npm - @stamhoofd/backend - Versions diffs - 2.42.3 → 2.43.1 - Mend

@stamhoofd/backend 2.42.3 → 2.43.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.42.3",
+    "version": "2.43.1",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -36,14 +36,14 @@
         "@simonbackx/simple-encoding": "2.15.1",
         "@simonbackx/simple-endpoints": "1.14.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.42.3",
-        "@stamhoofd/backend-middleware": "2.42.3",
-        "@stamhoofd/email": "2.42.3",
-        "@stamhoofd/models": "2.42.3",
-        "@stamhoofd/queues": "2.42.3",
-        "@stamhoofd/sql": "2.42.3",
-        "@stamhoofd/structures": "2.42.3",
-        "@stamhoofd/utility": "2.42.3",
+        "@stamhoofd/backend-i18n": "2.43.1",
+        "@stamhoofd/backend-middleware": "2.43.1",
+        "@stamhoofd/email": "2.43.1",
+        "@stamhoofd/models": "2.43.1",
+        "@stamhoofd/queues": "2.43.1",
+        "@stamhoofd/sql": "2.43.1",
+        "@stamhoofd/structures": "2.43.1",
+        "@stamhoofd/utility": "2.43.1",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -60,5 +60,5 @@
         "postmark": "^4.0.5",
         "stripe": "^16.6.0"
     },
-    "gitHead": "ee0812960b3c22f3c13c15b0b5a84639aeba5ad8"
+    "gitHead": "49f9a42eb52688f4f4d417871da7448969623013"
 }

package/src/endpoints/global/events/PatchEventsEndpoint.ts CHANGED Viewed

@@ -52,6 +52,15 @@ export class PatchEventsEndpoint extends Endpoint<Params, Query, Body, ResponseB
             const event = new Event();
             event.organizationId = put.organizationId;
             event.meta = put.meta;
+            if (event.meta.groups && event.meta.groups.length === 0) {
+                throw new SimpleError({
+                    code: 'invalid_field',
+                    message: 'Empty groups',
+                    human: 'Kies minstens één leeftijdsgroep',
+                });
+            }
             const eventOrganization = await this.checkEventAccess(event);
             event.id = put.id;
             event.name = put.name;
@@ -122,6 +131,14 @@ export class PatchEventsEndpoint extends Endpoint<Params, Query, Body, ResponseB
                 event.organizationId = patch.organizationId;
             }
+            if (event.meta.groups && event.meta.groups.length === 0) {
+                throw new SimpleError({
+                    code: 'invalid_field',
+                    message: 'Empty groups',
+                    human: 'Kies minstens één leeftijdsgroep',
+                });
+            }
             const eventOrganization = await this.checkEventAccess(event);
             if (eventOrganization) {
                 event.meta.organizationCache = NamedObject.create({ id: eventOrganization.id, name: eventOrganization.name });

