@stamhoofd/backend 2.100.1 → 2.102.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.100.1",
+    "version": "2.102.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -45,14 +45,14 @@
         "@simonbackx/simple-encoding": "2.22.0",
         "@simonbackx/simple-endpoints": "1.20.1",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.100.1",
-        "@stamhoofd/backend-middleware": "2.100.1",
-        "@stamhoofd/email": "2.100.1",
-        "@stamhoofd/models": "2.100.1",
-        "@stamhoofd/queues": "2.100.1",
-        "@stamhoofd/sql": "2.100.1",
-        "@stamhoofd/structures": "2.100.1",
-        "@stamhoofd/utility": "2.100.1",
+        "@stamhoofd/backend-i18n": "2.102.0",
+        "@stamhoofd/backend-middleware": "2.102.0",
+        "@stamhoofd/email": "2.102.0",
+        "@stamhoofd/models": "2.102.0",
+        "@stamhoofd/queues": "2.102.0",
+        "@stamhoofd/sql": "2.102.0",
+        "@stamhoofd/structures": "2.102.0",
+        "@stamhoofd/utility": "2.102.0",
         "archiver": "^7.0.1",
         "axios": "^1.8.2",
         "cookie": "^0.7.0",
@@ -70,5 +70,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "989981a387ceddd505dc757d2e0a3dacd492b733"
+    "gitHead": "0dcf9d704578c9f1972f7068b8727a5572c723c7"
 }

package/src/crons.ts

@@ -124,7 +124,7 @@ async function checkWebshopDNS() {
 // Keep checking pending paymetns for 3 days
 async function checkPayments() {
     if (STAMHOOFD.environment === 'development') {
-        return;
+        // return;
     }
 
     const timeout = 60 * 1000 * 31;

package/src/email-recipient-loaders/receivable-balances.ts

@@ -14,7 +14,7 @@ async function fetch(query: LimitedFilteredRequest, subfilter: StamhoofdFilter |
 
     const recipients: EmailRecipient[] = [];
     for (const balance of result.results) {
-        const balanceItemModels = await CachedBalance.balanceForObjects(balance.organizationId, [balance.object.id], balance.objectType, true);
+        const balanceItemModels = balance.objectType === ReceivableBalanceType.organization ? (await CachedBalance.balanceForObjects(balance.organizationId, [balance.object.id], balance.objectType)) : [];
         const balanceItems = balanceItemModels.map(i => i.getStructure());
 
         const filteredContacts = balance.object.contacts.filter(c => compiledFilter(c));
@@ -22,7 +22,7 @@ async function fetch(query: LimitedFilteredRequest, subfilter: StamhoofdFilter |
             for (const email of contact.emails) {
                 const recipient = EmailRecipient.create({
                     objectId: balance.id, // Note: not set member, user or organization id here - should be the queryable balance id
-                    userId: balance.objectType === ReceivableBalanceType.user ? balance.object.id : null,
+                    userId: balance.objectType === ReceivableBalanceType.user || balance.objectType === ReceivableBalanceType.userWithoutMembers ? balance.object.id : null,
                     memberId: balance.objectType === ReceivableBalanceType.member ? balance.object.id : null,
                     firstName: contact.firstName,
                     lastName: contact.lastName,
@@ -32,15 +32,22 @@ async function fetch(query: LimitedFilteredRequest, subfilter: StamhoofdFilter |
                             token: 'objectName',
                             value: balance.object.name,
                         }),
-                        Replacement.create({
-                            token: 'outstandingBalance',
-                            value: Formatter.price(balance.amountOpen),
-                        }),
-                        Replacement.create({
-                            token: 'balanceTable',
-                            value: '',
-                            html: BalanceItemStruct.getDetailsHTMLTable(balanceItems),
-                        }),
+                        ...(
+                            balance.objectType === ReceivableBalanceType.organization
+                                ? [
+                                        Replacement.create({
+                                            token: 'outstandingBalance',
+                                            value: Formatter.price(balance.amountOpen),
+                                        }),
+                                        Replacement.create({
+                                            token: 'balanceTable',
+                                            value: '',
+                                            html: BalanceItemStruct.getDetailsHTMLTable(balanceItems),
+                                        }),
+                                    ]
+                                : []
+                        ),
+
                         ...(contact.meta && contact.meta.url && typeof contact.meta.url === 'string'
                             ? [Replacement.create({
                                     token: 'paymentUrl',

package/src/endpoints/global/events/PatchEventsEndpoint.ts

@@ -59,6 +59,7 @@ export class PatchEventsEndpoint extends Endpoint<Params, Query, Body, ResponseB
                 putGroup,
                 putGroup.organizationId,
                 period,
+                { allowedIds: [putGroup.id] },
             );
         }
         else {

package/src/endpoints/global/members/helpers/validateGroupFilter.ts

@@ -1,5 +1,4 @@
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Group } from '@stamhoofd/models';
 import { FilterWrapperMarker, PermissionLevel, StamhoofdFilter, unwrapFilter, WrapperFilter } from '@stamhoofd/structures';
 import { Context } from '../../../../helpers/Context';
 
@@ -55,17 +54,22 @@ export async function validateGroupFilter({ filter, permissionLevel, key }: { fi
         }
     }
 
-    const groups = await Group.getByIDs(...groupIds as string[]);
-    Context.auth.cacheGroups(groups);
+    const groups = await Context.auth.getGroups(groupIds as string[]);
 
