fix: review feedback

romanetar · romanetar · commit 04376d48535e · 2026-04-08T20:56:10.000+02:00
Signed-off-by: romanetar &lt;roman_ag@hotmail.com&gt;
diff --git a/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitBadgeScanApiController.php b/app/Http/Controllers/Apis/Protected/Summit/OAuth2SummitBadgeScanApiController.php
@@ -126,10 +126,6 @@ protected function addChild(Summit $summit, array $payload): IEntity
         if (is_null($current_member))
             throw new HTTP403ForbiddenException();
 
-        if (!$current_member->hasSponsorMembershipsFor($summit)) {
-            throw new HTTP403ForbiddenException('Only sponsor users can add badge scans.');
-        }
-
         return $this->service->addBadgeScan($summit, $current_member, $payload);
     }
 
diff --git a/app/Models/Foundation/Main/Member.php b/app/Models/Foundation/Main/Member.php
@@ -1994,14 +1994,36 @@ public function addSummitRegistrationOrder(SummitOrder $summit_order)
     /**
      * @param Summit $summit
      * @return ArrayCollection
+     * @throws Exception
      */
-    public function getSponsorsBySummit(Summit $summit): ArrayCollection
+    public function getAllowedSponsorsBySummit(Summit $summit): ArrayCollection
     {
-        return new ArrayCollection(
-            $this->sponsor_memberships->filter(function ($entity) use ($summit) {
-                return $entity->getSummitId() == $summit->getId();
-            })->toArray()
-        );
+        $sql = <<<SQL
+SELECT su.SponsorID
+FROM Sponsor_Users su
+INNER JOIN Sponsor s ON s.ID = su.SponsorID
+WHERE su.MemberID = :member_id
+    AND s.SummitID = :summit_id
+    AND (
+        JSON_CONTAINS(COALESCE(su.Permissions, '[]'), JSON_QUOTE(:slug_sponsors))
+        OR JSON_CONTAINS(COALESCE(su.Permissions, '[]'), JSON_QUOTE(:slug_external))
+    )
+SQL;
+        $ids = $this->prepareRawSQL($sql, [
+            'member_id'     => $this->getId(),
+            'summit_id'     => $summit->getId(),
+            'slug_sponsors' => IGroup::Sponsors,
+            'slug_external' => IGroup::SponsorExternalUsers,
+        ])->executeQuery()->fetchFirstColumn();
+
+        if (empty($ids)) {
+            return new ArrayCollection();
+        }
+
+        $position = array_flip($ids);
+        $sponsors = $this->getEM()->getRepository(Sponsor::class)->findBy(['id' => $ids]);
+        usort($sponsors, fn($a, $b) => $position[$a->getId()] <=> $position[$b->getId()]);
+        return new ArrayCollection($sponsors);
     }
 
     /**
diff --git a/app/Services/Model/Imp/SponsorUserInfoGrantService.php b/app/Services/Model/Imp/SponsorUserInfoGrantService.php
@@ -178,24 +178,22 @@ public function addBadgeScan(Summit $summit, Member $current_member, array $data
             if(is_null($badge))
                 throw new EntityNotFoundException("badge not found.");
 
-            $member_sponsors = $current_member->getSponsorsBySummit($summit);
+            $member_sponsors = $current_member->getAllowedSponsorsBySummit($summit);
 
-            if($member_sponsors->isEmpty())
-                throw new ValidationException("Current member does not belong to any sponsor of this summit.");
+            if ($member_sponsors->isEmpty())
+                throw new ValidationException("Current member does not have badge scan permissions for any sponsor of this summit.");
 
-            if($member_sponsors->count() === 1) {
+            if ($member_sponsors->count() === 1) {
                 $sponsor = $member_sponsors->first();
             } else {
-                if(empty($data['sponsor_id']))
+                if (empty($data['sponsor_id']))
                     throw new ValidationException("sponsor_id is required when the member belongs to multiple sponsors.");
-                $sponsor = $current_member->getSponsorBySummitAndId($summit, intval($data['sponsor_id']));
-                if(is_null($sponsor))
+                $sponsor_id = intval($data['sponsor_id']);
+                $sponsor = $member_sponsors->filter(fn($s) => $s->getId() === $sponsor_id)->first();
+                if ($sponsor === false)
                     throw new ValidationException("Current member does not belong to the selected summit sponsor.");
             }
 
