@stamhoofd/backend 2.4.0 → 2.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.4.0",
+    "version": "2.5.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -50,5 +50,5 @@
         "postmark": "4.0.2",
         "stripe": "^11.5.0"
     },
-    "gitHead": "5313c328ca0e90544bf198bc6bebc90d7dced2aa"
+    "gitHead": "07cc26af0e3036e4ae4309a268fbf57b7f6ac2ed"
 }

package/src/endpoints/admin/invoices/GetInvoicesEndpoint.ts

@@ -169,7 +169,7 @@ export class GetInvoicesEndpoint extends Endpoint<Params, Query, Body, ResponseB
                 STInvoicePrivate.create({
                     ...invoice,
                     payment: payment ? PaymentStruct.create(payment) : null,
-                    organization: organization ? (await organization.getStructure({emptyGroups: true})) : undefined,
+                    organization: organization ? organization.getBaseStructure() : undefined,
                     settlement: payment?.settlement ?? null,
                 })
             )

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts

@@ -106,16 +106,29 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
                 duplicate.details.merge(member.details)
                 member = duplicate
 
-                // Only save after checking permissions
+                // You need write permissions, because a user can potentially earn write permissions on a member
+                // by registering it
+                if (!await Context.auth.canAccessMember(duplicate, PermissionLevel.Write)) {
+                    throw new SimpleError({
+                        code: "known_member_missing_rights",
+                        message: "Creating known member without sufficient access rights",
+                        human: "Dit lid is al bekend in het systeem, maar je hebt er geen toegang tot. Vraag iemand met de juiste toegangsrechten om dit lid voor jou toe te voegen, of vraag het lid om zelf in te schrijven via het ledenportaal.",
+                        statusCode: 400
+                    })
+                }
             }
 
             if (struct.registrations.length === 0) {
-                 throw new SimpleError({
-                    code: "missing_group",
-                    message: "Missing group",
-                    human: "Schrijf een nieuw lid altijd in voor minstens één groep",
-                    statusCode: 400
-                })
+                // We risk creating a new member without being able to access it manually afterwards
+
+                if ((organization && !await Context.auth.hasFullAccess(organization.id)) || (!organization && !Context.auth.hasPlatformFullAccess())) {
+                    throw new SimpleError({
+                        code: "missing_group",
+                        message: "Missing group",
+                        human: "Je moet hoofdbeheerder zijn om een lid toe te voegen zonder inschrijving in het systeem",
+                        statusCode: 400
+                    })
+                }
             }
 
             // Throw early
@@ -223,7 +236,7 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             // Update registrations
             for (const patchRegistration of patch.registrations.getPatches()) {
                 const registration = member.registrations.find(r => r.id === patchRegistration.id)
-                if (!registration || registration.memberId != member.id) {
+                if (!registration || registration.memberId != member.id || (!await Context.auth.canAccessRegistration(registration, PermissionLevel.Write))) {
                     throw new SimpleError({
                         code: "permission_denied",
                         message: "You don't have permissions to access this endpoint",

package/src/endpoints/global/organizations/GetOrganizationFromDomainEndpoint.ts

@@ -4,6 +4,7 @@ import { SimpleError } from '@simonbackx/simple-errors';
 import { Organization } from '@stamhoofd/models';
 import { Organization as OrganizationStruct } from "@stamhoofd/structures";
 import { GoogleTranslateHelper } from "@stamhoofd/utility";
+import { AuthenticatedStructures } from "../../../helpers/AuthenticatedStructures";
 type Params = Record<string, never>;
 
 class Query extends AutoEncoder {
@@ -60,7 +61,7 @@ export class GetOrganizationFromDomainEndpoint extends Endpoint<Params, Query, B
                         statusCode: 404
                     })
                 }
-                return new Response(await organization.getStructure());
+                return new Response(await AuthenticatedStructures.organization(organization));
             }
         }
 
@@ -75,6 +76,6 @@ export class GetOrganizationFromDomainEndpoint extends Endpoint<Params, Query, B
                 statusCode: 404
             })
         }
-        return new Response(await organization.getStructure());
+        return new Response(await AuthenticatedStructures.organization(organization));
     }
 }

package/src/endpoints/global/organizations/GetOrganizationFromUriEndpoint.ts

@@ -4,6 +4,7 @@ import { SimpleError } from '@simonbackx/simple-errors';
 import { Organization } from '@stamhoofd/models';
 import { Organization as OrganizationStruct } from "@stamhoofd/structures";
 import { GoogleTranslateHelper } from "@stamhoofd/utility";
+import { AuthenticatedStructures } from "../../../helpers/AuthenticatedStructures";
 type Params = Record<string, never>;
 
 class Query extends AutoEncoder {
@@ -44,6 +45,6 @@ export class GetOrganizationFromUriEndpoint extends Endpoint<Params, Query, Body
                 statusCode: 404
             })
         }
-        return new Response(await organization.getStructure());
+        return new Response(await AuthenticatedStructures.organization(organization));
     }
 }

package/src/endpoints/global/organizations/SearchOrganizationEndpoint.ts

@@ -2,6 +2,7 @@ import { AutoEncoder, Decoder, field, StringDecoder } from '@simonbackx/simple-e
 import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
 import { Organization } from "@stamhoofd/models";
 import { Organization as OrganizationStruct,OrganizationSimple } from "@stamhoofd/structures"; 
+import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 
 type Params = Record<string, never>;
 
@@ -57,6 +58,6 @@ export class SearchOrganizationEndpoint extends Endpoint<Params, Query, Body, Re
         if (request.request.getVersion() < 169) {
             return new Response(organizations.map(o => OrganizationSimple.create(o)));
         }
-        return new Response(await Promise.all(organizations.map(o => o.getStructure())));
+        return new Response(await Promise.all(organizations.map(o => AuthenticatedStructures.organization(o))));
     }
 }

package/src/endpoints/global/registration/RegisterMembersEndpoint.ts

@@ -5,8 +5,8 @@ import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-
 import { SimpleError } from '@simonbackx/simple-errors';
 import { I18n } from '@stamhoofd/backend-i18n';
 import { Email } from '@stamhoofd/email';
-import { BalanceItem, BalanceItemPayment, Group, Member, MolliePayment, MollieToken, PayconiqPayment, Payment, Platform, RateLimiter, Registration } from '@stamhoofd/models';
-import { BalanceItemStatus, IDRegisterCheckout, MemberBalanceItem, MemberDetails, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Payment as PaymentStruct, PlatformFamily, RegisterItem, RegisterResponse, Version } from "@stamhoofd/structures";
+import { BalanceItem, BalanceItemPayment, Group, Member, MemberWithRegistrations, MolliePayment, MollieToken, Organization, PayconiqPayment, Payment, Platform, RateLimiter, Registration, User } from '@stamhoofd/models';
+import { BalanceItemStatus, IDRegisterCheckout, MemberBalanceItem, MemberDetails, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Payment as PaymentStruct, PermissionLevel, PlatformFamily, PlatformMember, RegisterItem, RegisterResponse, Version } from "@stamhoofd/structures";
 import { Formatter } from '@stamhoofd/utility';
 
