fix: managed tickets

smarcet · smarcet · commit d11136e041cc · 2024-08-28T18:09:01.000-03:00
get extra questions
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php
@@ -483,10 +483,10 @@ public function getOwnAttendeeAllowedExtraQuestions($summit_id)
     public function getAttendeeExtraQuestions($summit_id, $attendee_id)
     {
         $summit = SummitFinderStrategyFactory::build($this->getSummitRepository(), $this->getResourceServerContext())->find($summit_id);
-        if (is_null($summit)) return $this->error404("Summit not found");
+        if (is_null($summit)) return $this->error404("Summit not found.");
 
         $attendee = $summit->getAttendeeById(intval($attendee_id));
-        if (is_null($attendee)) return $this->error404("Attendee not found");
+        if (is_null($attendee)) return $this->error404("Attendee not found.");
 
         // authz
         // check that we have a current member ( not service account )
@@ -499,7 +499,12 @@ public function getAttendeeExtraQuestions($summit_id, $attendee_id)
 
         if(!$auth){
             // check if current member is the attendee
-            $auth = $attendee->getEmail() == $current_member->getEmail() || $attendee->getMemberId() == $current_member->getId();
+            $auth = (
+                    $attendee->getEmail() == $current_member->getEmail()
+                    || $attendee->getMemberId() == $current_member->getId()
+                    || $attendee->isManagedBy($current_member)
+            );
+
             if(!$auth){
                 // check if the attendee is under some order of the current member
                 foreach($current_member->getPadRegistrationOrdersForSummit($summit) as $order){
@@ -513,7 +518,7 @@ public function getAttendeeExtraQuestions($summit_id, $attendee_id)
         }
 
         if(!$auth)
-            return $this->error401();
+            return $this->error403("You are not Authorized.");
 
         return $this->_getAll(
             function () {
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php
@@ -468,7 +468,7 @@ public function getMyTicketById($order_id, $ticket_id)
             $current_user = $this->getResourceServerContext()->getCurrentUser();
 
             if (is_null($current_user))
-                return $this->error403();
+                return $this->error401();
 
             if (!$order instanceof SummitOrder)
                 throw new EntityNotFoundException("Order not found.");
