Merge pull request #521 from WISVCH/fix-sales

Fix sales

Author: robertdijk

src/main/java/ch/wisv/events/core/repository/EventRepository.java

@@ -4,8 +4,10 @@
 import ch.wisv.events.core.model.event.Event;
 import ch.wisv.events.core.model.event.EventStatus;
 import ch.wisv.events.core.model.product.Product;
+import ch.wisv.events.utils.LdapGroup;
 
 import java.time.LocalDateTime;
+import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
 
@@ -36,6 +38,36 @@ public interface EventRepository extends JpaRepository<Event, Integer> {
      */
     List<Event> findAllByPublishedAndEndingIsAfter(EventStatus published, LocalDateTime ending);
 
+    /**
+     * Find all sales-visible events (upcoming from start of day and published/not published).
+     *
+     * @param dateTime of type LocalDateTime
+     * @param statuses of type EventStatus collection
+     *
+     * @return list of events
+     */
+    @Query("select e from Event e where e.ending >= :dateTime and e.published in :statuses order by e.start asc")
+    List<Event> findAllSalesVisibleEvents(
+            @Param("dateTime") LocalDateTime dateTime,
+            @Param("statuses") Collection<EventStatus> statuses
+    );
+
+    /**
+     * Find all sales-visible events for specific organizing LDAP groups.
+     *
+     * @param dateTime of type LocalDateTime
+     * @param statuses of type EventStatus collection
+     * @param groups   of type LdapGroup collection
+     *
+     * @return list of events
+     */
+    @Query("select e from Event e where e.ending >= :dateTime and e.published in :statuses and e.organizedBy in :groups order by e.start asc")
+    List<Event> findAllSalesVisibleEventsByOrganizedByIn(
+            @Param("dateTime") LocalDateTime dateTime,
+            @Param("statuses") Collection<EventStatus> statuses,
+            @Param("groups") Collection<LdapGroup> groups
+    );
+
     /**
      * Find an Event by key.
      *

src/main/java/ch/wisv/events/sales/controller/scan/SalesScanEventController.java

@@ -1,8 +1,11 @@
 package ch.wisv.events.sales.controller.scan;
 
 import ch.wisv.events.core.exception.normal.EventNotFoundException;
+import ch.wisv.events.core.model.customer.Customer;
 import ch.wisv.events.core.model.event.Event;
+import ch.wisv.events.core.service.auth.AuthenticationService;
 import ch.wisv.events.core.service.event.EventService;
+import ch.wisv.events.sales.service.SalesService;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -30,14 +33,26 @@ public class SalesScanEventController {
 
     /** EventService. */
     private final EventService eventService;
+    /** AuthenticationService. */
+    private final AuthenticationService authenticationService;
+    /** SalesService. */
+    private final SalesService salesService;
 
     /**
      * SalesScanEventController.
      *
-     * @param eventService of type EventService
+     * @param eventService          of type EventService
+     * @param authenticationService of type AuthenticationService
+     * @param salesService          of type SalesService
      */
-    public SalesScanEventController(EventService eventService) {
+    public SalesScanEventController(
+            EventService eventService,
+            AuthenticationService authenticationService,
+            SalesService salesService
+    ) {
         this.eventService = eventService;
+        this.authenticationService = authenticationService;
+        this.salesService = salesService;
     }
 
     /**
@@ -54,6 +69,12 @@ public SalesScanEventController(EventService eventService) {
     public String scanner(Model model, RedirectAttributes redirect, @PathVariable String key, @PathVariable String method) {
         try {
             Event event = eventService.getByKey(key);
+            Customer currentUser = authenticationService.getCurrentCustomer();
+            if (!salesService.hasAccessToEvent(currentUser, event)) {
+                redirect.addFlashAttribute(ATTR_ERROR, "You do not have access to this event.");
+
+                return ERROR_REDIRECT;
+            }
             model.addAttribute(ATTR_EVENT, event);
 
             return "sales/scan/event/" + method;

src/main/java/ch/wisv/events/sales/controller/scan/SalesScanRestController.java

@@ -2,15 +2,18 @@
 
 import ch.wisv.events.core.exception.normal.EventsException;
 import ch.wisv.events.core.exception.normal.TicketNotFoundException;
+import ch.wisv.events.core.model.customer.Customer;
 import ch.wisv.events.core.model.event.Event;
 import ch.wisv.events.core.model.ticket.Ticket;
 import ch.wisv.events.core.model.ticket.TicketStatus;
+import ch.wisv.events.core.service.auth.AuthenticationService;
 import ch.wisv.events.core.service.event.EventService;
 import ch.wisv.events.core.service.ticket.TicketService;
 import static ch.wisv.events.utils.ResponseEntityBuilder.createResponseEntity;
 import java.util.Objects;
 
 import ch.wisv.events.sales.model.ScanDto;
+import ch.wisv.events.sales.service.SalesService;
 import org.json.simple.JSONObject;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -41,16 +44,29 @@ public class SalesScanRestController {
 
     /** TicketService. */
     private final TicketService ticketService;
+    /** AuthenticationService. */
+    private final AuthenticationService authenticationService;
+    /** SalesService. */
+    private final SalesService salesService;
 
     /**
      * SalesScanRestController.
      *
-     * @param eventService  of type EventService
-     * @param ticketService of type TicketService
+     * @param eventService          of type EventService
+     * @param ticketService         of type TicketService
+     * @param authenticationService of type AuthenticationService
+     * @param salesService          of type SalesService
      */
-    public SalesScanRestController(EventService eventService, TicketService ticketService) {
+    public SalesScanRestController(
+            EventService eventService,
+            TicketService ticketService,
+            AuthenticationService authenticationService,
+            SalesService salesService
+    ) {
         this.eventService = eventService;
         this.ticketService = ticketService;
+        this.authenticationService = authenticationService;
+        this.salesService = salesService;
     }
 
