npm - @stamhoofd/backend - Versions diffs - 2.116.0 → 2.117.0 - Mend

@stamhoofd/backend 2.116.0 → 2.117.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/src/endpoints/auth/DeleteUserEndpoint.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { getDefaultEmailFrom, sendEmailTemplate } from '@stamhoofd/models';
 import { EmailTemplateType, Recipient } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/ForgotPasswordEndpoint.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { PasswordToken, Platform, sendEmailTemplate, User } from '@stamhoofd/mod
 import { EmailTemplateType, ForgotPasswordRequest, LoginMethod, Recipient, Replacement } from '@stamhoofd/structures';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/GetOtherUserEndpoint.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { UserWithMembers } from '@stamhoofd/structures';
-import { AuthenticatedStructures } from '../../helpers/AuthenticatedStructures';
-import { Context } from '../../helpers/Context';
+import { AuthenticatedStructures } from '../../helpers/AuthenticatedStructures.js';
+import { Context } from '../../helpers/Context.js';
 import { User } from '@stamhoofd/models';
 type Params = { id: string };

package/src/endpoints/auth/GetUserEndpoint.test.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { Request } from '@simonbackx/simple-endpoints';
 import { OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
-import { testServer } from '../../../tests/helpers/TestServer';
-import { GetUserEndpoint } from './GetUserEndpoint';
+import { testServer } from '../../../tests/helpers/TestServer.js';
+import { GetUserEndpoint } from './GetUserEndpoint.js';
 describe('Endpoint.GetUser', () => {
     // Test endpoint

package/src/endpoints/auth/GetUserEndpoint.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { UserWithMembers } from '@stamhoofd/structures';
-import { AuthenticatedStructures } from '../../helpers/AuthenticatedStructures';
-import { Context } from '../../helpers/Context';
+import { AuthenticatedStructures } from '../../helpers/AuthenticatedStructures.js';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/OpenIDConnectAuthTokenEndpoint.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { AutoEncoder, field, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { Context } from '../../helpers/Context';
-import { SSOService } from '../../services/SSOService';
+import { Context } from '../../helpers/Context.js';
+import { SSOService } from '../../services/SSOService.js';
 import { OpenIDAuthTokenResponse } from '@stamhoofd/structures';
 type Params = Record<string, never>;

package/src/endpoints/auth/OpenIDConnectCallbackEndpoint.ts CHANGED Viewed

@@ -1,8 +1,8 @@
 import { AnyDecoder, Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
-import { Context } from '../../helpers/Context';
-import { SSOServiceWithSession } from '../../services/SSOService';
+import { Context } from '../../helpers/Context.js';
+import { SSOServiceWithSession } from '../../services/SSOService.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/OpenIDConnectStartEndpoint.ts CHANGED Viewed

@@ -2,8 +2,8 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
 import { StartOpenIDFlowStruct } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
-import { SSOService } from '../../services/SSOService';
+import { Context } from '../../helpers/Context.js';
+import { SSOService } from '../../services/SSOService.js';
 type Params = Record<string, never>;
 type Query = StartOpenIDFlowStruct;

package/src/endpoints/auth/PollEmailVerificationEndpoint.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { EmailVerificationCode } from '@stamhoofd/models';
 import { PollEmailVerificationRequest, PollEmailVerificationResponse } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/RetryEmailVerificationEndpoint.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-
 import { EmailVerificationCode } from '@stamhoofd/models';
 import { PollEmailVerificationRequest, PollEmailVerificationResponse } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/SignupEndpoint.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { SimpleError } from '@simonbackx/simple-errors';
 import { EmailVerificationCode, PasswordToken, Platform, sendEmailTemplate, User } from '@stamhoofd/models';
 import { EmailTemplateType, LoginMethod, NewUser, Recipient, Replacement, SignupResponse } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/auth/VerifyEmailEndpoint.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { SimpleError } from '@simonbackx/simple-errors';
 import { EmailVerificationCode, Token, User } from '@stamhoofd/models';
 import { Token as TokenStruct, VerifyEmailRequest } from '@stamhoofd/structures';
-import { Context } from '../../helpers/Context';
+import { Context } from '../../helpers/Context.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/global/addresses/ValidateAddressEndpoint.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { Address, ValidatedAddress } from '@stamhoofd/structures';
-import { AddressValidator } from '../../../helpers/AddressValidator';
+import { AddressValidator } from '../../../helpers/AddressValidator.js';
 type Params = Record<string, never>;
 type Query = undefined;