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
@@ -66,6 +66,17 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         const organization = await Context.setOrganizationScope();
         const {user} = await Context.authenticate()
 
+        if (request.body.asOrganizationId && request.body.asOrganizationId !== organization.id) {
+            if (!await Context.auth.hasFullAccess(request.body.asOrganizationId)) {
+                throw new SimpleError({
+                    code: "forbidden",
+                    message: "No permission to register as this organization for a different organization",
+                    human: 'Je hebt niet de juiste toegangsrechten om leden in te schrijven bij een andere organisatie.',
+                    statusCode: 403
+                });
+            }
+        }
+
         // For non paid organizations, limit amount of tests
         if (!organization.meta.packages.isPaid) {
             const limiter = demoLimiter
@@ -88,12 +99,53 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             }
         }
 
-        const members = await Member.getMembersWithRegistrationForUser(user)
-        const groups = await Group.getAll(organization.id, organization.periodId)
+        const memberIds = Formatter.uniqueArray(request.body.cart.items.map(i => i.memberId))
+        const members = await Member.getBlobByIds(...memberIds)
+        const groupIds = Formatter.uniqueArray(request.body.cart.items.map(i => i.groupId))
+        const groups = await Group.getByIDs(...groupIds)
+
+        for (const group of groups) {
+            if (group.organizationId !== organization.id) {
+                throw new SimpleError({
+                    code: "invalid_data",
+                    message: "Oeps, één of meerdere groepen waarin je probeert in te schrijven lijken niet meer te bestaan. Herlaad de pagina en probeer opnieuw."
+                })
+            }
+        }
+
+        for (const member of members) {
+            if (!await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+                throw new SimpleError({
+                    code: "forbidden",
+                    message: "No permission to register this member",
+                    human: 'Je hebt niet de juiste toegangsrechten om dit lid in te schrijven.',
+                    statusCode: 403
+                });
+            }
+        }
 
         const blob = await AuthenticatedStructures.membersBlob(members, true)
-        const family = PlatformFamily.create(blob, {platform: await Platform.getSharedStruct(), contextOrganization: await organization.getStructure()})
-        const checkout = request.body.hydrate({family})
+        const platformMembers: PlatformMember[] = []
+
+        if (request.body.asOrganizationId) {
+            const _m = PlatformFamily.createSingles(blob, {
+                platform: await Platform.getSharedStruct(),
+                contextOrganization: await AuthenticatedStructures.organization(organization)
+            })
+            platformMembers.push(..._m)
+        } else {
+            const family = PlatformFamily.create(blob, {
+                platform: await Platform.getSharedStruct(),
+                contextOrganization: await AuthenticatedStructures.organization(organization)
+            })
+            platformMembers.push(...family.members)
+        }
+
+        const checkout = request.body.hydrate({
+            members: platformMembers,
+            groups: await AuthenticatedStructures.groups(groups),
+            organizations: [await AuthenticatedStructures.organization(organization)]
+        })
         
         const registrations: RegistrationWithMemberAndGroup[] = []
         const payRegistrations: {registration: RegistrationWithMemberAndGroup, item: RegisterItem}[] = []
@@ -108,9 +160,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         // Update occupancies
         // TODO: might not be needed in the future (for performance)
         for (const group of groups) {
-            if (request.body.cart.items.find(i => i.groupId == group.id)) {
-                await group.updateOccupancy()
-            }
+            await group.updateOccupancy()
         }
 
         // Validate balance items (can only happen serverside)
@@ -135,6 +185,13 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         checkout.updatePrices()
 
         const totalPrice = checkout.totalPrice
+
+        if (totalPrice !== request.body.totalPrice) {
+            throw new SimpleError({
+                code: "changed_price",
+                message: "Oeps! De prijs is gewijzigd terwijl je aan het afrekenen was (naar "+Formatter.price(totalPrice)+"). Herlaad de pagina even om ervoor te zorgen dat je alle aangepaste prijzen ziet. Contacteer de webmaster als je dit probleem blijft ondervinden na het te herladen."
+            })
+        }
         
         if (totalPrice < 0) {
             throw new SimpleError({
@@ -146,7 +203,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
         const registrationMemberRelation = new ManyToOneRelation(Member, "member")
         registrationMemberRelation.foreignKey = "memberId"
 
-        mainLoop: for (const item of checkout.cart.items) {
+        for (const item of checkout.cart.items) {
             const member = members.find(m => m.id == item.memberId)
             if (!member) {
                 throw new SimpleError({
@@ -171,18 +228,13 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                 registration = existingRegistration
                     .setRelation(registrationMemberRelation, member as Member)
                     .setRelation(Registration.group, group)
+                
 
-                if (existingRegistration.waitingList && item.waitingList) {
-                    // already on waiting list, no need to repeat it
-                    // skip without error
-                    registrations.push(registration)
-                    continue mainLoop;
-                }
-
-                if (!existingRegistration.waitingList && existingRegistration.registeredAt !== null) {
-                    // already registered, no need to put it on the waiting list or register (and pay) again
-                    registrations.push(registration)
-                    continue mainLoop;
+                if (existingRegistration.registeredAt !== null) {
+                    throw new SimpleError({
+                        code: "already_registered",
+                        message: "Dit lid is reeds ingeschreven. Herlaad de pagina en probeer opnieuw."
+                    })
                 }
             }
 
@@ -197,31 +249,29 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             registration.memberId = member.id
             registration.groupId = group.id
             registration.cycle = group.cycle
+            registration.price = item.calculatedPrice
+
+            payRegistrations.push({
+                registration,
+                item
+            });
 
-            if (item.waitingList) {
-                registration.waitingList = true
-                registration.canRegister = false
-                registration.reservedUntil = null
-                await registration.save()
-            } else {
-                if (registration.waitingList && registration.canRegister) {
-                    // Keep data: otherwise people cannot retry if the payment fails
-                    // We'll mark the registration as valid after the payment
-                } else {
-                    registration.waitingList = false
-                    registration.canRegister = false
-                }
-                registration.price = item.calculatedPrice
-                payRegistrations.push({
-                    registration,
-                    item
-                });
-            }
             registrations.push(registration)
         }
 