     /**
@@ -122,6 +138,10 @@ private ResponseEntity handleScanTicket(String key, String code) {
 
         try {
             Event event = eventService.getByKey(key);
+            Customer currentUser = authenticationService.getCurrentCustomer();
+            if (!salesService.hasAccessToEvent(currentUser, event)) {
+                return createResponseEntity(HttpStatus.FORBIDDEN, "You do not have access to this event.");
+            }
             Ticket ticket = this.getTicketByUniqueCode(event, code);
             ScanDto scan = new ScanDto(ticket.getProduct().getTitle(), ticket.getOwner().getName());
 

src/main/java/ch/wisv/events/sales/controller/sell/SalesSellCustomerController.java

@@ -24,7 +24,7 @@
  * SalesSellCustomerController class.
  */
 @Controller
-@PreAuthorize("hasRole('USER')")
+@PreAuthorize("hasRole('ADMIN')")
 @RequestMapping("/sales/sell/customer/{publicReference}")
 public class SalesSellCustomerController {
 
@@ -97,6 +97,7 @@ public String determineCustomer(RedirectAttributes redirect, @PathVariable Strin
 
             return "redirect:/sales/sell/order/" + order.getPublicReference();
         } catch (CustomerNotFoundException e) {
+            redirect.addFlashAttribute("customer", customer);
             return "redirect:/sales/sell/customer/" + order.getPublicReference() + "/create";
         } catch (EventsException e) {
             redirect.addFlashAttribute("error", e.getMessage());
@@ -139,7 +140,7 @@ public String create(RedirectAttributes redirect, @ModelAttribute Customer custo
 
             redirect.addFlashAttribute("success", "Customer successfully created!");
 
-            return "redirect:/sales/order/" + order.getPublicReference();
+            return "redirect:/sales/sell/order/" + order.getPublicReference();
         } catch (CustomerInvalidException e) {
             redirect.addFlashAttribute("error", e.getMessage());
             redirect.addFlashAttribute("customer", customer);

src/main/java/ch/wisv/events/sales/controller/sell/SalesSellMainController.java

@@ -23,7 +23,7 @@
  */
 @Controller
 @RequestMapping(value = "/sales/sell")
-@PreAuthorize("hasRole('USER')")
+@PreAuthorize("hasRole('ADMIN')")
 public class SalesSellMainController {
 
     /** AuthenticationService. */

src/main/java/ch/wisv/events/sales/controller/sell/SalesSellOrderController.java

@@ -15,7 +15,7 @@
  * SalesSellOrderController class.
  */
 @Controller
-@PreAuthorize("hasRole('USER')")
+@PreAuthorize("hasRole('ADMIN')")
 @RequestMapping(value = "/sales/sell/order/{publicReference}")
 public class SalesSellOrderController {
 
@@ -73,4 +73,4 @@ public String complete(RedirectAttributes redirect, @PathVariable String publicR
             return "redirect:/sales/";
         }
     }
-}
+}

src/main/java/ch/wisv/events/sales/controller/sell/SalesSellPaymentController.java

@@ -14,7 +14,7 @@
 import org.springframework.web.bind.annotation.RequestParam;
 
 @Controller
-@PreAuthorize("hasRole('USER')")
+@PreAuthorize("hasRole('ADMIN')")
 @RequestMapping(value = "/sales/sell/payment/{publicReference}")
 public class SalesSellPaymentController {
 

src/main/java/ch/wisv/events/sales/controller/stats/SalesStatsController.java

@@ -16,6 +16,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -83,8 +84,14 @@ public String indexView(Model model) {
      * @return String
      */
     @GetMapping("/products/{key}")
-    public String ticketSalesindex(Model model, @PathVariable String key) throws EventNotFoundException {
+    public String ticketSalesindex(Model model, RedirectAttributes redirect, @PathVariable String key) throws EventNotFoundException {
         Event event = eventService.getByKey(key);
+        Customer currentUser = authenticationService.getCurrentCustomer();
+        if (!salesService.hasAccessToEvent(currentUser, event)) {
+            redirect.addFlashAttribute("error", "You do not have access to this event.");
+
+            return ERROR_REDIRECT;
+        }
 
         model.addAttribute("products", event.getProducts());
         model.addAttribute("target", event.getTarget());
@@ -101,8 +108,15 @@ public String ticketSalesindex(Model model, @PathVariable String key) throws Eve
      * @return String
      */
     @GetMapping("/event/{key}")
-    public String eventSalesView(Model model, @PathVariable String key) throws EventNotFoundException {
+    public String eventSalesView(Model model, RedirectAttributes redirect, @PathVariable String key) throws EventNotFoundException {
         Event event = eventService.getByKey(key);
+        Customer currentUser = authenticationService.getCurrentCustomer();
+        if (!salesService.hasAccessToEvent(currentUser, event)) {
+            redirect.addFlashAttribute("error", "You do not have access to this event.");
+
+            return ERROR_REDIRECT;
+        }
+
         List<Order> orders = salesService.getAllOrdersByEvent(event).stream().peek((Order order) -> {
             order.setOwner(null);
             order.setChPaymentsReference(null);

src/main/java/ch/wisv/events/sales/service/SalesService.java

@@ -25,6 +25,15 @@ public interface SalesService {
      */
     List<Product> getAllGrantedProductByCustomer(Customer customer);
 
+    /**
+     * Check whether the given customer can access data for a specific event.
+     *
+     * @param customer of type Customer
+     * @param event    of type Event
+     * @return true when the customer is admin or is in the event organizer LDAP group
+     */
+    boolean hasAccessToEvent(Customer customer, Event event);
+
     /**
      * Get all orders of an event.
      *