-            if(!$current_member->hasSponsorMembershipsFor($summit, $sponsor))
-                throw new ValidationException("Current member does not have badge scan permissions for the selected sponsor.");
-
             $scan = new SponsorBadgeScan();
             $scan->setScanDate($scan_date);
             $scan->setQRCode($qr_code);
diff --git a/tests/Unit/Entities/SponsorPermissionTrackingTest.php b/tests/Unit/Entities/SponsorPermissionTrackingTest.php
@@ -233,7 +233,165 @@ public function testGetActiveSummitsSponsorMembershipsIncludesWithPermission():
     }
 
     // -------------------------------------------------------------------------
-    // 6. Sponsor::addUser — multi-sponsor membership
+    // 6. Member::addSponsorPermission — concurrency
+    // -------------------------------------------------------------------------
+
+    /**
+     * Concurrent calls to addSponsorPermission for the same (member, sponsor, slug)
+     * must not introduce duplicate entries in the Permissions JSON array.
+     * The SELECT … FOR UPDATE row lock serialises the writers so that the
+     * second caller reads the committed value and IF(JSON_CONTAINS(…)) is a no-op.
+     */
+    public function testConcurrentAddSponsorPermissionProducesNoDuplicates(): void
+    {
+        if (!function_exists('pcntl_fork')) {
+            $this->markTestSkipped('pcntl_fork() is not available in this environment');
+        }
+
+        $sponsor_id  = self::$sponsors[0]->getId();
+        $member_id   = self::$member->getId();
+        $concurrency = 5;
+
+        // Flush and disconnect the parent before forking so children each
+        // get a clean connection — inherited sockets are not fork-safe.
+        self::$em->flush();
+        self::$em->clear();
+        self::$em->getConnection()->close();
+
+        $pids = [];
+        for ($i = 0; $i < $concurrency; $i++) {
+            $pid = pcntl_fork();
+            if ($pid === -1) {
+                $this->fail('pcntl_fork() failed');
+            }
+            if ($pid === 0) {
+                // Child: DBAL auto-reconnects on the first query after close().
+                try {
+                    $conn = self::$em->getConnection();
+                    $conn->beginTransaction();
+                    $member = self::$member_repository->find($member_id);
+                    $member->addSponsorPermission($sponsor_id, IGroup::Sponsors);
+                    $conn->commit();
+                    exit(0);
+                } catch (\Throwable $e) {
+                    exit(1);
+                }
+            }
+            $pids[] = $pid;
+        }
+
+        // Parent: wait for all children and collect exit codes.
+        $failed = 0;
+        foreach ($pids as $pid) {
+            pcntl_waitpid($pid, $status);
+            if (pcntl_wexitstatus($status) !== 0) {
+                $failed++;
+            }
+        }
+
+        // Reconnect the parent for the assertion query.
+        self::$em->getConnection()->close();
+
+        $raw = self::$em->getConnection()->executeQuery(
+            'SELECT Permissions FROM Sponsor_Users WHERE SponsorID = ? AND MemberID = ?',
+            [$sponsor_id, $member_id]
+        )->fetchOne();
+
+        $permissions = json_decode($raw, true) ?? [];
+        $occurrences = array_filter($permissions, fn($p) => $p === IGroup::Sponsors);
+
+        $this->assertSame(0, $failed, 'One or more concurrent workers exited with an error.');
+        $this->assertCount(
+            1,
+            $occurrences,
+            'Concurrent addSponsorPermission calls must not produce duplicate slugs in Permissions.'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 7. Member::removeSponsorPermission — concurrency
+    // -------------------------------------------------------------------------
+
+    /**
+     * Concurrent calls to removeSponsorPermission for the same (member, sponsor, slug)
+     * must leave the slug completely absent from the Permissions JSON array.
+     * The pre-loaded Permissions intentionally contains duplicate slugs to verify
+     * that the JSON_ARRAYAGG-based remove eliminates all occurrences in one shot
+     * and that concurrent workers do not leave stale entries behind.
+     */
+    public function testConcurrentRemoveSponsorPermissionLeavesNoStaleEntries(): void
+    {
+        if (!function_exists('pcntl_fork')) {
+            $this->markTestSkipped('pcntl_fork() is not available in this environment');
+        }
+
+        $sponsor_id  = self::$sponsors[0]->getId();
+        $member_id   = self::$member->getId();
+        $concurrency = 5;
+
+        // Seed Permissions with duplicate slugs to exercise the remove-all path.
+        self::$em->getConnection()->executeStatement(
+            'UPDATE Sponsor_Users SET Permissions = ? WHERE SponsorID = ? AND MemberID = ?',
+            [
+                json_encode([IGroup::Sponsors, IGroup::Sponsors, IGroup::Sponsors]),
+                $sponsor_id,
+                $member_id,
+            ]
+        );
+
+        self::$em->flush();
+        self::$em->clear();
+        self::$em->getConnection()->close();
+
+        $pids = [];
+        for ($i = 0; $i < $concurrency; $i++) {
+            $pid = pcntl_fork();
+            if ($pid === -1) {
+                $this->fail('pcntl_fork() failed');
+            }
+            if ($pid === 0) {
+                try {
+                    $conn = self::$em->getConnection();
+                    $conn->beginTransaction();
+                    $member = self::$member_repository->find($member_id);
+                    $member->removeSponsorPermission($sponsor_id, IGroup::Sponsors);
+                    $conn->commit();
+                    exit(0);
+                } catch (\Throwable $e) {
+                    exit(1);
+                }
+            }
+            $pids[] = $pid;
+        }
+
+        $failed = 0;
+        foreach ($pids as $pid) {
+            pcntl_waitpid($pid, $status);
+            if (pcntl_wexitstatus($status) !== 0) {
+                $failed++;
+            }
+        }
+
+        self::$em->getConnection()->close();
+
+        $raw = self::$em->getConnection()->executeQuery(
+            'SELECT Permissions FROM Sponsor_Users WHERE SponsorID = ? AND MemberID = ?',
+            [$sponsor_id, $member_id]
+        )->fetchOne();
+
+        $permissions = json_decode($raw, true) ?? [];
+        $occurrences = array_filter($permissions, fn($p) => $p === IGroup::Sponsors);
+
+        $this->assertSame(0, $failed, 'One or more concurrent workers exited with an error.');
+        $this->assertCount(
+            0,
+            $occurrences,
+            'Concurrent removeSponsorPermission calls must leave no stale slug occurrences in Permissions.'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 8. Sponsor::addUser — multi-sponsor membership
     // -------------------------------------------------------------------------
 
