npm - @stamhoofd/backend - Versions diffs - 2.101.0 → 2.103.0 - Mend

@stamhoofd/backend 2.101.0 → 2.103.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/src/endpoints/global/registration/RegisterMembersEndpoint.test.ts CHANGED Viewed

@@ -1,12 +1,15 @@
 import { Request } from '@simonbackx/simple-endpoints';
 import { EmailMocker } from '@stamhoofd/email';
 import { BalanceItemFactory, Group, GroupFactory, MemberFactory, MemberWithRegistrations, Organization, OrganizationFactory, OrganizationRegistrationPeriodFactory, Registration, RegistrationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, UserFactory } from '@stamhoofd/models';
-import { BalanceItemCartItem, BalanceItemType, Company, GroupOption, GroupOptionMenu, IDRegisterCart, IDRegisterCheckout, IDRegisterItem, OrganizationPackages, PaymentCustomer, PaymentMethod, PermissionLevel, Permissions, ReduceablePrice, RegisterItemOption, STPackageStatus, STPackageType, UserPermissions, Version } from '@stamhoofd/structures';
+import { BalanceItemCartItem, BalanceItemStatus, BalanceItemType, BooleanStatus, Company, GroupOption, GroupOptionMenu, IDRegisterCart, IDRegisterCheckout, IDRegisterItem, OrganizationPackages, PaymentCustomer, PaymentMethod, PermissionLevel, Permissions, PermissionsResourceType, ReduceablePrice, RegisterItemOption, ResourcePermissions, STPackageStatus, STPackageType, UserPermissions, Version } from '@stamhoofd/structures';
 import { STExpect, TestUtils } from '@stamhoofd/test-utils';
 import { v4 as uuidv4 } from 'uuid';
 import { testServer } from '../../../../tests/helpers/TestServer';
 import { initPayconiq } from '../../../../tests/init/initPayconiq';
 import { RegisterMembersEndpoint } from './RegisterMembersEndpoint';
+import { assertBalances } from '../../../../tests/assertions/assertBalances';
+import PersistentFile from 'formidable/PersistentFile';
+import { PatchMap } from '@simonbackx/simple-encoding';
 const baseUrl = `/v${Version}/members/register`;
@@ -15,6 +18,7 @@ describe('Endpoint.RegisterMembers', () => {
     const endpoint = new RegisterMembersEndpoint();
     let period: RegistrationPeriod;
     let defaultPermissionLevel = PermissionLevel.None;
+    let defaultLinkMembersToUser = true;
     const post = async (body: IDRegisterCheckout, organization: Organization, token: Token) => {
         const request = Request.buildJson('POST', baseUrl, organization.getApiHost(), body);
         request.headers.authorization = 'Bearer ' + token.accessToken;
@@ -52,7 +56,7 @@ describe('Endpoint.RegisterMembers', () => {
         return { organization, organizationRegistrationPeriod };
     };
-    async function initData({ otherMemberAmount = 0, permissionLevel = defaultPermissionLevel }: { otherMemberAmount?: number; permissionLevel?: PermissionLevel } = {}) {
+    async function initData({ otherMemberAmount = 0, groupPermissionLevel = PermissionLevel.None, memberPermissionLevel = PermissionLevel.None, permissionLevel = defaultPermissionLevel, linkMembersToUser = defaultLinkMembersToUser }: { otherMemberAmount?: number; memberPermissionLevel?: PermissionLevel; groupPermissionLevel?: PermissionLevel; permissionLevel?: PermissionLevel; linkMembersToUser?: boolean } = {}) {
         const { organization, organizationRegistrationPeriod } = await initOrganization(period);
         const user = await new UserFactory({
@@ -67,23 +71,73 @@ describe('Endpoint.RegisterMembers', () => {
         const token = await Token.createToken(user);
-        const member = await new MemberFactory({ organization, user })
+        const member = await new MemberFactory({ organization, user: linkMembersToUser ? user : undefined })
             .create();
         const otherMembers: MemberWithRegistrations[] = [];
         for (let i = 0; i < otherMemberAmount; i++) {
-            otherMembers.push(await new MemberFactory({ organization, user })
+            otherMembers.push(await new MemberFactory({ organization, user: linkMembersToUser ? user : undefined })
                 .create());
         }
+        if (!linkMembersToUser && (permissionLevel !== PermissionLevel.None || memberPermissionLevel !== null)) {
+            // Give write permission to the member by registering them for another group
+            const genericGroup = await new GroupFactory({
+                organization,
+                price: 0,
+            })
+                .create();
+            await new RegistrationFactory({
+                member,
+                group: genericGroup,
+                groupPrice: genericGroup.settings.prices[0],
+            }).create();
+            if (memberPermissionLevel !== PermissionLevel.None) {
+                // Grant permissions to this genericGroup
+                user.permissions = user.permissions ?? UserPermissions.create({});
+                let org = user.permissions.organizationPermissions.get(organization.id) ?? Permissions.create({});
+                const p = Permissions.patch({});
+                p.resources.set(PermissionsResourceType.Groups, new PatchMap([[
+                    genericGroup.id, ResourcePermissions.patch({
+                        level: memberPermissionLevel,
+                    }),
+                ]]));
+                org = org.patch(p);
+                user.permissions.organizationPermissions.set(organization.id, org);
+                // Save
+                await user.save();
+            }
+        }
         const group = await new GroupFactory({
             organization,
             price: 25_00,
+            reducedPrice: 12_50,
             stock: 500,
         })
             .create();
+        if (groupPermissionLevel !== PermissionLevel.None) {
+            // Grant permissions to this genericGroup
+            user.permissions = user.permissions ?? UserPermissions.create({});
+            let org = user.permissions.organizationPermissions.get(organization.id) ?? Permissions.create({});
+            const p = Permissions.patch({});
+            p.resources.set(PermissionsResourceType.Groups, new PatchMap([[
