@stamhoofd/backend 2.91.0 → 2.93.0

package/src/endpoints/global/email-recipients/GetEmailRecipientsEndpoint.test.ts

@@ -0,0 +1,225 @@
+import { STExpect, TestUtils } from '@stamhoofd/test-utils';
+import { GetEmailRecipientsEndpoint } from './GetEmailRecipientsEndpoint';
+import { AccessRight, EmailStatus, LimitedFilteredRequest, OrganizationEmail, PermissionLevel, Permissions, PermissionsResourceType, ResourcePermissions } from '@stamhoofd/structures';
+import { Email, EmailRecipient, Organization, OrganizationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, User, UserFactory } from '@stamhoofd/models';
+import { Request } from '@simonbackx/simple-endpoints';
+import { testServer } from '../../../../tests/helpers/TestServer';
+
+const baseUrl = `/email-recipients`;
+
+describe('Endpoint.GetEmailRecipients', () => {
+    const endpoint = new GetEmailRecipientsEndpoint();
+    let period: RegistrationPeriod;
+    let organization: Organization;
+    let token: Token;
+    let user: User;
+    let sender: OrganizationEmail;
+    let sender2: OrganizationEmail;
+
+    let token2: Token;
+    let user2: User;
+
+    beforeAll(async () => {
+        TestUtils.setPermanentEnvironment('userMode', 'platform');
+        period = await new RegistrationPeriodFactory({
+            startDate: new Date(2023, 0, 1),
+            endDate: new Date(2023, 11, 31),
+        }).create();
+
+        organization = await new OrganizationFactory({ period })
+            .create();
+
+        sender = OrganizationEmail.create({
+            email: 'groepsleiding@voorbeeld.com',
+            name: 'Groepsleiding',
+        });
+        sender2 = OrganizationEmail.create({
+            email: 'kapoenen@voorbeeld.com',
+            name: 'Kapoenen',
+        });
+
+        organization.privateMeta.emails.push(sender);
+        organization.privateMeta.emails.push(sender2);
+        await organization.save();
+
+        user = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.None,
+                resources: new Map([
+                    [PermissionsResourceType.Senders, new Map([['', ResourcePermissions.create({
+                        resourceName: sender.name!,
+                        level: PermissionLevel.Read,
+                    })]])],
+                ]),
+            }),
+        })
+            .create();
+
+        token = await Token.createToken(user);
+
+        user2 = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.None,
+                resources: new Map([
+                    [PermissionsResourceType.Senders, new Map([[sender2.id, ResourcePermissions.create({
+                        resourceName: sender.name!,
+                        level: PermissionLevel.Read,
+                    })]])],
+                ]),
+            }),
+        })
+            .create();
+
+        token2 = await Token.createToken(user2);
+    });
+
+    test('It can request all email recipients if read permission for all senders', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {},
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token.accessToken,
+            },
+        });
+        const result = await testServer.test(endpoint, request);
+        expect(result.body.results).toHaveLength(1);
+        expect(result.body.results[0]).toMatchObject({
+            id: emailRecipient.id,
+        });
+    });
+
+    test('It can not request all email recipients if not read permission for all senders', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender2.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {},
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        await expect(testServer.test(endpoint, request))
+            .rejects
+            .toThrow(STExpect.errorWithCode('permission_denied'));
+    });
+
+    test('It request all email recipients of a single email if read permission for that sender', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender2.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {
+                    emailId: email.id,
+                },
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        const result = await testServer.test(endpoint, request);
+        expect(result.body.results).toHaveLength(1);
+        expect(result.body.results[0]).toMatchObject({
+            id: emailRecipient.id,
+        });
+    });
+
+    test('It cannot request all email recipients of a single email if read permission for another sender', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {
+                    emailId: email.id,
+                },
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        await expect(testServer.test(endpoint, request))
+            .rejects
+            .toThrow(STExpect.errorWithCode('permission_denied'));
+    });
+});

