@stamhoofd/backend 2.102.0 → 2.103.0

package/src/endpoints/global/registration/RegisterMembersEndpoint.ts

@@ -67,8 +67,25 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         const organization = await Context.setOrganizationScope();
         const { user } = await Context.authenticate();
 
-        if (request.body.asOrganizationId && request.body.asOrganizationId !== organization.id) {
-            if (!await Context.auth.canManageFinances(request.body.asOrganizationId)) {
+        // Who is going to pay?
+        let whoWillPayNow: 'member' | 'organization' | 'nobody' = 'member'; // if this is set to 'organization', there will also be created separate balance items so the member can pay back the paying organization
+
+        if (request.body.asOrganizationId && request.body.asOrganizationId === organization.id) {
+            // Fast fail
+            if (!await Context.auth.hasSomeAccess(request.body.asOrganizationId)) {
+                throw new SimpleError({
+                    code: 'forbidden',
+                    message: 'No permission to register members manually',
+                    human: $t(`62fe6e39-f6b0-4836-b0f7-dc84d22a81e3`),
+                    statusCode: 403,
+                });
+            }
+
+            // We won't create a payment. The balance will get added to the outstanding amount of the member / already paying organization
+            whoWillPayNow = 'nobody';
+        }
+        else if (request.body.asOrganizationId && request.body.asOrganizationId !== organization.id) {
+            if (!await Context.auth.hasFullAccess(request.body.asOrganizationId)) {
                 throw new SimpleError({
                     code: 'forbidden',
                     message: 'No permission to register as this organization for a different organization',
@@ -76,6 +93,9 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                     statusCode: 403,
                 });
             }
+
+            // The organization will pay to the organizing organization, and it will get added to the outstanding amount of the member towards the paying organization
+            whoWillPayNow = 'organization';
         }
 
         // For non paid organizations, limit amount of tests
@@ -145,7 +165,10 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         }
 
         for (const member of members) {
-            if (!await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+            if (!await Context.auth.canAccessMember(
+                member,
+                request.body.asOrganizationId ? PermissionLevel.Read : PermissionLevel.Write,
+            )) {
                 throw new SimpleError({
                     code: 'forbidden',
                     message: 'No permission to register this member',
@@ -170,7 +193,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             for (const memberId of memberIds) {
                 const familyMembers = (await Member.getFamilyWithRegistrations(memberId));
                 members.push(...familyMembers);
-                const blob = await AuthenticatedStructures.membersBlob(familyMembers, true);
+                const blob = await AuthenticatedStructures.membersBlob(familyMembers, true, undefined, { forAdminCartCalculation: true });
                 const family = PlatformFamily.create(blob, {
                     platform: platformStruct,
                     contextOrganization,
@@ -225,22 +248,18 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         const totalPrice = checkout.totalPrice;
 
         if (totalPrice !== request.body.totalPrice) {
-            throw new SimpleError({
-                code: 'changed_price',
-                message: $t(`e424d549-2bb8-4103-9a14-ac4063d7d454`, { total: Formatter.price(totalPrice) }),
-            });
-        }
-
-        // Who is going to pay?
-        let whoWillPayNow: 'member' | 'organization' | 'nobody' = 'member'; // if this is set to 'organization', there will also be created separate balance items so the member can pay back the paying organization
-
-        if (request.body.asOrganizationId && request.body.asOrganizationId === organization.id) {
-            // Will get added to the outstanding amount of the member / already paying organization
-            whoWillPayNow = 'nobody';
-        }
-        else if (request.body.asOrganizationId && request.body.asOrganizationId !== organization.id) {
-            // The organization will pay to the organizing organization, and it will get added to the outstanding amount of the member towards the paying organization
-            whoWillPayNow = 'organization';
+            if (whoWillPayNow === 'nobody') {
+                // Safe and important to ignore: we are only updating the outstanding amounts
+                // If we would throw here, that could leak personal data (e.g. that the user uses financial support)
+            }
+            else {
+                // when whoWillPay = organization/member, we should throw or the payment amount could be different / incorrect.
+                // This never leaks information because in this case the user already has full access to the organization (asOrganizationId) or the member
+                throw new SimpleError({
+                    code: 'changed_price',
+                    message: $t(`e424d549-2bb8-4103-9a14-ac4063d7d454`, { total: Formatter.price(totalPrice) }),
+                });
+            }
         }
 
         const registrationMemberRelation = new ManyToOneRelation(Member, 'member');
@@ -763,6 +782,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         }
 
         let paymentUrl: string | null = null;
+        let paymentQRCode: string | null = null;
         let payment: Payment | null = null;
 
