fix #1438

alfio-event · Dec 31, 2024 · 8acd388 · 8acd388
1 parent c08abfe
commit 8acd388
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 5 deletions.
diff --git a/src/main/java/alfio/config/authentication/support/APITokenAuthentication.java b/src/main/java/alfio/config/authentication/support/APITokenAuthentication.java
@@ -31,7 +31,11 @@ public APITokenAuthentication(Object principal, Object credentials, Collection<?
         super(authorities);
         this.credentials = credentials;
         this.principal = principal;
-        setAuthenticated(true);
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return true;
     }
 
     @Override

diff --git a/src/main/java/alfio/controller/api/admin/EventApiController.java b/src/main/java/alfio/controller/api/admin/EventApiController.java
@@ -586,9 +586,8 @@ public List<Triple<Boolean, String, String>> bulkConfirmation(@PathVariable Stri
                                                                   Principal principal,
                                                                   @RequestBody UploadBase64FileModification file) throws IOException {
         record Transaction(String reservationId, BigDecimal price) {}
-        var csvMapper = new CsvMapper();
         try(InputStreamReader isr = new InputStreamReader(file.getInputStream(), UTF_8)) {
-            MappingIterator<List<String>> iterator = csvMapper.readerFor(Transaction.class)
+            MappingIterator<List<String>> iterator = new CsvMapper().readerForListOf(String.class)
                 .with(CsvSchema.emptySchema().withoutHeader())
                 .with(CsvParser.Feature.WRAP_AS_ARRAY)
                 .readValues(isr);
@@ -600,7 +599,7 @@ record Transaction(String reservationId, BigDecimal price) {}
             var reservationIds = all.stream()
                 .map(Transaction::reservationId)
                 .collect(Collectors.toSet());
-            accessService.checkEventAndReservationOwnership(principal, eventName, reservationIds);
+            accessService.checkEventAndReservationOwnership(principal, eventName, reservationIds, true);
 
             Event event = loadEvent(eventName, principal);
             return all.stream()

diff --git a/src/main/java/alfio/manager/AccessService.java b/src/main/java/alfio/manager/AccessService.java
@@ -577,8 +577,18 @@ public void checkCategoryOwnershipAndTicket(Principal principal, String eventNam
     }
 
     public void checkEventAndReservationOwnership(Principal principal, String eventName, Set<String> reservationIds) {
+        checkEventAndReservationOwnership(principal, eventName, reservationIds, false);
+    }
+
+    public void checkEventAndReservationOwnership(Principal principal, String eventName, Set<String> reservationIds, boolean partialIds) {
         var eventAndOrgId = checkEventOwnership(principal, eventName);
-        if (reservationIds.size() != reservationRepository.countReservationsWithEventId(reservationIds, eventAndOrgId.getId())) {
+        int countExisting;
+        if (partialIds) {
+            countExisting = reservationRepository.countReservationWithShortIdsForEvent(List.copyOf(reservationIds), eventAndOrgId.getId());
+        } else {
+            countExisting = reservationRepository.countReservationsWithEventId(reservationIds, eventAndOrgId.getId());
+        }
+        if (reservationIds.size() != countExisting) {
             if (log.isWarnEnabled()) {
                 log.warn("Some reservation ids {} are not in the event {}", reservationIds.stream().map(MiscUtils::removeTabsAndNewlines).collect(Collectors.toSet()), removeTabsAndNewlines(eventName));
             }

diff --git a/src/main/java/alfio/repository/TicketReservationRepository.java b/src/main/java/alfio/repository/TicketReservationRepository.java
@@ -17,11 +17,13 @@
 package alfio.repository;
 
 import alfio.model.*;
+import alfio.model.support.Array;
 import alfio.model.support.JSONData;
 import alfio.model.support.UserIdAndOrganizationId;
 import ch.digitalfondue.npjt.Bind;
 import ch.digitalfondue.npjt.Query;
 import ch.digitalfondue.npjt.QueryRepository;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 
 import java.math.BigDecimal;
 import java.time.ZonedDateTime;
@@ -328,6 +330,14 @@ int updateVatStatus(@Bind("reservationId") String reservationId,
     @Query("select count(id) from tickets_reservation where id in (:ids) and event_id_fk = :eventId")
     int countReservationsWithEventId(@Bind("ids") Set<String> reservationIds, @Bind("eventId") int eventId);
 
+
+    @Query("""
+        SELECT count(id) from tickets_reservation where id ilike ANY(
+                    select s || '%' from unnest(:ids::text[]) s(s)
+                ) and event_id_fk = :eventId
+        """)
+    int countReservationWithShortIdsForEvent(@Bind("ids") @Array List<String> reservationIds, @Bind("eventId") int eventId);
+
     @Query("select exists(select id from b_transaction where id = :transactionId and reservation_id = reservationId)")
     boolean hasReservationWithTransactionId(@Bind("reservationId") String reservationId, @Bind("transactionId") int transactionId);
 }