-    console.log('Fetching members for groups', groups.map(g => g.settings.name.toString()));
+    console.log('Fetching members for groups before', groups.map(g => g.settings.name.toString()));
 
     for (const group of groups) {
         if (!await Context.auth.canAccessGroup(group, permissionLevel)) {
-            throw Context.auth.error({
-                message: 'You do not have access to this group',
-                human: $t(`45eedf49-0f0a-442c-a0bd-7881c2682698`, { groupName: group.settings.name }),
-            });
+            if (permissionLevel !== PermissionLevel.Read || !group.settings.implicitlyAllowViewRegistrations) {
+                throw Context.auth.error({
+                    message: 'You do not have access to this group',
+                    human: $t(`45eedf49-0f0a-442c-a0bd-7881c2682698`, { groupName: group.settings.name }),
+                });
+            }
+            else {
+                // Return false so we add additional scope filters (only view overlap)
+                return false;
+            }
         }
     }
 

package/src/endpoints/global/registration/GetRegistrationsEndpoint.ts

@@ -99,14 +99,26 @@ export class GetRegistrationsEndpoint extends Endpoint<Params, Query, Body, Resp
                     if (await Context.auth.hasFullAccess(organization.id, permissionLevel)) {
                         // Can access full history for now
                         scopeFilter = {
-                            organizationId: organization.id,
+                            member: {
+                                registrations: {
+                                    $elemMatch: {
+                                        organizationId: organization.id,
+                                    },
+                                },
+                            },
                         };
                     }
                     else {
                         // Can only access current period
                         scopeFilter = {
-                            organizationId: organization.id,
-                            periodId: organization.periodId,
+                            member: {
+                                registrations: {
+                                    $elemMatch: {
+                                        organizationId: organization.id,
+                                        periodId: organization.periodId,
+                                    },
+                                },
+                            },
                         };
                     }
                 }
@@ -130,8 +142,14 @@ export class GetRegistrationsEndpoint extends Endpoint<Params, Query, Body, Resp
                     }
 
                     scopeFilter = {
-                        groupId: {
-                            $in: groupIds,
+                        member: {
+                            registrations: {
+                                $elemMatch: {
+                                    groupId: {
+                                        $in: groupIds,
+                                    },
+                                },
+                            },
                         },
                     };
                 }
@@ -196,8 +214,13 @@ export class GetRegistrationsEndpoint extends Endpoint<Params, Query, Body, Resp
         }
 
         for (const registration of data) {
-            if (!await Context.auth.canAccessRegistration(registration, permissionLevel)) {
-                throw Context.auth.error();
+            if (registration.group.settings.implicitlyAllowViewRegistrations) {
+                // okay, only need to check if we can access the members (next step)
+            }
+            else {
+                if (!await Context.auth.canAccessRegistration(registration, permissionLevel)) {
+                    throw Context.auth.error();
+                }
             }
         }
 

package/src/endpoints/global/registration/GetUserPayableBalanceEndpoint.ts

@@ -1,6 +1,6 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { CachedBalance, Organization } from '@stamhoofd/models';
-import { PayableBalance, PayableBalanceCollection } from '@stamhoofd/structures';
+import { PayableBalance, PayableBalanceCollection, ReceivableBalanceType } from '@stamhoofd/structures';
 
 import { Formatter } from '@stamhoofd/utility';
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
@@ -31,12 +31,12 @@ export class GetUserPayableBalanceEndpoint extends Endpoint<Params, Query, Body,
         const organization = await Context.setUserOrganizationScope();
         const { user } = await Context.authenticate();
 
-        return new Response(await GetUserPayableBalanceEndpoint.getBillingStatusForObjects([user.id], organization));
+        return new Response(await GetUserPayableBalanceEndpoint.getBillingStatusForObjects([user.id], organization, ReceivableBalanceType.user));
     }
 
-    static async getBillingStatusForObjects(objectIds: string[], organization?: Organization | null) {
+    static async getBillingStatusForObjects(objectIds: string[], organization: Organization | null, objectType: ReceivableBalanceType) {
         // Load cached balances
-        const receivableBalances = await CachedBalance.getForObjects(objectIds, organization?.id);
+        const receivableBalances = await CachedBalance.getForObjects(objectIds, organization?.id, objectType);
 
         const organizationIds = Formatter.uniqueArray(receivableBalances.map(b => b.organizationId));
 

package/src/endpoints/global/registration/RegisterMembersEndpoint.ts

@@ -5,7 +5,7 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Email } from '@stamhoofd/email';
 import { BalanceItem, BalanceItemPayment, CachedBalance, Group, Member, MemberWithRegistrations, MolliePayment, MollieToken, Organization, PayconiqPayment, Payment, Platform, RateLimiter, Registration, User } from '@stamhoofd/models';
-import { BalanceItemRelation, BalanceItemRelationType, BalanceItemStatus, BalanceItem as BalanceItemStruct, BalanceItemType, IDRegisterCheckout, PaymentCustomer, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Payment as PaymentStruct, PaymentType, PermissionLevel, PlatformFamily, PlatformMember, RegisterItem, RegisterResponse, TranslatedString, Version } from '@stamhoofd/structures';
+import { BalanceItemRelation, BalanceItemRelationType, BalanceItemStatus, BalanceItem as BalanceItemStruct, BalanceItemType, IDRegisterCheckout, PaymentCustomer, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Payment as PaymentStruct, PaymentType, PermissionLevel, PlatformFamily, PlatformMember, ReceivableBalanceType, RegisterItem, RegisterResponse, TranslatedString, Version } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
@@ -315,7 +315,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                 );
 
