npm - @stamhoofd/backend - Versions diffs - 2.3.1 → 2.5.0 - Mend

@stamhoofd/backend 2.3.1 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts CHANGED Viewed

@@ -1,10 +1,11 @@
 import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
-import { GroupPrivateSettings, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, PermissionLevel, PermissionsResourceType, ResourcePermissions, Version } from "@stamhoofd/structures";
+import { Group as GroupStruct, GroupPrivateSettings, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, PermissionLevel, PermissionsResourceType, ResourcePermissions, Version, GroupType } from "@stamhoofd/structures";
 import { AutoEncoderPatchType, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from "@simonbackx/simple-encoding";
 import { Context } from "../../../../helpers/Context";
-import { Group, OrganizationRegistrationPeriod, Platform, RegistrationPeriod } from "@stamhoofd/models";
+import { Group, Member, OrganizationRegistrationPeriod, Platform, RegistrationPeriod } from "@stamhoofd/models";
 import { SimpleError } from "@simonbackx/simple-errors";
+import { AuthenticatedStructures } from "../../../../helpers/AuthenticatedStructures";
 type Params = Record<string, never>;
 type Query = undefined;
@@ -15,7 +16,7 @@ type ResponseBody = OrganizationRegistrationPeriodStruct[]
  * One endpoint to create, patch and delete members and their registrations and payments
  */
-export class PatchRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
     bodyDecoder = new PatchableArrayDecoder(OrganizationRegistrationPeriodStruct as Decoder<OrganizationRegistrationPeriodStruct>, OrganizationRegistrationPeriodStruct.patchType() as Decoder<AutoEncoderPatchType<OrganizationRegistrationPeriodStruct>>, StringDecoder)
     protected doesMatch(request: Request): [true, Params] | [false] {
@@ -33,32 +34,13 @@ export class PatchRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Bo
     async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setOrganizationScope();
-        const {user} = await Context.authenticate()
+        await Context.authenticate()
         if (!await Context.auth.hasFullAccess(organization.id)) {
             throw Context.auth.error()
         }
-        const platform = await Platform.getShared()
-        function validateDefaultGroupId(id: string|null): string|null {
-            if (id === null) {
-                return id;
-            }
-            if (platform.config.defaultAgeGroups.find(g => g.id === id)) {
-                return id;
-            }
-            throw new SimpleError({
-                code: "invalid_default_age_group",
-                message: "Invalid default age group",
-                human: "De standaard leeftijdsgroep is ongeldig",
-                statusCode: 400
-            })
-        }
-        const structs: OrganizationRegistrationPeriodStruct[] = [];
+        const periods: OrganizationRegistrationPeriod[] = [];
         for (const {put} of request.body.getPuts()) {
             if (!await Context.auth.hasFullAccess(organization.id)) {
@@ -82,23 +64,14 @@ export class PatchRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Bo
             await organizationPeriod.save();
             for (const struct of put.groups) {
-                const model = new Group()
-                model.id = struct.id
-                model.organizationId = organization.id
-                model.defaultAgeGroupId = validateDefaultGroupId(struct.defaultAgeGroupId)
-                model.periodId = organizationPeriod.periodId
-                model.settings = struct.settings
-                model.privateSettings = struct.privateSettings ?? GroupPrivateSettings.create({})
-                model.status = struct.status
-                await model.updateOccupancy()
-                await model.save();
+                await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(struct, organization.id, organizationPeriod.periodId)
             }
             const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
             // Delete unreachable categories first
             await organizationPeriod.cleanCategories(groups);
             await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
-            structs.push(organizationPeriod.getStructure(period, groups));
+            periods.push(organizationPeriod);
         }
         for (const patch of request.body.getPatches()) {
@@ -152,122 +125,238 @@ export class PatchRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Bo
             const deleteGroups = patch.groups.getDeletes()
             if (deleteGroups.length > 0) {
                 for (const id of deleteGroups) {
-                    const model = await Group.getByID(id)
-                    if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
-                        throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te verwijderen')
-                    }
-                    model.deletedAt = new Date()
-                    await model.save()
+                    await PatchOrganizationRegistrationPeriodsEndpoint.deleteGroup(id)
                     deleteUnreachable = true
                 }
             }
             for (const groupPut of patch.groups.getPuts()) {
-                if (!await Context.auth.hasFullAccess(organization.id) && !allowedIds.includes(groupPut.put.id)) {
-                    throw Context.auth.error('Je hebt geen toegangsrechten om groepen toe te voegen')
