@stamhoofd/backend 2.78.3 → 2.78.4

package/.env.ci.json

@@ -1,17 +1,28 @@
 {
     "environment": "test",
     "domains": {
-        "dashboard": "dashboard.stamhoofd.dev",
-        "registration": {
-            "": "stamhoofd.dev",
-            "BE": "dev.stamhoofd.be",
-            "NL": "dev.stamhoofd.nl"
+        "dashboard": "dashboard.stamhoofd",
+        "marketing": {
+            "": "www.be.stamhoofd",
+            "BE": "www.be.stamhoofd",
+            "NL": "www.nl.stamhoofd"
         },
-        "webshop": "shop.stamhoofd.dev",
-        "api": "api.stamhoofd.dev",
+        "webshop": {
+            "": "shop.be.stamhoofd",
+            "BE": "shop.be.stamhoofd",
+            "NL": "shop.nl.stamhoofd"
+        },
+        "api": "api.stamhoofd",
+        "rendererApi": "renderer.stamhoofd",
+            
+        "defaultTransactionalEmail": {
+            "": "stamhoofd.be"
+        },
+
         "defaultBroadcastEmail": {
             "": "stamhoofd.email"
-        }
+        },
+        "webshopCname": "shop.stamhoofd"
     },
     
     "PORT": 9091,

package/index.ts

@@ -60,10 +60,13 @@ const start = async () => {
     await UniqueUserService.check();
 
     // Init platform shared struct: otherwise permissions won't work with missing responsibilities
+    console.log('Loading platform...');
     await Platform.getSharedStruct();
 
     const router = new Router();
 
+    console.log('Loading endpoints...');
+
     // Note: we should load endpoints one by once to have a reliable order of url matching
     await router.loadAllEndpoints(__dirname + '/src/endpoints/global/*');
     await router.loadAllEndpoints(__dirname + '/src/endpoints/admin/*');
@@ -76,6 +79,7 @@ const start = async () => {
 
     router.endpoints.push(new CORSPreflightEndpoint());
 
+    console.log('Creating router...');
     const routerServer = new RouterServer(router);
     routerServer.verbose = false;
 
@@ -104,6 +108,8 @@ const start = async () => {
     // Add CORS headers
     routerServer.addResponseMiddleware(CORSMiddleware);
 
+    console.log('Loading loaders...');
+
     // Register Excel loaders
     await import('./src/excel-loaders/members');
     await import('./src/excel-loaders/payments');
@@ -115,6 +121,7 @@ const start = async () => {
     await import('./src/email-recipient-loaders/orders');
     await import('./src/email-recipient-loaders/receivable-balances');
 
+    console.log('Opening port...');
     routerServer.listen(STAMHOOFD.PORT ?? 9090);
 
     const hrend = process.hrtime(bootTime);

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.78.3",
+    "version": "2.78.4",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -37,14 +37,14 @@
         "@simonbackx/simple-encoding": "2.20.0",
         "@simonbackx/simple-endpoints": "1.19.1",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.78.3",
-        "@stamhoofd/backend-middleware": "2.78.3",
-        "@stamhoofd/email": "2.78.3",
-        "@stamhoofd/models": "2.78.3",
-        "@stamhoofd/queues": "2.78.3",
-        "@stamhoofd/sql": "2.78.3",
-        "@stamhoofd/structures": "2.78.3",
-        "@stamhoofd/utility": "2.78.3",
+        "@stamhoofd/backend-i18n": "2.78.4",
+        "@stamhoofd/backend-middleware": "2.78.4",
+        "@stamhoofd/email": "2.78.4",
+        "@stamhoofd/models": "2.78.4",
+        "@stamhoofd/queues": "2.78.4",
+        "@stamhoofd/sql": "2.78.4",
+        "@stamhoofd/structures": "2.78.4",
+        "@stamhoofd/utility": "2.78.4",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -64,5 +64,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "272bfbb259109530326ec2fd8c83af5f69d6268b"
+    "gitHead": "e8c207be8fd75320024f670d5c663eaa8306ba29"
 }