         // Delay marking as valid as late as possible so any errors will prevent creating valid balance items
@@ -814,6 +834,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
 
                 if (response) {
                     paymentUrl = response.paymentUrl;
+                    paymentQRCode = response.paymentQRCode;
                     payment = response.payment;
                 }
             }
@@ -841,6 +862,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             members: await AuthenticatedStructures.membersBlob(updatedMembers),
             registrations: registrations.map(r => Member.getRegistrationWithTinyMemberStructure(r)),
             paymentUrl,
+            paymentQRCode,
         }));
     }
 
@@ -1047,6 +1069,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         const description = $t(`33a926ea-9bc7-444e-becc-c0f2f70e1f0e`) + ' ' + organization.name;
 
         let paymentUrl: string | null = null;
+        let paymentQRCode: string | null = null;
 
         try {
             // Update balance items
@@ -1144,7 +1167,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                     await dbPayment.save();
                 }
                 else if (payment.provider === PaymentProvider.Payconiq) {
-                    paymentUrl = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, webhookUrl);
+                    ({ paymentUrl, paymentQRCode } = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, webhookUrl));
                 }
                 else if (payment.provider == PaymentProvider.Buckaroo) {
                     // Increase request timeout because buckaroo is super slow (in development)
@@ -1175,6 +1198,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             provider,
             stripeAccount,
             paymentUrl,
+            paymentQRCode,
         };
     }
 }

package/src/endpoints/organization/webshops/PlaceOrderEndpoint.ts

@@ -224,7 +224,8 @@ export class PlaceOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBo
                 balanceItemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem));
 
                 let paymentUrl: string | null = null;
-                const description = webshop.meta.name + ' - ' + payment.id;
+                let paymentQRCode: string | null = null;
+                const description = webshop.meta.name + ' - ' + organization.name;
 
                 if (payment.method === PaymentMethod.Transfer) {
                     await order.markValid(payment, []);
@@ -324,7 +325,7 @@ export class PlaceOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBo
                         await dbPayment.save();
                     }
                     else if (payment.provider == PaymentProvider.Payconiq) {
-                        paymentUrl = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, exchangeUrl);
+                        ({ paymentUrl, paymentQRCode } = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, exchangeUrl));
                     }
                     else if (payment.provider == PaymentProvider.Buckaroo) {
                         // Increase request timeout because buckaroo is super slow
@@ -351,6 +352,7 @@ export class PlaceOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBo
 
                 return new Response(OrderResponse.create({
                     paymentUrl: paymentUrl,
+                    paymentQRCode,
                     order: OrderStruct.create({ ...order, payment: PaymentStruct.create(payment) }),
                 }));
             }

package/src/helpers/AdminPermissionChecker.ts

@@ -424,7 +424,7 @@ export class AdminPermissionChecker {
     /**
      * Note: only checks admin permissions. Users that 'own' this member can also access it but that does not use the AdminPermissionChecker
      */
-    async canAccessRegistration(registration: Registration, permissionLevel: PermissionLevel = PermissionLevel.Read, checkMember = true) {
+    async canAccessRegistration(registration: Registration, permissionLevel: PermissionLevel = PermissionLevel.Read, checkMember: boolean | MemberWithRegistrations = true) {
         if (registration.deactivatedAt || !registration.registeredAt) {
             // No full access: cannot access deactivated registrations
             return false;
@@ -461,7 +461,7 @@ export class AdminPermissionChecker {
 
         if (permissionLevel === PermissionLevel.Read && checkMember && group.settings.implicitlyAllowViewRegistrations) {
             // We can also view this registration if we have access to the member
-            const members = await Member.getBlobByIds(registration.memberId);
+            const members = checkMember === true ? await Member.getBlobByIds(registration.memberId) : [checkMember];
 
             if (members.length === 1) {
                 if (await this.canAccessMember(members[0], permissionLevel)) {
@@ -1416,7 +1416,7 @@ export class AdminPermissionChecker {
     /**
      * Changes data inline
      */
-    async filterMemberData(member: MemberWithRegistrations, data: MemberWithRegistrationsBlob): Promise<MemberWithRegistrationsBlob> {
+    async filterMemberData(member: MemberWithRegistrations, data: MemberWithRegistrationsBlob, options?: { forAdminCartCalculation?: boolean }): Promise<MemberWithRegistrationsBlob> {
         const cloned = data.clone();
 
         for (const [key, value] of cloned.details.recordAnswers.entries()) {
@@ -1444,7 +1444,7 @@ export class AdminPermissionChecker {
         }
 
