Merge pull request #20 from HiEventsDev/develop

Fix ability to select tickets unrelated to your order

Author: daveearley

SECURITY.md

@@ -42,7 +42,7 @@ For any questions or clarifications, feel free to reach out to us at [security@h
 
 ##  Hi.Events Public Key
 
-if you need to send us encrypted information, you can use our public key below:
+If you need to send us encrypted information, you can use our public key below:
 
 ```plaintext
 
@@ -101,4 +101,4 @@ URSFSI5iNr0JSvCYNmzsDB6zSSlR/UvgRFM1SRUoG3sygmV32Onh0EzU
 
 ---
 
-Hi.Events Team
+Hi.Events Team

backend/app/Services/Handlers/Order/CompleteOrderHandler.php

@@ -96,6 +96,8 @@ private function createAttendees(Collection $attendees, OrderDomainObject $order
             values: $attendees->pluck('ticket_price_id')->toArray(),
         );
 
+        $this->validateTicketPriceIdsMatchOrder($order, $ticketsPrices);
+
         foreach ($attendees as $attendee) {
             $ticketId = $ticketsPrices->first(
                 fn(TicketPriceDomainObject $ticketPrice) => $ticketPrice->getId() === $attendee->ticket_price_id)
@@ -238,4 +240,21 @@ private function updateOrder(OrderDomainObject $order, CompleteOrderOrderDTO $or
                 ]
             );
     }
+
+    /**
+     * Check if the passed ticket price IDs match what exist in the order_items table
+     *
+     * @throws ResourceConflictException
+     */
+    private function validateTicketPriceIdsMatchOrder(OrderDomainObject $order, Collection $ticketsPrices): void
+    {
+        $orderTicketPriceIds = $order->getOrderItems()
+            ?->map(fn(OrderItemDomainObject $orderItem) => $orderItem->getTicketPriceId())->toArray();
+
+        $ticketsPricesIds = $ticketsPrices->map(fn(TicketPriceDomainObject $ticketPrice) => $ticketPrice->getId());
+
+        if ($ticketsPricesIds->diff($orderTicketPriceIds)->isNotEmpty()) {
+            throw new ResourceConflictException(__('There is an unexpected ticket price ID in the order'));
+        }
+    }
 }