+        // Who is going to pay?
+        let whoWillPay: 'member'|'organization'|'nobody' = 'member' // if this is set to 'organization', there will also be created separate balance items so the member can pay back the paying organization
+
+        if (request.body.asOrganizationId && request.body.asOrganizationId === organization.id) {
+            // Will get added to the outstanding amount of the member
+            whoWillPay = 'nobody'
+        } else if (request.body.asOrganizationId && request.body.asOrganizationId !== organization.id) {
+            // The organization will pay to the organizing organization, and it will get added to the outstanding amount of the member towards the paying organization
+            whoWillPay = 'organization'
+        }
+
         // Validate payment method
-        if (totalPrice > 0) {
+        if (totalPrice > 0 && whoWillPay !== 'nobody') {
             const allowedPaymentMethods = organization.meta.registrationPaymentConfiguration.paymentMethods
 
             if (!checkout.paymentMethod || !allowedPaymentMethods.includes(checkout.paymentMethod)) {
@@ -230,116 +280,104 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                     message: "Oeps, je hebt geen geldige betaalmethode geselecteerd. Selecteer een betaalmethode en probeer opnieuw. Herlaad de pagina indien nodig."
                 })
             }
-        } else {
-            checkout.paymentMethod = PaymentMethod.Unknown
-        }
-
-        const payment = new Payment()
-        payment.userId = user.id
-        payment.organizationId = organization.id
-        payment.method = checkout.paymentMethod
-        payment.status = PaymentStatus.Created
-        payment.price = totalPrice
-        payment.freeContribution = checkout.freeContribution
-
-        if (payment.method == PaymentMethod.Transfer) {
-            // remark: we cannot add the lastnames, these will get added in the frontend when it is decrypted
-            payment.transferSettings = organization.mappedTransferSettings
 
-            if (!payment.transferSettings.iban) {
+            if ((checkout.paymentMethod !== PaymentMethod.Transfer && checkout.paymentMethod !== PaymentMethod.PointOfSale) && (!request.body.redirectUrl || !request.body.cancelUrl)) {
                 throw new SimpleError({
-                    code: "no_iban",
-                    message: "No IBAN",
-                    human: "Er is geen rekeningnummer ingesteld voor overschrijvingen. Contacteer de beheerder."
+                    code: 'missing_fields',
+                    message: 'redirectUrl or cancelUrl is missing and is required for non-zero online payments',
+                    human: 'Er is iets mis. Contacteer de webmaster.'
                 })
             }
-
-            const m = [...payRegistrations.map(r => r.registration.member.details), ...memberBalanceItems.map(i => members.find(m => m.id === i.memberId)?.details).filter(n => n !== undefined)] as MemberDetails[]
-            payment.generateDescription(
-                organization, 
-                Formatter.groupNamesByFamily(m),
-                {
-                    name: Formatter.groupNamesByFamily(m),
-                    naam:  Formatter.groupNamesByFamily(m),
-                    email: user.email
-                }
-            )
-        }
-        payment.paidAt = null
-
-        if (totalPrice == 0) {
-            payment.status = PaymentStatus.Succeeded
-            payment.method = PaymentMethod.Unknown
-            payment.paidAt = new Date()
+        } else {
+            checkout.paymentMethod = PaymentMethod.Unknown
         }
 
-        // Determine the payment provider
-        // Throws if invalid
-        const {provider, stripeAccount} = await organization.getPaymentProviderFor(payment.method, organization.privateMeta.registrationPaymentConfiguration)
-        payment.provider = provider
-        payment.stripeAccountId = stripeAccount?.id ?? null
+        console.log('Registering members using whoWillPay', whoWillPay, checkout.paymentMethod, totalPrice)
 
-        await payment.save()
         const items: BalanceItem[] = []
-        const itemPayments: (BalanceItemPayment & { balanceItem: BalanceItem })[] = []
+        const shouldMarkValid = whoWillPay === 'nobody' || checkout.paymentMethod === PaymentMethod.Transfer || checkout.paymentMethod === PaymentMethod.PointOfSale
 
         // Save registrations and add extra data if needed
         for (const bundle of payRegistrations) {
             const registration = bundle.registration;
 
-            if (!registration.waitingList) {
-                // Replaced with balance items
-                // registration.paymentId = payment.id
+            registration.reservedUntil = null
 
-                registration.reservedUntil = null
-                registration.canRegister = false
-
-                if (payment.method == PaymentMethod.Transfer || payment.method == PaymentMethod.PointOfSale || payment.status == PaymentStatus.Succeeded) {
-                    await registration.markValid()
-                } else {
-                    // Reserve registration for 30 minutes (if needed)
-                    const group = groups.find(g => g.id === registration.groupId)
+            if (shouldMarkValid) {
+                await registration.markValid()
+            } else {
+                // Reserve registration for 30 minutes (if needed)
+                const group = groups.find(g => g.id === registration.groupId)
 
-                    if (group && group.settings.maxMembers !== null) {
-                        registration.reservedUntil = new Date(new Date().getTime() + 1000*60*30)
-                    }
-                    await registration.save()
+                if (group && group.settings.maxMembers !== null) {
+                    registration.reservedUntil = new Date(new Date().getTime() + 1000*60*30)
                 }
+                await registration.save()
+            }
+
+            if (bundle.item.calculatedPrice === 0) {
+                continue;
             }
-            
-            await registration.save()
 
             // Create balance item
             const balanceItem = new BalanceItem();
             balanceItem.registrationId = registration.id;
             balanceItem.price = bundle.item.calculatedPrice
             balanceItem.description = `Inschrijving ${registration.group.settings.name}`
-            balanceItem.pricePaid = payment.status == PaymentStatus.Succeeded ? bundle.item.calculatedPrice : 0;
-            balanceItem.memberId = registration.memberId;
-            balanceItem.userId = user.id
+
+            // Who needs to receive this money?
             balanceItem.organizationId = organization.id;
-            balanceItem.status = payment.status == PaymentStatus.Succeeded ? BalanceItemStatus.Paid : (payment.method == PaymentMethod.Transfer || payment.method == PaymentMethod.PointOfSale ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden);
-            await balanceItem.save();
 
