feat: Filter attendees when ticket holder is not ticket purchaser
Suneet Srivastava committed Nov 26, 2020
1 parent 280ac5b commit 9098e01
Showing 3 changed files with 11 additions and 1 deletion.
2 changes: 2 additions & 0 deletions app/api/attendees.py
@@ -142,6 +142,8 @@ def query(self, view_kwargs):
):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
query_ = query_.join(Order).filter(Order.id == order.id)
if current_user.id != order.user_id:
query_ = query_.filter(TicketHolder.user == current_user)

if view_kwargs.get('ticket_id'):
ticket = safe_query_kwargs(Ticket, view_kwargs, 'ticket_id')
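Review bot: The added `if current_user.id != order.user_id:` narrows the attendee list for every caller who is not the purchaser, which would include any staff or organizer role admitted by the access check that ends at `raise ForbiddenError`. That check's condition starts outside the hunk, so this is inferred, but if such roles pass it they would now get an empty or partial list for the order. Consider applying the narrowing only to callers who passed that check as ticket holders, and state the intent in a comment such as `# non-purchasers only see the attendee records that belong to them`. The same predicate is repeated in `Order.filtered_ticket_holders` in app/models/order.py, so a single shared helper would keep the two authorization rules in step. The body of `query` continues outside the hunk.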
2 changes: 1 addition & 1 deletion app/api/schema/orders.py
@@ -107,7 +107,7 @@ def initial_values(self, data):
)

attendees = Relationship(
attribute='ticket_holders',
attribute='filtered_ticket_holders',
self_view='v1.order_attendee',
self_view_kwargs={'order_identifier': '<identifier>'},
related_view='v1.attendee_list',
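Review bot: Pointing `attribute` at `filtered_ticket_holders` binds the relationship to a getter-only property, and in marshmallow `attribute` also names the key that loaded data is stored under. If this schema is used to deserialize order payloads that carry `attendees`, the loaded key is no longer `ticket_holders` and the model has no setter to receive it. The create and update paths are not visible here, so this needs confirming. If the relationship is only ever serialized, mark it so with `dump_only=True` and a comment such as `# read-only: filtered per requesting user by Order.filtered_ticket_holders`. The `Relationship(...)` call continues past the end of the hunk.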
8 changes: 8 additions & 0 deletions app/models/order.py
@@ -1,5 +1,6 @@
import time

from flask_jwt_extended import current_user
from sqlalchemy.sql import func

from app.api.helpers.db import get_new_identifier
@@ -154,6 +155,13 @@ def invoice_pdf_path(self) -> str:
+ '.pdf'
)

@property
def filtered_ticket_holders(self):
query_ = TicketHolder.query.filter_by(order_id=self.id, deleted_at=None)
if current_user.id != self.user_id:
query_ = query_.filter(TicketHolder.user == current_user)
return query_.all()

@property
def site_view_link(self) -> str:
frontend_url = get_settings()['frontend_url']
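Review bot: `filtered_ticket_holders` reads `current_user.id` inside a model property, so an authorization decision now depends on an authenticated request being active wherever an `Order` is serialized. In a background job, a shell, or an endpoint where the JWT is optional, `current_user` may be unset and the attribute access would raise rather than fail closed. A guard ahead of the comparison, `if not current_user: return []`, would make the no-identity case explicit. The property also lacks the return annotation its neighbours `invoice_pdf_path` and `site_view_link` carry, and a docstring saying that it returns the order's non-deleted ticket holders: all of them for the purchaser, and only the caller's own otherwise.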