                 // Never reuse a registration that has a balance - that means they had a cancellation fee and not all balance items were canceled (we don't want to merge in that state)
-                const balances = await CachedBalance.getForObjects(possibleReuseRegistrations.map(r => r.id), null);
+                const balances = await CachedBalance.getForObjects(possibleReuseRegistrations.map(r => r.id), null, ReceivableBalanceType.registration);
 
                 reuseRegistration = possibleReuseRegistrations.find((r) => {
                     const balance = balances.filter(b => b.objectId === r.id).reduce((a, b) => a + b.amountOpen + b.amountPaid + b.amountPending, 0);

package/src/endpoints/organization/dashboard/billing/GetOrganizationPayableBalanceEndpoint.ts

@@ -1,5 +1,5 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { PayableBalanceCollection } from '@stamhoofd/structures';
+import { PayableBalanceCollection, ReceivableBalanceType } from '@stamhoofd/structures';
 
 import { Context } from '../../../../helpers/Context';
 import { GetUserPayableBalanceEndpoint } from '../../../global/registration/GetUserPayableBalanceEndpoint';
@@ -34,6 +34,6 @@ export class GetOrganizationPayableBalanceEndpoint extends Endpoint<Params, Quer
             throw Context.auth.error();
         }
 
-        return new Response(await GetUserPayableBalanceEndpoint.getBillingStatusForObjects([organization.id], null));
+        return new Response(await GetUserPayableBalanceEndpoint.getBillingStatusForObjects([organization.id], null, ReceivableBalanceType.organization));
     }
 }

package/src/endpoints/organization/dashboard/receivable-balances/GetReceivableBalanceEndpoint.ts

@@ -1,11 +1,12 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { DetailedReceivableBalance, PaymentStatus, ReceivableBalanceType } from '@stamhoofd/structures';
 
-import { BalanceItem, BalanceItemPayment, CachedBalance, Payment } from '@stamhoofd/models';
+import { BalanceItem, BalanceItemPayment, CachedBalance, MemberUser, Payment } from '@stamhoofd/models';
 import { Context } from '../../../../helpers/Context';
 import { AuthenticatedStructures } from '../../../../helpers/AuthenticatedStructures';
 import { SQL } from '@stamhoofd/sql';
 import { BalanceItemService } from '../../../../services/BalanceItemService';
+import { Formatter } from '@stamhoofd/utility';
 
 type Params = { id: string; type: ReceivableBalanceType };
 type Query = undefined;
@@ -38,14 +39,13 @@ export class GetReceivableBalanceEndpoint extends Endpoint<Params, Query, Body,
             throw Context.auth.error();
         }
 
-        // Flush caches (this makes sure that we do a reload in the frontend after a registration or change, we get the newest balances)
-        await BalanceItemService.flushCaches(organization.id);
-
-        const balanceItemModels = await CachedBalance.balanceForObjects(organization.id, [request.params.id], request.params.type, true);
         let paymentModels: Payment[] = [];
 
         switch (request.params.type) {
             case ReceivableBalanceType.organization: {
+                // Force cache updates, because sometimes the cache could be out of date
+                BalanceItemService.scheduleOrganizationUpdate(organization.id, request.params.id);
+
                 paymentModels = await Payment.select()
                     .where('organizationId', organization.id)
                     .andWhere(
@@ -66,6 +66,9 @@ export class GetReceivableBalanceEndpoint extends Endpoint<Params, Query, Body,
             }
 
             case ReceivableBalanceType.member: {
+                // Force cache updates, because sometimes the cache could be out of date
+                BalanceItemService.scheduleMemberUpdate(organization.id, request.params.id);
+
                 paymentModels = await Payment.select()
                     .where('organizationId', organization.id)
                     .join(
@@ -86,7 +89,17 @@ export class GetReceivableBalanceEndpoint extends Endpoint<Params, Query, Body,
             }
 