-            // Create one balance item payment to pay it in one payment
-            const balanceItemPayment = new BalanceItemPayment()
-            balanceItemPayment.balanceItemId = balanceItem.id;
-            balanceItemPayment.paymentId = payment.id;
-            balanceItemPayment.organizationId = organization.id;
-            balanceItemPayment.price = balanceItem.price;
-            await balanceItemPayment.save();
+            // Who is responsible for payment?
+            let balanceItem2: BalanceItem | null = null
+            if (whoWillPay === 'organization' && request.body.asOrganizationId) {
+                // Create a separate balance item for this meber to pay back the paying organization
+                // this is not yet associated with a payment but will be added to the outstanding balance of the member
+
+                balanceItem.payingOrganizationId = request.body.asOrganizationId
+
+                balanceItem2 = new BalanceItem();
+
+                // NOTE: we don't connect the registrationId here
+                // because otherwise the total price and pricePaid for the registration would be incorrect
+                //balanceItem2.registrationId = registration.id;
+
+                balanceItem2.price = bundle.item.calculatedPrice
+                balanceItem2.description = `Inschrijving ${registration.group.settings.name}`
+
+                // Who needs to receive this money?
+                balanceItem2.organizationId = request.body.asOrganizationId;
+
+                // Who is responsible for payment?
+                balanceItem2.memberId = registration.memberId;
 
+                // If the paying organization hasn't paid yet, this should be hidden and move to pending as soon as the paying organization has paid
+                balanceItem2.status = shouldMarkValid ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden
+                await balanceItem2.save();
+
+                // do not add to items array because we don't want to add this to the payment if we create a payment
+            } else {
+                balanceItem.memberId = registration.memberId;
+                balanceItem.userId = user.id
+            }
+
+            balanceItem.status = shouldMarkValid ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden
+            balanceItem.pricePaid = 0
+            
+            // Connect the 'pay back' balance item to this balance item. As soon as this balance item is paid, we'll mark the other one as pending so the outstanding balance for the member increases
+            balanceItem.dependingBalanceItemId = balanceItem2?.id ?? null
+            
+            await balanceItem.save();
             items.push(balanceItem)
-            itemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
         }
         
         const oldestMember = members.slice().sort((a, b) => b.details.defaultAge - a.details.defaultAge)[0]
-        if (checkout.freeContribution) {
+        if (checkout.freeContribution && !request.body.asOrganizationId) {
             // Create balance item
             const balanceItem = new BalanceItem();
             balanceItem.price = checkout.freeContribution
             balanceItem.description = `Vrije bijdrage`
-            balanceItem.pricePaid = payment.status == PaymentStatus.Succeeded ? balanceItem.price : 0;
+            balanceItem.pricePaid = 0;
             balanceItem.userId = user.id
             balanceItem.organizationId = organization.id;
 
@@ -348,67 +386,72 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             if (oldestMember) {
                 balanceItem.memberId = oldestMember.id;
             }
-            balanceItem.status = payment.status == PaymentStatus.Succeeded ? BalanceItemStatus.Paid : (payment.method == PaymentMethod.Transfer || payment.method == PaymentMethod.PointOfSale ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden);
+            balanceItem.status = shouldMarkValid ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden
             await balanceItem.save();
-
-            // Create one balance item payment to pay it in one payment
-            const balanceItemPayment = new BalanceItemPayment()
-            balanceItemPayment.balanceItemId = balanceItem.id;
-            balanceItemPayment.paymentId = payment.id;
-            balanceItemPayment.organizationId = organization.id;
-            balanceItemPayment.price = balanceItem.price;
-            await balanceItemPayment.save();
-
             items.push(balanceItem)
-            itemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
         }
 
-        if (checkout.administrationFee) {
+        if (checkout.administrationFee && whoWillPay !== 'nobody') {
             // Create balance item
             const balanceItem = new BalanceItem();
             balanceItem.price = checkout.administrationFee
             balanceItem.description = `Administratiekosten`
-            balanceItem.pricePaid = payment.status == PaymentStatus.Succeeded ? balanceItem.price : 0;
-            balanceItem.userId = user.id
+            balanceItem.pricePaid = 0;
             balanceItem.organizationId = organization.id;
 
-            // Connect this to the oldest member
-            
-            if (oldestMember) {
-                balanceItem.memberId = oldestMember.id;
+            if (request.body.asOrganizationId) {
+                balanceItem.payingOrganizationId = request.body.asOrganizationId
+            } else {
+                balanceItem.userId = user.id
+                // Connect this to the oldest member
+                if (oldestMember) {
+                    balanceItem.memberId = oldestMember.id;
+                }
             }
-            balanceItem.status = payment.status == PaymentStatus.Succeeded ? BalanceItemStatus.Paid : (payment.method == PaymentMethod.Transfer || payment.method == PaymentMethod.PointOfSale ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden);
-            await balanceItem.save();
 
-            // Create one balance item payment to pay it in one payment
-            const balanceItemPayment = new BalanceItemPayment()
-            balanceItemPayment.balanceItemId = balanceItem.id;
-            balanceItemPayment.paymentId = payment.id;
-            balanceItemPayment.organizationId = organization.id;
-            balanceItemPayment.price = balanceItem.price;
-            await balanceItemPayment.save();
+            balanceItem.status = shouldMarkValid ? BalanceItemStatus.Pending : BalanceItemStatus.Hidden
+            await balanceItem.save();
 
             items.push(balanceItem)
-            itemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
         }
 
-        // Create a payment pending balance item
-        for (const item of checkout.cart.balanceItems) {
-            // Create one balance item payment to pay it in one payment
-            const balanceItemPayment = new BalanceItemPayment()
-            balanceItemPayment.balanceItemId = item.item.id;
-            balanceItemPayment.paymentId = payment.id;
-            balanceItemPayment.organizationId = organization.id;
-            balanceItemPayment.price = item.price;
-            await balanceItemPayment.save();
+        if (checkout.cart.balanceItems.length && whoWillPay === 'nobody') {
+            throw new Error('Not possible to pay balance items when whoWillPay is nobody')
+        }
+
+        let paymentUrl: string | null = null
+        let payment: Payment | null = null
+
+        if (whoWillPay !== 'nobody') {
+            const mappedBalanceItems = new Map<BalanceItem, number>()
 
