From fe53d067195c59a0553d7d567d749795c1751a41 Mon Sep 17 00:00:00 2001
From: Areeb Jamal
Date: Thu, 3 Dec 2020 02:36:18 +0530
Subject: [PATCH] fix: Give access to order tickets and attendees to organizers
---
 app/api/attendees.py | 14 ++++++++------
 app/models/order.py | 10 +++++++++-
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/app/api/attendees.py b/app/api/attendees.py
index 616e807aef..650ca7b87e 100644
--- a/app/api/attendees.py
+++ b/app/api/attendees.py
@@ -132,17 +132,19 @@ def query(self, view_kwargs):
 'order_identifier',
 'identifier',
 )
+
+ is_coorganizer = has_access(
+ 'is_coorganizer',
+ event_id=order.event_id,
+ )
 if not (
- has_access(
- 'is_coorganizer_or_user_itself',
- event_id=order.event_id,
- user_id=order.user_id,
- )
+ is_coorganizer
+ or current_user.id == order.user_id
 or order.is_attendee(current_user)
 ):
 raise ForbiddenError({'source': ''}, 'Access Forbidden')
 query_ = query_.join(Order).filter(Order.id == order.id)
- if current_user.id != order.user_id:
+ if not is_coorganizer and current_user.id != order.user_id:
 query_ = query_.filter(TicketHolder.user == current_user)
 
 if view_kwargs.get('ticket_id'):
diff --git a/app/models/order.py b/app/models/order.py
index ac2470e222..ed6f1e8f64 100644
--- a/app/models/order.py
+++ b/app/models/order.py
@@ -157,8 +157,16 @@ def invoice_pdf_path(self) -> str:
 
 @property
 def filtered_ticket_holders(self):
+ from app.api.helpers.permission_manager import has_access
+
 query_ = TicketHolder.query.filter_by(order_id=self.id, deleted_at=None)
- if current_user.id != self.user_id:
+ if (
+ not has_access(
+ 'is_coorganizer',
+ event_id=self.event_id,
+ )
+ and current_user.id != self.user_id
+ ):
 query_ = query_.filter(TicketHolder.user == current_user)
 return query_.all()
 
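Review bot: The visibility rule behind the new `if not is_coorganizer and current_user.id != order.user_id:` line is only implied by the three-way gate above it, and the very same predicate is restated by hand in `Order.filtered_ticket_holders` in the second hunk; two hand-written copies of one authorization decision drift apart silently, so I would have the view call a single shared helper on the model, something like `order.can_view_all_ticket_holders()` (name illustrative), and use it at both sites. At minimum the intent should be stated next to the new filter: `# Co-organizers and the order owner see every ticket holder of the order; a plain attendee sees only their own.` The `is_coorganizer` lookup now runs for every caller before the access check, including the order owner who is admitted regardless of it; whether that matters depends on what `has_access` does, which is not visible here. `query` starts before this hunk and continues after it.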
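Review bot: The function-scope `from app.api.helpers.permission_manager import has_access` needs a why-comment, because a model module importing from the API layer inside a property is surprising and presumably exists to break an import cycle at module load; I would put `# Local import: permission_manager appears to depend on the models package, so a module-level import would be circular — confirm.` directly above it. The property now also performs an authorization lookup on every access and reads request state (`current_user`, plus whatever `has_access` consults) from inside a model, so a docstring should say so, e.g. `"""Ticket holders of this order that the current request's user may see: all of them for an event co-organizer or the order owner, only the user's own otherwise."""`. If this property is ever reached outside a request context (I cannot tell from here), neither `current_user` nor `has_access` is guarded on these lines. The enclosing class continues outside this hunk.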