fix(promo-codes): guard WithPromoCode reservations and exclude exhausted discovery codes

caseylocker · claude · caseylocker · commit b87cefdfe101 · 2026-04-09T14:36:57.000-05:00
Two review findings on the promo-codes branch.

P1 — `POST /orders` allowed reserving audience=WithPromoCode ticket types
with just a `type_id` and no `promo_code`. `Summit::canBuyRegistrationTicketByType`
unconditionally returns true for that audience, and
`PreProcessReservationTask::run` only validated a promo code when one was
supplied. Add an explicit `isPromoCodeOnly() &amp;&amp; empty($promo_code_value)`
guard that throws ValidationException; reuses the existing
`SummitTicketType::isPromoCodeOnly()` helper.

P2 — Promo code discovery endpoint returned globally exhausted finite codes
(`quantity_used &gt;= quantity_available`). The repository filter uses
`isLive()` which is dates-only, and the service layer only enforced the
per-account quota. Add a `hasQuantityAvailable()` short-circuit at the top
of `SummitPromoCodeService::discoverPromoCodes` so discovery matches
`validate()` behavior at checkout.

Regression tests:
- `tests/Unit/Services/PreProcessReservationTaskTest.php` — pure PHPUnit
  unit tests for the WithPromoCode guard (reject + non-overreach).
- `tests/Unit/Services/SummitPromoCodeServiceDiscoveryTest.php` — pure
  PHPUnit unit tests for the global exhaustion filter (reject, healthy
  passes, mixed batch).
- `tests/oauth2/OAuth2SummitPromoCodesApiTest.php` —
  `testDiscoverExcludesGloballyExhaustedCodes`, sibling to the existing
  per-account exhaustion integration test.

Mutation-verified: temporarily reverted both fixes, confirmed that 3 of 5
new unit tests fail as expected, then restored.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/app/Services/Model/Imp/SummitOrderService.php b/app/Services/Model/Imp/SummitOrderService.php
@@ -1032,6 +1032,14 @@ public function run(array $formerState): array
 
             $promo_code_value = isset($ticket_dto['promo_code']) ? strtoupper(trim($ticket_dto['promo_code'])) : null;
 
+            // WithPromoCode audience ticket types are never purchasable without a qualifying promo code.
+            // canBeAppliedTo (below) rejects wrong codes; this guards the no-code case.
+            if ($ticket_type->isPromoCodeOnly() && empty($promo_code_value)) {
+                throw new ValidationException(
+                    sprintf("Ticket type %s requires a promo code.", $ticket_type->getName())
+                );
+            }
+
             if (!isset($reservations[$type_id]))
                 $reservations[$type_id] = 0;
 
diff --git a/app/Services/Model/Imp/SummitPromoCodeService.php b/app/Services/Model/Imp/SummitPromoCodeService.php
@@ -1024,6 +1024,13 @@ public function discoverPromoCodes(Summit $summit, Member $member): array
         $results = [];
 