-            const balanceItem = balanceItems.find(i => i.id === item.item.id)
-            if (!balanceItem) {
-                throw new Error('Balance item not found')
+            for (const item of items) {
+                mappedBalanceItems.set(item, item.price)
+            }
+
+            for (const item of checkout.cart.balanceItems) {
+                const balanceItem = balanceItems.find(i => i.id === item.item.id)
+                if (!balanceItem) {
+                    throw new Error('Balance item not found')
+                }
+                mappedBalanceItems.set(balanceItem, item.price)
+                items.push(balanceItem)
+            }
+
+            const response = await this.createPayment({
+                balanceItems: mappedBalanceItems,
+                organization,
+                user,
+                checkout: request.body,
+                members
+            })
+
+            if (response) {
+                paymentUrl = response.paymentUrl
+                payment = response.payment
             }
-            itemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
         }
-        items.push(...balanceItems)
+
         await ExchangePaymentEndpoint.updateOutstanding(items, organization.id)
 
         // Update occupancy
@@ -419,8 +462,126 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             }
         }
 
-        // Update balance items
+        return new Response(RegisterResponse.create({
+            payment: payment ? PaymentStruct.create(payment) : null,
+            members: await AuthenticatedStructures.membersBlob(members),
+            registrations: registrations.map(r => Member.getRegistrationWithMemberStructure(r)),
+            paymentUrl
+        }));
+    }
+
+    async createPayment({balanceItems, organization, user, checkout, members}: {balanceItems: Map<BalanceItem, number>, organization: Organization, user: User, checkout: IDRegisterCheckout, members: MemberWithRegistrations[]}) {
+        // Calculate total price to pay
+        let totalPrice = 0
+        const payMembers: MemberWithRegistrations[] = []
+
+        for (const [balanceItem, price] of balanceItems) {
+            if (organization.id !== balanceItem.organizationId) {
+                throw new Error('Unexpected balance item from other organization')
+            }
+
+            if (price < 0 || (price > 0 && price > balanceItem.price - balanceItem.pricePaid)) {
+                throw new SimpleError({
+                    code: "invalid_data",
+                    message: "Oeps, het bedrag dat je probeert te betalen is ongeldig. Herlaad de pagina en probeer opnieuw."
+                })
+            }
+            totalPrice += price
+
+            if (price > 0 && balanceItem.memberId) {
+                const member = members.find(m => m.id === balanceItem.memberId)
+                if (!member) {
+                    throw new SimpleError({
+                        code: "invalid_data",
+                        message: "Oeps, het lid dat je probeert in te schrijven konden we niet meer terugvinden. Je herlaadt best even de pagina om opnieuw te proberen."
+                    })
+                }
+                payMembers.push(member)
+            }
+        }
+
+        if (totalPrice < 0) {
+            throw new SimpleError({
+                code: "empty_data",
+                message: "Oeps! De totaalprijs is negatief."
+            })
+        }
+
+        if (totalPrice === 0) {
+            return;
+        }
+
+        if (!checkout.paymentMethod || checkout.paymentMethod === PaymentMethod.Unknown) {
+            throw new SimpleError({
+                code: "invalid_data",
+                message: "Oeps, je hebt geen betaalmethode geselecteerd. Selecteer een betaalmethode en probeer opnieuw."
+            })
+        }
+
+        const payment = new Payment()
+        payment.userId = user.id
+
+        // Who will receive this money?
+        payment.organizationId = organization.id
+
+        payment.method = checkout.paymentMethod
+        payment.status = PaymentStatus.Created
+        payment.price = totalPrice
+
         if (payment.method == PaymentMethod.Transfer) {
+            // remark: we cannot add the lastnames, these will get added in the frontend when it is decrypted
+            payment.transferSettings = organization.mappedTransferSettings
+
+            if (!payment.transferSettings.iban) {
+                throw new SimpleError({
+                    code: "no_iban",
+                    message: "No IBAN",
+                    human: "Er is geen rekeningnummer ingesteld voor overschrijvingen. Contacteer de beheerder."
+                })
+            }
+
+            const m = payMembers.map(r => r.details)
+            payment.generateDescription(
+                organization, 
+                Formatter.groupNamesByFamily(m),
+                {
+                    name: Formatter.groupNamesByFamily(m),
+                    naam:  Formatter.groupNamesByFamily(m),
+                    email: user.email
+                }
+            )
+        }
+        payment.paidAt = null
+
+        // Determine the payment provider
+        // Throws if invalid
+        const {provider, stripeAccount} = await organization.getPaymentProviderFor(payment.method, organization.privateMeta.registrationPaymentConfiguration)
+        payment.provider = provider
+        payment.stripeAccountId = stripeAccount?.id ?? null
+
+        await payment.save()
+
+        // Create balance item payments
+        const balanceItemPayments: (BalanceItemPayment & { balanceItem: BalanceItem })[] = []
+
+        for (const [balanceItem, price] of balanceItems) {
+            // Create one balance item payment to pay it in one payment
+            const balanceItemPayment = new BalanceItemPayment()
+            balanceItemPayment.balanceItemId = balanceItem.id;
+            balanceItemPayment.paymentId = payment.id;
+            balanceItemPayment.organizationId = organization.id;
+            balanceItemPayment.price = price;
+            await balanceItemPayment.save();
+
+            balanceItemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
+        }
+
+        const description = 'Inschrijving '+organization.name
+
+        let paymentUrl: string | null = null
+
+        // Update balance items
+        if (payment.method === PaymentMethod.Transfer) {
             // Send a small reminder email
             try {
                 await Registration.sendTransferEmail(user, organization, payment)
@@ -428,13 +589,20 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                 console.error("Failed to send transfer email")
                 console.error(e)
             }
-        }
+        } else if (payment.method !== PaymentMethod.PointOfSale) {
+            if (!checkout.redirectUrl || !checkout.cancelUrl) {
+                throw new Error('Should have been caught earlier')
+            }
+
+            const _redirectUrl = new URL(checkout.redirectUrl)
+            _redirectUrl.searchParams.set('id', payment.id);
+            
+            const _cancelUrl = new URL(checkout.cancelUrl)
+            _cancelUrl.searchParams.set('id', payment.id);
+            
+            const redirectUrl = _redirectUrl.href
+            const cancelUrl = _cancelUrl.href
 