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts CHANGED Viewed

@@ -2,10 +2,11 @@ import { OneToManyRelation } from '@simonbackx/simple-database';
 import { ConvertArrayToPatchableArray, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { BalanceItem, Document, Group, Member, MemberFactory, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, Platform, Registration, SetupStepUpdater, User } from '@stamhoofd/models';
-import { GroupType, MemberWithRegistrationsBlob, MembersBlob, PermissionLevel } from '@stamhoofd/structures';
+import { BalanceItem, Document, Group, Member, MemberFactory, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, mergeTwoMembers, Organization, Platform, RateLimiter, Registration, SetupStepUpdater, User } from '@stamhoofd/models';
+import { GroupType, MembersBlob, MemberWithRegistrationsBlob, PermissionLevel } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
+import { Email } from '@stamhoofd/email';
 import { QueueHandler } from '@stamhoofd/queues';
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 import { Context } from '../../../helpers/Context';
@@ -17,6 +18,16 @@ type Query = undefined;
 type Body = PatchableArrayAutoEncoder<MemberWithRegistrationsBlob>;
 type ResponseBody = MembersBlob;
+export const securityCodeLimiter = new RateLimiter({
+    limits: [
+        {
+            // Max 10 a day
+            limit: 10,
+            duration: 24 * 60 * 1000 * 60,
+        },
+    ],
+});
 /**
  * One endpoint to create, patch and delete members and their registrations and payments
  */
@@ -92,33 +103,15 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             struct.details.cleanData();
             member.details = struct.details;
-            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member);
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode);
             if (duplicate) {
                 // Merge data
-                duplicate.details.merge(member.details);
                 member = duplicate;
-                // You need write permissions, because a user can potentially earn write permissions on a member
-                // by registering it
-                if (!await Context.auth.canAccessMember(duplicate, PermissionLevel.Write)) {
-                    throw new SimpleError({
-                        code: 'known_member_missing_rights',
-                        message: 'Creating known member without sufficient access rights',
-                        human: 'Dit lid is al bekend in het systeem, maar je hebt er geen toegang tot. Vraag iemand met de juiste toegangsrechten om dit lid voor jou toe te voegen, of vraag het lid om zelf in te schrijven via het ledenportaal.',
-                        statusCode: 400,
-                    });
-                }
             }
             // We risk creating a new member without being able to access it manually afterwards
-            if ((organization && !await Context.auth.hasFullAccess(organization.id)) || (!organization && !Context.auth.hasPlatformFullAccess())) {
-                throw new SimpleError({
-                    code: 'missing_group',
-                    message: 'Missing group',
-                    human: 'Je moet hoofdbeheerder zijn om een lid toe te voegen in het systeem',
-                    statusCode: 400,
-                });
-            }
+            // Cache access to this member temporarily in memory
+            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Write);
             if (STAMHOOFD.userMode !== 'platform' && !member.organizationId) {
                 throw new SimpleError({
@@ -132,8 +125,8 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             /**
              * In development mode, we allow some secret usernames to create fake data
              */
-            if ((STAMHOOFD.environment == 'development' || STAMHOOFD.environment == 'staging') && organization) {
-                if (member.details.firstName.toLocaleLowerCase() == 'create' && parseInt(member.details.lastName) > 0) {
+            if ((STAMHOOFD.environment === 'development' || STAMHOOFD.environment === 'staging') && organization) {
+                if (member.details.firstName.toLocaleLowerCase() === 'create' && parseInt(member.details.lastName) > 0) {
                     const count = parseInt(member.details.lastName);
                     await this.createDummyMembers(organization, count);
@@ -155,9 +148,17 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
         // Loop all members one by one
         for (let patch of request.body.getPatches()) {
             const member = members.find(m => m.id === patch.id) ?? await Member.getWithRegistrations(patch.id);
-            if (!member || !await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+            const securityCode = patch.details?.securityCode; // will get cleared after the filter
+            if (!member) {
                 throw Context.auth.notFoundOrNoAccess('Je hebt geen toegang tot dit lid of het bestaat niet');
             }
+            if (!await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+                // Still allowed if you provide a security code
+                await PatchOrganizationMembersEndpoint.checkSecurityCode(member, securityCode);
+            }
             patch = await Context.auth.filterMemberPatch(member, patch);
             if (patch.details) {
@@ -179,6 +180,19 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
                 }
             }
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode);
+            if (duplicate) {
+                // Remove the member from the list
+                const iii = members.findIndex(m => m.id === member.id);
+                if (iii !== -1) {
+                    members.splice(iii, 1);
+                }
+                // Add new
+                members.push(duplicate);
+                continue;
+            }
             await member.save();
             // Update documents
@@ -561,7 +575,7 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
         }
     }
-    static async checkDuplicate(member: Member) {
+    static async findExistingMember(member: Member) {
         if (!member.details.birthDay) {
             return;
         }
@@ -585,6 +599,69 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
         }
     }
+    static async checkSecurityCode(member: MemberWithRegistrations, securityCode: string | null | undefined) {
+        if (await member.isSafeToMergeDuplicateWithoutSecurityCode() || await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+            console.log('checkSecurityCode: without security code: allowed for ' + member.id);
+        }
+        else if (securityCode) {
+            try {
+                securityCodeLimiter.track(member.details.name, 1);
+            }
+            catch (e) {
+                Email.sendWebmaster({
+                    subject: '[Limiet] Limiet bereikt voor aantal beveiligingscodes',
+                    text: 'Beste, \nDe limiet werd bereikt voor het aantal beveiligingscodes per dag. \nNaam lid: ' + member.details.name + ' (ID: ' + member.id + ')' + '\n\n' + e.message + '\n\nStamhoofd',
+                });
+                throw new SimpleError({
+                    code: 'too_many_tries',
+                    message: 'Too many securityCodes limited',
+                    human: 'Oeps! Om spam te voorkomen limiteren we het aantal beveiligingscodes die je kan proberen. Probeer morgen opnieuw.',
+                    field: 'details.securityCode',
+                });
+            }
+            // Entered the security code, so we can link the user to the member
+            if (STAMHOOFD.environment !== 'development') {
+                if (!member.details.securityCode || securityCode !== member.details.securityCode) {
+                    throw new SimpleError({
+                        code: 'invalid_field',
+                        field: 'details.securityCode',
+                        message: 'Invalid security code',
+                        human: Context.i18n.$t('49753d6a-7ca4-4145-8024-0be05a9ab063'),
+                        statusCode: 400,
+                    });
+                }
+            }
+            console.log('checkSecurityCode: security code is correct - for ' + member.id);
+            // Grant temporary access to this member without needing to enter the security code again
+            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Write);
+        }
+        else {
+            throw new SimpleError({
+                code: 'known_member_missing_rights',
+                message: 'Creating known member without sufficient access rights',
+                human: `${member.details.firstName} is al gekend in ons systeem, maar jouw e-mailadres niet. Om toegang te krijgen heb je de beveiligingscode nodig.`,
+                statusCode: 400,
+            });
+        }
+    }
+    static async checkDuplicate(member: Member, securityCode: string | null | undefined) {
+        // Check for duplicates and prevent creating a duplicate member by a user
+        const duplicate = await this.findExistingMember(member);
+        if (duplicate) {
+            await this.checkSecurityCode(duplicate, securityCode);
+            // Merge data
+            // NOTE: We use mergeTwoMembers instead of mergeMultipleMembers, because we should never safe 'member' , because that one does not exist in the database
+            await mergeTwoMembers(duplicate, member);
+            return duplicate;
+        }
+    }
     async createDummyMembers(organization: Organization, count: number) {
         await new MemberFactory({
             organization,

package/src/endpoints/global/registration/PatchUserMembersEndpoint.ts CHANGED Viewed