package/src/endpoints/global/email-recipients/GetEmailRecipientsEndpoint.ts

@@ -0,0 +1,164 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { assertSort, CountFilteredRequest, EmailRecipient as EmailRecipientStruct, getSortFilter, LimitedFilteredRequest, PaginatedResponse, PermissionLevel, StamhoofdFilter } from '@stamhoofd/structures';
+
+import { Decoder } from '@simonbackx/simple-encoding';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { EmailRecipient } from '@stamhoofd/models';
+import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Context } from '../../../helpers/Context';
+import { emailRecipientsFilterCompilers } from '../../../sql-filters/email-recipients';
+import { emailRecipientSorters } from '../../../sql-sorters/email-recipients';
+import { validateEmailRecipientFilter } from './helpers/validateEmailRecipientFilter';
+
+type Params = Record<string, never>;
+type Query = LimitedFilteredRequest;
+type Body = undefined;
+type ResponseBody = PaginatedResponse<EmailRecipientStruct[], LimitedFilteredRequest>;
+
+const filterCompilers: SQLFilterDefinitions = emailRecipientsFilterCompilers;
+const sorters: SQLSortDefinitions<EmailRecipient> = emailRecipientSorters;
+
+export class GetEmailRecipientsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = LimitedFilteredRequest as Decoder<LimitedFilteredRequest>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'GET') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/email-recipients', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    static async buildQuery(q: CountFilteredRequest | LimitedFilteredRequest) {
+        const organization = Context.organization;
+        let scopeFilter: StamhoofdFilter | undefined = undefined;
+
+        if (organization) {
+            scopeFilter = {
+                organizationId: organization.id,
+            };
+        }
+        const canReadAllEmails = await Context.auth.canReadAllEmails(organization ?? null);
+
+        if (!canReadAllEmails) {
+            // Check if scope is correctly limited to a single email, otherwise throw an error.
+            if (!await validateEmailRecipientFilter({ filter: q.filter, permissionLevel: PermissionLevel.Read })) {
+                throw Context.auth.error({
+                    message: 'You do not have sufficient permissions to view all email recipients',
+                    human: $t(`Je hebt niet voldoende toegangsrechten om alle email ontvangers te bekijken. Filter op één specifieke e-mail.`),
+                });
+            }
+        }
+
+        const query = EmailRecipient.select();
+
+        if (scopeFilter) {
+            query.where(await compileToSQLFilter(scopeFilter, filterCompilers));
+        }
+
+        if (q.filter) {
+            query.where(await compileToSQLFilter(q.filter, filterCompilers));
+        }
+
+        if (q.search) {
+            let searchFilter: StamhoofdFilter | null = null;
+
+            searchFilter = {
+                $or: [
+                    {
+                        email: {
+                            $contains: q.search,
+                        },
+                    },
+                    {
+                        name: {
+                            $contains: q.search,
+                        },
+                    },
+                ],
+            };
+
+            if (searchFilter) {
+                query.where(await compileToSQLFilter(searchFilter, filterCompilers));
+            }
+        }
+
+        if (q instanceof LimitedFilteredRequest) {
+            if (q.pageFilter) {
+                query.where(await compileToSQLFilter(q.pageFilter, filterCompilers));
+            }
+
+            q.sort = assertSort(q.sort, [{ key: 'id' }]);
+            applySQLSorter(query, q.sort, sorters);
+            query.limit(q.limit);
+        }
+
+        return query;
+    }
+
+    static async buildData(requestQuery: LimitedFilteredRequest) {
+        const query = await GetEmailRecipientsEndpoint.buildQuery(requestQuery);
+        const recipients = await query.fetch();
+
+        let next: LimitedFilteredRequest | undefined;
+
+        if (recipients.length >= requestQuery.limit) {
+            const lastObject = recipients[recipients.length - 1];
+            const nextFilter = getSortFilter(lastObject, sorters, requestQuery.sort);
+
+            next = new LimitedFilteredRequest({
+                filter: requestQuery.filter,
+                pageFilter: nextFilter,
+                sort: requestQuery.sort,
+                limit: requestQuery.limit,
+                search: requestQuery.search,
+            });
+
+            if (JSON.stringify(nextFilter) === JSON.stringify(requestQuery.pageFilter)) {
+                console.error('Found infinite loading loop for', requestQuery);
+                next = undefined;
+            }
+        }
+
+        return new PaginatedResponse<EmailRecipientStruct[], LimitedFilteredRequest>({
+            results: recipients.map(r => r.getStructure()),
+            next,
+        });
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        await Context.authenticate();
+
+        if (!await Context.auth.canReadEmails(organization)) {
+            throw Context.auth.error();
+        }
+
+        const maxLimit = Context.auth.hasSomePlatformAccess() ? 1000 : 100;
+
+        if (request.query.limit > maxLimit) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be more than ' + maxLimit,
+            });
+        }
+
+        if (request.query.limit < 1) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be less than 1',
+            });
+        }
+
+        return new Response(
+            await GetEmailRecipientsEndpoint.buildData(request.query),
+        );
+    }
+}

package/src/endpoints/global/email-recipients/helpers/validateEmailRecipientFilter.ts