             case ReceivableBalanceType.user: {
-                paymentModels = await Payment.select()
+                const memberUsers = await MemberUser.select().where('usersId', request.params.id).fetch();
+                const memberIds = Formatter.uniqueArray(memberUsers.map(mu => mu.membersId));
+
+                // Force cache updates, because sometimes the cache could be out of date
+                BalanceItemService.scheduleUserUpdate(organization.id, request.params.id);
+
+                for (const memberId of memberIds) {
+                    BalanceItemService.scheduleMemberUpdate(organization.id, memberId);
+                }
+
+                const q = Payment.select()
                     .where('organizationId', organization.id)
                     .join(
                         SQL.join(BalanceItemPayment.table)
@@ -95,8 +108,44 @@ export class GetReceivableBalanceEndpoint extends Endpoint<Params, Query, Body,
                     .join(
                         SQL.join(BalanceItem.table)
                             .where(SQL.column(BalanceItemPayment.table, 'balanceItemId'), SQL.column(BalanceItem.table, 'id')),
+                    );
+
+                if (memberIds.length === 0) {
+                    q.where(SQL.column(BalanceItem.table, 'userId'), request.params.id);
+                }
+                else {
+                    q.where(
+                        SQL.where(SQL.column(BalanceItem.table, 'userId'), request.params.id)
+                            .or(SQL.column(BalanceItem.table, 'memberId'), memberIds),
+                    );
+                }
+
+                paymentModels = await q
+                    .andWhere(
+                        SQL.whereNot('status', PaymentStatus.Failed),
                     )
-                    .where(SQL.column(BalanceItem.table, 'userId'), request.params.id)
+                    .groupBy(SQL.column(Payment.table, 'id'))
+                    .fetch();
+                break;
+            }
+
+            case ReceivableBalanceType.userWithoutMembers: {
+                // Force cache updates, because sometimes the cache could be out of date
+                BalanceItemService.scheduleUserUpdate(organization.id, request.params.id);
+
+                const q = Payment.select()
+                    .where('organizationId', organization.id)
+                    .join(
+                        SQL.join(BalanceItemPayment.table)
+                            .where(SQL.column(BalanceItemPayment.table, 'paymentId'), SQL.column(Payment.table, 'id')),
+                    )
+                    .join(
+                        SQL.join(BalanceItem.table)
+                            .where(SQL.column(BalanceItemPayment.table, 'balanceItemId'), SQL.column(BalanceItem.table, 'id')),
+                    )
+                    .where(SQL.column(BalanceItem.table, 'userId'), request.params.id);
+
+                paymentModels = await q
                     .andWhere(
                         SQL.whereNot('status', PaymentStatus.Failed),
                     )
@@ -126,10 +175,13 @@ export class GetReceivableBalanceEndpoint extends Endpoint<Params, Query, Body,
             }
         }
 
+        // Flush caches (this makes sure that we do a reload in the frontend after a registration or change, we get the newest balances)
+        await BalanceItemService.flushCaches(organization.id);
+        const balanceItemModels = await CachedBalance.balanceForObjects(organization.id, [request.params.id], request.params.type);
         const balanceItems = await BalanceItem.getStructureWithPayments(balanceItemModels);
         const payments = await AuthenticatedStructures.paymentsGeneral(paymentModels, false);
 
-        const balances = await CachedBalance.getForObjects([request.params.id], organization.id);
+        const balances = await CachedBalance.getForObjects([request.params.id], organization.id, request.params.type);
 
         const created = new CachedBalance();
         created.amountOpen = 0;

package/src/endpoints/organization/dashboard/receivable-balances/GetReceivableBalancesEndpoint.ts

@@ -83,7 +83,12 @@ export class GetReceivableBalancesEndpoint extends Endpoint<Params, Query, Body,
                     },
                     {
                         users: {
-                            $elemMatch: { name: { $contains: q.search } },
+                            $elemMatch: {
+                                $or: {
+                                    name: { $contains: q.search },
+                                    email: { $contains: q.search },
+                                },
+                            },
                         },
                     },
                 ],

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts

@@ -37,7 +37,7 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
         const organization = await Context.setOrganizationScope();
         await Context.authenticate();
 
-        if (!await Context.auth.hasFullAccess(organization.id)) {
+        if (!await Context.auth.hasSomeAccess(organization.id)) {
             throw Context.auth.error();
         }
 
@@ -214,6 +214,14 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
             for (const groupPut of patch.groups.getPuts()) {
                 shouldUpdateSetupSteps = true;
                 groupPut.put.settings.throwIfInvalidPrices();
+                if (groupPut.put.type === GroupType.EventRegistration) {
+                    throw new SimpleError({
+                        code: 'invalid_group_type',
+                        message: 'Cannot create groups for events via this endpoint',
+                        human: $t(`40dde58e-47fb-4adb-971a-537b16c479d5`),
+                    });
+                }
+
                 const group = await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(groupPut.put, organization.id, period, { allowedIds });
                 deleteUnreachable = true;
                 forceGroupIds.push(group.id);
@@ -528,14 +536,9 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
     static async createGroup(struct: GroupStruct, organizationId: string, period: RegistrationPeriod, options?: { allowedIds?: string[] }): Promise<Group> {
         const allowedIds = options?.allowedIds ?? [];
 
-        if (struct.type === GroupType.Membership || struct.type === GroupType.WaitingList) {
+        if (struct.type !== GroupType.EventRegistration && !allowedIds.includes(struct.id)) {
             if (!await Context.auth.hasFullAccess(organizationId)) {
-                if (allowedIds.includes(struct.id)) {
-                    // Ok
-                }
-                else {
-                    throw Context.auth.error($t(`153a7443-e2d9-4126-8e10-089b54964fb8`));
-                }
+                throw Context.auth.error($t(`153a7443-e2d9-4126-8e10-089b54964fb8`));
             }
         }
         else {
@@ -587,7 +590,7 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
         model.settings.registeredMembers = 0;
         model.settings.reservedMembers = 0;
 
-        if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+        if (struct.type !== GroupType.EventRegistration && !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
             // Create a temporary permission role for this user
             const organizationPermissions = user.permissions?.organizationPermissions?.get(organizationId);
             if (!organizationPermissions) {