@@ -1,10 +1,9 @@
 import { AutoEncoderPatchType, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Document, Member, mergeTwoMembers, RateLimiter } from '@stamhoofd/models';
+import { Document, Member, RateLimiter } from '@stamhoofd/models';
 import { MemberDetails, MembersBlob, MemberWithRegistrationsBlob } from '@stamhoofd/structures';
-import { Email } from '@stamhoofd/email';
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 import { Context } from '../../../helpers/Context';
 import { MemberUserSyncer } from '../../../helpers/MemberUserSyncer';
@@ -61,7 +60,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
             this.throwIfInvalidDetails(member.details);
-            const duplicate = await this.checkDuplicate(member, struct.details.securityCode);
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode);
             if (duplicate) {
                 addedMembers.push(duplicate);
                 continue;
@@ -75,7 +74,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
         let members = await Member.getMembersWithRegistrationForUser(user);
         for (let struct of request.body.getPatches()) {
-            const member = members.find(m => m.id == struct.id);
+            const member = members.find(m => m.id === struct.id);
             if (!member) {
                 throw new SimpleError({
                     code: 'invalid_member',
@@ -110,15 +109,15 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
                 });
             }
-            /* const duplicate = await this.checkDuplicate(member, securityCode)
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode);
             if (duplicate) {
                 // Remove the member from the list
-                members.splice(members.findIndex(m => m.id === member.id), 1)
+                members.splice(members.findIndex(m => m.id === member.id), 1);
                 // Add new
-                addedMembers.push(duplicate)
-                continue
-            } */
+                addedMembers.push(duplicate);
+                continue;
+            }
             await member.save();
             await MemberUserSyncer.onChangeMember(member);
@@ -157,62 +156,6 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
         );
     }
-    async checkDuplicate(member: Member, securityCode: string | null | undefined) {
-        // Check for duplicates and prevent creating a duplicate member by a user
-        const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member);
-        if (duplicate) {
-            if (await duplicate.isSafeToMergeDuplicateWithoutSecurityCode()) {
-                console.log('Merging duplicate without security code: allowed for ' + duplicate.id);
-            }
-            else if (securityCode) {
-                try {
-                    securityCodeLimiter.track(member.details.name, 1);
-                }
-                catch (e) {
-                    Email.sendWebmaster({
-                        subject: '[Limiet] Limiet bereikt voor aantal beveiligingscodes',
-                        text: 'Beste, \nDe limiet werd bereikt voor het aantal beveiligingscodes per dag. \nNaam lid: ' + member.details.name + ' (ID: ' + duplicate.id + ')' + '\n\n' + e.message + '\n\nStamhoofd',
-                    });
-                    throw new SimpleError({
-                        code: 'too_many_tries',
-                        message: 'Too many securityCodes limited',
-                        human: 'Oeps! Om spam te voorkomen limiteren we het aantal beveiligingscodes die je kan proberen. Probeer morgen opnieuw.',
-                        field: 'details.securityCode',
-                    });
-                }
-                // Entered the security code, so we can link the user to the member
-                if (STAMHOOFD.environment !== 'development') {
-                    if (!duplicate.details.securityCode || securityCode !== duplicate.details.securityCode) {
-                        throw new SimpleError({
-                            code: 'invalid_field',
-                            field: 'details.securityCode',
-                            message: 'Invalid security code',
-                            human: Context.i18n.$t('49753d6a-7ca4-4145-8024-0be05a9ab063'),
-                            statusCode: 400,
-                        });
-                    }
-                }
-                console.log('Merging duplicate: security code is correct - for ' + duplicate.id);
-            }
-            else {
-                throw new SimpleError({
-                    code: 'known_member_missing_rights',
-                    message: 'Creating known member without sufficient access rights',
-                    human: `${member.details.firstName} is al gekend in ons systeem, maar jouw e-mailadres niet. Om toegang te krijgen heb je de beveiligingscode nodig.`,
-                    statusCode: 400,
-                });
-            }
-            // Merge data
-            // NOTE: We use mergeTwoMembers instead of mergeMultipleMembers, because we should never safe 'member' , because that one does not exist in the database
-            await mergeTwoMembers(duplicate, member);
-            return duplicate;
-        }
-    }
     private throwIfInvalidDetails(details: MemberDetails) {
         if (details.firstName.length < 2) {
             throw new SimpleError({

package/src/endpoints/global/registration/RegisterMembersEndpoint.ts CHANGED Viewed