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.test.ts

@@ -0,0 +1,726 @@
+import { Database } from '@simonbackx/simple-database';
+import { PatchableArray, PatchMap } from '@simonbackx/simple-encoding';
+import { Endpoint, Request } from '@simonbackx/simple-endpoints';
+import { GroupFactory, MemberFactory, OrganizationFactory, OrganizationTagFactory, Platform, RegistrationFactory, Token, UserFactory } from '@stamhoofd/models';
+import { MemberDetails, MemberWithRegistrationsBlob, OrganizationMetaData, OrganizationRecordsConfiguration, Parent, PatchAnswers, PermissionLevel, Permissions, PermissionsResourceType, RecordCategory, RecordSettings, RecordTextAnswer, ResourcePermissions, UserPermissions } from '@stamhoofd/structures';
+import { TestUtils } from '@stamhoofd/test-utils';
+import { testServer } from '../../../../tests/helpers/TestServer';
+import { PatchOrganizationMembersEndpoint } from './PatchOrganizationMembersEndpoint';
+
+const baseUrl = `/organization/members`;
+const endpoint = new PatchOrganizationMembersEndpoint();
+type EndpointType = typeof endpoint;
+type Body = EndpointType extends Endpoint<any, any, infer B, any> ? B : never;
+
+const firstName = 'John';
+const lastName = 'Doe';
+const birthDay = { year: 1993, month: 4, day: 5 };
+
+const errorWithCode = (code: string) => expect.objectContaining({ code }) as jest.Constructable;
+
+describe('Endpoint.PatchOrganizationMembersEndpoint', () => {
+    beforeEach(async () => {
+        TestUtils.setEnvironment('userMode', 'platform');
+    });
+
+    afterEach(async () => {
+        // Delete all members (so the duplicate checks work as expected)
+        await Database.delete('DELETE FROM `members`');
+    });
+
+    describe('Duplicate members', () => {
+        test('The security code should be a requirement', async () => {
+            const organization = await new OrganizationFactory({ }).create();
+            const user = await new UserFactory({
+                permissions: Permissions.create({ level: PermissionLevel.Full }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const existingMember = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: true,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const put = MemberWithRegistrationsBlob.create({
+                details: MemberDetails.create({
+                    firstName,
+                    lastName,
+                    birthDay: new Date(existingMember.details.birthDay!.getTime() + 1),
+                }),
+            });
+            arr.addPut(put);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            await expect(testServer.test(endpoint, request))
+                .rejects
+                .toThrow(errorWithCode('known_member_missing_rights'));
+        });
+
+        test('The security code is not a requirement for members without additional data', async () => {
+            const organization = await new OrganizationFactory({ }).create();
+            const user = await new UserFactory({
+                permissions: Permissions.create({ level: PermissionLevel.Full }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const existingMember = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const put = MemberWithRegistrationsBlob.create({
+                details: MemberDetails.create({
+                    firstName,
+                    lastName,
+                    birthDay: new Date(existingMember.details.birthDay!.getTime() + 1),
+                    email: 'anewemail@example.com',
+                }),
+            });
+            arr.addPut(put);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+            expect(response.status).toBe(200);
+
+            // Check id of the returned memebr matches the existing member
+            expect(response.body.members.length).toBe(1);
+            expect(response.body.members[0].id).toBe(existingMember.id);
+
+            // Check data matches the original data + changes from the put
+            const member = response.body.members[0];
+            expect(member.details.firstName).toBe(firstName);
+            expect(member.details.lastName).toBe(lastName);
+            expect(member.details.birthDay).toEqual(existingMember.details.birthDay);
+            expect(member.details.email).toBe('anewemail@example.com'); // this has been merged
+            expect(member.details.alternativeEmails).toHaveLength(0);
+        });
+
+        test('A duplicate member with existing registrations returns those registrations after a merge', async () => {
+            const organization = await new OrganizationFactory({ }).create();
+            const user = await new UserFactory({
+                permissions: Permissions.create({ level: PermissionLevel.Full }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const details = MemberDetails.create({
+                firstName,
+                lastName,
+                securityCode: 'ABC-123',
+                email: 'original@example.com',
+                parents: [
+                    Parent.create({
+                        firstName: 'Jane',
+                        lastName: 'Doe',
+                        email: 'jane.doe@example.com',
+                    }),