+                group.id, ResourcePermissions.patch({
+                    level: groupPermissionLevel,
+                }),
+            ]]));
+            org = org.patch(p);
+            user.permissions.organizationPermissions.set(organization.id, org);
+            // Save
+            await user.save();
+        }
         const groupPrice = group.settings.prices[0];
         return {
@@ -101,6 +155,7 @@ describe('Endpoint.RegisterMembers', () => {
     describe('Register as member', () => {
         beforeEach(() => {
             defaultPermissionLevel = PermissionLevel.None;
+            defaultLinkMembersToUser = true;
         });
         test('Should fail if demo limit reached', async () => {
@@ -1161,6 +1216,7 @@ describe('Endpoint.RegisterMembers', () => {
     describe('Register as organization', () => {
         beforeEach(() => {
             defaultPermissionLevel = PermissionLevel.Full;
+            defaultLinkMembersToUser = false;
         });
         test('Should reuse recently deactivated registration', async () => {
@@ -1246,15 +1302,272 @@ describe('Endpoint.RegisterMembers', () => {
                     code: 'cannot_pay_balance_items',
                 }));
         });
+        /**
+         * Case: you have write permission - but no access to financial data.
+         */
+        test('Registering members with financial support', async () => {
+            const { member, user, groupPrice, group, organization, token } = await initData({
+                permissionLevel: PermissionLevel.Write,
+            });
+            // Set member financial data status
+            member.details.requiresFinancialSupport = BooleanStatus.create({ value: true });
+            await member.save();
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            id: uuidv4(),
+                            replaceRegistrationIds: [],
+                            options: [],
+                            groupPrice,
+                            organizationId: organization.id,
+                            groupId: group.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                    balanceItems: [
+                    ],
+                    deleteRegistrationIds: [],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 25_00, // This is wrong, but the admin should not know that since he/she does not know the actual financial status of the member
+                asOrganizationId: organization.id,
+            });
+            const response = await post(body, organization, token);
+            expect(response.body.registrations.length).toBe(1);
+            // No balance information leaks
+            expect(response.body.registrations[0].balances.length).toEqual(0);
+            // Check acual charged amount
+            const registration = (await Registration.getByID(response.body.registrations[0].id))!;
+            expect(registration).toBeDefined();
+            expect(registration.discounts).toMatchMap(new Map([]));
+            // Check balance has been added
+            await assertBalances({ member }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration.id,
+                    amount: 1,
+                    price: 12_50,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 12_50,
+                    pricePending: 0,
+                },
+            ]);
+            // Check member in response doesn't include sensitive data
+            const memberInResponse = response.body.members.members.find(m => m.id === member.id)!;
+            expect(memberInResponse).toBeDefined();
+            expect(memberInResponse.details.requiresFinancialSupport).toBe(null);
+            const returnedRegistration = memberInResponse.registrations.find(r => r.id === registration.id)!;
+            expect(returnedRegistration).toBeDefined();
+            expect(returnedRegistration.balances.length).toBe(0);
+        });
+        /**
+         * Negative test for previous test
+         */
+        test('Can register a member as full admin', async () => {
+            const { member, groupPrice, group, organization, token } = await initData({});
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            id: uuidv4(),
+                            replaceRegistrationIds: [],
+                            options: [],
+                            groupPrice,
+                            organizationId: organization.id,
+                            groupId: group.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                    balanceItems: [
+                    ],
+                    deleteRegistrationIds: [],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 25_00,
+                asOrganizationId: organization.id,
+            });
+            const response = await post(body, organization, token);
+            expect(response.body.registrations.length).toBe(1);
+            // Check acual charged amount
+            const registration = (await Registration.getByID(response.body.registrations[0].id))!;
+            expect(registration).toBeDefined();
+            expect(registration.discounts).toMatchMap(new Map([]));
+            // Check balance has been added
+            await assertBalances({ member }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration.id,
+                    amount: 1,
+                    price: 25_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 25_00,
+                    pricePending: 0,
+                },
+            ]);
+            // Check member in response does include financial data
+            const memberInResponse = response.body.members.members.find(m => m.id === member.id)!;
+            expect(memberInResponse).toBeDefined();
+            const returnedRegistration = memberInResponse.registrations.find(r => r.id === registration.id)!;
+            expect(returnedRegistration).toBeDefined();
+            expect(returnedRegistration.balances.length).not.toBe(0);
+        });
+        test('Can register a member as admin with write permission to new group only', async () => {