@@ -260,6 +260,7 @@ export class RegisterMembersEndpoint extends Endpoint<Params, Query, Body, Respo
             registration.price = 0; // will get filled by balance items themselves
             registration.groupPrice = item.groupPrice;
             registration.options = item.options;
+            registration.recordAnswers = item.recordAnswers;
             payRegistrations.push({
                 registration,

package/src/endpoints/organization/dashboard/cached-outstanding-balance/GetCachedOutstandingBalanceCountEndpoint.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { CountFilteredRequest, CountResponse } from '@stamhoofd/structures';
+import { Context } from '../../../../helpers/Context';
+import { GetCachedOutstandingBalanceEndpoint } from './GetCachedOutstandingBalanceEndpoint';
+type Params = Record<string, never>;
+type Query = CountFilteredRequest;
+type Body = undefined;
+type ResponseBody = CountResponse;
+export class GetCachedOutstandingBalanceCountEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = CountFilteredRequest as Decoder<CountFilteredRequest>;
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'GET') {
+            return [false];
+        }
+        const params = Endpoint.parseParameters(request.url, '/cached-outstanding-balance/count', {});
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        await Context.setOrganizationScope();
+        await Context.authenticate();
+        const query = await GetCachedOutstandingBalanceEndpoint.buildQuery(request.query);
+        const count = await query
+            .count();
+        return new Response(
+            CountResponse.create({
+                count,
+            }),
+        );
+    }
+}

package/src/endpoints/organization/dashboard/cached-outstanding-balance/GetCachedOutstandingBalanceEndpoint.ts ADDED Viewed

@@ -0,0 +1,142 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { CachedOutstandingBalance } from '@stamhoofd/models';
+import { compileToSQLFilter, compileToSQLSorter } from '@stamhoofd/sql';
+import { CachedOutstandingBalance as CachedOutstandingBalanceStruct, CountFilteredRequest, LimitedFilteredRequest, PaginatedResponse, StamhoofdFilter, assertSort, getSortFilter } from '@stamhoofd/structures';
+import { AuthenticatedStructures } from '../../../../helpers/AuthenticatedStructures';
+import { Context } from '../../../../helpers/Context';
+import { cachedOutstandingBalanceFilterCompilers } from '../../../../sql-filters/cached-outstanding-balance';
+import { cachedOutstandingBalanceSorters } from '../../../../sql-sorters/cached-outstanding-balance';
+type Params = Record<string, never>;
+type Query = LimitedFilteredRequest;
+type Body = undefined;
+type ResponseBody = PaginatedResponse<CachedOutstandingBalanceStruct[], LimitedFilteredRequest>;
+const sorters = cachedOutstandingBalanceSorters;
+const filterCompilers = cachedOutstandingBalanceFilterCompilers;
+export class GetCachedOutstandingBalanceEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = LimitedFilteredRequest as Decoder<LimitedFilteredRequest>;
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'GET') {
+            return [false];
+        }
+        const params = Endpoint.parseParameters(request.url, '/cached-outstanding-balance', {});
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+    static async buildQuery(q: CountFilteredRequest | LimitedFilteredRequest) {
+        const organization = Context.organization;
+        let scopeFilter: StamhoofdFilter | undefined = undefined;
+        if (!organization) {
+            throw Context.auth.error();
+        }
+        if (!await Context.auth.canManageFinances(organization.id)) {
+            throw Context.auth.error();
+        }
+        scopeFilter = {
+            organizationId: organization.id,
+        };
+        const query = CachedOutstandingBalance
+            .select();
+        if (scopeFilter) {
+            query.where(compileToSQLFilter(scopeFilter, filterCompilers));
+        }
+        if (q.filter) {
+            query.where(compileToSQLFilter(q.filter, filterCompilers));
+        }
+        if (q.search) {
+            throw new SimpleError({
+                code: 'not_implemented',
+                message: 'Zoeken in openstaande bedragen is voorlopig nog niet mogelijk',
+            });
+        }
+        if (q instanceof LimitedFilteredRequest) {
+            if (q.pageFilter) {
+                query.where(compileToSQLFilter(q.pageFilter, filterCompilers));
+            }
+            q.sort = assertSort(q.sort, [{ key: 'id' }]);
+            query.orderBy(compileToSQLSorter(q.sort, sorters));
+            query.limit(q.limit);
+        }
+        return query;
+    }
+    static async buildData(requestQuery: LimitedFilteredRequest) {
+        const query = await GetCachedOutstandingBalanceEndpoint.buildQuery(requestQuery);
+        const data = await query.fetch();
+        // todo: Create objects from data
+        let next: LimitedFilteredRequest | undefined;
+        if (data.length >= requestQuery.limit) {
+            const lastObject = data[data.length - 1];
+            const nextFilter = getSortFilter(lastObject, sorters, requestQuery.sort);
+            next = new LimitedFilteredRequest({
+                filter: requestQuery.filter,
+                pageFilter: nextFilter,
+                sort: requestQuery.sort,
+                limit: requestQuery.limit,
+                search: requestQuery.search,
+            });
+            if (JSON.stringify(nextFilter) === JSON.stringify(requestQuery.pageFilter)) {
+                console.error('Found infinite loading loop for', requestQuery);
+                next = undefined;
+            }
+        }
+        return new PaginatedResponse<CachedOutstandingBalanceStruct[], LimitedFilteredRequest>({
+            results: await AuthenticatedStructures.cachedOutstandingBalances(data),
+            next,
+        });
+    }
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        await Context.setOrganizationScope();
+        await Context.authenticate();
+        const maxLimit = Context.auth.hasSomePlatformAccess() ? 100 : 100;
+        if (request.query.limit > maxLimit) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be more than ' + maxLimit,
+            });
+        }
+        if (request.query.limit < 1) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be less than 1',
+            });
+        }
+        return new Response(
+            await GetCachedOutstandingBalanceEndpoint.buildData(request.query),
+        );
+    }
+}