+                ],
+            });
+
+            const existingMember = await new MemberFactory({
+                birthDay,
+                details,
+            }).create();
+
+            // Create a registration for this member
+            const group = await new GroupFactory({ organization }).create();
+            const registration = await new RegistrationFactory({
+                member: existingMember,
+                group,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const put = MemberWithRegistrationsBlob.create({
+                details: MemberDetails.create({
+                    firstName,
+                    lastName,
+                    birthDay: new Date(existingMember.details.birthDay!.getTime() + 1),
+                    securityCode: existingMember.details.securityCode,
+                    email: 'anewemail@example.com',
+                }),
+            });
+            arr.addPut(put);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+            expect(response.status).toBe(200);
+
+            // Check id of the returned memebr matches the existing member
+            expect(response.body.members.length).toBe(1);
+            expect(response.body.members[0].id).toBe(existingMember.id);
+
+            // Check data matches the original data + changes from the put
+            const member = response.body.members[0];
+            expect(member.details.firstName).toBe(firstName);
+            expect(member.details.lastName).toBe(lastName);
+            expect(member.details.birthDay).toEqual(existingMember.details.birthDay);
+            expect(member.details.email).toBe('original@example.com'); // this has been merged
+            expect(member.details.alternativeEmails).toEqual(['anewemail@example.com']); // this has been merged
+
+            // Check the registration is still there
+            expect(member.registrations.length).toBe(1);
+            expect(member.registrations[0].id).toBe(registration.id);
+
+            // Check parent is still there
+            expect(member.details.parents.length).toBe(1);
+            expect(member.details.parents[0]).toEqual(existingMember.details.parents[0]);
+        });
+    });
+
+    describe('Permission checking', () => {
+        test('An admin cannot edit members of a different organization', async () => {
+            const organization = await new OrganizationFactory({}).create();
+            const otherOrganization = await new OrganizationFactory({}).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({
+                    level: PermissionLevel.Full,
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                organization: otherOrganization,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    firstName: 'Changed',
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            await expect(testServer.test(endpoint, request)).rejects.toThrow(errorWithCode('not_found'));
+        });
+
+        test('An admin can edit members registered in its own organization', async () => {
+            const organization = await new OrganizationFactory({}).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({
+                    level: PermissionLevel.Full,
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                organization,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    firstName: 'Changed',
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const memberStruct = response.body.members[0];
+            expect(memberStruct.details).toMatchObject({
+                firstName: 'Changed',
+            });
+        });
+
+        test('A full platform admin can edit members without registrations', async () => {
+            const organization = await new OrganizationFactory({}).create();
+
+            const user = await new UserFactory({
+                globalPermissions: Permissions.create({
+                    level: PermissionLevel.Full,
+                }),
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    firstName: 'Changed',
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const memberStruct = response.body.members[0];
+            expect(memberStruct.details).toMatchObject({
+                firstName: 'Changed',
+            });
+        });
+
+        test('[Regression] A platform admin with all tag access can edit members without registrations', async () => {
+            const organization = await new OrganizationFactory({}).create();
+
+            const user = await new UserFactory({
+                globalPermissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([
+                        // All Tags
+                        [PermissionsResourceType.OrganizationTags, new Map(
+                            [['', ResourcePermissions.create({ level: PermissionLevel.Full })]],
+                        )],
+                    ]),
+                }),
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    firstName: 'Changed',
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const memberStruct = response.body.members[0];
+            expect(memberStruct.details).toMatchObject({
+                firstName: 'Changed',
+            });
+        });
+    });
+
