bind("eventId") int eventId);
+
+    @Query("select exists(select id from b_transaction where id = :transactionId and reservation_id = reservationId)")
+    boolean hasReservationWithTransactionId(@Bind("reservationId") String reservationId, @Bind("transactionId") int transactionId);
 }