From 4dcf47710218ef1d5b9cb48a94c2014dd7cc4a80 Mon Sep 17 00:00:00 2001
From: Niek Candaele
Date: Thu, 18 Jul 2024 20:08:37 +0200
Subject: [PATCH] fix: allow high privilege users to claim orders of other users

---
 .../__tests__/ShopOrder.integration.test.ts | 18 ++++++++++++++++++
 packages/app-api/src/service/Shop/index.ts | 7 ++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts b/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts
index 39e6ab655c..9ff9b28bfa 100644
--- a/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts
+++ b/packages/app-api/src/controllers/__tests__/ShopOrder.integration.test.ts
@@ -663,6 +663,24 @@ const tests = [
 return pogResAfter;
 },
 }),
+ new IntegrationTest({
+ group,
+ snapshot: false,
+ name: 'High privilege user can claim an order in someone elses name',
+ setup: shopSetup,
+ test: async function () {
+ const orderRes = await this.setupData.client1.shopOrder.shopOrderControllerCreate({
+ listingId: this.setupData.listing100.id,
+ amount: 1,
+ });
+
+ const order = orderRes.data.data;
+
+ const res = await this.client.shopOrder.shopOrderControllerClaim(order.id);
+ expect(res.data.data.status).to.be.eq(ShopOrderOutputDTOStatusEnum.Completed);
+ return res;
+ },
+ }),
 ];
 describe(group, function () {
diff --git a/packages/app-api/src/service/Shop/index.ts b/packages/app-api/src/service/Shop/index.ts
index f2ee43fae8..c10ff1a822 100644
--- a/packages/app-api/src/service/Shop/index.ts
+++ b/packages/app-api/src/service/Shop/index.ts
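Review bot: The new test only asserts that the privileged `this.client` can drive `client1`'s order to `Completed`; nothing checks that the claim is resolved against the order's owner rather than the caller, which is exactly what the fix changes in the service (the lookup now uses `order.userId` instead of the context user). Pinning the owner with something like `expect(res.data.data.userId).to.be.eq(order.userId)` would catch a regression to the old behavior, assuming the order output DTO exposes `userId` the way the service model does. Since this commit widens who may claim an order, the suite also needs the negative case unless it already exists elsewhere in this file: a non-privileged client claiming an order it did not create should be rejected, e.g. `await expect(this.setupData.client1.shopOrder.shopOrderControllerClaim(othersOrder.id)).to.be.rejected` in whatever rejection idiom the rest of the file uses. The `tests` array this hunk extends starts outside the hunk.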
@@ -203,9 +203,6 @@ export class ShopListingService extends TakaroService<
 }
 async claimOrder(orderId: string): Promise {
- const userId = ctx.data.user;
- if (!userId) throw new errors.UnauthorizedError();
-
 const order = await this.orderRepo.findOne(orderId);
 if (!order) throw new errors.NotFoundError(`Shop order with id ${orderId} not found`);
 await this.checkIfOrderBelongsToUser(order);
@@ -213,7 +210,7 @@ export class ShopListingService extends TakaroService<
 throw new errors.BadRequestError(`Can only claim paid, unclaimed orders. Current status: ${order.status}`);
 const userService = new UserService(this.domainId);
- const user = await userService.findOne(userId);
+ const user = await userService.findOne(order.userId);
 if (!user.playerId) throw new errors.BadRequestError(
@@ -265,7 +262,7 @@ export class ShopListingService extends TakaroService<
 eventName: EVENT_TYPES.SHOP_ORDER_STATUS_CHANGED,
 gameserverId: gameServerId,
 playerId: pog.playerId,
- userId,
+ userId: order.userId,
 meta: new TakaroEventShopOrderStatusChanged({
 id: updatedOrder.id,
 status: ShopOrderStatus.COMPLETED,
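Review bot: In the first hunk the `ctx.data.user` guard at the top of `claimOrder` is removed, which appears to be a by-product of `userId` becoming unused once the lookup switched to `order.userId`, and it leaves `checkIfOrderBelongsToUser(order)` — defined outside this hunk — as the sole authorization step; unless that helper itself throws when no user is in context, a call without an authenticated user now proceeds past the guard that used to stop it. Keep an explicit check before the repository lookup, `if (!ctx.data.user) throw new errors.UnauthorizedError();`, so the authorization contract of this method does not depend on the helper's handling of a missing user. On the new side the order is still fetched and `NotFoundError` raised before the ownership check runs, so an unauthorized caller can probe which order ids exist; running the ownership check first, or answering not-found in both cases, removes that oracle. In the third hunk `userId: order.userId` now attributes the `SHOP_ORDER_STATUS_CHANGED` event to the order's owner rather than the user who performed the claim, so if that event feeds an audit trail the acting privileged user's identity is lost and should be recorded alongside it. `claimOrder` begins and continues outside these hunks.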