fix: allow high privilege users to claim orders of other users

gettakaro · Jul 18, 2024 · 4dcf477 · 4dcf477
1 parent 569a892
commit 4dcf477
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts b/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts
@@ -663,6 +663,24 @@ const tests = [
       return pogResAfter;
     },
   }),
+  new IntegrationTest<IShopSetup>({
+    group,
+    snapshot: false,
+    name: 'High privilege user can claim an order in someone elses name',
+    setup: shopSetup,
+    test: async function () {
+      const orderRes = await this.setupData.client1.shopOrder.shopOrderControllerCreate({
+        listingId: this.setupData.listing100.id,
+        amount: 1,
+      });
+
+      const order = orderRes.data.data;
+
+      const res = await this.client.shopOrder.shopOrderControllerClaim(order.id);
+      expect(res.data.data.status).to.be.eq(ShopOrderOutputDTOStatusEnum.Completed);
+      return res;
+    },
+  }),
 ];
 
 describe(group, function () {

diff --git a/packages/app-api/src/service/Shop/index.ts b/packages/app-api/src/service/Shop/index.ts
@@ -203,17 +203,14 @@ export class ShopListingService extends TakaroService<
   }
 
   async claimOrder(orderId: string): Promise<ShopOrderOutputDTO> {
-    const userId = ctx.data.user;
-    if (!userId) throw new errors.UnauthorizedError();
-
     const order = await this.orderRepo.findOne(orderId);
     if (!order) throw new errors.NotFoundError(`Shop order with id ${orderId} not found`);
     await this.checkIfOrderBelongsToUser(order);
     if (order.status !== ShopOrderStatus.PAID)
       throw new errors.BadRequestError(`Can only claim paid, unclaimed orders. Current status: ${order.status}`);
 
     const userService = new UserService(this.domainId);
-    const user = await userService.findOne(userId);
+    const user = await userService.findOne(order.userId);
 
     if (!user.playerId)
       throw new errors.BadRequestError(
@@ -265,7 +262,7 @@ export class ShopListingService extends TakaroService<
         eventName: EVENT_TYPES.SHOP_ORDER_STATUS_CHANGED,
         gameserverId: gameServerId,
         playerId: pog.playerId,
-        userId,
+        userId: order.userId,
         meta: new TakaroEventShopOrderStatusChanged({
           id: updatedOrder.id,
           status: ShopOrderStatus.COMPLETED,