checkCategoryOwnershipAndTicket

alfio-event · Dec 13, 2023 · d5eb3fd · d5eb3fd
1 parent 03747df
commit d5eb3fd
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/src/main/java/alfio/controller/api/admin/EventApiController.java b/src/main/java/alfio/controller/api/admin/EventApiController.java
@@ -674,6 +674,7 @@ public boolean toggleTicketLocking(@PathVariable("eventName") String eventName,
                                        @PathVariable("categoryId") int categoryId,
                                        @PathVariable("ticketId") int ticketId,
                                        Principal principal) {
+        accessService.checkCategoryOwnershipAndTicket(principal, eventName, categoryId, ticketId);
         return eventManager.toggleTicketLocking(eventName, categoryId, ticketId, principal.getName());
     }
 

diff --git a/src/main/java/alfio/manager/AccessService.java b/src/main/java/alfio/manager/AccessService.java
@@ -455,4 +455,12 @@ public void checkEventOwnershipAndTicketAdditionalFieldIds(Principal principal,
             throw new AccessDeniedException();
         }
     }
+
+    public void checkCategoryOwnershipAndTicket(Principal principal, String eventName, int categoryId, int ticketId) {
+        checkCategoryOwnership(principal, eventName, categoryId);
+        if (!ticketRepository.isInCategory(ticketId, categoryId)) {
+            log.warn("Ticket with id {} is not in category id {}", ticketId, categoryId);
+            throw new AccessDeniedException();
+        }
+    }
 }
diff --git a/src/main/java/alfio/manager/EventManager.java b/src/main/java/alfio/manager/EventManager.java
@@ -956,6 +956,7 @@ public AdditionalService getAdditionalServiceById(int id, int eventId) {
     public boolean toggleTicketLocking(String eventName, int categoryId, int ticketId, String username) {
         EventAndOrganizationId event = getEventAndOrganizationId(eventName, username);
         checkOwnership(event, username, event.getOrganizationId());
+        // FIXME: can search directly by id
         var existingCategory = ticketCategoryRepository.findAllTicketCategories(event.getId()).stream().filter(tc -> tc.getId() == categoryId).findFirst();
         if(existingCategory.isPresent()) {
             Ticket ticket = ticketRepository.findById(ticketId, categoryId);

diff --git a/src/main/java/alfio/repository/TicketRepository.java b/src/main/java/alfio/repository/TicketRepository.java
@@ -282,6 +282,9 @@ int updateTicketPrice(@Bind("ids") List<Integer> ids,
     @Query("select * from ticket where id = :id and category_id = :categoryId")
     Ticket findById(@Bind("id") int ticketId, @Bind("categoryId") int categoryId);
 
+    @Query("select exists(select id from ticket where id = :id and category_id = :categoryId)")
+    boolean isInCategory(@Bind("id") int id, @Bind("categoryId") int categoryId);
+
     @Query("select * from ticket where id in (:ids)")
     List<Ticket> findByIds(@Bind("ids") List<Integer> ticketIds);