         // Has financial read access?
-        if (!await this.hasFinancialMemberAccess(member, PermissionLevel.Read)) {
+        if (!options?.forAdminCartCalculation && !await this.hasFinancialMemberAccess(member, PermissionLevel.Read)) {
             cloned.details.requiresFinancialSupport = null;
             cloned.details.uitpasNumber = null;
             cloned.outstandingBalance = 0;

package/src/helpers/AuthenticatedStructures.ts

@@ -388,7 +388,7 @@ export class AuthenticatedStructures {
         return (await this.membersBlob(members, false)).members;
     }
 
-    static async membersBlob(members: MemberWithRegistrations[], includeContextOrganization = false, includeUser?: User): Promise<MembersBlob> {
+    static async membersBlob(members: MemberWithRegistrations[], includeContextOrganization = false, includeUser?: User, options?: { forAdminCartCalculation?: boolean }): Promise<MembersBlob> {
         if (members.length === 0 && !includeUser) {
             return MembersBlob.create({ members: [], organizations: [] });
         }
@@ -459,6 +459,7 @@ export class AuthenticatedStructures {
             const filtered: (Registration & {
                 group: Group;
             })[] = [];
+            const userManager = Context.auth.isUserManager(member);
             for (const registration of member.registrations) {
                 if (includeContextOrganization || registration.organizationId !== Context.auth.organization?.id) {
                     const found = organizations.get(registration.id);
@@ -468,16 +469,18 @@ export class AuthenticatedStructures {
                     }
                 }
                 if (organizations.get(registration.organizationId)?.active || (Context.auth.organization && Context.auth.organization.active && registration.organizationId === Context.auth.organization.id) || await Context.auth.hasFullAccess(registration.organizationId)) {
-                    /* if ( // Causes issues with bundle discount calculations
-                        registration.group.settings.implicitlyAllowViewRegistrations
-                        || await Context.auth.canAccessRegistration(registration, PermissionLevel.Read)
-                    ) { */
-                    filtered.push(registration);
-                    // }
+                    if (
+                        !!options?.forAdminCartCalculation
+                        || registration.group.settings.implicitlyAllowViewRegistrations
+                        || userManager
+                        || await Context.auth.canAccessRegistration(registration, PermissionLevel.Read, member)
+                    ) {
+                        filtered.push(registration);
+                    }
                 }
             }
             member.registrations = filtered;
-            const balancesPermission = await Context.auth.hasFinancialMemberAccess(member, PermissionLevel.Read, Context.organization?.id);
+            const balancesPermission = (!!options?.forAdminCartCalculation) || await Context.auth.hasFinancialMemberAccess(member, PermissionLevel.Read, Context.organization?.id);
 
             let memberBalances: GenericBalance[] = [];
 
@@ -512,7 +515,7 @@ export class AuthenticatedStructures {
             });
 
             memberBlobs.push(
-                await Context.auth.filterMemberData(member, blob),
+                await Context.auth.filterMemberData(member, blob, { forAdminCartCalculation: options?.forAdminCartCalculation ?? false }),
             );
         }
 

package/src/services/PaymentService.ts

@@ -260,6 +260,9 @@ export const PaymentService = {
                                 if (await payconiqPayment.cancel(organization)) {
                                     status = PaymentStatus.Failed;
                                 }
+                                else {
+                                    console.error('Failed to manually cancel payment');
+                                }
                             }
 