package/src/endpoints/global/audit-logs/GetAuditLogsEndpoint.ts CHANGED Viewed

@@ -5,10 +5,10 @@ import { AuditLog } from '@stamhoofd/models';
 import { SQL, SQLSortDefinitions, applySQLSorter, compileToSQLFilter } from '@stamhoofd/sql';
 import { AuditLog as AuditLogStruct, CountFilteredRequest, LimitedFilteredRequest, PaginatedResponse, StamhoofdFilter, assertSort, getSortFilter } from '@stamhoofd/structures';
-import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
-import { Context } from '../../../helpers/Context';
-import { auditLogFilterCompilers } from '../../../sql-filters/audit-logs';
-import { auditLogSorters } from '../../../sql-sorters/audit-logs';
+import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures.js';
+import { Context } from '../../../helpers/Context.js';
+import { auditLogFilterCompilers } from '../../../sql-filters/audit-logs.js';
+import { auditLogSorters } from '../../../sql-sorters/audit-logs.js';
 type Params = Record<string, never>;
 type Query = LimitedFilteredRequest;

package/src/endpoints/global/billing/ActivatePackagesEndpoint.ts CHANGED Viewed

@@ -1,14 +1,19 @@
-/* import { Decoder } from '@simonbackx/simple-encoding';
-import { DecodedRequest, Endpoint, Request } from '@simonbackx/simple-endpoints';
-import { IDRegisterCheckout, RegisterResponse } from '@stamhoofd/structures';
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { BalanceItem, Organization, Platform, STPackage } from '@stamhoofd/models';
+import { CheckoutResponse, PackageCheckout, Payment as PaymentStruct, STPackageBundleHelper, STPackageStruct } from '@stamhoofd/structures';
+import { Context } from '../../../helpers/Context.js';
+import { PaymentService } from '../../../services/PaymentService.js';
+import { STPackageService } from '../../../services/STPackageService.js';
 type Params = Record<string, never>;
 type Query = undefined;
-type Body = IDRegisterCheckout;
-type ResponseBody = RegisterResponse;
+type Body = PackageCheckout;
+type ResponseBody = CheckoutResponse;
 export class ActivatePackagesEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
-    bodyDecoder = Body as Decoder<Body>;
+    bodyDecoder = PackageCheckout as Decoder<Body>;
     protected doesMatch(request: Request): [true, Params] | [false] {
         if (request.method != 'POST') {
@@ -24,7 +29,186 @@ export class ActivatePackagesEndpoint extends Endpoint<Params, Query, Body, Resp
     }
     async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        const { user } = await Context.authenticate();
+        // If the user has permission, we'll also search if he has access to the organization's key
+        if (!await Context.auth.canActivatePackages(organization.id)) {
+            throw Context.auth.error();
+        }
+        const checkout = request.body;
+        // Validate company
+        if (checkout.customer && checkout.customer.company) {
+            // Search company id
+            // this avoids needing to check the VAT number every time
+            const id = checkout.customer.company.id;
+            const foundCompany = organization.meta.companies.find(c => c.id === id);
+            if (!foundCompany) {
+                throw new SimpleError({
+                    code: 'invalid_data',
+                    message: $t(`0ab71307-8f4f-4701-b120-b552a1b6bdd0`),
+                });
+            }
+        }
+        const currentPackages = await STPackageService.getActivePackages(organization.id);
+        const packages: STPackageStruct[] = [];
+        const balanceItems: Map<BalanceItem, number> = new Map();
+        const models: STPackage[] = [];
+        let totalPrice = 0;
+        if (STAMHOOFD.userMode === 'organization') {
+            // Only allowed in organization mode
+            for (const bundle of request.body.purchases.packageBundles) {
+            // Renew after currently running packages
+                let date = new Date();
+                let skip = false;
+                // Do we have a collision? Make sure our package only start after the expiry date of existing packages
+                for (const currentPack of currentPackages) {
+                    if (!STPackageBundleHelper.isCombineable(bundle, STPackageStruct.create(currentPack))) {
+                        if (!STPackageBundleHelper.isStackable(bundle, STPackageStruct.create(currentPack))) {
+                        // WE skip silently
+                            console.error('Tried to activate non combineable, non stackable packages...');
+                            skip = true;
+                            continue;
+                        }
+                        if (currentPack.validUntil !== null) {
+                            const end = currentPack.validUntil;
+                            if (end > date) {
+                                date = end;
+                            }
+                        }
+                    }
+                }
+                if (skip) {
+                    continue;
+                }
+                packages.push(STPackageBundleHelper.getCurrentPackage(bundle, date));
+            }
+            // Add renewals
+            if (checkout.purchases.renewPackageIds.length > 0) {
+                for (const id of checkout.purchases.renewPackageIds) {
+                    const pack = currentPackages.find(c => c.id === id);
+                    if (!pack) {
+                        throw new SimpleError({
+                            code: 'not_found',
+                            message: 'Package not found',
+                            human: $t('0e5baf7f-89be-4665-a3dd-b1603b5a6627'),
+                        });
+                    }
+                    // Renew
+                    const model = pack.createRenewed();
+                    const balanceItem = await STPackageService.chargePackage(model, undefined, checkout.customer ?? undefined);
+                    if (balanceItem) {
+                        totalPrice += balanceItem.priceWithVAT;
+                        balanceItems.set(balanceItem, balanceItem.priceWithVAT);
+                    }
+                    if (!request.body.proForma) {
+                        await model.save();
+                        await balanceItem?.save();
+                    }
+                    models.push(model);
+                }
+            }
+        }
+        // Create the real models for each package
+        // calculate the price for these packages and create a hidden balance item
+        for (const pack of packages) {
+            const model = new STPackage();
+            model.id = pack.id;
+            model.meta = pack.meta;
+            model.validUntil = pack.validUntil;
+            model.removeAt = pack.removeAt;
+            // Not yet valid / active (ignored until valid)
+            model.validAt = null;
+            model.organizationId = organization.id;
+            const balanceItem = await STPackageService.chargePackage(model, undefined, checkout.customer ?? undefined);
+            if (balanceItem) {
+                totalPrice += balanceItem.priceWithVAT;
+                balanceItems.set(balanceItem, balanceItem.priceWithVAT);
+            }
+            if (!request.body.proForma) {
+                await model.save();
+                await balanceItem?.save();
+            }
+            models.push(model);
+        }
+        // todo: Add pending items (balance items in request)
+        const membershipOrganizationId = (await Platform.getShared()).membershipOrganizationId;
+        if (!membershipOrganizationId) {
+            throw new SimpleError({
+                code: 'unavailable',
+                message: 'No membership organization id set on the platform',
+                human: 'Package purchases are currently unavailable',
+            });
+        }
+        const membershipOrganization = await Organization.getByID(membershipOrganizationId);
+        if (!membershipOrganization) {
+            throw new Error('Unexpected missing membershipOrganization');
+        }
+        const result = await PaymentService.createPayment({
+            balanceItems,
+            checkout,
+            user,
+            organization: membershipOrganization,
+            payingOrganization: organization,
+            serviceFeeType: 'system',
+        });
+        console.log('Created payment', result);
+        if (!result) {
+            // No payment needed
+            throw new SimpleError({
+                code: 'missing_data',
+                message: 'Checkout was empty',
+                human: $t('c5cf0531-9751-4be0-be0c-31ccfac1722d'),
+            });
+        }
+        if (!checkout.proForma) {
+            for (const pack of models) {
+                await pack.save();
+            }
+        }
+        else {
+            // Delete payment again
+            if (result) {
+                await result.payment.delete();
+                result.paymentUrl = null;
+                result.paymentQRCode = null;
+            }
+            for (const [item] of balanceItems) {
+                await item.delete();
+            }
+        }
+        const { payment, paymentUrl, paymentQRCode } = result;
+        return new Response(CheckoutResponse.create({
+            payment: payment ? PaymentStruct.create(payment) : null,
+            paymentUrl,
+            paymentQRCode,
+        }));
     }
 }
-*/