-        let paymentUrl: string | null = null
-        const description = 'Inschrijving '+organization.name
-        if (payment.status != PaymentStatus.Succeeded) {
-            const redirectUrl = "https://"+organization.getHost()+'/payment?id='+encodeURIComponent(payment.id)
-            const cancelUrl = "https://"+organization.getHost()+'/payment?id='+encodeURIComponent(payment.id) + '&cancel=true'
             const webhookUrl = 'https://'+organization.getApiHost()+"/v"+Version+"/payments/"+encodeURIComponent(payment.id)+"?exchange=true"
 
             if (payment.provider === PaymentProvider.Stripe) {
@@ -449,11 +617,11 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                         user: user.id,
                         payment: payment.id
                     },
-                    i18n: request.i18n,
-                    lineItems: itemPayments,
+                    i18n: Context.i18n,
+                    lineItems: balanceItemPayments,
                     organization,
                     customer: {
-                        name: user.name ?? oldestMember?.details.name ?? 'Onbekend',
+                        name: user.name ?? payMembers[0]?.details.name ?? 'Onbekend',
                         email: user.email,
                     }
                 });
@@ -502,9 +670,9 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
                 paymentUrl = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, webhookUrl)
             } else if (payment.provider == PaymentProvider.Buckaroo) {
                 // Increase request timeout because buckaroo is super slow (in development)
-                request.request.request?.setTimeout(60 * 1000)
+                Context.request.request?.setTimeout(60 * 1000)
                 const buckaroo = new BuckarooHelper(organization.privateMeta?.buckarooSettings?.key ?? "", organization.privateMeta?.buckarooSettings?.secret ?? "", organization.privateMeta.useTestPayments ?? STAMHOOFD.environment != 'production')
-                const ip = request.request.getIP()
+                const ip = Context.request.getIP()
                 paymentUrl = await buckaroo.createPayment(payment, ip, description, redirectUrl, webhookUrl)
                 await payment.save()
 
@@ -518,11 +686,12 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             }
         }
 
-        return new Response(RegisterResponse.create({
-            payment: PaymentStruct.create(payment),
-            members: await AuthenticatedStructures.membersBlob(members),
-            registrations: registrations.map(r => Member.getRegistrationWithMemberStructure(r)),
+        return {
+            payment,
+            balanceItemPayments,
+            provider,
+            stripeAccount,
             paymentUrl
-        }));
+        }
     }
 }

package/src/endpoints/global/webshops/GetWebshopFromDomainEndpoint.ts

@@ -78,7 +78,7 @@ export class GetWebshopFromDomainEndpoint extends Endpoint<Params, Query, Body,
                     }
 
                     return new Response(GetWebshopFromDomainResult.create({
-                        organization: await organization.getStructure({emptyGroups: true}),
+                        organization: organization.getBaseStructure(),
                         webshop: WebshopStruct.create(webshop)
                     }));
                 }
@@ -113,14 +113,14 @@ export class GetWebshopFromDomainEndpoint extends Endpoint<Params, Query, Body,
             if (!webshop) {
                 // Return organization, so we know the locale + can do some custom logic
                 return new Response(GetWebshopFromDomainResult.create({
-                    organization: await organization.getStructure({emptyGroups: true}),
+                    organization: organization.getBaseStructure(),
                     webshop: null,
                     webshops: []
                 }));
             }
 
             return new Response(GetWebshopFromDomainResult.create({
-                organization: await organization.getStructure({emptyGroups: true}),
+                organization: organization.getBaseStructure(),
                 webshop: WebshopStruct.create(webshop)
             }));
         }
@@ -156,7 +156,7 @@ export class GetWebshopFromDomainEndpoint extends Endpoint<Params, Query, Body,
 
                 // Return organization, and the known webshops on this domain
                 return new Response(GetWebshopFromDomainResult.create({
-                    organization: await organization.getStructure({emptyGroups: true}),
+                    organization: organization.getBaseStructure(),
                     webshop: null,
                     webshops: webshops.map(w => WebshopPreview.create(w)).filter(w => w.isClosed(0) === false).sort((a, b) => Sorter.byStringValue(a.meta.name, b.meta.name))
                 }));
@@ -180,7 +180,7 @@ export class GetWebshopFromDomainEndpoint extends Endpoint<Params, Query, Body,
         }
 
         return new Response(GetWebshopFromDomainResult.create({
-            organization: await organization.getStructure({emptyGroups: true}),
+            organization: organization.getBaseStructure(),
             webshop: WebshopStruct.create(webshop)
         }));
     }

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts

@@ -1,10 +1,11 @@
 import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
-import { Group as GroupStruct, GroupPrivateSettings, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, PermissionLevel, PermissionsResourceType, ResourcePermissions, Version } from "@stamhoofd/structures";
+import { Group as GroupStruct, GroupPrivateSettings, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, PermissionLevel, PermissionsResourceType, ResourcePermissions, Version, GroupType } from "@stamhoofd/structures";
 
 import { AutoEncoderPatchType, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from "@simonbackx/simple-encoding";
 import { Context } from "../../../../helpers/Context";
 import { Group, Member, OrganizationRegistrationPeriod, Platform, RegistrationPeriod } from "@stamhoofd/models";
 import { SimpleError } from "@simonbackx/simple-errors";
+import { AuthenticatedStructures } from "../../../../helpers/AuthenticatedStructures";
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -33,13 +34,13 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         const organization = await Context.setOrganizationScope();
-        const {user} = await Context.authenticate()
+        await Context.authenticate()
 
         if (!await Context.auth.hasFullAccess(organization.id)) {
             throw Context.auth.error()
         }
 
-        const structs: OrganizationRegistrationPeriodStruct[] = [];
+        const periods: OrganizationRegistrationPeriod[] = [];
 
         for (const {put} of request.body.getPuts()) {
             if (!await Context.auth.hasFullAccess(organization.id)) {
@@ -70,7 +71,7 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
             // Delete unreachable categories first
             await organizationPeriod.cleanCategories(groups);
             await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
-            structs.push(organizationPeriod.getPrivateStructure(period, groups));
+            periods.push(organizationPeriod);
         }
 
         for (const patch of request.body.getPatches()) {
@@ -137,22 +138,20 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
                 await PatchOrganizationRegistrationPeriodsEndpoint.patchGroup(struct)
             }
 
-            const period = await RegistrationPeriod.getByID(organizationPeriod.periodId);
-            const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
 
             if (deleteUnreachable) {
+                const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
+
                 // Delete unreachable categories first
                 await organizationPeriod.cleanCategories(groups);
                 await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
             }
 
-            if (period) {
-                structs.push(organizationPeriod.getPrivateStructure(period, groups));
-            }
+            periods.push(organizationPeriod);
         }
 
         return new Response(
-            structs
+            await AuthenticatedStructures.organizationRegistrationPeriods(periods),
         );
     }
 