         foreach ($codes as $code) {
+            // Global exhaustion: finite code with quantity_used >= quantity_available.
+            // The repository filter uses isLive() (dates only), so exhausted codes leak through.
+            // Skip them here so discovery matches checkout's validate() behavior.
+            if (!$code->hasQuantityAvailable()) {
+                continue;
+            }
+
             // QuantityPerAccount enforcement: exclude exhausted codes
             if ($code instanceof IDomainAuthorizedPromoCode) {
                 $quantityPerAccount = $code->getQuantityPerAccount();
diff --git a/tests/Unit/Services/PreProcessReservationTaskTest.php b/tests/Unit/Services/PreProcessReservationTaskTest.php
@@ -0,0 +1,98 @@
+<?php namespace Tests\Unit\Services;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use App\Services\Model\PreProcessReservationTask;
+use Mockery;
+use models\exceptions\ValidationException;
+use models\summit\Summit;
+use models\summit\SummitTicketType;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Class PreProcessReservationTaskTest
+ *
+ * Regression unit tests for the WithPromoCode reservation guard in
+ * {@see PreProcessReservationTask}. Uses Mockery on concrete Summit /
+ * SummitTicketType so the tests do not require Laravel, DB, or Redis.
+ *
+ * @package Tests\Unit\Services
+ */
+class PreProcessReservationTaskTest extends TestCase
+{
+    protected function tearDown(): void
+    {
+        Mockery::close();
+        parent::tearDown();
+    }
+
+    /**
+     * WithPromoCode audience + no promo code → ValidationException.
+     *
+     * This is the regression: previously, PreProcessReservationTask::run()
+     * only validated promo codes when one was supplied, letting
+     * audience=WithPromoCode tickets be reserved with just a type_id.
+     */
+    public function testRejectsPromoCodeOnlyTicketTypeWithoutPromoCode(): void
+    {
+        $ticket_type = Mockery::mock(SummitTicketType::class);
+        $ticket_type->shouldReceive('getId')->andReturn(42);
+        $ticket_type->shouldReceive('getName')->andReturn('VIP_PROMO_ONLY');
+        $ticket_type->shouldReceive('isLive')->andReturn(true);
+        $ticket_type->shouldReceive('isPromoCodeOnly')->andReturn(true);
+
+        $summit = Mockery::mock(Summit::class);
+        $summit->shouldReceive('getTicketTypeById')->with(42)->andReturn($ticket_type);
+
+        $payload = [
+            'tickets' => [
+                ['type_id' => 42], // no promo_code
+            ],
+        ];
+
+        $task = new PreProcessReservationTask($summit, $payload);
+
+        $this->expectException(ValidationException::class);
+        $this->expectExceptionMessage('Ticket type VIP_PROMO_ONLY requires a promo code.');
+
+        $task->run([]);
+    }
+
+    /**
+     * Non-WithPromoCode audience + no promo code → allowed (guard does not overreach).
+     */
+    public function testAllowsNonPromoCodeOnlyTicketTypeWithoutPromoCode(): void
+    {
+        $ticket_type = Mockery::mock(SummitTicketType::class);
+        $ticket_type->shouldReceive('getId')->andReturn(7);
+        $ticket_type->shouldReceive('getName')->andReturn('GENERAL_ADMISSION');
+        $ticket_type->shouldReceive('isLive')->andReturn(true);
+        $ticket_type->shouldReceive('isPromoCodeOnly')->andReturn(false);
+
+        $summit = Mockery::mock(Summit::class);
+        $summit->shouldReceive('getTicketTypeById')->with(7)->andReturn($ticket_type);
+
+        $payload = [
+            'tickets' => [
+                ['type_id' => 7],
+            ],
+        ];
+
+        $task = new PreProcessReservationTask($summit, $payload);
+        $state = $task->run([]);
+
+        $this->assertEquals([7 => 1], $state['reservations']);
+        $this->assertEquals([], $state['promo_codes_usage']);
+        $this->assertEquals([7], $state['ticket_types_ids']);
+    }
+}
diff --git a/tests/Unit/Services/SummitPromoCodeServiceDiscoveryTest.php b/tests/Unit/Services/SummitPromoCodeServiceDiscoveryTest.php
@@ -0,0 +1,164 @@
+<?php namespace Tests\Unit\Services;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use App\Services\Model\SummitPromoCodeService;
+use App\Services\Utils\ILockManagerService;
+use libs\utils\ITransactionService;
+use Mockery;
+use models\main\ICompanyRepository;
+use models\main\IMemberRepository;
+use models\main\ITagRepository;
+use models\main\Member;
+use models\summit\DomainAuthorizedSummitRegistrationPromoCode;
+use models\summit\ISpeakerRepository;
+use models\summit\ISummitAttendeeTicketRepository;
+use models\summit\ISummitRegistrationPromoCodeRepository;
+use models\summit\ISummitRepository;
+use models\summit\Summit;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Class SummitPromoCodeServiceDiscoveryTest
+ *
+ * Regression unit tests for {@see SummitPromoCodeService::discoverPromoCodes}
+ * filtering logic. Focuses on the global-exhaustion guard added to match
+ * checkout's validate() behavior.
+ *
+ * @package Tests\Unit\Services
+ */
+class SummitPromoCodeServiceDiscoveryTest extends TestCase
+{
+    protected function tearDown(): void
+    {
+        Mockery::close();
+        parent::tearDown();
+    }
+
+    private function buildService(ISummitRegistrationPromoCodeRepository $repository): SummitPromoCodeService
+    {
+        return new SummitPromoCodeService(
+            Mockery::mock(IMemberRepository::class),
+            Mockery::mock(ICompanyRepository::class),
+            Mockery::mock(ISpeakerRepository::class),
+            Mockery::mock(ISummitRepository::class),
+            Mockery::mock(ISummitAttendeeTicketRepository::class),