package/src/excel-loaders/receivable-balances.ts

@@ -1,5 +1,5 @@
 import { XlsxBuiltInNumberFormat, XlsxTransformerColumn, XlsxTransformerConcreteColumn } from '@stamhoofd/excel-writer';
-import { BalanceItemRelationType, BalanceItemWithPayments, DetailedReceivableBalance, ExcelExportType, getBalanceItemRelationTypeName, getBalanceItemStatusName, getBalanceItemTypeName, getReceivableBalanceTypeNameNotTranslated, PaginatedResponse, ReceivableBalance } from '@stamhoofd/structures';
+import { BalanceItemRelationType, BalanceItemWithPayments, DetailedReceivableBalance, ExcelExportType, getBalanceItemRelationTypeName, getBalanceItemStatusName, getBalanceItemTypeName, getReceivableBalanceTypeName, PaginatedResponse, ReceivableBalance } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { ExportToExcelEndpoint } from '../endpoints/global/files/ExportToExcelEndpoint';
 import { GetReceivableBalancesEndpoint } from '../endpoints/organization/dashboard/receivable-balances/GetReceivableBalancesEndpoint';
@@ -287,7 +287,7 @@ function getGeneralColumns(): XlsxTransformerConcreteColumn<ReceivableBalance>[]
             name: $t(`a0dfe596-0670-48bc-a5f3-2c9308c70a17`),
             width: 10,
             getValue: (object: ReceivableBalance) => ({
-                value: getReceivableBalanceTypeNameNotTranslated(object.objectType),
+                value: getReceivableBalanceTypeName(object.objectType),
             }),
         },
     ];

package/src/helpers/AdminPermissionChecker.ts

@@ -1,7 +1,7 @@
 import { AutoEncoderPatchType, PatchMap } from '@simonbackx/simple-encoding';
 import { isSimpleError, isSimpleErrors, SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, CachedBalance, Document, Email, EmailTemplate, Event, EventNotification, Group, Member, MemberPlatformMembership, MemberWithRegistrations, Order, Organization, OrganizationRegistrationPeriod, Payment, Registration, User, Webshop } from '@stamhoofd/models';
-import { AccessRight, EmailTemplate as EmailTemplateStruct, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordSettings, ResourcePermissions } from '@stamhoofd/structures';
+import { AccessRight, EmailTemplate as EmailTemplateStruct, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, GroupType, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, ReceivableBalanceType, RecordSettings, ResourcePermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { MemberRecordStore } from '../services/MemberRecordStore';
 import { addTemporaryMemberAccess, hasTemporaryMemberAccess } from './TemporaryMemberAccess';
@@ -70,6 +70,7 @@ export class AdminPermissionChecker {
             return await cache;
         }
 
+        console.log('Get group', groupId);
         const promise = Group.select()
             .where('id', groupId)
             .first(false);
@@ -80,6 +81,46 @@ export class AdminPermissionChecker {
         return group;
     }
 
+    async getGroups(groupIds: string[]): Promise<Group[]> {
+        const cached: Group[] = [];
+        const remainingIds: string[] = [];
+
+        for (const groupId of groupIds) {
+            const cache = this.groupsCache.get(groupId);
+            if (cache !== undefined) {
+                const resolved = await cache;
+                if (resolved) {
+                    cached.push(resolved);
+                }
+                else {
+                    // Not found, no need to readd
+                }
+            }
+            else {
+                remainingIds.push(groupId);
+            }
+        }
+
+        if (remainingIds.length > 0) {
+            console.log('Get groups', remainingIds);
+            const promise = Group.select()
+                .where('id', remainingIds)
+                .fetch();
+
+            for (const groupId of remainingIds) {
+                this.groupsCache.set(groupId, promise.then(list => list.find(l => l.id === groupId) ?? null));
+            }
+            const groups = await promise;
+            cached.push(...groups);
+
+            for (const groupId of remainingIds) {
+                this.groupsCache.set(groupId, groups.find(l => l.id === groupId) ?? null);
+            }
+        }
+
+        return cached;
+    }
+
     cacheGroup(group: Group) {
         this.groupsCache.set(group.id, group);
     }
@@ -178,7 +219,7 @@ export class AdminPermissionChecker {
     async canAccessGroup(group: Group, permissionLevel: PermissionLevel = PermissionLevel.Read): Promise<boolean> {
         // Check permissions aren't scoped to a specific organization, and they mismatch
         if (!this.checkScope(group.organizationId)) {
-            return false;
+            // return false;
         }
         const organization = await this.getOrganization(group.organizationId);
 
@@ -246,8 +287,13 @@ export class AdminPermissionChecker {
             return true;
         }
         if (asOrganizationId) {
-            if (group.settings.allowRegistrationsByOrganization) {
-                return await this.hasFullAccess(asOrganizationId);
+            if (group.settings.allowRegistrationsByOrganization && !group.getStructure().closed) {
+                if (group.organizationId !== asOrganizationId) {
+                    return await this.hasFullAccess(asOrganizationId);
+                }
+                else {
+                    return await this.hasSomeAccess(asOrganizationId);
+                }
             }
         }
         return false;
@@ -337,7 +383,7 @@ export class AdminPermissionChecker {
         }
 
         for (const registration of member.registrations) {
-            if (await this.canAccessRegistration(registration, permissionLevel)) {
+            if (await this.canAccessRegistration(registration, permissionLevel, false)) {
                 return true;
             }
         }
@@ -359,7 +405,7 @@ export class AdminPermissionChecker {
      */
     async canDeleteMember(member: MemberWithRegistrations) {
         if (member.registrations.length === 0 && this.isUserManager(member)) {
-            const cachedBalance = await CachedBalance.getForObjects([member.id]);
+            const cachedBalance = await CachedBalance.getForObjects([member.id], null, ReceivableBalanceType.member);
             if (cachedBalance.length === 0 || (cachedBalance[0].amountOpen === 0 && cachedBalance[0].amountPending === 0)) {
                 const platformMemberships = await MemberPlatformMembership.where({ memberId: member.id });
                 if (platformMemberships.length === 0) {
@@ -378,7 +424,7 @@ export class AdminPermissionChecker {
     /**
      * Note: only checks admin permissions. Users that 'own' this member can also access it but that does not use the AdminPermissionChecker
      */
-    async canAccessRegistration(registration: Registration, permissionLevel: PermissionLevel = PermissionLevel.Read) {
+    async canAccessRegistration(registration: Registration, permissionLevel: PermissionLevel = PermissionLevel.Read, checkMember = true) {
         if (registration.deactivatedAt || !registration.registeredAt) {
             // No full access: cannot access deactivated registrations
             return false;
@@ -404,7 +450,7 @@ export class AdminPermissionChecker {
             }
         }
 