@@ -223,10 +222,64 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
         if (struct.defaultAgeGroupId !== undefined) {
             model.defaultAgeGroupId = await this.validateDefaultGroupId(struct.defaultAgeGroupId)
         }
+
+        const patch = struct;
+        if (patch.waitingList !== undefined) {
+            if (patch.waitingList === null) {
+                // delete
+                if (model.waitingListId) {
+                    // for now don't delete, as waiting lists can be shared between multiple groups
+                    // await PatchOrganizationRegistrationPeriodsEndpoint.deleteGroup(model.waitingListId)
+                    model.waitingListId = null;
+                }
+
+            } else if (patch.waitingList.isPatch()) {
+                if (!model.waitingListId) {
+                    throw new SimpleError({
+                        code: 'invalid_field',
+                        field: 'waitingList',
+                        message: 'Cannot patch waiting list before it is created'
+                    })
+                }
+                patch.waitingList.id = model.waitingListId
+                patch.waitingList.type = GroupType.WaitingList
+                await PatchOrganizationRegistrationPeriodsEndpoint.patchGroup(patch.waitingList)
+            } else {
+                if (model.waitingListId) {
+                    // for now don't delete, as waiting lists can be shared between multiple groups
+                    // await PatchOrganizationRegistrationPeriodsEndpoint.deleteGroup(model.waitingListId)
+                    model.waitingListId = null;
+                }
+                patch.waitingList.type = GroupType.WaitingList
+
+                const existing = await Group.getByID(patch.waitingList.id)
+                if (existing) {
+                    if (existing.organizationId !== model.organizationId) {
+                        throw new SimpleError({
+                            code: 'invalid_field',
+                            field: 'waitingList',
+                            message: 'Waiting list group is already used in another organization'
+                        })
+                    }
+
+                    model.waitingListId = existing.id
+                } else {
+                    const group = await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(
+                        patch.waitingList,
+                        model.organizationId,
+                        model.periodId
+                    )
+                    model.waitingListId = group.id
+                }
+            }
+        }
         
         await model.updateOccupancy()
         await model.save();
-        Member.updateMembershipsForGroupId(model.id)
+
+        if (struct.deletedAt !== undefined || struct.defaultAgeGroupId !== undefined) {
+            Member.updateMembershipsForGroupId(model.id)
+        }
     }
 
 
@@ -278,6 +331,29 @@ export class PatchOrganizationRegistrationPeriodsEndpoint extends Endpoint<Param
             })
         }
 
+        if (struct.waitingList) {
+            const existing = await Group.getByID(struct.waitingList.id)
+            if (existing) {
+                if (existing.organizationId !== model.organizationId) {
+                    throw new SimpleError({
+                        code: 'invalid_field',
+                        field: 'waitingList',
+                        message: 'Waiting list group is already used in another organization'
+                    })
+                }
+
+                model.waitingListId = existing.id
+            } else {
+                struct.waitingList.type = GroupType.WaitingList
+                const group = await PatchOrganizationRegistrationPeriodsEndpoint.createGroup(
+                    struct.waitingList,
+                    model.organizationId,
+                    model.periodId
+                )
+                model.waitingListId = group.id
+            }
+        }
+
         await model.updateOccupancy()
         await model.save();
         return model;

package/src/endpoints/organization/shared/ExchangePaymentEndpoint.ts

@@ -101,8 +101,9 @@ export class ExchangePaymentEndpoint extends Endpoint<Params, Query, Body, Respo
 
             // Prevent concurrency issues
             await QueueHandler.schedule("balance-item-update/"+organization.id, async () => {
+                const unloaded = (await BalanceItemPayment.where({paymentId: payment.id})).map(r => r.setRelation(BalanceItemPayment.payment, payment))
                 const balanceItemPayments = await BalanceItemPayment.balanceItem.load(
-                    (await BalanceItemPayment.where({paymentId: payment.id})).map(r => r.setRelation(BalanceItemPayment.payment, payment))
+                    unloaded
                 );
 
                 for (const balanceItemPayment of balanceItemPayments) {

package/src/helpers/AdminPermissionChecker.ts

@@ -224,6 +224,12 @@ export class AdminPermissionChecker {
             return true
         }
 
+        if (member.registrations.length === 0 && permissionLevel !== PermissionLevel.Full && (this.organization && await this.hasFullAccess(this.organization.id, PermissionLevel.Full))) {
+            // Everyone with at least full access to at least one organization can access this member
+            // This allows organizations to register new members themselves
+            return true;
+        }
+
         for (const registration of member.registrations) {
             if (await this.canAccessRegistration(registration, permissionLevel)) {
                 return true;

package/src/helpers/AuthenticatedStructures.ts

@@ -1,6 +1,7 @@
 import { SimpleError } from "@simonbackx/simple-errors";
 import { Event, Group, Member, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, OrganizationRegistrationPeriod, Payment, RegistrationPeriod, User, Webshop } from "@stamhoofd/models";
 import { Event as EventStruct, MemberPlatformMembership as MemberPlatformMembershipStruct, MemberResponsibilityRecord as MemberResponsibilityRecordStruct, MemberWithRegistrationsBlob, MembersBlob, Organization as OrganizationStruct, PaymentGeneral, PermissionLevel, PrivateWebshop, User as UserStruct, UserWithMembers, WebshopPreview, Webshop as WebshopStruct } from '@stamhoofd/structures';
+import { OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, GroupCategory, GroupPrivateSettings, GroupSettings, GroupStatus, Group as GroupStruct, GroupType } from '@stamhoofd/structures';
 
 import { Context } from "./Context";
 import { Formatter } from "@stamhoofd/utility";
@@ -52,10 +53,71 @@ export class AuthenticatedStructures {
     }
 