package/src/endpoints/organization/dashboard/email-templates/GetEmailTemplatesEndpoint.ts CHANGED Viewed

@@ -1,11 +1,11 @@
-import { AutoEncoder, Data, Decoder, EnumDecoder, field, StringDecoder } from '@simonbackx/simple-encoding';
+import { AutoEncoder, Decoder, EnumDecoder, field, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { EmailTemplate } from '@stamhoofd/models';
 import { EmailTemplate as EmailTemplateStruct, EmailTemplateType } from '@stamhoofd/structures';
-import { Context } from '../../../../helpers/Context';
-import { StringNullableDecoder } from '../../../../decoders/StringNullableDecoder';
 import { StringArrayDecoder } from '../../../../decoders/StringArrayDecoder';
+import { StringNullableDecoder } from '../../../../decoders/StringNullableDecoder';
+import { Context } from '../../../../helpers/Context';
 type Params = Record<string, never>;
 type Body = undefined;
@@ -71,7 +71,16 @@ export class GetEmailTemplatesEndpoint extends Endpoint<Params, Query, Body, Res
                         ? await EmailTemplate.where({ webshopId: request.query.webshopId ?? null, groupId: request.query.groupIds ? { sign: 'IN', value: request.query.groupIds } : null, type: { sign: 'IN', value: types } })
                         : []
                 );
-        const defaultTemplates = await EmailTemplate.where({ organizationId: null, type: { sign: 'IN', value: types } });
-        return new Response([...templates, ...defaultTemplates].map(template => EmailTemplateStruct.create(template)));
+        const defaultTemplateTypes = organization ? types.filter(type => type !== EmailTemplateType.SavedMembersEmail) : types;
+        const defaultTemplates = await EmailTemplate.where({
+            organizationId: null,
+            type: {
+                sign: 'IN',
+                value: defaultTemplateTypes,
+            },
+        });
+        return new Response(templates.concat(defaultTemplates).map(template => EmailTemplateStruct.create(template)));
     }
 }

package/src/endpoints/organization/dashboard/payments/GetMemberBalanceEndpoint.ts CHANGED Viewed

@@ -1,6 +1,5 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
-import { BalanceItem, Group, Member } from '@stamhoofd/models';
+import { BalanceItem, Member } from '@stamhoofd/models';
 import { BalanceItemWithPayments } from '@stamhoofd/structures';
 import { Context } from '../../../../helpers/Context';