@@ -0,0 +1,64 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Email } from '@stamhoofd/models';
+import { FilterWrapperMarker, PermissionLevel, StamhoofdFilter, unwrapFilter, WrapperFilter } from '@stamhoofd/structures';
+import { Context } from '../../../../helpers/Context';
+
+export async function validateEmailRecipientFilter({ filter, permissionLevel }: { filter: StamhoofdFilter; permissionLevel: PermissionLevel }) {
+    // Require presence of a filter
+    const requiredFilter: WrapperFilter = {
+        emailId: FilterWrapperMarker,
+    };
+
+    const unwrapped = unwrapFilter(filter, requiredFilter);
+    if (!unwrapped.match) {
+        return false;
+    }
+
+    const emailIds = typeof unwrapped.markerValue === 'string'
+        ? [unwrapped.markerValue]
+        : unwrapFilter(unwrapped.markerValue as StamhoofdFilter, {
+            $in: FilterWrapperMarker,
+        })?.markerValue;
+
+    if (!Array.isArray(emailIds)) {
+        throw new SimpleError({
+            code: 'invalid_field',
+            field: 'filter',
+            message: 'You must filter on an email id of the email recipients you are trying to access',
+            human: $t(`Je hebt niet voldoende toegangsrechten om alle email ontvangers te bekijken.`),
+        });
+    }
+
+    if (emailIds.length === 0) {
+        throw new SimpleError({
+            code: 'invalid_field',
+            field: 'filter',
+            message: 'Filtering on an empty list of email ids is not supported',
+        });
+    }
+
+    for (const emailId of emailIds) {
+        if (typeof emailId !== 'string') {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'filter',
+                message: 'Invalid email ID in filter',
+            });
+        }
+    }
+
+    const emails = await Email.getByIDs(...emailIds as string[]);
+
+    console.log('Fetching recipients for emails', emails.map(g => g.subject));
+
+    for (const email of emails) {
+        if (!await Context.auth.canAccessEmail(email, permissionLevel)) {
+            throw Context.auth.error({
+                message: 'You do not have access to this email',
+                human: $t(`Je hebt geen toegangsrechten tot de ontvangers van deze email`),
+            });
+        }
+    }
+
+    return true;
+}

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts

@@ -966,7 +966,11 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
     }
 
     static shouldCheckIfMemberIsDuplicate(put: Member): boolean {
-        if (put.details.firstName.length <= 3 && put.details.lastName.length <= 3) {
+        if (put.details.firstName === '???') {
+            return false;
+        }
+
+        if (put.details.name.length <= 3) {
             return false;
         }
 

package/src/endpoints/global/registration-periods/GetRegistrationPeriodsEndpoint.ts

@@ -5,6 +5,7 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { RegistrationPeriod } from '@stamhoofd/models';
 import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Context } from '../../../helpers/Context';
 import { registrationPeriodFilterCompilers } from '../../../sql-filters/registration-periods';
 import { registrationPeriodSorters } from '../../../sql-sorters/registration-periods';
 
@@ -33,9 +34,24 @@ export class GetRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body
     }
 
     static async buildQuery(q: CountFilteredRequest | LimitedFilteredRequest) {
-        const scopeFilter: StamhoofdFilter | undefined = undefined;
+        let scopeFilter: StamhoofdFilter | undefined = undefined;
         const query = RegistrationPeriod.select();
 
+        if (STAMHOOFD.userMode === 'organization') {
+            const organization = Context.organization;
+
+            if (!organization) {
+                throw new SimpleError({
+                    code: 'no_organization',
+                    message: 'Organization is undefined on Context',
+                });
+            }
+
+            scopeFilter = {
+                organizationId: organization.id,
+            };
+        }
+
         if (scopeFilter) {
             query.where(await compileToSQLFilter(scopeFilter, filterCompilers));
         }
@@ -127,6 +143,8 @@ export class GetRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body
             });
         }
 