                             if (this.isManualExpired(status, payment)) {

package/tests/e2e/bundle-discounts.test.ts

@@ -1,6 +1,6 @@
 import { Request } from '@simonbackx/simple-endpoints';
 import { BalanceItem, BalanceItemFactory, GroupFactory, MemberFactory, Organization, OrganizationFactory, OrganizationRegistrationPeriodFactory, Registration, RegistrationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, UserFactory } from '@stamhoofd/models';
-import { AppliedRegistrationDiscount, BalanceItemRelation, BalanceItemRelationType, BalanceItemStatus, BalanceItemType, BooleanStatus, GroupPriceDiscount, GroupPriceDiscountType, IDRegisterCart, IDRegisterCheckout, IDRegisterItem, PaymentMethod, PermissionLevel, Permissions, ReduceablePrice } from '@stamhoofd/structures';
+import { AccessRight, AppliedRegistrationDiscount, BalanceItemRelation, BalanceItemRelationType, BalanceItemStatus, BalanceItemType, BooleanStatus, GroupPriceDiscount, GroupPriceDiscountType, IDRegisterCart, IDRegisterCheckout, IDRegisterItem, PaymentMethod, PermissionLevel, Permissions, PermissionsResourceType, ReduceablePrice, ResourcePermissions } from '@stamhoofd/structures';
 import { STExpect, TestUtils } from '@stamhoofd/test-utils';
 import { RegisterMembersEndpoint } from '../../src/endpoints/global/registration/RegisterMembersEndpoint';
 import { assertBalances } from '../assertions/assertBalances';
@@ -9,6 +9,7 @@ import { initBundleDiscount } from '../init/initBundleDiscount';
 import { initStripe } from '../init/initStripe';
 import { initAdmin } from '../init/initAdmin';
 import { BalanceItemService } from '../../src/services/BalanceItemService';
+import { initPermissionRole } from '../init';
 
 const baseUrl = `/members/register`;
 
@@ -3388,10 +3389,335 @@ describe('E2E.Bundle Discounts', () => {
             const response2 = await post(checkout, organization, adminToken);
             expect(response2.body.registrations.length).toBe(1);
 