-                }
+                await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(groupPut.put, organization.id, organizationPeriod.periodId, {allowedIds})
+            }
-                const struct = groupPut.put
-                const model = new Group()
-                model.id = struct.id
-                model.organizationId = organization.id
-                model.defaultAgeGroupId = validateDefaultGroupId(struct.defaultAgeGroupId)
-                model.periodId = organizationPeriod.periodId
-                model.settings = struct.settings
-                model.privateSettings = struct.privateSettings ?? GroupPrivateSettings.create({})
-                model.status = struct.status
-                if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
-                    // Create a temporary permission role for this user
-                    const organizationPermissions = user.permissions?.organizationPermissions?.get(organization.id)
-                    if (!organizationPermissions) {
-                        throw new Error('Unexpected missing permissions')
-                    }
-                    const resourcePermissions = ResourcePermissions.create({
-                        resourceName: model.settings.name,
-                        level: PermissionLevel.Full
-                    })
-                    const patch = resourcePermissions.createInsertPatch(PermissionsResourceType.Groups, model.id, organizationPermissions)
-                    user.permissions!.organizationPermissions.set(organization.id, organizationPermissions.patch(patch))
-                    console.log('Automatically granted author full permissions to resource', 'group', model.id, 'user', user.id, 'patch', patch.encode({version: Version}))
-                    await user.save()
-                }
+            for (const struct of patch.groups.getPatches()) {
+                await PatchOrganizationRegistrationPeriodsEndpoint.patchGroup(struct)
+            }
-                // Check if current user has permissions to this new group -> else fail with error
-                if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
-                    throw new SimpleError({
-                        code: "missing_permissions",
-                        message: "You cannot restrict your own permissions",
-                        human: "Je kan geen inschrijvingsgroep maken zonder dat je zelf volledige toegang hebt tot de nieuwe groep"
-                    })
-                    continue;
-                }
-                await model.updateOccupancy()
-                await model.save();
+            if (deleteUnreachable) {
+                const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
+                // Delete unreachable categories first
+                await organizationPeriod.cleanCategories(groups);
+                await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
             }
-            for (const struct of patch.groups.getPatches()) {
-                const model = await Group.getByID(struct.id)
+            periods.push(organizationPeriod);
+        }
-                if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
-                    throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te wijzigen')
-                }
+        return new Response(
+            await AuthenticatedStructures.organizationRegistrationPeriods(periods),
+        );
+    }
+    static async validateDefaultGroupId(id: string|null): Promise<string|null> {
+        if (id === null) {
+            return id;
+        }
+        const platform = await Platform.getSharedStruct()
+        if (platform.config.defaultAgeGroups.find(g => g.id === id)) {
+            return id;
+        }
+        throw new SimpleError({
+            code: "invalid_default_age_group",
+            message: "Invalid default age group",
+            human: "De standaard leeftijdsgroep is ongeldig",
+            statusCode: 400
+        })
+    }
+    static async deleteGroup(id: string) {
+        const model = await Group.getByID(id)
+        if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+            throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te verwijderen')
+        }
+        model.deletedAt = new Date()
+        await model.save()
+        Member.updateMembershipsForGroupId(id)
+    }
+    static async patchGroup(struct: AutoEncoderPatchType<GroupStruct>) {
+        const model = await Group.getByID(struct.id)
+        if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+            throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te wijzigen')
+        }
+        if (struct.settings) {
+            model.settings.patchOrPut(struct.settings)
+        }
-                if (struct.settings) {
-                    model.settings.patchOrPut(struct.settings)
+        if (struct.status) {
+            model.status = struct.status
+        }
+        if (struct.privateSettings) {
+            model.privateSettings.patchOrPut(struct.privateSettings)
+            if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                throw new SimpleError({
+                    code: "missing_permissions",
+                    message: "You cannot restrict your own permissions",
+                    human: "Je kan je eigen volledige toegang tot deze inschrijvingsgroep niet verwijderen. Vraag aan een hoofdbeheerder om jouw toegang te verwijderen."