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 import { AutoEncoderPatchType, PatchMap } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, CachedOutstandingBalance, Document, DocumentTemplate, EmailTemplate, Event, Group, Member, MemberPlatformMembership, MemberWithRegistrations, Order, Organization, OrganizationRegistrationPeriod, Payment, Registration, User, Webshop } from '@stamhoofd/models';
-import { AccessRight, FinancialSupportSettings, GroupCategory, GroupStatus, LoadedPermissions, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory } from '@stamhoofd/structures';
+import { AccessRight, EventPermissionChecker, FinancialSupportSettings, GroupCategory, GroupStatus, MemberWithRegistrationsBlob, PermissionLevel, PermissionsResourceType, Platform as PlatformStruct, RecordCategory } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
+import { addTemporaryMemberAccess, hasTemporaryMemberAccess } from './TemporaryMemberAccess';
 /**
  * One class with all the responsabilities of checking permissions to each resource in the system by a given user, possibly in an organization context.
@@ -195,120 +196,11 @@ export class AdminPermissionChecker {
      * @throws error if not allowed to write this event
      */
     async checkEventAccess(event: Event): Promise<Organization | null> {
-        const accessRight: AccessRight = AccessRight.EventWrite;
-        // #region organization and groups
-        if (event.organizationId !== null) {
-            let organization: Organization | null = null;
-            let organizationPermissions: LoadedPermissions | null = null;
-            try {
-                organization = await this.getOrganization(event.organizationId);
-                organizationPermissions = await this.getOrganizationPermissions(organization);
-            }
-            catch (error) {
-                console.error(error);
-                throw new SimpleError({
-                    code: 'not_found',
-                    message: 'Event not found',
-                    human: 'De activiteit werd niet gevonden',
-                });
-            }
-            if (organizationPermissions === null) {
-                throw new SimpleError({
-                    code: 'permission_denied',
-                    message: 'Je hebt geen toegangsrechten om een activiteit te beheren voor deze organisatie.',
-                    statusCode: 403,
-                });
-            }
-            if (event.meta.groups === null) {
-                if (!organizationPermissions.hasResourceAccessRight(PermissionsResourceType.Groups, '', accessRight)) {
-                    throw new SimpleError({
-                        code: 'permission_denied',
-                        message: 'Je hebt geen toegangsrechten om een activiteit te beheren voor deze organisatie.',
-                        statusCode: 403,
-                    });
-                }
-            }
-            else {
-                for (const group of event.meta.groups) {
-                    if (!organizationPermissions.hasResourceAccessRight(PermissionsResourceType.Groups, group.id, accessRight)) {
-                        throw new SimpleError({
-                            code: 'permission_denied',
-                            message: 'Je hebt geen toegangsrechten om een activiteit te beheren voor deze groep(en).',
-                            statusCode: 403,
-                        });
-                    }
-                }
-            }
-            if (event.meta.organizationTagIds !== null) {
-                // not supported currently
-                throw new SimpleError({
-                    code: 'invalid_field',
-                    message: 'Een activiteit voor een organisatie kan geen tags bevatten.',
-                    statusCode: 403,
-                });
-            }
-            if (event.meta.defaultAgeGroupIds !== null) {
-                // not supported currently
-                throw new SimpleError({
-                    code: 'invalid_field',
-                    message: 'Een activiteit voor een organisatie kan niet beperkt worden tot specifieke standaard leeftijdsgroepen.',
-                    statusCode: 403,
-                });
-            }
-            return organization;
-        }
-        // #endregion
-        // #region platform
-        if (event.meta.groups !== null) {
-            // not supported currently
-            throw new SimpleError({
-                code: 'permission_denied',
-                message: 'Een nationale of regionale activiteit kan (momenteel) niet beperkt worden tot specifieke groepen.',
-                statusCode: 403,
-            });
-        }
-        const platformPermissions = this.platformPermissions;
-        if (!platformPermissions) {
-            throw new SimpleError({
-                code: 'permission_denied',
-                message: 'Je hebt geen toegangsrechten om een nationale of regionale activiteit te beheren.',
-                statusCode: 403,
-            });
-        }
-        // organization tags
-        if (event.meta.organizationTagIds === null) {
-            if (!(platformPermissions.hasAccessRight(accessRight) || platformPermissions.hasResourceAccessRight(PermissionsResourceType.OrganizationTags, '', accessRight))) {
-                throw new SimpleError({
-                    code: 'permission_denied',
-                    message: 'Je kan geen nationale activiteiten beheren',
-                    statusCode: 403,
-                });
-            }
-        }
-        else {
-            for (const tagId of event.meta.organizationTagIds) {
-                if (!platformPermissions.hasResourceAccessRight(PermissionsResourceType.OrganizationTags, tagId, accessRight)) {
-                    throw new SimpleError({
-                        code: 'permission_denied',
-                        message: "Je hebt geen toegangsrechten om een nationale of regionale activiteit te beheren voor deze regio('s).",
-                        statusCode: 403,
-                    });
-                }
-            }
-        }
-        // #endregion
-        return null;
+        return await EventPermissionChecker.checkEventAccessAsync(event, {
+            userPermissions: this.user.permissions,
+            platform: this.platform,
+            getOrganization: async (id: string) => await this.getOrganization(id),
+        });
     }
     async canAccessArchivedGroups(organizationId: string) {
@@ -333,9 +225,9 @@ export class AdminPermissionChecker {
             return true;
         }
-        if (member.registrations.length === 0 && permissionLevel !== PermissionLevel.Full && (this.organization && await this.hasFullAccess(this.organization.id, PermissionLevel.Full))) {
-            // Everyone with at least full access to at least one organization can access this member
-            // This allows organizations to register new members themselves
+        // Temporary access
+        if (hasTemporaryMemberAccess(this.user.id, member.id, permissionLevel)) {
+            console.log('User has temporary access to member', member.id, 'for user', this.user.id);
             return true;
         }
@@ -348,6 +240,15 @@ export class AdminPermissionChecker {
         return false;
     }
+    /**
+     * The server will temporarily grant the user access to this member, and store this in the server
+     * memory. This is required for adding new members to an organization (first add member -> then patch with registrations, which requires write access).
+     */
+    async temporarilyGrantMemberAccess(member: MemberWithRegistrations, permissionLevel: PermissionLevel = PermissionLevel.Write) {
+        console.log('Temporarily granting access to member', member.id, 'for user', this.user.id);
+        addTemporaryMemberAccess(this.user.id, member.id, permissionLevel);
+    }
     /**
      * Only full admins can delete members permanently
      */
@@ -1249,6 +1150,10 @@ export class AdminPermissionChecker {
         return !!this.platformPermissions && !!this.platformPermissions.hasAccessRight(AccessRight.PlatformLoginAs);
     }
+    canAccess(accessRight: AccessRight): boolean {
+        return !!this.platformPermissions && !!this.platformPermissions.hasAccessRight(accessRight);
+    }
     hasPlatformFullAccess(): boolean {
         return !!this.platformPermissions && !!this.platformPermissions.hasFullAccess();
     }