+            const registration2 = response2.body.registrations[0];
+            expect(registration2.registeredAt).not.toBeNull();
+            expect(registration2.discounts).toMatchMap(new Map()); // note: not super reliable, as this is permission checked
+
+            const registration2Model = (await Registration.getByID(registration2.id))!;
+            expect(registration2).toBeDefined();
+            expect(registration2Model.discounts).toMatchMap(new Map());
+
+            // Get registration 1 again, it should now have the bundle discount applied
+            await registration1.refresh();
+            expect(registration1.discounts).toMatchMap(new Map([
+                [bundleDiscount.id, AppliedRegistrationDiscount.create({
+                    name: bundleDiscount.name,
+                    amount: 5_00,
+                })],
+            ]));
+
+            await assertBalances({ member: otherMember }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration1.id,
+                    amount: 1,
+                    price: 25_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 25_00,
+                    pricePending: 0,
+                    userId: user.id,
+                },
+                {
+                    type: BalanceItemType.RegistrationBundleDiscount,
+                    registrationId: registration1.id,
+                    amount: 1,
+                    price: -5_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: -5_00,
+                    pricePending: 0,
+                    userId: null,
+                },
+            ]);
+
+            await assertBalances({ member }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration2.id,
+                    amount: 1,
+                    price: 15_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 15_00,
+                    pricePending: 0,
+                    userId: null,
+                },
+            ]);
+        });
+
+        test('Discounts work across family members when admins register members, even when the admin does not have access to the family members', async () => {
+            const { organizationRegistrationPeriod, organization, member, token, user } = await initData();
+            const bundleDiscount = await initBundleDiscount({
+                organizationRegistrationPeriod,
+                discount: {
+                    countWholeFamily: true,
+                    discounts: [
+                        {
+                            value: 20_00,
+                            type: GroupPriceDiscountType.Percentage,
+                        },
+                    ],
+                },
+            });
+
+            const groups = [
+                await new GroupFactory({
+                    organization,
+                    price: 25_00,
+                    bundleDiscount,
+                }).create(),
+                await new GroupFactory({
+                    organization,
+                    price: 15_00,
+                    bundleDiscount,
+                }).create(),
+            ];
+
+            // Create an unrelated group and registration so admin has access to the member
+            const randomGroup = await new GroupFactory({
+                organization,
+                price: 0,
+            }).create();
+
+            await new RegistrationFactory({
+                organization,
+                member: member,
+                group: randomGroup,
+            }).create();
+
+            // Make sure the user has financial access so we can check the responses
+            const role = await initPermissionRole({
+                organization,
+                accessRights: [
+                    AccessRight.MemberReadFinancialData,
+                ],
+            });
+
+            const { adminToken } = await initAdmin({
+                organization,
+                permissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([[
+                        PermissionsResourceType.Groups, new Map([
+                            [
+                                randomGroup.id, ResourcePermissions.create({
+                                    level: PermissionLevel.Write,
+                                }),
+                            ], [
+                                groups[1].id, ResourcePermissions.create({
+                                    level: PermissionLevel.Write,
+                                }),
+                            ],
+                            // No permission for group 0
+                        ]),
+                    ]]),
+                    roles: [role],
+                }),
+            });
+
+            const otherMember = await new MemberFactory({
+                organization,
+                user,
+            }).create();
+
+            // First register the otherMember for group 1. No discount should be applied yet
+            const registration1 = await new RegistrationFactory({
+                organization,
+                member: otherMember,
+                group: groups[0],
+            }).create();
+
+            await new BalanceItemFactory({
+                userId: user.id,
+                memberId: otherMember.id,
+                organizationId: organization.id,
+                type: BalanceItemType.Registration,
+                amount: 1,
+                unitPrice: 25_00,
+                status: BalanceItemStatus.Due,
+                registrationId: registration1.id,
+            }).create();
+
+            const checkout = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            groupPrice: groups[1].settings.prices[0],
+                            groupId: groups[1].id,
+                            organizationId: organization.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                }),
+                totalPrice: 15_00, // Admin does not know there should be discount
+                asOrganizationId: organization.id,
+            });
+
+            const response2 = await post(checkout, organization, adminToken);
+            expect(response2.body.registrations.length).toBe(1);
+
+            const registration2 = response2.body.registrations[0];
+            expect(registration2.registeredAt).not.toBeNull();
+            expect(registration2.discounts).toMatchMap(new Map());
+
+            const registration2Model = (await Registration.getByID(registration2.id))!;
+            expect(registration2).toBeDefined();
+            expect(registration2Model.discounts).toMatchMap(new Map());
+
+            // Get registration 1 again, it should now have the bundle discount applied
+            await registration1.refresh();
+            expect(registration1.discounts).toMatchMap(new Map([
+                [bundleDiscount.id, AppliedRegistrationDiscount.create({
+                    name: bundleDiscount.name,
+                    amount: 5_00,
+                })],
+            ]));
+
+            await assertBalances({ member: otherMember }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration1.id,
+                    amount: 1,
+                    price: 25_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 25_00,
+                    pricePending: 0,
+                    userId: user.id,
+                },
+                {
+                    type: BalanceItemType.RegistrationBundleDiscount,
+                    registrationId: registration1.id,
+                    amount: 1,
+                    price: -5_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: -5_00,
+                    pricePending: 0,
+                    userId: null,
+                },
+            ]);
+
+            await assertBalances({ member }, [
+                {
+                    type: BalanceItemType.Registration,
+                    registrationId: registration2.id,
+                    amount: 1,
+                    price: 15_00,
+                    status: BalanceItemStatus.Due,
+                    priceOpen: 15_00,
+                    pricePending: 0,
+                    userId: null,
+                },
+            ]);
+        });
+
+        test('Discounts work across family members when admins register members, even when the admin does not have access to the family members nor financial access rights', async () => {
+            const { organizationRegistrationPeriod, organization, member, token, user } = await initData();
+            const bundleDiscount = await initBundleDiscount({
+                organizationRegistrationPeriod,
+                discount: {
+                    countWholeFamily: true,
+                    discounts: [
+                        {
+                            value: 20_00,
+                            type: GroupPriceDiscountType.Percentage,
+                        },
+                    ],
+                },
+            });
+
+            const groups = [
+                await new GroupFactory({
+                    organization,
+                    price: 25_00,
+                    bundleDiscount,
+                }).create(),
+                await new GroupFactory({
+                    organization,
+                    price: 15_00,
+                    bundleDiscount,
+                }).create(),
+            ];
+
+            // Create an unrelated group and registration so admin has access to the member
+            const randomGroup = await new GroupFactory({
+                organization,
+                price: 0,
+            }).create();
+
+            await new RegistrationFactory({
+                organization,
+                member: member,
+                group: randomGroup,
+            }).create();
+
+            const { adminToken } = await initAdmin({
+                organization,
+                permissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([[
+                        PermissionsResourceType.Groups, new Map([
+                            [
+                                randomGroup.id, ResourcePermissions.create({
+                                    level: PermissionLevel.Write,
+                                }),
+                            ], [
+                                groups[1].id, ResourcePermissions.create({
+                                    level: PermissionLevel.Write,
+                                }),
+                            ],
+                            // No permission for group 0
+                        ]),
+                    ]]),
+                }),
+            });
+
+            const otherMember = await new MemberFactory({
+                organization,
+                user,
+            }).create();
+
+            // First register the otherMember for group 1. No discount should be applied yet
+            const registration1 = await new RegistrationFactory({
+                organization,
+                member: otherMember,
+                group: groups[0],
+            }).create();
+
+            await new BalanceItemFactory({
+                userId: user.id,
+                memberId: otherMember.id,
+                organizationId: organization.id,
+                type: BalanceItemType.Registration,
+                amount: 1,
+                unitPrice: 25_00,
+                status: BalanceItemStatus.Due,
+                registrationId: registration1.id,
+            }).create();
+
+            const checkout = IDRegisterCheckout.create({
+                cart: IDRegisterCart.create({
+                    items: [
+                        IDRegisterItem.create({
+                            groupPrice: groups[1].settings.prices[0],
+                            groupId: groups[1].id,
+                            organizationId: organization.id,
+                            memberId: member.id,
+                        }),
+                    ],
+                }),
+                totalPrice: 15_00, // Admin does not know there should be discount
+                asOrganizationId: organization.id,
+            });
+
+            const response2 = await post(checkout, organization, adminToken);
+            expect(response2.body.registrations.length).toBe(1);
+
             const registration2 = response2.body.registrations[0];
             expect(registration2.registeredAt).not.toBeNull();
             expect(registration2.discounts).toMatchMap(new Map());
 