package/src/endpoints/global/billing/DeactivatePackageEndpoint.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { STPackage } from '@stamhoofd/models';
+import { Context } from '../../../helpers/Context.js';
+import { STPackageService } from '../../../services/STPackageService.js';
+type Params = { id: string };
+type Query = undefined;
+type ResponseBody = undefined;
+type Body = undefined;
+export class DeactivatePackageEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != 'POST') {
+            return [false];
+        }
+        const params = Endpoint.parseParameters(request.url, '/billing/deactivate-package/@id', { id: String });
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate();
+        // If the user has permission, we'll also search if he has access to the organization's key
+        if (!await Context.auth.canDeactivatePackages(organization.id)) {
+            throw Context.auth.error();
+        }
+        const packages = await STPackageService.getActivePackages(organization.id);
+        const pack = packages.find(p => p.id === request.params.id);
+        if (!pack) {
+            throw new SimpleError({
+                code: 'not_found',
+                message: 'Package not found',
+                human: $t('c6adb3c8-c494-4f2a-8287-6bcac853a88a'),
+                statusCode: 404,
+            });
+        }
+        if (!pack.meta.canDeactivate) {
+            throw new SimpleError({
+                code: 'not_allowed',
+                message: "Can't deactivate this package",
+                human: $t('242cee92-c0ea-4736-a8c8-6d82c8faf342'),
+            });
+        }
+        // Deactivate
+        pack.removeAt = new Date();
+        pack.removeAt.setTime(pack.removeAt.getTime() - 5_000);
+        await pack.save();
+        await STPackageService.updateOrganizationPackages(organization.id);
+        return new Response(undefined);
+    }
+}