package/src/helpers/AuthenticatedStructures.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Event, Group, Member, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, OrganizationRegistrationPeriod, Payment, RegistrationPeriod, User, Webshop } from '@stamhoofd/models';
-import { Event as EventStruct, Group as GroupStruct, MemberPlatformMembership as MemberPlatformMembershipStruct, MemberWithRegistrationsBlob, MembersBlob, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, Organization as OrganizationStruct, PaymentGeneral, PermissionLevel, PrivateWebshop, UserWithMembers, WebshopPreview, Webshop as WebshopStruct } from '@stamhoofd/structures';
+import { CachedOutstandingBalance, Event, Group, Member, MemberPlatformMembership, MemberResponsibilityRecord, MemberWithRegistrations, Organization, OrganizationRegistrationPeriod, Payment, RegistrationPeriod, User, Webshop } from '@stamhoofd/models';
+import { AccessRight, CachedOutstandingBalanceObject, CachedOutstandingBalanceObjectContact, CachedOutstandingBalance as CachedOutstandingBalanceStruct, CachedOutstandingBalanceType, Event as EventStruct, Group as GroupStruct, MemberPlatformMembership as MemberPlatformMembershipStruct, MemberWithRegistrationsBlob, MembersBlob, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, Organization as OrganizationStruct, PaymentGeneral, PermissionLevel, PrivateWebshop, UserWithMembers, WebshopPreview, Webshop as WebshopStruct } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { Context } from './Context';
@@ -422,4 +422,40 @@ export class AuthenticatedStructures {
         return result;
     }
+    static async cachedOutstandingBalances(balances: CachedOutstandingBalance[]): Promise<CachedOutstandingBalanceStruct[]> {
+        if (balances.length === 0) {
+            return [];
+        }
+        const organizationIds = Formatter.uniqueArray(balances.filter(b => b.objectType === CachedOutstandingBalanceType.organization).map(b => b.objectId));
+        const organizations = organizationIds.length > 0 ? await Organization.getByIDs(...organizationIds) : [];
+        const admins = await User.getAdmins(organizationIds, { verified: true });
+        const organizationStructs = await this.organizations(organizations);
+        const result: CachedOutstandingBalanceStruct[] = [];
+        for (const balance of balances) {
+            const organization = organizationStructs.find(o => o.id == balance.objectId) ?? null;
+            let thisAdmins: User[] = [];
+            if (organization) {
+                thisAdmins = admins.filter(a => a.permissions && a.permissions.forOrganization(organization)?.hasAccessRight(AccessRight.OrganizationFinanceDirector));
+            }
+            const struct = CachedOutstandingBalanceStruct.create({
+                ...balance,
+                object: CachedOutstandingBalanceObject.create({
+                    name: organization?.name ?? 'Onbekend',
+                    contacts: thisAdmins.map(a => CachedOutstandingBalanceObjectContact.create({
+                        name: a.name ?? '',
+                        emails: [a.email],
+                    })),
+                }),
+            });
+            result.push(struct);
+        }
+        return result;
+    }
 }

package/src/helpers/TemporaryMemberAccess.ts ADDED Viewed

@@ -0,0 +1,40 @@
+import { getPermissionLevelNumber, PermissionLevel } from '@stamhoofd/structures';
+const userMemberTemporaryAccessCache = new Map<string, { memberId: string; level: PermissionLevel; validUntil: Date }[]>();
+export function hasTemporaryMemberAccess(userId: string, memberId, level: PermissionLevel) {
+    const list = userMemberTemporaryAccessCache.get(userId);
+    if (!list) {
+        return false;
+    }
+    const d = new Date();
+    return !!list.find(m =>
+        m.memberId === memberId
+        && getPermissionLevelNumber(m.level) >= getPermissionLevelNumber(level)
+        && m.validUntil > d,
+    );
+}
+export function addTemporaryMemberAccess(userId: string, memberId, level: PermissionLevel, timeout: number = 1000 * 60 * 60 * 24) {
+    deleteExpiredTemporaryMemberAccess();
+    let list = userMemberTemporaryAccessCache.get(userId);
+    if (!list) {
+        list = [];
+        userMemberTemporaryAccessCache.set(userId, list);
+    }
+    list.push({ memberId, level, validUntil: new Date(Date.now() + timeout) });
+}
+export function deleteExpiredTemporaryMemberAccess() {
+    const d = new Date();
+    for (const [userId, list] of userMemberTemporaryAccessCache) {
+        const filtered = list.filter(m => m.validUntil > d);
+        if (filtered.length === 0) {
+            userMemberTemporaryAccessCache.delete(userId);
+        }
+        else {
+            userMemberTemporaryAccessCache.set(userId, filtered);
+        }
+    }
+}