+            const registration2Model = (await Registration.getByID(registration2.id))!;
+            expect(registration2).toBeDefined();
+            expect(registration2Model.discounts).toMatchMap(new Map());
+
             // Get registration 1 again, it should now have the bundle discount applied
             await registration1.refresh();
             expect(registration1.discounts).toMatchMap(new Map([

package/tests/helpers/PayconiqMocker.ts

@@ -44,6 +44,28 @@ export class PayconiqMocker {
                         checkout: {
                             href: 'https://payconiq.com/pay/2/5bdb1685b93d1c000bde96f2?token=530ea8a4ec8ded7d87620c8637354022cd965b143f257f8f8cb118e7f4a22d8f&returnUrl=https%3A%2F%2Fummy.webshop%2Fcheckout%2Fsuccess',
                         },
+                        qrcode: {
+                            href: 'https://payconiq.com/pay/2/5bdb1685b93d1c000bde96f2?token=530ea8a4ec8ded7d87620c8637354022cd965b143f257f8f8cb118e7f4a22d8f&returnUrl=https%3A%2F%2Fummy.webshop%2Fcheckout%2Fsuccess',
+                        },
+                    },
+                }];
+            });
+
+        nock('https://merchant.api.preprod.bancontact.net')
+            .persist()
+            .post('/v3/payments')
+            .reply((uri, body) => {
+                // todo: do something smarter with the body
+
+                return [200, {
+                    paymentId: uuidv4(),
+                    _links: {
+                        checkout: {
+                            href: 'https://payconiq.com/pay/2/5bdb1685b93d1c000bde96f2?token=530ea8a4ec8ded7d87620c8637354022cd965b143f257f8f8cb118e7f4a22d8f&returnUrl=https%3A%2F%2Fummy.webshop%2Fcheckout%2Fsuccess',
+                        },
+                        qrcode: {
+                            href: 'https://payconiq.com/pay/2/5bdb1685b93d1c000bde96f2?token=530ea8a4ec8ded7d87620c8637354022cd965b143f257f8f8cb118e7f4a22d8f&returnUrl=https%3A%2F%2Fummy.webshop%2Fcheckout%2Fsuccess',
+                        },
                     },
                 }];
             });

package/tests/init/index.ts

@@ -3,3 +3,4 @@ export * from './initPlatformAdmin';
 export * from './initPayconiq';
 export * from './initBundleDiscount';
 export * from './initStripe';
+export * from './initPermissionRole';

package/tests/init/initAdmin.ts

@@ -1,10 +1,10 @@
 import { Organization, Token, UserFactory } from '@stamhoofd/models';
 import { PermissionLevel, Permissions } from '@stamhoofd/structures';
 
-export async function initAdmin({ organization }: { organization: Organization }) {
+export async function initAdmin({ organization, permissions }: { organization: Organization; permissions?: Permissions }) {
     const admin = await new UserFactory({
         organization,
-        permissions: Permissions.create({
+        permissions: permissions ?? Permissions.create({
             level: PermissionLevel.Full,
         }),
     }).create();