+            // read permission to existing member, write permission to new group you want to register the member in
+            const { member, groupPrice, group, organization, token } = await initData({
+                permissionLevel: PermissionLevel.None,
+                groupPermissionLevel: PermissionLevel.Write,
+                memberPermissionLevel: PermissionLevel.Read,
+            });
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            id: uuidv4(),
+                            replaceRegistrationIds: [],
+                            options: [],
+                            groupPrice,
+                            organizationId: organization.id,
+                            groupId: group.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                    balanceItems: [
+                    ],
+                    deleteRegistrationIds: [],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 25_00,
+                asOrganizationId: organization.id,
+            });
+            const response = await post(body, organization, token);
+            expect(response.body.registrations.length).toBe(1);
+            // No balance information leaks
+            expect(response.body.registrations[0].balances.length).toEqual(0);
+            // Check acual charged amount
+            const registration = (await Registration.getByID(response.body.registrations[0].id))!;
+            expect(registration).toBeDefined();
+            expect(registration.discounts).toMatchMap(new Map([]));
+            // Check balance has been added
+            await assertBalances({ member }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration.id,
+                    amount: 1,
+                    price: 25_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 25_00,
+                    pricePending: 0,
+                },
+            ]);
+        });
+        test('Cannot register a member with only read permissions', async () => {
+            const { member, groupPrice, group, organization, token } = await initData({
+                permissionLevel: PermissionLevel.None,
+                groupPermissionLevel: PermissionLevel.Read,
+                memberPermissionLevel: PermissionLevel.Read,
+            });
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            id: uuidv4(),
+                            replaceRegistrationIds: [],
+                            options: [],
+                            groupPrice,
+                            organizationId: organization.id,
+                            groupId: group.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                    balanceItems: [
+                    ],
+                    deleteRegistrationIds: [],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 25_00,
+                asOrganizationId: organization.id,
+            });
+            // send request and check occupancy
+            await expect(async () => await post(body, organization, token)).rejects.toThrow('No permission to register in this group');
+        });
+        test('Cannot register a member with only read permissions even when having full permissions to the specific member', async () => {
+            const { member, groupPrice, group, organization, token } = await initData({
+                // No global organization permissions
+                permissionLevel: PermissionLevel.None,
+                groupPermissionLevel: PermissionLevel.Read, // Only read access to the new group
+                memberPermissionLevel: PermissionLevel.Full, // Full access to the member
+            });
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            id: uuidv4(),
+                            replaceRegistrationIds: [],
+                            options: [],
+                            groupPrice,
+                            organizationId: organization.id,
+                            groupId: group.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                    balanceItems: [
+                    ],
+                    deleteRegistrationIds: [],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 25_00,
+                asOrganizationId: organization.id,
+            });
+            // send request and check occupancy
+            await expect(async () => await post(body, organization, token)).rejects.toThrow('No permission to register in this group');
+        });
     });
     describe('Register by other organization', () => {
         beforeEach(() => {
             defaultPermissionLevel = PermissionLevel.Full;
+            defaultLinkMembersToUser = false;
         });
         async function initDualData(options?: Parameters<typeof initData>[0]) {
-            const base = await initData(options);
+            const base = await initData({ ...options, permissionLevel: PermissionLevel.None });
             base.group.settings.allowRegistrationsByOrganization = true;
             await base.group.save();
@@ -1270,6 +1583,18 @@ describe('Endpoint.RegisterMembers', () => {
             });
             await base.user.save();
+            // Give the user permission to the original member
+            const genericGroup = await new GroupFactory({
+                organization: organization2,
+                price: 0,
+            }).create();
+            await new RegistrationFactory({
+                member: base.member,
+                group: genericGroup,
+                groupPrice: genericGroup.settings.prices[0],
+            }).create();
             return {
                 ...base,
                 organization2,
@@ -1760,9 +2085,11 @@ describe('Endpoint.RegisterMembers', () => {
             // #endregion
         });
-        test('Move registration should fail if admin of same organization', async () => {
-            // #region arrange
-            const { organization, group: group1, groupPrice: groupPrice1, token, member } = await initData();
+        test('Move registration should fail via member portal (no asOrganizationId set)', async () => {