package/src/helpers/ViesHelper.ts CHANGED Viewed

@@ -38,7 +38,7 @@ export class ViesHelperStatic {
             patch.VATNumber = await ViesHelper.checkVATNumber(company.address.country, company.VATNumber);
             if (company.address.country === Country.Belgium) {
-                patch.companyNumber = company.VATNumber;
+                patch.companyNumber = company.VATNumber.substring(2);
             }
         }
@@ -66,8 +66,14 @@ export class ViesHelperStatic {
         }
         // In Belgium, the company number syntax is the same as VAT number
+        let correctedVATNumber = companyNumber;
-        const result = jsvat.checkVAT(companyNumber, [jsvat.belgium]);
+        if (companyNumber.length > 2 && companyNumber.substr(0, 2) !== country) {
+            // Add required country in VAT number
+            correctedVATNumber = country + companyNumber;
+        }
+        const result = jsvat.checkVAT(correctedVATNumber, [jsvat.belgium]);
         if (!result.isValid) {
             throw new SimpleError({
@@ -79,11 +85,11 @@ export class ViesHelperStatic {
         // If this is a valid VAT number, we can assume it's a valid company number
         try {
-            const corrected = await this.checkVATNumber(Country.Belgium, companyNumber);
+            const corrected = await this.checkVATNumber(Country.Belgium, correctedVATNumber);
             // this is a VAT number, not a company number
             return {
-                companyNumber: corrected,
+                companyNumber: corrected.substring(2),
                 VATNumber: corrected,
             };
         }
@@ -98,7 +104,7 @@ export class ViesHelperStatic {
         }
         return {
-            companyNumber: result.value ?? companyNumber,
+            companyNumber: result.value?.substring(2) ?? companyNumber,
             // VATNumber should always be set to null if it is not a valid VAT number
             VATNumber: null,
@@ -144,6 +150,12 @@ export class ViesHelperStatic {
             }
             // Unavailable: ignore for now
             console.error('VIES error', e);
+            throw new SimpleError({
+                code: 'service_unavailable',
+                message: 'De BTW-nummer validatie service (VIES) is tijdelijk niet beschikbaar. Probeer het later opnieuw.',
+                field: 'VATNumber',
+            });
         }
         return formatted;

package/src/sql-filters/cached-outstanding-balance.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { SQLFilterDefinitions, baseSQLFilterCompilers, createSQLColumnFilterCompiler } from '@stamhoofd/sql';
+/**
+ * Defines how to filter cached balance items in the database from StamhoofdFilter objects
+ */
+export const cachedOutstandingBalanceFilterCompilers: SQLFilterDefinitions = {
+    ...baseSQLFilterCompilers,
+    id: createSQLColumnFilterCompiler('id'),
+    organizationId: createSQLColumnFilterCompiler('organizationId'),
+    objectType: createSQLColumnFilterCompiler('objectType'),
+    amount: createSQLColumnFilterCompiler('amount'),
+    amountPending: createSQLColumnFilterCompiler('amountPending'),
+};

package/src/sql-sorters/cached-outstanding-balance.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { CachedOutstandingBalance } from '@stamhoofd/models';
+import { SQL, SQLOrderBy, SQLOrderByDirection, SQLSortDefinitions } from '@stamhoofd/sql';
+export const cachedOutstandingBalanceSorters: SQLSortDefinitions<CachedOutstandingBalance> = {
+    // WARNING! TEST NEW SORTERS THOROUGHLY!
+    // Try to avoid creating sorters on fields that er not 1:1 with the database, that often causes pagination issues if not thought through
+    // An example: sorting on 'name' is not a good idea, because it is a concatenation of two fields.
+    // You might be tempted to use ORDER BY firstName, lastName, but that will not work as expected and it needs to be ORDER BY CONCAT(firstName, ' ', lastName)
+    // Why? Because ORDER BY firstName, lastName produces a different order dan ORDER BY CONCAT(firstName, ' ', lastName) if there are multiple people with spaces in the first name
+    // And that again causes issues with pagination because the next query will append a filter of name > 'John Doe' - causing duplicate and/or skipped results
+    // What if you need mapping? simply map the sorters in the frontend: name -> firstname, lastname, age -> birthDay, etc.
+    id: {
+        getValue(a) {
+            return a.id;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('id'),
+                direction,
+            });
+        },
+    },
+    amount: {
+        getValue(a) {
+            return a.amount;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('amount'),
+                direction,
+            });
+        },
+    },
+    amountPending: {
+        getValue(a) {
+            return a.amountPending;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('amountPending'),
+                direction,
+            });
+        },
+    },
+};