-        const group = await this.getGroup(registration.groupId);
+        const group = Registration.group.isLoaded(registration) ? ((registration as any).group as Group) : await this.getGroup(registration.groupId);
         if (!group || group.deletedAt) {
             return false;
         }
@@ -413,6 +459,17 @@ export class AdminPermissionChecker {
             return true;
         }
 
+        if (permissionLevel === PermissionLevel.Read && checkMember && group.settings.implicitlyAllowViewRegistrations) {
+            // We can also view this registration if we have access to the member
+            const members = await Member.getBlobByIds(registration.memberId);
+
+            if (members.length === 1) {
+                if (await this.canAccessMember(members[0], permissionLevel)) {
+                    return true;
+                }
+            }
+        }
+
         return false;
     }
 
@@ -1298,6 +1355,7 @@ export class AdminPermissionChecker {
         }
 
         if (hasTemporaryMemberAccess(this.user.id, member.id, PermissionLevel.Full)) {
+            // You created this member, so temporary can read all records in order to set the member up correctly
             return {
                 canAccess: true,
                 record: record.record,

package/src/helpers/AuthenticatedStructures.ts

@@ -399,10 +399,10 @@ export class AuthenticatedStructures {
         if (Context.organization) {
             await BalanceItemService.flushCaches(Context.organization.id);
         }
-        const balances = await CachedBalance.getForObjects(registrationIds, null);
+        const balances = await CachedBalance.getForObjects(registrationIds, null, ReceivableBalanceType.registration);
         const memberIds = members.map(m => m.id);
         const allMemberBalances = Context.organization
-            ? (await CachedBalance.getForObjects(memberIds, Context.organization.id))
+            ? (await CachedBalance.getForObjects(memberIds, Context.organization.id, ReceivableBalanceType.member))
             : [];
 
         if (includeUser) {
@@ -468,7 +468,12 @@ export class AuthenticatedStructures {
                     }
                 }
                 if (organizations.get(registration.organizationId)?.active || (Context.auth.organization && Context.auth.organization.active && registration.organizationId === Context.auth.organization.id) || await Context.auth.hasFullAccess(registration.organizationId)) {
+                    /* if ( // Causes issues with bundle discount calculations
+                        registration.group.settings.implicitlyAllowViewRegistrations
+                        || await Context.auth.canAccessRegistration(registration, PermissionLevel.Read)
+                    ) { */
                     filtered.push(registration);
+                    // }
                 }
             }
             member.registrations = filtered;
@@ -619,7 +624,7 @@ export class AuthenticatedStructures {
                 const balancesPermission = member ? (await Context.auth.hasFinancialMemberAccess(member, PermissionLevel.Read, Context.organization?.id)) : false;
                 r = registration.getStructure();
                 r.balances = balancesPermission
-                    ? ((await CachedBalance.getForObjects([registration.id], null)).map((b) => {
+                    ? ((await CachedBalance.getForObjects([registration.id], null, ReceivableBalanceType.registration)).map((b) => {
                             return GenericBalance.create(b);
                         }))
                     : [];
@@ -863,7 +868,7 @@ export class AuthenticatedStructures {
         const members = memberIds.length > 0 ? await Member.getByIDs(...memberIds) : [];
 
         const userIds = Formatter.uniqueArray([
-            ...balances.filter(b => b.objectType === ReceivableBalanceType.user).map(b => b.objectId),
+            ...balances.filter(b => b.objectType === ReceivableBalanceType.user || b.objectType === ReceivableBalanceType.userWithoutMembers).map(b => b.objectId),
         ]);
         const users = userIds.length > 0 ? await User.getByIDs(...userIds) : [];
 
@@ -988,7 +993,7 @@ export class AuthenticatedStructures {
                     });
                 }
             }
-            else if (balance.objectType === ReceivableBalanceType.user) {
+            else if (balance.objectType === ReceivableBalanceType.user || balance.objectType === ReceivableBalanceType.userWithoutMembers) {
                 const user = users.find(m => m.id === balance.objectId) ?? null;
                 if (user) {
                     const url = Context.organization && Context.organization.id === balance.organizationId ? 'https://' + Context.organization.getHost() : '';
@@ -1024,7 +1029,7 @@ export class AuthenticatedStructures {
         const results: DetailedReceivableBalance[] = [];
 
         for (const { balance, object } of items) {
-            const balanceItems = await CachedBalance.balanceForObjects(organizationId, [balance.objectId], balance.objectType, true);
+            const balanceItems = await CachedBalance.balanceForObjects(organizationId, [balance.objectId], balance.objectType);
             const balanceItemsWithPayments = await BalanceItem.getStructureWithPayments(balanceItems);
 