     static async group(group: Group) {
-        if (!await Context.optionalAuth?.canAccessGroup(group)) {
-            return group.getStructure()
+        return (await this.groups([group]))[0]
+    }
+
+    static async groups(groups: Group[]) {
+        const waitingListIds = Formatter.uniqueArray(groups.map(g => g.waitingListId).filter(id => id !== null) as string[])
+        const waitingLists = waitingListIds.length > 0 ? await Group.getByIDs(...waitingListIds) : []
+
+        const structs: GroupStruct[] = []
+        for (const group of groups) {
+            const waitingList = waitingLists.find(g => g.id == group.waitingListId) ?? null
+            const waitingListStruct = waitingList ? GroupStruct.create(waitingList) : null
+            if (waitingList && waitingListStruct && !await Context.optionalAuth?.canAccessGroup(waitingList)) {
+                waitingListStruct.privateSettings = null;
+            }
+
+            const struct = GroupStruct.create({
+                ...group,
+                waitingList: waitingListStruct
+            })
+
+            if (!await Context.optionalAuth?.canAccessGroup(group)) {
+                struct.privateSettings = null;
+            }
+
+            structs.push(struct)
+        }
+
+        return structs;
+    }
+
+    static async organizationRegistrationPeriods(organizationRegistrationPeriods: OrganizationRegistrationPeriod[]) {
+        if (organizationRegistrationPeriods.length === 0) {
+            return [];
+        }
+
+        const periodIds = Formatter.uniqueArray(organizationRegistrationPeriods.map(p => p.periodId))
+        const periods = await RegistrationPeriod.getByIDs(...periodIds)
+
+        const groupIds = Formatter.uniqueArray(organizationRegistrationPeriods.flatMap(p => p.settings.categories.flatMap(c => c.groupIds)))
+        const groups = groupIds.length ? await Group.getByIDs(...groupIds) : []
+
+        const groupStructs = await this.groups(groups)
+
+        const structs: OrganizationRegistrationPeriodStruct[] = []
+        for (const organizationPeriod of organizationRegistrationPeriods) {
+            const period = periods.find(p => p.id == organizationPeriod.periodId) ?? null
+            if (!period) {
+                continue
+            }
+            const groupIds = Formatter.uniqueArray(organizationPeriod.settings.categories.flatMap(c => c.groupIds))
+
+            structs.push(
+                OrganizationRegistrationPeriodStruct.create({
+                    ...organizationPeriod,
+                    period: period.getStructure(),
+                    groups: groupStructs.filter(gg => groupIds.includes(gg.id)).sort(GroupStruct.defaultSort)
+                })
+            )
         }
-        return group.getPrivateStructure()
+
+        return structs
+    }
+
+    static async organizationRegistrationPeriod(organizationRegistrationPeriod: OrganizationRegistrationPeriod) {
+        return (await this.organizationRegistrationPeriods([organizationRegistrationPeriod]))[0]
     }
 
     static async webshop(webshop: Webshop) {
@@ -66,6 +128,8 @@ export class AuthenticatedStructures {
     }
 
     static async organization(organization: Organization): Promise<OrganizationStruct> {
+        const organizationPeriod = await organization.getPeriod()
+
         if (await Context.optionalAuth?.canAccessPrivateOrganizationData(organization)) {
             const webshops = await Webshop.where({ organizationId: organization.id }, { select: Webshop.selectColumnsWithout(undefined, "products", "categories")})
             const webshopStructures: WebshopPreview[] = [] 
@@ -77,35 +141,29 @@ export class AuthenticatedStructures {
                 webshopStructures.push(WebshopPreview.create(w))
             }
 
-            const {groups, organizationPeriod, period} = await organization.getPeriod({emptyGroups: false})
-
             return OrganizationStruct.create({
-                id: organization.id,
-                name: organization.name,
-                meta: organization.meta,
-                address: organization.address,
-                registerDomain: organization.registerDomain,
-                uri: organization.uri,
-                website: organization.website,
+                ...organization.getBaseStructure(),
                 privateMeta: organization.privateMeta,
                 webshops: webshopStructures,
-                createdAt: organization.createdAt,
-                period: organizationPeriod.getPrivateStructure(period, groups)
+                period: await this.organizationRegistrationPeriod(organizationPeriod)
             })
         }
         
-        return await organization.getStructure()
+        return OrganizationStruct.create({
+            ...organization.getBaseStructure(),
+            period: await this.organizationRegistrationPeriod(organizationPeriod)
+        })
     }
 
     static async adminOrganizations(organizations: Organization[]): Promise<OrganizationStruct[]> {
         const structs: OrganizationStruct[] = [];
 
         for (const organization of organizations) {
-            const base = await organization.getStructure({emptyGroups: true})
+            const base = organization.getBaseStructure()
             structs.push(base)
         }
         
-        return structs
+        return Promise.resolve(structs)
     }
 
     static async userWithMembers(user: User): Promise<UserWithMembers> {
@@ -114,7 +172,9 @@ export class AuthenticatedStructures {
         return UserWithMembers.create({
             ...user,
             hasAccount: user.hasAccount(),
-            members: await this.membersBlob(members, false, user)
+
+            // Always include the current context organization - because it is possible we switch organization and we don't want to refetch every time
+            members: await this.membersBlob(members, true, user)
         })
     }
 
@@ -207,17 +267,19 @@ export class AuthenticatedStructures {
         // Load groups
         const groupIds = events.map(e => e.groupId).filter(id => id !== null) as string[]
         const groups = groupIds.length > 0 ? await Group.getByIDs(...groupIds) : []
+        const groupStructs = await this.groups(groups)
 
         const result: EventStruct[] = []
 
         for (const event of events) {
-            const group = groups.find(g => g.id == event.groupId) ?? null
+            const group = groupStructs.find(g => g.id == event.groupId) ?? null
 
-            if (group && await Context.auth.canAccessGroup(group)) {
-                result.push(event.getPrivateStructure(group))
-            } else {
-                result.push(event.getStructure(group))
-            }
+            const struct = EventStruct.create({
+                ...event,
+                group
+            })
+
+            result.push(struct)
         }
         
         return result

package/src/seeds/1722344160-update-membership.ts

@@ -0,0 +1,57 @@
+import { Migration } from '@simonbackx/simple-database';
+import { Member } from '@stamhoofd/models';
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment == "test") {
+        console.log("skipped in tests")
+        return;
+    }
+
+    if(STAMHOOFD.userMode !== "platform") {
+        console.log("skipped seed update-membership because usermode not platform")
+        return;
+    }
+
+    process.stdout.write('\n');
+    let c = 0;
+    let id: string = '';
+
+    while(true) {
+        const rawMembers = await Member.where({
+            id: {
+                value: id,
+                sign: '>'
+            }
+        }, {limit: 100, sort: ['id']});
+
+        // const members = await Member.getByIDs(...rawMembers.map(m => m.id));
+
+        for (const member of rawMembers) {
+            const memberWithRegistrations = await Member.getWithRegistrations(member.id);
+            if(memberWithRegistrations) {
+                await memberWithRegistrations.updateMemberships();
+                await memberWithRegistrations.save();
+            } else {
+                throw new Error("Member with registrations not found: " + member.id);
+            }
+
+            c++;
+
+            if (c%1000 === 0) {
+                process.stdout.write('.');
+            }
+            if (c%10000 === 0) {
+                process.stdout.write('\n');
+            }
+        }
+
+        if (rawMembers.length === 0) {
+            break;
+        }
+
+        id = rawMembers[rawMembers.length - 1].id;
+    }
+
+    // Do something here
+    return Promise.resolve()
+})