+    describe('Record answers', () => {
+        test('An admin can set records of its own organization', async () => {
+            const commentsRecord = RecordSettings.create({
+                name: 'Opmerkingen',
+                externalPermissionLevel: PermissionLevel.Read, // this should be ignored since we are an admin
+            });
+
+            const recordCategory = RecordCategory.create({
+                name: 'Medische fiche',
+                records: [
+                    commentsRecord,
+                ],
+            });
+            const organization = await new OrganizationFactory({
+                meta: OrganizationMetaData.create({
+                    recordsConfiguration: OrganizationRecordsConfiguration.create({
+                        recordCategories: [recordCategory],
+                    }),
+                }),
+            }).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({ level: PermissionLevel.Full }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                organization,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const recordAnswers = new PatchMap() as PatchAnswers;
+
+            recordAnswers.set(commentsRecord.id, RecordTextAnswer.create({
+                settings: commentsRecord,
+                value: 'Some comments',
+            }));
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    recordAnswers,
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const struct = response.body.members[0];
+            expect(struct.details.recordAnswers.get(commentsRecord.id)).toMatchObject({
+                value: 'Some comments',
+            });
+        });
+
+        test('An admin with read only record category permission cannot set the records in that category', async () => {
+            const commentsRecord = RecordSettings.create({
+                name: 'Opmerkingen',
+            });
+
+            const recordCategory = RecordCategory.create({
+                name: 'Medische fiche',
+                records: [
+                    commentsRecord,
+                ],
+            });
+            const organization = await new OrganizationFactory({
+                meta: OrganizationMetaData.create({
+                    recordsConfiguration: OrganizationRecordsConfiguration.create({
+                        recordCategories: [recordCategory],
+                    }),
+                }),
+            }).create();
+
+            const group = await new GroupFactory({ organization }).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([
+                        [PermissionsResourceType.RecordCategories, new Map([
+                            [recordCategory.id, ResourcePermissions.create({ level: PermissionLevel.Read })],
+                        ])],
+                        [PermissionsResourceType.Groups, new Map([
+                            [group.id, ResourcePermissions.create({ level: PermissionLevel.Full })],
+                        ])],
+                    ]),
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                group,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const recordAnswers = new PatchMap() as PatchAnswers;
+
+            recordAnswers.set(commentsRecord.id, RecordTextAnswer.create({
+                settings: commentsRecord,
+                value: 'Some comments',
+            }));
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    recordAnswers,
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            await expect(testServer.test(endpoint, request)).rejects.toThrow(errorWithCode('permission_denied'));
+        });
+
+        test('An admin without record category permission cannot set the records in that category', async () => {
+            const commentsRecord = RecordSettings.create({
+                name: 'Opmerkingen',
+            });
+
+            const recordCategory = RecordCategory.create({
+                name: 'Medische fiche',
+                records: [
+                    commentsRecord,
+                ],
+            });
+            const organization = await new OrganizationFactory({
+                meta: OrganizationMetaData.create({
+                    recordsConfiguration: OrganizationRecordsConfiguration.create({
+                        recordCategories: [recordCategory],
+                    }),
+                }),
+            }).create();
+
+            const group = await new GroupFactory({ organization }).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([
+                        [PermissionsResourceType.Groups, new Map([
+                            [group.id, ResourcePermissions.create({ level: PermissionLevel.Full })],
+                        ])],
+                    ]),
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                group,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const recordAnswers = new PatchMap() as PatchAnswers;
+
+            recordAnswers.set(commentsRecord.id, RecordTextAnswer.create({
+                settings: commentsRecord,
+                value: 'Some comments',
+            }));
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    recordAnswers,