+        await Context.setUserOrganizationScope();
+
         return new Response(
             await GetRegistrationPeriodsEndpoint.buildData(request.query),
         );

package/src/endpoints/organization/dashboard/webshops/DeleteWebshopEndpoint.ts

@@ -1,9 +1,10 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
 import { BalanceItem, Order, Webshop } from '@stamhoofd/models';
 import { PermissionLevel } from '@stamhoofd/structures';
 
 import { Context } from '../../../../helpers/Context';
+import { UitpasService } from '../../../../services/uitpas/UitpasService';
+import { SimpleError } from '@simonbackx/simple-errors';
 
 type Params = { id: string };
 type Query = undefined;
@@ -42,6 +43,14 @@ export class DeleteWebshopEndpoint extends Endpoint<Params, Query, Body, Respons
             throw Context.auth.notFoundOrNoAccess();
         }
 
+        if (await UitpasService.areThereRegisteredTicketSales(webshop.id)) {
+            throw new SimpleError({
+                code: 'webshop_has_registered_ticket_sales',
+                message: `Webshop ${webshop.id} has registered ticket sales`,
+                human: $t(`0b3d6ea1-a70b-428c-9ba4-cc0c327ed415`),
+            });
+        }
+
         const orders = await Order.where({ webshopId: webshop.id });
         await BalanceItem.deleteForDeletedOrders(orders.map(o => o.id));
         await webshop.delete();

package/src/endpoints/organization/dashboard/webshops/PatchWebshopOrdersEndpoint.ts

@@ -7,6 +7,7 @@ import { AuditLogSource, BalanceItemRelation, BalanceItemRelationType, BalanceIt
 
 import { Context } from '../../../../helpers/Context';
 import { AuditLogService } from '../../../../services/AuditLogService';
+import { shouldReserveUitpasNumbers, UitpasService } from '../../../../services/uitpas/UitpasService';
 
 type Params = { id: string };
 type Query = undefined;
@@ -132,6 +133,7 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
 
                 // TODO: validate before updating stock
                 order.data.validate(webshopGetter.struct, organization.meta, request.i18n, true);
+                order.data.cart = await UitpasService.validateCart(organization.id, webshop.id, order.data.cart);
 
                 try {
                     await order.updateStock(null, true);
@@ -230,6 +232,8 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
                 const previousToPay = model.totalToPay;
                 const previousStatus = model.status;
 
+                const shouldReserveBefore = shouldReserveUitpasNumbers(model.status);
+
                 model.status = patch.status ?? model.status;
 
                 // For now, we don't invalidate tickets, because they will get invalidated at scan time (the order status is checked)
@@ -240,13 +244,16 @@ export class PatchWebshopOrdersEndpoint extends Endpoint<Params, Query, Body, Re
                 const previousData = model.data.clone();
                 if (patch.data) {
                     model.data.patchOrPut(patch.data);
-
                     if (model.status !== OrderStatus.Deleted) {
                         // Make sure all data is up to date and validated (= possible corrections happen here too)
                         model.data.validate(webshopGetter.struct, organization.meta, request.i18n, true);
                     }
                 }
 
+                if ((patch.data || !shouldReserveBefore) && shouldReserveUitpasNumbers(model.status)) {
+                    model.data.cart = await UitpasService.validateCart(organization.id, webshop.id, model.data.cart, model.id);
+                }
+
                 if (model.status === OrderStatus.Deleted) {
                     model.data.removePersonalData();
 

package/src/endpoints/organization/webshops/PlaceOrderEndpoint.ts

@@ -3,7 +3,7 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { Email } from '@stamhoofd/email';
-import { BalanceItem, BalanceItemPayment, MolliePayment, MollieToken, Order, PayconiqPayment, Payment, RateLimiter, Webshop, WebshopDiscountCode, WebshopUitpasNumber } from '@stamhoofd/models';
+import { BalanceItem, BalanceItemPayment, MolliePayment, MollieToken, Order, PayconiqPayment, Payment, RateLimiter, Webshop, WebshopDiscountCode } from '@stamhoofd/models';
 import { QueueHandler } from '@stamhoofd/queues';
 import { AuditLogSource, BalanceItemRelation, BalanceItemRelationType, BalanceItemStatus, BalanceItemType, OrderData, OrderResponse, Order as OrderStruct, PaymentCustomer, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Payment as PaymentStruct, TranslatedString, Version, WebshopAuthType, Webshop as WebshopStruct } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
@@ -133,72 +133,7 @@ export class PlaceOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBo
             request.body.validate(webshopStruct, organization.meta, request.i18n, false, Context.user?.getStructure());
             request.body.update(webshopStruct);
 