+            const { organization, group: group1, groupPrice: groupPrice1, token, member } = await initData({
+                permissionLevel: defaultPermissionLevel,
+                linkMembersToUser: true,
+            });
             const registration = await new RegistrationFactory({
                 member,
@@ -1801,14 +2128,9 @@ describe('Endpoint.RegisterMembers', () => {
                 totalPrice: 5,
                 customer: null,
             });
-            // #endregion
-            // #region act and assert
             // send request and check occupancy
             await expect(async () => await post(body, organization, token)).rejects.toThrow('Not allowed to move registrations');
-            // #endregion
         });
     });
@@ -1885,8 +2207,10 @@ describe('Endpoint.RegisterMembers', () => {
         });
         test('Should throw error if deleting registrations as normal member', async () => {
-            // #region arrange
-            const { member, group: group1, groupPrice: groupPrice1, organization: organization1, token } = await initData();
+            const { member, group: group1, groupPrice: groupPrice1, organization: organization1, token } = await initData({
+                permissionLevel: PermissionLevel.Full,
+                linkMembersToUser: true,
+            });
             await initPayconiq({ organization: organization1 });
             const registration = await new RegistrationFactory({
@@ -1933,7 +2257,6 @@ describe('Endpoint.RegisterMembers', () => {
         });
         test('Should deactivate registration', async () => {
-            // #region arrange
             const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData();
             const registration = await new RegistrationFactory({
@@ -1973,15 +2296,12 @@ describe('Endpoint.RegisterMembers', () => {
                 asOrganizationId: organization.id,
                 customer: null,
             });
-            // #endregion
-            // #region act and assert
             await post(body, organization, token);
             const updatedRegistration = await Registration.getByID(registration.id);
             expect(updatedRegistration).toBeDefined();
             expect(updatedRegistration!.deactivatedAt).not.toBe(null);
-            // #endregion
         });
         test('Should fail if invalid cancelation fee', async () => {
@@ -2059,9 +2379,10 @@ describe('Endpoint.RegisterMembers', () => {
             }
         });
-        test('Delete by member should fail if no permission to delete registration', async () => {
-            // #region arrange
-            const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData();
+        test('Cannot delete registrations via the member portal', async () => {
+            const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData({
+                linkMembersToUser: true,
+            });
             const registration = await new RegistrationFactory({
                 member,
@@ -2099,18 +2420,51 @@ describe('Endpoint.RegisterMembers', () => {
                 totalPrice: 5,
                 customer: null,
             });
-            // #endregion
-            // #region act and assert
             await expect(async () => await post(body, organization, token))
                 .rejects
                 .toThrow(new RegExp('Permission denied: you are not allowed to delete registrations'));
-            // #endregion
         });
-        test('Delete by organization should fail if no permission to delete registration', async () => {
-            // #region arrange
-            const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData({ permissionLevel: PermissionLevel.Read });
+        test('Cannot delete registrations as admin if no write permission to group', async () => {
+            const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData({
+                permissionLevel: PermissionLevel.None,
+                groupPermissionLevel: PermissionLevel.Read,
+                memberPermissionLevel: PermissionLevel.Full,
+                linkMembersToUser: false,
+            });
+            const registration = await new RegistrationFactory({
+                member,
+                group: group1,
+                groupPrice: groupPrice1,
+            }).create();
+            const body = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [],
+                    balanceItems: [],
+                    deleteRegistrationIds: [registration.id],
+                }),
+                administrationFee: 0,
+                freeContribution: 0,
+                paymentMethod: PaymentMethod.PointOfSale,
+                totalPrice: 0,
+                customer: null,
+                asOrganizationId: organization.id,
+            });
+            await expect(async () => await post(body, organization, token)).rejects.toThrow(/No permission to delete this registration/);
+        });
+        /**
+         * userManager does not allow unregistering your own members, even when you have some admin permissions and set asOrganizationId
+         */
+        test('Cannot delete registrations as admin if no write permission to group but does have userManager permissions', async () => {
+            const { member, group: group1, groupPrice: groupPrice1, organization, token } = await initData({
+                permissionLevel: PermissionLevel.Read,
+                linkMembersToUser: true,
+            });
             const registration = await new RegistrationFactory({
                 member,
@@ -2131,11 +2485,8 @@ describe('Endpoint.RegisterMembers', () => {
                 customer: null,
                 asOrganizationId: organization.id,
             });
-            // #endregion
-            // #region act and assert
             await expect(async () => await post(body, organization, token)).rejects.toThrow(/No permission to delete this registration/);
-            // #endregion
         });
         test('Should fail if registration does not exist anymore', async () => {