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            await expect(testServer.test(endpoint, request)).rejects.toThrow(errorWithCode('permission_denied'));
+        });
+
+        test('An admin can set records of the platform', async () => {
+            const commentsRecord = RecordSettings.create({
+                name: 'Opmerkingen',
+            });
+
+            const recordCategory = RecordCategory.create({
+                name: 'Medische fiche',
+                records: [
+                    commentsRecord,
+                ],
+            });
+
+            const platform = await Platform.getShared();
+            platform.config.recordsConfiguration.recordCategories.push(recordCategory);
+            await platform.save();
+
+            const organization = await new OrganizationFactory({}).create();
+            const group = await new GroupFactory({ organization }).create();
+
+            const user = await new UserFactory({
+                permissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([
+                        [PermissionsResourceType.RecordCategories, new Map([
+                            [recordCategory.id, ResourcePermissions.create({ level: PermissionLevel.Write })],
+                        ])],
+                        [PermissionsResourceType.Groups, new Map([
+                            [group.id, ResourcePermissions.create({ level: PermissionLevel.Full })],
+                        ])],
+                    ]),
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                group,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const recordAnswers = new PatchMap() as PatchAnswers;
+
+            recordAnswers.set(commentsRecord.id, RecordTextAnswer.create({
+                settings: commentsRecord,
+                value: 'Some comments',
+            }));
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    recordAnswers,
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const struct = response.body.members[0];
+            expect(struct.details.recordAnswers.get(commentsRecord.id)).toMatchObject({
+                value: 'Some comments',
+            });
+        });
+
+        test('[Regression] A platform admin with tag-access to an organization can change platform records', async () => {
+            const commentsRecord = RecordSettings.create({
+                name: 'Opmerkingen',
+            });
+
+            const recordCategory = RecordCategory.create({
+                name: 'Medische fiche',
+                records: [
+                    commentsRecord,
+                ],
+            });
+
+            const platform = await Platform.getShared();
+            platform.config.recordsConfiguration.recordCategories.push(recordCategory);
+            await platform.save();
+
+            const tag = await new OrganizationTagFactory({}).create();
+            const organization = await new OrganizationFactory({
+                tags: [tag.id],
+            }).create();
+            const group = await new GroupFactory({ organization }).create();
+
+            const user = await new UserFactory({
+                globalPermissions: Permissions.create({
+                    level: PermissionLevel.None,
+                    resources: new Map([
+                        [PermissionsResourceType.OrganizationTags, new Map([
+                            [tag.id, ResourcePermissions.create({ level: PermissionLevel.Full })],
+                        ])],
+                    ]),
+                }),
+                organization, // since we are in platform mode, this will only set the permissions for this organization
+            }).create();
+
+            const member = await new MemberFactory({
+                firstName,
+                lastName,
+                birthDay,
+                generateData: false,
+            }).create();
+
+            // Register this member
+            await new RegistrationFactory({
+                member,
+                group,
+            }).create();
+
+            const token = await Token.createToken(user);
+
+            const recordAnswers = new PatchMap() as PatchAnswers;
+
+            recordAnswers.set(commentsRecord.id, RecordTextAnswer.create({
+                settings: commentsRecord,
+                value: 'Some comments',
+            }));
+
+            const arr: Body = new PatchableArray();
+            const patch = MemberWithRegistrationsBlob.patch({
+                id: member.id,
+                details: MemberDetails.patch({
+                    recordAnswers,
+                }),
+            });
+            arr.addPatch(patch);
+
+            const request = Request.buildJson('PATCH', baseUrl, organization.getApiHost(), arr);
+            request.headers.authorization = 'Bearer ' + token.accessToken;
+            const response = await testServer.test(endpoint, request);
+
+            // Check returned
+            expect(response.status).toBe(200);
+            expect(response.body.members.length).toBe(1);
+            const struct = response.body.members[0];
+            expect(struct.details.recordAnswers.get(commentsRecord.id)).toMatchObject({
+                value: 'Some comments',
+            });
+        });
+    });
+});

