fix: Filter attendees when ticket holder is not ticket purchaser (#7471)

Co-authored-by: Suneet Srivastava <[email protected]>

Author: codedsun

app/api/attendees.py

@@ -142,6 +142,8 @@ def query(self, view_kwargs):
             ):
                 raise ForbiddenError({'source': ''}, 'Access Forbidden')
             query_ = query_.join(Order).filter(Order.id == order.id)
+            if current_user.id != order.user_id:
+                query_ = query_.filter(TicketHolder.user == current_user)
 
         if view_kwargs.get('ticket_id'):
             ticket = safe_query_kwargs(Ticket, view_kwargs, 'ticket_id')

app/api/schema/orders.py

@@ -107,7 +107,7 @@ def initial_values(self, data):
     )
 
     attendees = Relationship(
-        attribute='ticket_holders',
+        attribute='filtered_ticket_holders',
         self_view='v1.order_attendee',
         self_view_kwargs={'order_identifier': '<identifier>'},
         related_view='v1.attendee_list',

app/models/order.py

@@ -1,5 +1,6 @@
 import time
 
+from flask_jwt_extended import current_user
 from sqlalchemy.sql import func
 
 from app.api.helpers.db import get_new_identifier
@@ -154,6 +155,13 @@ def invoice_pdf_path(self) -> str:
             + '.pdf'
         )
 
+    @property
+    def filtered_ticket_holders(self):
+        query_ = TicketHolder.query.filter_by(order_id=self.id, deleted_at=None)
+        if current_user.id != self.user_id:
+            query_ = query_.filter(TicketHolder.user == current_user)
+        return query_.all()
+
     @property
     def site_view_link(self) -> str:
         frontend_url = get_settings()['frontend_url']