Organizer should be able to download tickets of attendees

[ShridharGoel]

Organizers should have access to download tickets of attendees of their own events.

[mrsaicharan1]

@ShridharGoel The recent ticketing refactor made it point to a different link. Will fix this. static/media should be replaced with generated/

[mrsaicharan1]

@ShridharGoel This issue is not present locally.

[ShridharGoel]

Just checked, the URL for new attendees is having generated instead of static/media but still the link is not working. Did you try to open the link?

[mrsaicharan1]

@ShridharGoel You can't access the tickets directly. The request going to that link must have certain authorisation headers attached to access it. This was a security refactor on the server to prevent access to the unauthorized personnel.

[ShridharGoel]

@mrsaicharan1 Yes I'm providing JWT authorization token in the Headers.

[ShridharGoel]

The link is being fetched properly. It's just that it's not opening.

[mrsaicharan1]

Yeah, I go that. But the mechanism the server is in such a way that a current_user proxy must be present. What is the exact error NotFound or Unauthorized?

[ShridharGoel]

@mrsaicharan1

[mrsaicharan1]

try:
      order = Order.query.filter_by(identifier=order_identifier).first()
      user_id = order.user.id
except NoResultFound:
      return NotFoundError({'source': ''}, 'This ticket is not associated with any order').respond()

[mrsaicharan1]

@ShridharGoel So basically, either the order_identifier which you are passing is wrong or the order isn't going through and isn't saved on the db. I'm able to obtain the tickets through the frontend @iamareebjamal Can you confirm?

[iamareebjamal]

@ShridharGoel Please post the URL here

[ShridharGoel]

https://open-event-api-dev.herokuapp.com/generated/tickets/attendees/tickets/pdf/3697e440-c43e-405b-8af3-d16de4386cb0/cjN6Q2pwNS/3697e440-c43e-405b-8af3-d16de4386cb0.pdf

[ShridharGoel]

I'm able to obtain the tickets through the frontend

@mrsaicharan1 Please send link of that PDF

[iamareebjamal]

@mrsaicharan1 Please check if you can dowwnload the PDF. @ShridharGoel, we'll also need your JWT to test the link

[mrsaicharan1]

I can download from the front-end

On Wed, 29 May 2019 at 12:44 PM, Areeb Jamal notifications@github.com wrote:

@mrsaicharan1 https://github.com/mrsaicharan1 Please check if you can dowwnload the PDF

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/fossasia/open-event-server/issues/5968?email_source=notifications&email_token=AGAHUW5RLQFCHND47GZ67RLPX26G5A5CNFSM4HQMX6V2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWQDNDA#issuecomment-497038988, or mute the thread https://github.com/notifications/unsubscribe-auth/AGAHUW4LL5DLOJQQ5OS6L6LPX26G5ANCNFSM4HQMX6VQ .

[iamareebjamal]

@mrsaicharan1 I'm talking about the link shared here

[mrsaicharan1]

NO, @iamareebjamal . need jwt headers @ShridharGoel

[ShridharGoel]

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTkxNTgyMTQsImlhdCI6MTU1OTA3MTgxNCwibmJmIjoxNTU5MDcxODE0LCJpZGVudGl0eSI6NH0.ekLj24ie4a_RDPCVurL1dpsCSpjRQJzbtoGTYgsbt_U

[mrsaicharan1]

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTkxNTgyMTQsImlhdCI6MTU1OTA3MTgxNCwibmJmIjoxNTU5MDcxODE0LCJpZGVudGl0eSI6NH0.ekLj24ie4a_RDPCVurL1dpsCSpjRQJzbtoGTYgsbt_U

Yeah, 404 not found.

[iamareebjamal]

So this issue is valid then

[ShridharGoel]

How is it related to the JWT token? Shouldn't the direct link to download be working anyways?

[iamareebjamal]

No, I shouldn't be able to download your ticket

[mrsaicharan1]

@ShridharGoel You can't access the tickets directly. The request going to that link must have certain authorisation headers attached to access it. This was a security refactor on the server to prevent access to the unauthorized personnel.

This ^ @ShridharGoel

[ShridharGoel]

No, I shouldn't be able to download your ticket

But organizers can download the tickets of the attendees of their event, right?

[mrsaicharan1]

No, I shouldn't be able to download your ticket

But organizers can download the tickets of the attendees of their event, right?

I think a new endpoint is required for that where they can download individual/all tickets.

[ShridharGoel]

No, I shouldn't be able to download your ticket

But organizers can download the tickets of the attendees of their event, right?

I think a new endpoint is required for that where they can download individual/all tickets.

Actually, the links of the PDFs of attendees are being provided to the organizer in the Orga App. Due to the recent security changes, this functionality might have changed because of which the links can no longer be accessed by the organizers. Although, in the present case, I'm not able to download my own tickets too using the Attendee App.

[iamareebjamal]

@ShridharGoel That's because attendee app has not implemented the security changes.

@mrsaicharan1 No need for new endpoint, just change the added check that allows organizer to download the ticket as well

[mrsaicharan1]

@ShridharGoel So the main problem here is, you're not able to download your own ticket right ?

[ShridharGoel]

@mrsaicharan1 I am able to download my own ticket from the frontend, but not from the attendee app. That might be because the attendee app has not implemented the security changes as @iamareebjamal mentioned above.

The change required is that the organizers should be able to download the tickets of the attendees of their events as well.

[mrsaicharan1]

Alright.

On Mon, 10 Jun 2019 at 11:07 AM, Shridhar Goel notifications@github.com wrote:

@mrsaicharan1 https://github.com/mrsaicharan1 I am able to download my own ticket from the frontend, but not from the attendee app. That might be because the attendee app has not implemented the security changes as @iamareebjamal https://github.com/iamareebjamal mentioned above.

The change required is that the organizers should be able to download the tickets of the attendees of their events as well.

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/fossasia/open-event-server/issues/5968?email_source=notifications&email_token=AGAHUWZVRMJ4D26BSBZ2ZYDPZZ327A5CNFSM4HQMX6V2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXKKMYA#issuecomment-500475488, or mute the thread https://github.com/notifications/unsubscribe-auth/AGAHUW27P7CEJ4WF6OU46H3PZZ327ANCNFSM4HQMX6VQ .

[mrsaicharan1]

Just change the issue name and will work on this.

On Mon, 10 Jun 2019 at 11:07 AM, saicharan reddy saicharan.reddy1@gmail.com wrote:

Alright.

On Mon, 10 Jun 2019 at 11:07 AM, Shridhar Goel notifications@github.com wrote:

@mrsaicharan1 https://github.com/mrsaicharan1 I am able to download my own ticket from the frontend, but not from the attendee app. That might be because the attendee app has not implemented the security changes as @iamareebjamal https://github.com/iamareebjamal mentioned above.

The change required is that the organizers should be able to download the tickets of the attendees of their events as well.

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/fossasia/open-event-server/issues/5968?email_source=notifications&email_token=AGAHUWZVRMJ4D26BSBZ2ZYDPZZ327A5CNFSM4HQMX6V2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXKKMYA#issuecomment-500475488, or mute the thread https://github.com/notifications/unsubscribe-auth/AGAHUW27P7CEJ4WF6OU46H3PZZ327ANCNFSM4HQMX6VQ .

[ShridharGoel]

Updated.