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts

@@ -16,8 +16,7 @@ import { MemberUserSyncer } from '../../../helpers/MemberUserSyncer';
 import { SetupStepUpdater } from '../../../helpers/SetupStepUpdater';
 import { PlatformMembershipService } from '../../../services/PlatformMembershipService';
 import { RegistrationService } from '../../../services/RegistrationService';
-import { shouldCheckIfMemberIsDuplicateForPatch, shouldCheckIfMemberIsDuplicateForPut } from './shouldCheckIfMemberIsDuplicate';
-import { AuditLogService } from '../../../services/AuditLogService';
+import { shouldCheckIfMemberIsDuplicateForPatch } from './shouldCheckIfMemberIsDuplicate';
 
 type Params = Record<string, never>;
 type Query = undefined;
@@ -109,12 +108,10 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             struct.details.cleanData();
             member.details = struct.details;
 
-            if (shouldCheckIfMemberIsDuplicateForPut(struct)) {
-                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode);
-                if (duplicate) {
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode, 'put');
+            if (duplicate) {
                 // Merge data
-                    member = duplicate;
-                }
+                member = duplicate;
             }
 
             // We risk creating a new member without being able to access it manually afterwards
@@ -159,12 +156,11 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             const securityCode = patch.details?.securityCode; // will get cleared after the filter
 
             if (!member) {
-                throw Context.auth.notFoundOrNoAccess('Je hebt geen toegang tot dit lid of het bestaat niet');
+                throw Context.auth.memberNotFoundOrNoAccess();
             }
 
-            if (!await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
-                // Still allowed if you provide a security code
-                await PatchOrganizationMembersEndpoint.checkSecurityCode(member, securityCode);
+            if (!(await Context.auth.canAccessMember(member, PermissionLevel.Write))) {
+                await PatchOrganizationMembersEndpoint.checkSecurityCode(member, securityCode, 'patch');
             }
 
             patch = await Context.auth.filterMemberPatch(member, patch);
@@ -194,7 +190,7 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             }
 
             if (shouldCheckDuplicate) {
-                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode);
+                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode, 'patch');
 
                 if (duplicate) {
                     // Remove the member from the list
@@ -759,8 +755,8 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
         }
     }
 
-    static async checkSecurityCode(member: MemberWithRegistrations, securityCode: string | null | undefined) {
-        if (await member.isSafeToMergeDuplicateWithoutSecurityCode() || await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
+    static async checkSecurityCode(member: MemberWithRegistrations, securityCode: string | null | undefined, type: 'put' | 'patch') {
+        if ((type === 'put' && await member.isSafeToMergeDuplicateWithoutSecurityCode()) || await Context.auth.canAccessMember(member, PermissionLevel.Write)) {
             console.log('checkSecurityCode: without security code: allowed for ' + member.id);
         }
         else if (securityCode) {
@@ -802,8 +798,8 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             const log = new AuditLog();
 
             // a member has multiple organizations, so this is difficult to determine - for now it is only visible in the admin panel
-            log.organizationId = member.organizationId; 
-            
+            log.organizationId = member.organizationId;
+
             log.type = AuditLogType.MemberSecurityCodeUsed;
             log.source = AuditLogSource.Anonymous;
 
@@ -823,6 +819,9 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             await log.save();
         }
         else {
+            if (type === 'patch') {
+                throw Context.auth.memberNotFoundOrNoAccess();
+            }
             throw new SimpleError({
                 code: 'known_member_missing_rights',
                 message: 'Creating known member without sufficient access rights',
@@ -832,11 +831,25 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
         }
     }
 
-    static async checkDuplicate(member: Member, securityCode: string | null | undefined) {
+    static shouldCheckIfMemberIsDuplicate(put: Member): boolean {
+        if (put.details.firstName.length <= 3 && put.details.lastName.length <= 3) {
+            return false;
+        }
+
+        const age = put.details.age;
+        // do not check if member is duplicate for historical members
+        return age !== null && age < 81;
+    }
+
+    static async checkDuplicate(member: Member, securityCode: string | null | undefined, type: 'put' | 'patch') {
+        if (!this.shouldCheckIfMemberIsDuplicate(member)) {
+            return;
+        }
+
         // Check for duplicates and prevent creating a duplicate member by a user
         const duplicate = await this.findExistingMember(member);
         if (duplicate) {
-            await this.checkSecurityCode(duplicate, securityCode);
+            await this.checkSecurityCode(duplicate, securityCode, type);
 