+                })
+            }
+        }
+        if (struct.cycle !== undefined) {
+            model.cycle = struct.cycle
+        }
+        if (struct.deletedAt !== undefined) {
+            model.deletedAt = struct.deletedAt
+        }
+        if (struct.defaultAgeGroupId !== undefined) {
+            model.defaultAgeGroupId = await this.validateDefaultGroupId(struct.defaultAgeGroupId)
+        }
+        const patch = struct;
+        if (patch.waitingList !== undefined) {
+            if (patch.waitingList === null) {
+                // delete
+                if (model.waitingListId) {
+                    // for now don't delete, as waiting lists can be shared between multiple groups
+                    // await PatchOrganizationRegistrationPeriodsEndpoint.deleteGroup(model.waitingListId)
+                    model.waitingListId = null;
                 }
-                if (struct.status) {
-                    model.status = struct.status
+            } else if (patch.waitingList.isPatch()) {
+                if (!model.waitingListId) {
+                    throw new SimpleError({
+                        code: 'invalid_field',
+                        field: 'waitingList',
+                        message: 'Cannot patch waiting list before it is created'
+                    })
                 }
-                if (struct.privateSettings) {
-                    model.privateSettings.patchOrPut(struct.privateSettings)
+                patch.waitingList.id = model.waitingListId
+                patch.waitingList.type = GroupType.WaitingList
+                await PatchOrganizationRegistrationPeriodsEndpoint.patchGroup(patch.waitingList)
+            } else {
+                if (model.waitingListId) {
+                    // for now don't delete, as waiting lists can be shared between multiple groups
+                    // await PatchOrganizationRegistrationPeriodsEndpoint.deleteGroup(model.waitingListId)
+                    model.waitingListId = null;
+                }
+                patch.waitingList.type = GroupType.WaitingList
-                    if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                const existing = await Group.getByID(patch.waitingList.id)
+                if (existing) {
+                    if (existing.organizationId !== model.organizationId) {
                         throw new SimpleError({
-                            code: "missing_permissions",
-                            message: "You cannot restrict your own permissions",
-                            human: "Je kan je eigen volledige toegang tot deze inschrijvingsgroep niet verwijderen. Vraag aan een hoofdbeheerder om jouw toegang te verwijderen."
+                            code: 'invalid_field',
+                            field: 'waitingList',
+                            message: 'Waiting list group is already used in another organization'
                         })
                     }
-                }
-                if (struct.cycle !== undefined) {
-                    model.cycle = struct.cycle
+                    model.waitingListId = existing.id
+                } else {
+                    const group = await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(
+                        patch.waitingList,
+                        model.organizationId,
+                        model.periodId
+                    )
+                    model.waitingListId = group.id
                 }
+            }
+        }
+        await model.updateOccupancy()
+        await model.save();
-                if (struct.deletedAt !== undefined) {
-                    model.deletedAt = struct.deletedAt
-                }
+        if (struct.deletedAt !== undefined || struct.defaultAgeGroupId !== undefined) {
+            Member.updateMembershipsForGroupId(model.id)
+        }
+    }
-                if (struct.defaultAgeGroupId !== undefined) {
-                    model.defaultAgeGroupId = validateDefaultGroupId(struct.defaultAgeGroupId)
-                }
-                await model.updateOccupancy()
-                await model.save();
-            }
-            const period = await RegistrationPeriod.getByID(organizationPeriod.periodId);
-            const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
+    static async createGroup(struct: GroupStruct, organizationId: string, periodId: string, options?: {allowedIds?: string[]}): Promise<Group> {
+        const allowedIds = options?.allowedIds ?? []
-            if (deleteUnreachable) {
-                // Delete unreachable categories first
-                await organizationPeriod.cleanCategories(groups);
-                await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
+        if (!await Context.auth.hasFullAccess(organizationId)) {
+            if (allowedIds.includes(struct.id)) {
+                // Ok
+            } else {
+                throw Context.auth.error('Je hebt geen toegangsrechten om groepen toe te voegen')
             }
+        }
-            if (period) {
-                structs.push(organizationPeriod.getStructure(period, groups));
+        const user = Context.auth.user
+        const model = new Group()
+        model.id = struct.id
+        model.organizationId = organizationId