+            Mockery::mock(ITagRepository::class),
+            $repository,
+            Mockery::mock(ITransactionService::class),
+            Mockery::mock(ILockManagerService::class)
+        );
+    }
+
+    /**
+     * Regression: a finite domain-authorized code whose quantity_used has
+     * reached quantity_available must not appear in discovery. Previously,
+     * the repository filter used isLive() (dates only), so globally
+     * exhausted codes leaked through — frontend auto-apply would then hit
+     * a hard checkout failure.
+     */
+    public function testDiscoverExcludesGloballyExhaustedDomainAuthorizedCode(): void
+    {
+        $exhausted = Mockery::mock(DomainAuthorizedSummitRegistrationPromoCode::class);
+        $exhausted->shouldReceive('getCode')->andReturn('GLOBAL_EXHAUSTED');
+        $exhausted->shouldReceive('hasQuantityAvailable')->andReturn(false);
+        // getQuantityPerAccount should never be reached if the global-exhaustion
+        // guard is in place — but define it defensively so a regression would
+        // surface as a quota check, not an uncaught Mockery error.
+        $exhausted->shouldReceive('getQuantityPerAccount')->andReturn(0);
+        $exhausted->shouldReceive('setRemainingQuantityPerAccount')->andReturn(null);
+
+        $summit = Mockery::mock(Summit::class);
+        $member = Mockery::mock(Member::class);
+        $member->shouldReceive('getEmail')->andReturn('new-buyer@acme.com');
+        $member->shouldReceive('getId')->andReturn(99);
+
+        $repository = Mockery::mock(ISummitRegistrationPromoCodeRepository::class);
+        // Repository filter is isLive()-only, so it would pass the exhausted
+        // code through — simulate that by returning it.
+        $repository->shouldReceive('getDiscoverableByEmailForSummit')
+            ->with($summit, 'new-buyer@acme.com')
+            ->andReturn([$exhausted]);
+
+        $service = $this->buildService($repository);
+        $result = $service->discoverPromoCodes($summit, $member);
+
+        $this->assertSame([], $result,
+            'Globally exhausted domain-authorized code must not appear in discovery');
+    }
+
+    /**
+     * A healthy domain-authorized code (has global quantity, unlimited quota)
+     * passes through. Guards against over-filtering: the exhaustion guard must
+     * not drop valid codes.
+     */
+    public function testDiscoverReturnsHealthyDomainAuthorizedCode(): void
+    {
+        $healthy = Mockery::mock(DomainAuthorizedSummitRegistrationPromoCode::class);
+        $healthy->shouldReceive('getCode')->andReturn('HEALTHY');
+        $healthy->shouldReceive('hasQuantityAvailable')->andReturn(true);
+        $healthy->shouldReceive('getQuantityPerAccount')->andReturn(0);
+        $healthy->shouldReceive('setRemainingQuantityPerAccount')->with(null)->once();
+
+        $summit = Mockery::mock(Summit::class);
+        $member = Mockery::mock(Member::class);
+        $member->shouldReceive('getEmail')->andReturn('buyer@acme.com');
+        $member->shouldReceive('getId')->andReturn(42);
+
+        $repository = Mockery::mock(ISummitRegistrationPromoCodeRepository::class);
+        $repository->shouldReceive('getDiscoverableByEmailForSummit')
+            ->with($summit, 'buyer@acme.com')
+            ->andReturn([$healthy]);
+
+        $service = $this->buildService($repository);
+        $result = $service->discoverPromoCodes($summit, $member);
+
+        $this->assertCount(1, $result);
+        $this->assertSame('HEALTHY', $result[0]->getCode());
+    }
+
+    /**
+     * Mixed case: exhausted code is dropped while a healthy sibling survives.
+     * This proves the guard uses per-code `continue`, not a scalar short-circuit.
+     */
+    public function testDiscoverMixedHealthyAndExhaustedCodes(): void
+    {
+        $exhausted = Mockery::mock(DomainAuthorizedSummitRegistrationPromoCode::class);
+        $exhausted->shouldReceive('getCode')->andReturn('EXHAUSTED');
+        $exhausted->shouldReceive('hasQuantityAvailable')->andReturn(false);
+        $exhausted->shouldReceive('getQuantityPerAccount')->andReturn(0);
+        $exhausted->shouldReceive('setRemainingQuantityPerAccount')->andReturn(null);
+
+        $healthy = Mockery::mock(DomainAuthorizedSummitRegistrationPromoCode::class);
+        $healthy->shouldReceive('getCode')->andReturn('HEALTHY');
+        $healthy->shouldReceive('hasQuantityAvailable')->andReturn(true);
+        $healthy->shouldReceive('getQuantityPerAccount')->andReturn(0);
+        $healthy->shouldReceive('setRemainingQuantityPerAccount')->with(null)->once();
+
+        $summit = Mockery::mock(Summit::class);
+        $member = Mockery::mock(Member::class);
+        $member->shouldReceive('getEmail')->andReturn('buyer@acme.com');
+        $member->shouldReceive('getId')->andReturn(7);
+
+        $repository = Mockery::mock(ISummitRegistrationPromoCodeRepository::class);
+        $repository->shouldReceive('getDiscoverableByEmailForSummit')
+            ->with($summit, 'buyer@acme.com')
+            ->andReturn([$exhausted, $healthy]);
+
+        $service = $this->buildService($repository);
+        $result = $service->discoverPromoCodes($summit, $member);
+
+        $this->assertCount(1, $result);
+        $this->assertSame('HEALTHY', $result[0]->getCode());
+    }
+}
diff --git a/tests/oauth2/OAuth2SummitPromoCodesApiTest.php b/tests/oauth2/OAuth2SummitPromoCodesApiTest.php
@@ -1022,6 +1022,59 @@ public function testDiscoverExcludesExhaustedCodes()
             'Exhausted domain-authorized code (quantity_per_account reached) should not appear in discovery');
     }
 