             // Merge data
             // NOTE: We use mergeTwoMembers instead of mergeMultipleMembers, because we should never safe 'member' , because that one does not exist in the database

package/src/endpoints/global/members/shouldCheckIfMemberIsDuplicate.ts

@@ -1,34 +1,22 @@
 import { AutoEncoderPatchType } from '@simonbackx/simple-encoding';
 import { MemberDetails, MemberWithRegistrationsBlob } from '@stamhoofd/structures';
 
+/**
+ * Returns true when either the firstname, lastname or birthday has changed
+ */
 export function shouldCheckIfMemberIsDuplicateForPatch(patch: { details: MemberDetails | AutoEncoderPatchType<MemberDetails> | undefined }, originalDetails: MemberDetails): boolean {
     if (patch.details === undefined) {
         return false;
     }
 
-    return (
-    // has long first name
-        ((patch.details.firstName !== undefined && patch.details.firstName.length > 3) || (patch.details.firstName === undefined && originalDetails.firstName.length > 3))
-        // or has long last name
-        || ((patch.details.lastName !== undefined && patch.details.lastName.length > 3) || (patch.details.lastName === undefined && originalDetails.lastName.length > 3))
-    )
-    // has name change or birthday change
-    && (
-    // has first name change
+    // name or birthday has changed
+    if (
         (patch.details.firstName !== undefined && patch.details.firstName !== originalDetails.firstName)
-        // has last name change
         || (patch.details.lastName !== undefined && patch.details.lastName !== originalDetails.lastName)
-        // has birth day change
-        || (patch.details.birthDay !== undefined && patch.details.birthDay?.getTime() !== originalDetails.birthDay?.getTime())
-    );
-}
-
-export function shouldCheckIfMemberIsDuplicateForPut(put: MemberWithRegistrationsBlob): boolean {
-    if (put.details.firstName.length <= 3 && put.details.lastName.length <= 3) {
-        return false;
+        || (patch.details.birthDay !== undefined && patch.details.birthDay !== originalDetails.birthDay)
+    ) {
+        return true;
     }
 
-    const age = put.details.age;
-    // do not check if member is duplicate for historical members
-    return age !== null && age < 81;
+    return false;
 }

package/src/endpoints/global/registration/PatchUserMembersEndpoint.ts

@@ -8,7 +8,7 @@ import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructure
 import { Context } from '../../../helpers/Context';
 import { MemberUserSyncer } from '../../../helpers/MemberUserSyncer';
 import { PatchOrganizationMembersEndpoint } from '../../global/members/PatchOrganizationMembersEndpoint';
-import { shouldCheckIfMemberIsDuplicateForPatch, shouldCheckIfMemberIsDuplicateForPut } from '../members/shouldCheckIfMemberIsDuplicate';
+import { shouldCheckIfMemberIsDuplicateForPatch } from '../members/shouldCheckIfMemberIsDuplicate';
 type Params = Record<string, never>;
 type Query = undefined;
 type Body = PatchableArrayAutoEncoder<MemberWithRegistrationsBlob>;
@@ -61,12 +61,10 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
 
             this.throwIfInvalidDetails(member.details);
 
-            if (shouldCheckIfMemberIsDuplicateForPut(struct)) {
-                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode);
-                if (duplicate) {
-                    addedMembers.push(duplicate);
-                    continue;
-                }
+            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, struct.details.securityCode, 'put');
+            if (duplicate) {
+                addedMembers.push(duplicate);
+                continue;
             }
 
             await member.save();
@@ -79,12 +77,9 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
         for (let struct of request.body.getPatches()) {
             const member = members.find(m => m.id === struct.id);
             if (!member) {
-                throw new SimpleError({
-                    code: 'invalid_member',
-                    message: "This member does not exist or you don't have permissions to modify this member",
-                    human: 'Je probeert een lid aan te passen die niet (meer) bestaat. Er ging ergens iets mis.',
-                });
+                throw Context.auth.memberNotFoundOrNoAccess();
             }
+
             const securityCode = struct.details?.securityCode; // will get cleared after the filter
             struct = await Context.auth.filterMemberPatch(member, struct);
 