-            // UiTPAS numbers validation
-            const articlesWithUitpasSocialTariff = request.body.cart.items.filter(item => item.productPrice.uitpasBaseProductPriceId !== null);
-            for (const item of articlesWithUitpasSocialTariff) {
-                const uitpasNumbersOnly = item.uitpasNumbers.map(p => p.uitpasNumber);
-
-                // verify the amount of UiTPAS numbers
-                if (uitpasNumbersOnly.length !== item.amount) {
-                    throw new SimpleError({
-                        code: 'amount_of_uitpas_numbers_mismatch',
-                        message: 'The number of UiTPAS numbers and items with UiTPAS social tariff does not match',
-                        human: $t('6140c642-69b2-43d6-80ba-2af4915c5837'),
-                        field: 'cart.items.uitpasNumbers',
-                    });
-                }
-
-                // verify the UiTPAS numbers are unique (within the order)
-                if (uitpasNumbersOnly.length !== Formatter.uniqueArray(uitpasNumbersOnly).length) {
-                    throw new SimpleError({
-                        code: 'duplicate_uitpas_numbers',
-                        message: 'Duplicate uitpas numbers used',
-                        human: $t('d9ec27f3-dafa-41e8-bcfb-9da564a4a675'),
-                        field: 'cart.items.uitpasNumbers',
-                    });
-                }
-
-                // verify the UiTPAS numbers are not already used for this product
-                const hasBeenUsed = await WebshopUitpasNumber.areUitpasNumbersUsed(webshop.id, item.product.id, uitpasNumbersOnly);
-                if (hasBeenUsed) {
-                    throw new SimpleError({
-                        code: 'uitpas_number_already_used',
-                        message: 'One or more uitpas numbers are already used',
-                        human: $t('1ef059c2-e758-4cfa-bc2b-16a581029450'),
-                        field: 'cart.items.uitpasNumbers',
-                    });
-                }
-
-                // verify the UiTPAS numbers are valid for social tariff (static check + API call to UiTPAS)
-                if (item.product.uitpasEvent) {
-                    const basePrice = item.product.prices.find(p => p.id === item.productPrice.uitpasBaseProductPriceId)?.price ?? 0;
-                    const reducedPrices = await UitpasService.getSocialTariffForUitpasNumbers(organization.id, uitpasNumbersOnly, basePrice, item.product.uitpasEvent.url);
-                    const expectedReducedPrices = item.uitpasNumbers;
-                    if (reducedPrices.length < expectedReducedPrices.length) {
-                        // should not happen
-                        throw new SimpleError({
-                            code: 'uitpas_social_tariff_price_mismatch',
-                            message: 'UiTPAS wrong number of prices retruned',
-                            human: $t('2d1983fa-2224-422f-9ea0-fdae77cb4914'),
-                            field: 'cart.items.uitpasNumbers',
-                        });
-                    }
-                    for (let i = 0; i < expectedReducedPrices.length; i++) {
-                        if (reducedPrices[i].price !== expectedReducedPrices[i].price) {
-                            throw new SimpleError({
-                                code: 'uitpas_social_tariff_price_mismatch',
-                                message: 'UiTPAS social tariff have a different price',
-                                human: $t('2f4b9572-4b9c-42e0-91f1-b0984624d225', { correctPrice: Formatter.price(reducedPrices[i].price), orderPrice: Formatter.price(expectedReducedPrices[i].price) }),
-                                field: 'uitpasNumbers.' + i.toString(),
-                            });
-                        }
-                        item.uitpasNumbers[i].uitpasTariffId = reducedPrices[i].uitpasTariffId;
-                    }
-                }
-                else {
-                    await UitpasService.checkUitpasNumbers(uitpasNumbersOnly); // Throws if invalid
-                }
-            }
+            request.body.cart = await UitpasService.validateCart(organization.id, webshop.id, request.body.cart);
 
             const order = new Order().setRelation(Order.webshop, webshop);
             order.data = request.body; // TODO: validate