+    /**
+     * Discovery excludes codes where global quantity_available is exhausted
+     * (quantity_used >= quantity_available), independent of quantity_per_account.
+     * Regression: isLive() is dates-only, so the repository filter does not
+     * catch globally-exhausted-but-still-in-date codes.
+     */
+    public function testDiscoverExcludesGloballyExhaustedCodes()
+    {
+        $memberEmail = self::$member->getEmail();
+        $domain = '@' . substr($memberEmail, strpos($memberEmail, '@') + 1);
+
+        $code = new DomainAuthorizedSummitRegistrationPromoCode();
+        $code->setCode('DISC_GLOBAL_EXHAUST_' . str_random(8));
+        $code->setAllowedEmailDomains([$domain]);
+        $code->setQuantityAvailable(1);
+        // quantity_per_account = 0 (unlimited) isolates the global exhaustion path
+        $code->setQuantityPerAccount(0);
+        self::$summit->addPromoCode($code);
+        self::$em->persist(self::$summit);
+        self::$em->flush();
+
+        // Globally exhaust: quantity_used becomes 1, matches quantity_available=1.
+        // isLive() is dates-only and will still return true, so without the
+        // service-layer guard this code would leak into the discovery results.
+        $code->addUsage('someone-else@example.com', 1);
+        self::$em->persist($code);
+        self::$em->flush();
+
+        $params = [
+            'id' => self::$summit->getId(),
+        ];
+
+        $headers = ["HTTP_Authorization" => " Bearer " . $this->access_token];
+
+        $response = $this->action(
+            "GET",
+            "OAuth2SummitPromoCodesApiController@discover",
+            $params,
+            [],
+            [],
+            [],
+            $headers
+        );
+
+        $content = $response->getContent();
+        $this->assertResponseStatus(200);
+        $result = json_decode($content, true);
+
+        $codes = array_column($result['data'], 'code');
+        $this->assertNotContains($code->getCode(), $codes,
+            'Globally exhausted domain-authorized code (quantity_used >= quantity_available) should not appear in discovery');
+    }
+
     // -----------------------------------------------------------------------
     // Checkout enforcement — Task 12 follow-up #6
     // -----------------------------------------------------------------------