     /**
diff --git a/tests/oauth2/OAuth2SummitBadgeScanApiControllerTest.php b/tests/oauth2/OAuth2SummitBadgeScanApiControllerTest.php
@@ -91,7 +91,7 @@ public function testAddEncryptedBadgeScan(){
         self::$em->flush();
 
         $this->assertTrue($sponsor->hasUser(self::$member));
-        $this->assertGreaterThan(0, self::$member->getSponsorsBySummit(self::$summit)->count());
+        $this->assertGreaterThan(0, self::$member->getAllowedSponsorsBySummit(self::$summit)->count());
 
         $badge = $attendee->getFirstTicket()->getBadge();
         $badge_qr_code = $badge->generateQRCode();
@@ -371,7 +371,10 @@ public function testAddBadgeScanWithMultipleSponsorsWithoutSponsorId()
 
         self::$em->flush();
 
-        $this->assertGreaterThan(1, self::$member->getSponsorsBySummit(self::$summit)->count());
+        self::$member->addSponsorPermission($sponsor1->getId(), IGroup::Sponsors);
+        self::$member->addSponsorPermission($sponsor2->getId(), IGroup::Sponsors);
+
+        $this->assertGreaterThan(1, self::$member->getAllowedSponsorsBySummit(self::$summit)->count());
 
         $params = [
             'id' => self::$summit->getId(),
@@ -416,7 +419,10 @@ public function testAddBadgeScanWithMultipleSponsorsWithSponsorId()
 
         self::$em->flush();
 
-        $this->assertGreaterThan(1, self::$member->getSponsorsBySummit(self::$summit)->count());
+        self::$member->addSponsorPermission($sponsor1->getId(), IGroup::Sponsors);
+        self::$member->addSponsorPermission($sponsor2->getId(), IGroup::Sponsors);
+
+        $this->assertGreaterThan(1, self::$member->getAllowedSponsorsBySummit(self::$summit)->count());
 
         $params = [
             'id' => self::$summit->getId(),

Original file line number	Diff line number	Diff line change
`@@ -126,10 +126,6 @@ protected function addChild(Summit $summit, array $payload): IEntity`
`126`	`126`	`if (is_null($current_member))`
`127`	`127`	`throw new HTTP403ForbiddenException();`
`128`	`128`
`129`		`- if (!$current_member->hasSponsorMembershipsFor($summit)) {`
`130`		`- throw new HTTP403ForbiddenException('Only sponsor users can add badge scans.');`
`131`		`- }`
`132`		`-`
`133`	`129`	`return $this->service->addBadgeScan($summit, $current_member, $payload);`
`134`	`130`	`}`
`135`	`131`