From d11136e041cccc7d1e8c348f6e6ee6fb7f675e89 Mon Sep 17 00:00:00 2001
From: "smarcet@gmail.com"
Date: Tue, 27 Aug 2024 16:29:22 -0300
Subject: [PATCH] fix: managed tickets get extra questions
---
 ...th2SummitOrderExtraQuestionTypeApiController.php | 13 +++++++++----
 .../Summit/OAuth2SummitOrdersApiController.php | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php
index b275f39e7..7ee2e85c1 100644
--- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php
+++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrderExtraQuestionTypeApiController.php
@@ -483,10 +483,10 @@ public function getOwnAttendeeAllowedExtraQuestions($summit_id)
 public function getAttendeeExtraQuestions($summit_id, $attendee_id)
 {
 $summit = SummitFinderStrategyFactory::build($this->getSummitRepository(), $this->getResourceServerContext())->find($summit_id);
- if (is_null($summit)) return $this->error404("Summit not found");
+ if (is_null($summit)) return $this->error404("Summit not found.");
 $attendee = $summit->getAttendeeById(intval($attendee_id));
- if (is_null($attendee)) return $this->error404("Attendee not found");
+ if (is_null($attendee)) return $this->error404("Attendee not found.");
 // authz
 // check that we have a current member ( not service account )
@@ -499,7 +499,12 @@ public function getAttendeeExtraQuestions($summit_id, $attendee_id)
 if(!$auth){
 // check if current member is the attendee
- $auth = $attendee->getEmail() == $current_member->getEmail() || $attendee->getMemberId() == $current_member->getId();
+ $auth = (
+ $attendee->getEmail() == $current_member->getEmail()
+ || $attendee->getMemberId() == $current_member->getId()
+ || $attendee->isManagedBy($current_member)
+ );
+
 if(!$auth){
 // check if the attendee is under some order of the current member
 foreach($current_member->getPadRegistrationOrdersForSummit($summit) as $order){
@@ -513,7 +518,7 @@ public function getAttendeeExtraQuestions($summit_id, $attendee_id)
 }
 if(!$auth)
- return $this->error401();
+ return $this->error403("You are not Authorized.");
 return $this->_getAll(
 function () {
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php
index 20f9fd3e9..f0b9a610c 100644
--- a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php
+++ b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitOrdersApiController.php
@@ -468,7 +468,7 @@ public function getMyTicketById($order_id, $ticket_id)
 $current_user = $this->getResourceServerContext()->getCurrentUser();
 if (is_null($current_user))
- return $this->error403();
+ return $this->error401();
 if (!$order instanceof SummitOrder)
 throw new EntityNotFoundException("Order not found.");
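Review bot: The ownership test in the `-499,7 +499,12` hunk still compares identities with loose `==`, so `$attendee->getEmail() == $current_member->getEmail()` is true when both sides are null or empty, which would authorize a member against an attendee record that has no email. Whether either getter can return null is not visible here, but a guard such as `$email = $current_member->getEmail();` followed by `(!empty($email) && $attendee->getEmail() === $email)` removes the doubt. The new `isManagedBy($current_member)` branch widens read access to another person's answers and its definition is outside this diff, so it deserves a test that a manager is accepted and that a member who neither owns nor manages the attendee receives the 403. The enclosing getAttendeeExtraQuestions starts and ends outside the hunk.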
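Review bot: The denial in the `-513,7 +518,7` hunk is now a 403, while the lookup in the `-483,10 +483,10` hunk returns 404 before any authorization runs, so the two responses tell any authenticated member whether a given attendee id exists in the summit. If attendee ids are not meant to be discoverable, answer the denied case the same way as the missing one, e.g. `return $this->error404("Attendee not found.");`. Otherwise a short comment above the check stating that the distinction is intentional would help the next reader. The function body continues outside the hunk.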