@@ -117,7 +112,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
             }
 
             if (shouldCheckDuplicate) {
-                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode);
+                const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member, securityCode, 'patch');
                 if (duplicate) {
                 // Remove the member from the list
                     members.splice(members.findIndex(m => m.id === member.id), 1);

package/src/endpoints/organization/dashboard/payments/PatchBalanceItemsEndpoint.ts

@@ -250,7 +250,7 @@ export class PatchBalanceItemsEndpoint extends Endpoint<Params, Query, Body, Res
         if (!member || !(await Context.auth.canLinkBalanceItemToMember(member))) {
             throw new SimpleError({
                 code: 'permission_denied',
-                message: 'No permission to link balanace items to this member',
+                message: 'No permission to link balance items to this member',
                 human: 'Je hebt geen toegang om aanrekeningen te maken verbonden met dit lid',
                 field: 'memberId',
             });
@@ -264,7 +264,7 @@ export class PatchBalanceItemsEndpoint extends Endpoint<Params, Query, Body, Res
         if (!user || !await Context.auth.canLinkBalanceItemToUser(balanceItem, user)) {
             throw new SimpleError({
                 code: 'permission_denied',
-                message: 'No permission to link balanace items to this user',
+                message: 'No permission to link balance items to this user',
                 human: 'Je hebt geen toegang om aanrekeningen te maken verbonden met deze gebruiker',
                 field: 'userId',
             });

package/src/helpers/AdminPermissionChecker.ts

@@ -91,6 +91,10 @@ export class AdminPermissionChecker {
         });
     }
 
+    memberNotFoundOrNoAccess(): SimpleError {
+        return this.notFoundOrNoAccess($t('Je hebt geen toegang tot dit lid of het bestaat niet'));
+    }
+
     notFoundOrNoAccess(message?: string): SimpleError {
         return new SimpleError({
             code: 'not_found',
@@ -1043,6 +1047,20 @@ export class AdminPermissionChecker {
             };
         }
 
+        // It is possible that this is a platform admin, and inherits automatic permissions for tags. So'll need to loop all the organizations where this member has an active registration for
+        if (!record.organizationId && this.platformPermissions) {
+            const organizations = Formatter.uniqueArray(member.registrations.map(r => r.organizationId));
+            for (const organizationId of organizations) {
+                const organizationPermissions = await this.getOrganizationPermissions(organizationId);
+                if (organizationPermissions && organizationPermissions.hasResourceAccess(PermissionsResourceType.RecordCategories, record.rootCategoryId, level)) {
+                    return {
+                        canAccess: true,
+                        record: record.record,
+                    };
+                }
+            }
+        }
+
         return {
             canAccess: false,
             record: record.record,
@@ -1088,8 +1106,8 @@ export class AdminPermissionChecker {
         if (isUserManager) {
             // For a user manager without an organization, we don't delete data, because when registering a new member, it doesn't have any organizations yet...
             if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
-                cloned.details.securityCode = null;
                 cloned.details.notes = null;
+                // a user manager can see the security codes
             }
 
             return cloned;

package/src/services/FileSignService.ts

@@ -22,7 +22,7 @@ export class FileSignService {
         const alg = STAMHOOFD.FILE_SIGNING_ALG || 'ES256';
 
         if (!STAMHOOFD.FILE_SIGNING_PUBLIC_KEY || !STAMHOOFD.FILE_SIGNING_PRIVATE_KEY) {
-            if (STAMHOOFD.environment !== 'development') {
+            if (STAMHOOFD.environment !== 'development' && STAMHOOFD.environment !== 'test') {
                 throw new Error('Missing environment variables for file signing. Please make sure FILE_SIGNING_PUBLIC_KEY, FILE_SIGNING_PRIVATE_KEY and FILE_SIGNING_ALG are set.');
             }