+        model.defaultAgeGroupId = await this.validateDefaultGroupId(struct.defaultAgeGroupId)
+        model.periodId = periodId
+        model.settings = struct.settings
+        model.privateSettings = struct.privateSettings ?? GroupPrivateSettings.create({})
+        model.status = struct.status
+        model.type = struct.type
+        if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+            // Create a temporary permission role for this user
+            const organizationPermissions = user.permissions?.organizationPermissions?.get(organizationId)
+            if (!organizationPermissions) {
+                throw new Error('Unexpected missing permissions')
             }
+            const resourcePermissions = ResourcePermissions.create({
+                resourceName: model.settings.name,
+                level: PermissionLevel.Full
+            })
+            const patch = resourcePermissions.createInsertPatch(PermissionsResourceType.Groups, model.id, organizationPermissions)
+            user.permissions!.organizationPermissions.set(organizationId, organizationPermissions.patch(patch))
+            console.log('Automatically granted author full permissions to resource', 'group', model.id, 'user', user.id, 'patch', patch.encode({version: Version}))
+            await user.save()
         }
-        return new Response(
-            structs
-        );
+        // Check if current user has permissions to this new group -> else fail with error
+        if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+            throw new SimpleError({
+                code: "missing_permissions",
+                message: "You cannot restrict your own permissions",
+                human: "Je kan geen inschrijvingsgroep maken zonder dat je zelf volledige toegang hebt tot de nieuwe groep"
+            })
+        }
+        if (struct.waitingList) {
+            const existing = await Group.getByID(struct.waitingList.id)
+            if (existing) {
+                if (existing.organizationId !== model.organizationId) {
+                    throw new SimpleError({
+                        code: 'invalid_field',
+                        field: 'waitingList',
+                        message: 'Waiting list group is already used in another organization'
+                    })
+                }
+                model.waitingListId = existing.id
+            } else {
+                struct.waitingList.type = GroupType.WaitingList
+                const group = await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(
+                    struct.waitingList,
+                    model.organizationId,
+                    model.periodId
+                )
+                model.waitingListId = group.id
+            }
+        }
+        await model.updateOccupancy()
+        await model.save();
+        return model;
     }
 }

package/src/endpoints/organization/dashboard/stripe/DeleteStripeAccountEndpoint.ts CHANGED Viewed

@@ -1,10 +1,10 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
 import { StripeAccount } from '@stamhoofd/models';
 import { PermissionLevel } from '@stamhoofd/structures';
 import { Context } from '../../../../helpers/Context';
+import { StripeHelper } from '../../../../helpers/StripeHelper';
 type Params = { id: string };
 type Body = undefined;
@@ -42,13 +42,13 @@ export class DeleteStripeAccountEndpoint extends Endpoint<Params, Query, Body, R
         }
         // For now we don't delete them in Stripe because this causes issues with data access
-        // const stripe = StripeHelper.getInstance()
-        //
-        // try {
-        //     await stripe.accounts.del(model.accountId);
-        // } catch (e) {
-        //     console.error('Tried deleting account but failed', e)
-        // }
+        const stripe = StripeHelper.getInstance()
+        try {
+            await stripe.accounts.del(model.accountId);
+        } catch (e) {
+            console.error('Tried deleting account but failed', e)
+        }
         // If that succeeded
         model.status = "deleted"

package/src/endpoints/organization/dashboard/users/GetOrganizationAdminsEndpoint.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { User } from '@stamhoofd/models';
 import { OrganizationAdmins, User as UserStruct } from "@stamhoofd/structures";
 import { Context } from "../../../../helpers/Context";
+import { AuthenticatedStructures } from "../../../../helpers/AuthenticatedStructures";
 type Params = Record<string, never>;
 type Query = undefined;
 type Body = undefined
@@ -35,7 +36,7 @@ export class GetOrganizationAdminsEndpoint extends Endpoint<Params, Query, Body,
         const admins = await User.getAdmins([organization.id])
         return new Response(OrganizationAdmins.create({
-            users: admins.map(a => UserStruct.create({...a, hasAccount: a.hasAccount()})),
+            users: await AuthenticatedStructures.usersWithMembers(admins)
         }));
     }
 }

package/src/endpoints/organization/shared/ExchangePaymentEndpoint.ts CHANGED Viewed

@@ -101,8 +101,9 @@ export class ExchangePaymentEndpoint extends Endpoint<Params, Query, Body, Respo
             // Prevent concurrency issues
             await QueueHandler.schedule("balance-item-update/"+organization.id, async () => {