             const result = DetailedReceivableBalance.create({

package/src/helpers/MemberUserSyncer.ts

@@ -1,7 +1,7 @@
 import { CachedBalance, Member, MemberResponsibilityRecord, MemberWithUsers, Organization, Platform, User } from '@stamhoofd/models';
 import { QueueHandler } from '@stamhoofd/queues';
 import { SQL } from '@stamhoofd/sql';
-import { AuditLogSource, MemberDetails, PermissionRole, Permissions, UserPermissions } from '@stamhoofd/structures';
+import { AuditLogSource, MemberDetails, PermissionRole, Permissions, ReceivableBalanceType, UserPermissions } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import basex from 'base-x';
 import crypto from 'crypto';
@@ -416,7 +416,7 @@ export class MemberUserSyncerStatic {
      */
     async updateUserBalance(userId: string, memberId: string) {
         // Update balance of this user, as it could have changed
-        const memberBalances = await CachedBalance.getForObjects([memberId]);
+        const memberBalances = await CachedBalance.getForObjects([memberId], null, ReceivableBalanceType.member);
         if (memberBalances.length > 0) {
             const organizationIds = Formatter.uniqueArray(memberBalances.map(b => b.organizationId));
             for (const organizationId of organizationIds) {

package/src/seeds/{1735577912-update-cached-outstanding-balance-from-items.ts → 1760535589-update-cached-outstanding-balance-from-items.ts}

@@ -21,6 +21,8 @@ export default new Migration(async () => {
         }
     });
 
+    await BalanceItemService.flushAll();
+
     console.log('Updated outstanding balance for ' + c + ' items');
 
     // Do something here

package/src/services/BalanceItemService.ts

@@ -163,6 +163,18 @@ export const BalanceItemService = {
         }
     },
 
+    scheduleUserUpdate(organizationId: string, userId: string) {
+        userUpdateQueue.addItem(organizationId, userId);
+    },
+
+    scheduleMemberUpdate(organizationId: string, memberId: string) {
+        memberUpdateQueue.addItem(organizationId, memberId);
+    },
+
+    scheduleOrganizationUpdate(organizationId: string, payingOrganizationId: string) {
+        organizationUpdateQueue.addItem(organizationId, payingOrganizationId);
+    },
+
     async markDue(balanceItem: BalanceItem) {
         if (balanceItem.status === BalanceItemStatus.Hidden) {
             balanceItem.status = BalanceItemStatus.Due;

package/src/sql-filters/base-registration-filter-compilers.ts

@@ -1,6 +1,59 @@
+import { SimpleError } from '@simonbackx/simple-errors';
 import { baseSQLFilterCompilers, createColumnFilter, createExistsFilter, SQL, SQLFilterDefinitions, SQLValueType } from '@stamhoofd/sql';
+import { FilterWrapperMarker, PermissionLevel, StamhoofdFilter, unwrapFilter } from '@stamhoofd/structures';
+import { Context } from '../helpers/Context';
 import { organizationFilterCompilers } from './organizations';
 
+async function checkGroupIdFilterAccess(filter: StamhoofdFilter, permissionLevel: PermissionLevel) {
+    const groupIds = typeof filter === 'string'
+        ? [filter]
+        : unwrapFilter(filter as StamhoofdFilter, {
+            $in: FilterWrapperMarker,
+        })?.markerValue;
+
+    if (!Array.isArray(groupIds)) {
+        throw new SimpleError({
+            code: 'invalid_field',
+            field: 'filter',
+            message: 'You must filter on a group of the organization you are trying to access',
+            human: $t(`d0ef2e12-dfa2-4d2a-9ee7-793e52e6b94f`),
+        });
+    }
+
+    if (groupIds.length === 0) {
+        return;
+    }
+
+    for (const groupId of groupIds) {
+        if (typeof groupId !== 'string') {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'filter',
+                message: 'Invalid group ID in filter',
+            });
+        }
+    }
+
+    const groups = await Context.auth.getGroups(groupIds as string[]);
+
+    console.log('Filtering registrations on groups', groups.map(g => g.settings.name.toString()));
+
+    for (const group of groups) {
+        if (!await Context.auth.canAccessGroup(group, permissionLevel)) {
+            if (permissionLevel === PermissionLevel.Read && group.settings.implicitlyAllowViewRegistrations) {
+                // Allowed to filter on this group, since we have view access.
+                continue;
+            }
+            throw Context.auth.error({
+                message: 'You do not have access to this group',
+                human: $t(`45eedf49-0f0a-442c-a0bd-7881c2682698`, { groupName: group.settings.name }),
+            });
+        }
+    }
+
+    return;
+}
+
 export const baseRegistrationFilterCompilers: SQLFilterDefinitions = {
     ...baseSQLFilterCompilers,
     id: createColumnFilter({
@@ -38,6 +91,9 @@ export const baseRegistrationFilterCompilers: SQLFilterDefinitions = {
         expression: SQL.column('groupId'),
         type: SQLValueType.String,
         nullable: false,
+        async checkPermission(filter) {
+            await checkGroupIdFilterAccess(filter, PermissionLevel.Read);
+        },
     }),
     registeredAt: createColumnFilter({
         expression: SQL.column('registeredAt'),
@@ -60,6 +116,9 @@ export const baseRegistrationFilterCompilers: SQLFilterDefinitions = {
             expression: SQL.column('groupId'),
             type: SQLValueType.String,
             nullable: false,
+            async checkPermission(filter) {
+                await checkGroupIdFilterAccess(filter, PermissionLevel.Read);
+            },
         }),
         type: createColumnFilter({
             expression: SQL.column('groups', 'type'),