package/src/endpoints/global/email/GetAdminEmailsEndpoint.test.ts CHANGED Viewed

@@ -2,8 +2,8 @@ import { Request } from '@simonbackx/simple-endpoints';
 import { Email, EmailRecipient, MemberFactory, Organization, OrganizationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, User, UserFactory } from '@stamhoofd/models';
 import { EmailStatus, LimitedFilteredRequest, PermissionLevel, Permissions, Replacement } from '@stamhoofd/structures';
 import { TestUtils } from '@stamhoofd/test-utils';
-import { testServer } from '../../../../tests/helpers/TestServer';
-import { GetAdminEmailsEndpoint } from './GetAdminEmailsEndpoint';
+import { testServer } from '../../../../tests/helpers/TestServer.js';
+import { GetAdminEmailsEndpoint } from './GetAdminEmailsEndpoint.js';
 import { Formatter } from '@stamhoofd/utility';
 const baseUrl = `/email`;

package/src/endpoints/global/email/GetAdminEmailsEndpoint.ts CHANGED Viewed

@@ -5,9 +5,9 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Email, Platform } from '@stamhoofd/models';
 import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
-import { Context } from '../../../helpers/Context';
-import { emailFilterCompilers } from '../../../sql-filters/emails';
-import { emailSorters } from '../../../sql-sorters/emails';
+import { Context } from '../../../helpers/Context.js';
+import { emailFilterCompilers } from '../../../sql-filters/emails.js';
+import { emailSorters } from '../../../sql-sorters/emails.js';
 type Params = Record<string, never>;
 type Query = LimitedFilteredRequest;

package/src/endpoints/global/email/GetEmailAddressEndpoint.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { SimpleError } from '@simonbackx/simple-errors';
 import { EmailAddress } from '@stamhoofd/email';
 import { Organization } from '@stamhoofd/models';
 import { EmailAddressSettings, OrganizationSimple } from '@stamhoofd/structures';
-import { Context } from '../../../helpers/Context';
+import { Context } from '../../../helpers/Context.js';
 type Params = Record<string, never>;
 type Body = undefined;

package/src/endpoints/global/email/GetEmailEndpoint.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { Email } from '@stamhoofd/models';
 import { EmailPreview } from '@stamhoofd/structures';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Context } from '../../../helpers/Context';
+import { Context } from '../../../helpers/Context.js';
 type Params = { id: string };
 type Query = undefined;

package/src/endpoints/global/email/GetUserEmailsEndpoint.test.ts CHANGED Viewed

@@ -2,8 +2,8 @@ import { Request } from '@simonbackx/simple-endpoints';
 import { Email, EmailRecipient, MemberFactory, Organization, OrganizationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, User, UserFactory } from '@stamhoofd/models';
 import { EmailStatus, LimitedFilteredRequest, Replacement } from '@stamhoofd/structures';
 import { TestUtils } from '@stamhoofd/test-utils';
-import { testServer } from '../../../../tests/helpers/TestServer';
-import { GetUserEmailsEndpoint } from './GetUserEmailsEndpoint';
+import { testServer } from '../../../../tests/helpers/TestServer.js';
+import { GetUserEmailsEndpoint } from './GetUserEmailsEndpoint.js';
 import { Formatter } from '@stamhoofd/utility';
 const baseUrl = `/user/email`;

package/src/endpoints/global/email/GetUserEmailsEndpoint.ts CHANGED Viewed

@@ -5,9 +5,9 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Email, Member } from '@stamhoofd/models';
 import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
-import { Context } from '../../../helpers/Context';
-import { emailFilterCompilers, userEmailFilterCompilers } from '../../../sql-filters/emails';
-import { emailSorters } from '../../../sql-sorters/emails';
+import { Context } from '../../../helpers/Context.js';
+import { emailFilterCompilers, userEmailFilterCompilers } from '../../../sql-filters/emails.js';
+import { emailSorters } from '../../../sql-sorters/emails.js';
 type Params = Record<string, never>;
 type Query = LimitedFilteredRequest;