+                const unloaded = (await BalanceItemPayment.where({paymentId: payment.id})).map(r => r.setRelation(BalanceItemPayment.payment, payment))
                 const balanceItemPayments = await BalanceItemPayment.balanceItem.load(
-                    (await BalanceItemPayment.where({paymentId: payment.id})).map(r => r.setRelation(BalanceItemPayment.payment, payment))
+                    unloaded
                 );
                 for (const balanceItemPayment of balanceItemPayments) {

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { AutoEncoderPatchType, PatchMap } from "@simonbackx/simple-encoding"
 import { SimpleError } from "@simonbackx/simple-errors"
-import { BalanceItem, Document, DocumentTemplate, EmailTemplate, Group, Member, MemberWithRegistrations, Order, Organization, Payment, Registration, User, Webshop } from "@stamhoofd/models"
+import { BalanceItem, Document, DocumentTemplate, EmailTemplate, Event, Group, Member, MemberWithRegistrations, Order, Organization, Payment, Registration, User, Webshop } from "@stamhoofd/models"
 import { AccessRight, GroupCategory, GroupStatus, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory } from "@stamhoofd/structures"
 import { Formatter } from "@stamhoofd/utility"
@@ -11,6 +11,10 @@ import { Formatter } from "@stamhoofd/utility"
 export class AdminPermissionChecker {
     organization: Organization|null
     user: User
+    /**
+     * The member that is linked to this user = is this user
+     */
+    member: MemberWithRegistrations|null = null
     platform: PlatformStruct
     organizationCache: Map<string, Organization|Promise<Organization|undefined>> = new Map()
@@ -143,6 +147,13 @@ export class AdminPermissionChecker {
         if (!this.checkScope(group.organizationId)) {
             return false
         }
+        const organization = await this.getOrganization(group.organizationId)
+        if (group.periodId !== organization.periodId) {
+            if (!await this.hasFullAccess(group.organizationId)) {
+                return false
+            }
+        }
         if (group.deletedAt || group.status === GroupStatus.Archived) {
             return await this.canAccessArchivedGroups(group.organizationId);
@@ -160,7 +171,6 @@ export class AdminPermissionChecker {
         }
         // Check parent categories
-        const organization = await this.getOrganization(group.organizationId)
         const parentCategories = group.getParentCategories(organization.meta.categories)
         for (const category of parentCategories) {
             if (organizationPermissions.hasResourceAccess(PermissionsResourceType.GroupCategories, category.id, permissionLevel)) {
@@ -171,6 +181,28 @@ export class AdminPermissionChecker {
         return false;
     }
+    async canAccessEvent(event: Event, permissionLevel: PermissionLevel = PermissionLevel.Read): Promise<boolean> {
+        // Check permissions aren't scoped to a specific organization, and they mismatch
+        if (!this.checkScope(event.organizationId)) {
+            return false
+        }
+        if (permissionLevel !== PermissionLevel.Read) {
+            if (event.organizationId) {
+                // Need full access for now
+                if (!await this.hasFullAccess(event.organizationId)) {
+                    return false
+                }
+            } else {
+                if (!this.hasPlatformFullAccess()) {
+                    return false
+                }
+            }
+        }
+        return true;
+    }
     async canAccessArchivedGroups(organizationId: string) {
         return await this.hasFullAccess(organizationId)
     }
@@ -192,6 +224,12 @@ export class AdminPermissionChecker {
             return true
         }
+        if (member.registrations.length === 0 && permissionLevel !== PermissionLevel.Full && (this.organization && await this.hasFullAccess(this.organization.id, PermissionLevel.Full))) {
+            // Everyone with at least full access to at least one organization can access this member
+            // This allows organizations to register new members themselves
+            return true;
+        }
         for (const registration of member.registrations) {
             if (await this.canAccessRegistration(registration, permissionLevel)) {
                 return true;
@@ -221,7 +259,8 @@ export class AdminPermissionChecker {
             return false;
         }
-        if (organizationPermissions.hasAccess(permissionLevel)) {
+        if (organizationPermissions.hasAccess(PermissionLevel.Full)) {
+            // Only full permissions; because non-full doesn't have access to other periods
             return true;
         }
@@ -853,6 +892,24 @@ export class AdminPermissionChecker {
         return set
     }
+    async getAccessibleGroups(organizationId: string, level: PermissionLevel = PermissionLevel.Read): Promise<string[] | 'all'> {
+        if (await this.hasFullAccess(organizationId)) {
+            return 'all'
+        }
+        const groups = await this.getOrganizationGroups(organizationId)
+        const accessibleGroups: string[] = []
+        for (const group of groups) {
+            if (await this.canAccessGroup(group, level)) {
+                accessibleGroups.push(group.id)
+            }
+        }
+        return accessibleGroups
+    }
     /**
      * Changes data inline
      */