package/src/sql-filters/orders.ts

@@ -1,4 +1,4 @@
-import { baseSQLFilterCompilers, createColumnFilter, SQL, SQLCast, SQLConcat, SQLJsonUnquote, SQLFilterDefinitions, SQLValueType, SQLScalar } from '@stamhoofd/sql';
+import { baseSQLFilterCompilers, createColumnFilter, SQL, SQLCast, SQLConcat, SQLJsonUnquote, SQLFilterDefinitions, SQLValueType, SQLScalar, createExistsFilter, createWildcardColumnFilter, SQLJsonExtract } from '@stamhoofd/sql';
 
 export const orderFilterCompilers: SQLFilterDefinitions = {
     ...baseSQLFilterCompilers,
@@ -106,4 +106,100 @@ export const orderFilterCompilers: SQLFilterDefinitions = {
         type: SQLValueType.Datetime,
         nullable: true,
     }),
+
+    items: createExistsFilter(
+        /**
+         * There is a bug in MySQL 8 that is fixed in 9.3
+         * where EXISTS (select * from json_table(...)) does not work
+         * To fix this, we do a double select with join inside the select
+         * It is a bit slower, but it works for now.
+         */
+        SQL.select()
+            .from('webshop_orders', 'innerOrders')
+            .join(
+                SQL.join(
+                    SQL.jsonTable(
+                        SQL.jsonValue(SQL.column('innerOrders', 'data'), '$.value.cart.items'),
+                        'items',
+                    )
+                        .addColumn(
+                            'amount',
+                            'INT',
+                            '$.amount',
+                        )
+                        .addColumn(
+                            'productId',
+                            'TEXT',
+                            '$.product.id',
+                        )
+                        .addColumn(
+                            'productPriceId',
+                            'TEXT',
+                            '$.productPrice.id',
+                        ),
+                ),
+            )
+            .where(SQL.column('innerOrders', 'id'), SQL.column('webshop_orders', 'id')),
+        {
+            ...baseSQLFilterCompilers,
+            amount: createColumnFilter({
+                expression: SQL.column('items', 'amount'),
+                type: SQLValueType.Number,
+                nullable: false,
+            }),
+            product: {
+                ...baseSQLFilterCompilers,
+                id: createColumnFilter({
+                    expression: SQL.column('items', 'productId'),
+                    type: SQLValueType.String,
+                    nullable: false,
+                }),
+            },
+            productPrice: {
+                ...baseSQLFilterCompilers,
+                id: createColumnFilter({
+                    expression: SQL.column('items', 'productPriceId'),
+                    type: SQLValueType.String,
+                    nullable: false,
+                }),
+            },
+        },
+    ),
+
+    recordAnswers: createWildcardColumnFilter(
+        (key: string) => ({
+            expression: SQL.jsonValue(SQL.column('data'), `$.value.recordAnswers.${SQLJsonExtract.escapePathComponent(key)}`, true),
+            type: SQLValueType.JSONObject,
+            nullable: true,
+        }),
+        (key: string) => ({
+            ...baseSQLFilterCompilers,
+            selected: createColumnFilter({
+                expression: SQL.jsonValue(SQL.column('data'), `$.value.recordAnswers.${SQLJsonExtract.escapePathComponent(key)}.selected`, true),
+                type: SQLValueType.JSONBoolean,
+                nullable: true,
+            }),
+            selectedChoice: {
+                ...baseSQLFilterCompilers,
+                id: createColumnFilter({
+                    expression: SQL.jsonValue(SQL.column('data'), `$.value.recordAnswers.${SQLJsonExtract.escapePathComponent(key)}.selectedChoice.id`, true),
+                    type: SQLValueType.JSONString,
+                    nullable: true,
+                }),
+            },
+            selectedChoices: {
+                ...baseSQLFilterCompilers,
+                id: createColumnFilter({
+                    expression: SQL.jsonValue(SQL.column('data'), `$.value.recordAnswers.${SQLJsonExtract.escapePathComponent(key)}.selectedChoices[*].id`, true),
+                    type: SQLValueType.JSONArray,
+                    nullable: true,
+                }),
+            },
+            value: createColumnFilter({
+                expression: SQL.jsonValue(SQL.column('data'), `$.value.recordAnswers.${SQLJsonExtract.escapePathComponent(key)}.value`, true),
+                type: SQLValueType.JSONString,
+                nullable: true,
+            }),
+        }),
+    ),
 };

package/src/sql-filters/receivable-balances.ts

@@ -97,7 +97,8 @@ export const receivableBalanceFilterCompilers: SQLFilterDefinitions = {
                 SQL.column('cached_outstanding_balances', 'objectId'),
             ).where(
                 SQL.column('cached_outstanding_balances', 'objectType'),
-                'user'),
+                ['user', 'userWithoutMembers'],
+            ),
         {
             ...baseSQLFilterCompilers,
             name: createColumnFilter({
@@ -109,6 +110,11 @@ export const receivableBalanceFilterCompilers: SQLFilterDefinitions = {
                 type: SQLValueType.String,
                 nullable: false,
             }),
+            email: createColumnFilter({
+                expression: SQL.column('email'),
+                type: SQLValueType.String,
+                nullable: false,
+            }),
         },
     ),