package/src/endpoints/global/email/ManageEmailAddressEndpoint.ts CHANGED Viewed

@@ -1,9 +1,11 @@
 import { AutoEncoder, BooleanDecoder, Decoder, field, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { EmailAddress } from '@stamhoofd/email';
-import { Context } from '../../../helpers/Context';
+import { Email, EmailAddress } from '@stamhoofd/email';
+import { Context } from '../../../helpers/Context.js';
 import { SESv2Client, DeleteSuppressedDestinationCommand } from '@aws-sdk/client-sesv2'; // ES Modules import
+import { RateLimiter } from '@stamhoofd/models';
+import { SQL } from '@stamhoofd/sql';
 type Params = Record<string, never>;
 type Query = undefined;
@@ -37,6 +39,16 @@ class Body extends AutoEncoder {
     markedAsSpam?: boolean;
 }
+export const unblockLimiter = new RateLimiter({
+    limits: [
+        {
+            // Max 10 per week
+            limit: 10,
+            duration: 24 * 60 * 1000 * 60 * 7,
+        },
+    ],
+});
 type ResponseBody = undefined;
 export class ManageEmailAddressEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
@@ -89,20 +101,20 @@ export class ManageEmailAddressEndpoint extends Endpoint<Params, Query, Body, Re
             }
             const organization = await Context.setOptionalOrganizationScope();
-            await Context.authenticate();
-            if (!Context.auth.hasPlatformFullAccess()) {
-                throw Context.auth.error();
-            }
+            const { user } = await Context.authenticate();
-            const query = EmailAddress.select().where(
-                'email', request.body.email,
-            );
             if (organization) {
-                query.andWhere('organizationId', organization.id);
+                if (!await Context.auth.hasFullAccess(organization.id)) {
+                    throw Context.auth.error();
+                }
+            }
+            else {
+                if (!Context.auth.hasPlatformFullAccess()) {
+                    throw Context.auth.error();
+                }
             }
-            const emails = await query.fetch();
+            const emails = await EmailAddress.getByEmails([request.body.email], organization?.id ?? null);
             if (emails.length === 0) {
                 throw new SimpleError({
@@ -112,6 +124,43 @@ export class ManageEmailAddressEndpoint extends Endpoint<Params, Query, Body, Re
                     statusCode: 404,
                 });
             }
+            // Track limits
+            for (const email of emails) {
+                const wasBlocked = email.unsubscribedAll || email.unsubscribedMarketing || email.hardBounce || email.markedAsSpam;
+                if (email.organizationId === null || (organization && email.organizationId === organization.id)) {
+                    if (Context.auth.hasPlatformFullAccess()) {
+                        // Only allowed as platform admins
+                        email.unsubscribedAll = request.body.unsubscribedAll ?? email.unsubscribedAll;
+                        email.unsubscribedMarketing = request.body.unsubscribedMarketing ?? email.unsubscribedMarketing;
+                    }
+                }
+                email.hardBounce = request.body.hardBounce ?? email.hardBounce;
+                email.markedAsSpam = request.body.markedAsSpam ?? email.markedAsSpam;
+                const isBlocked = email.unsubscribedAll || email.unsubscribedMarketing || email.hardBounce || email.markedAsSpam;
+                if (!isBlocked && wasBlocked && !Context.auth.hasPlatformFullAccess()) {
+                    try {
+                        unblockLimiter.track(organization?.id ?? '', 1);
+                    }
+                    catch (e) {
+                        Email.sendWebmaster({
+                            subject: '[Limiet] Limiet bereikt voor aantal unblocks',
+                            text: 'Beste, \nDe limiet werd bereikt voor het aantal email unblocks per week. \nUser: ' + user.email + '\n\nVereniging: ' + (organization ? (organization.id + ' (' + organization.name + ')') : 'platform') + '\n\n' + e.message + '\n\nStamhoofd',
+                        });
+                        throw new SimpleError({
+                            code: 'too_many_unblocks',
+                            message: 'Too many unblocks',
+                            human: $t(`ed5bd32c-7d9a-42d8-b9d0-da74d82ef3a9`),
+                        });
+                    }
+                }
+            }
             console.log('Updated email address settings', request.body);
             const client = new SESv2Client({});
@@ -132,10 +181,7 @@ export class ManageEmailAddressEndpoint extends Endpoint<Params, Query, Body, Re
             }
             for (const email of emails) {
-                email.unsubscribedAll = request.body.unsubscribedAll ?? email.unsubscribedAll;
-                email.unsubscribedMarketing = request.body.unsubscribedMarketing ?? email.unsubscribedMarketing;
-                email.hardBounce = request.body.hardBounce ?? email.hardBounce;
-                email.markedAsSpam = request.body.markedAsSpam ?? email.markedAsSpam;
+                // Only save if all went well
                 await email.save();
             }