Force unconfirmed tickets to log in.

[StevenDufresne]

Fixes #1420

Props mkrndmane, ryelle.

This PR forces login for editing tickets that are currently unconfirmed.

Changes

• Adds user_must_confirm_ticket that checks if the ticket is unconfirmed. Reference
• Passes along all tix_ parameters found in $_REQUEST to the final destination. Reference
  • I don't understand is why the original code checked for isset( $_REQUEST['tix_tickets_selected'] ) before passing along the parameters. I would assume we could pass them along in all cases.

How to test

1. Purchase multiple tickets. (Stripe test cards, Stripe test keys)
   • Set a ticket to I don't know who will use this ticket yet
   • Set a ticket First Name/Last Name/Email.
2. While viewing an Attendees post through the admin interface list:
   • Confirm the tix_username is set to [[ unconfirmed ]]
   • Copy the edit token link address.
3. Visit that link in an incognito session.
4. Confirm you are asked to login.
   • Note if you login with the same account you purchased your ticket with, this filter will stop you. You can comment out this one and the one below it to test if you don't have a second account to use
5. Enter new details into the fields.
6. Click the "Confirm Registration" button.
7. View the attendee through the admin interface and confirm that their tix_username is set to the user that was used to log in.
8. Copy the edit token link again.
9. Log out.
10. Paste that link in your browser.
11. Update information and click "Save Attendee information"
12. Notice that you are able to update the ticket information without logging in once the user is no longer [[ unconfirmed ]].

[pkevan]

Unsure if this has been tested, but could this logic be extended to support users transferring their tickets to another username? Or is that supported elsewhere? I suppose on transfer of a ticket, it would just switch back to [[ unconfirmed ]]

[ryelle]

I don't understand is why the original code checked for isset( $_REQUEST['tix_tickets_selected'] ) before passing along the parameters. I would assume we could pass them along in all cases.

Pretty sure that was just because I used $_REQUEST['tix_tickets_selected'] right below and wanted to make sure it wouldn't error.

I've tested out the edit ticket flow and a logged out user can correctly edit a ticket bought before the require-login, and not edit after 👍🏻

Unfortunately, in testing the regular ticket purchase flow I'm seeing this error:

I also realized the current redirect probably doesn't pass through the reservation info, but I was interrupted by ^ before I could properly test. A reservation is set up on a ticket (in the edit-ticket screen), and ends up being a link like somecamp.wordcamp.org/2024/tickets/?tix_reservation_id=speakers&tix_reservation_token=k3vlopd1G3vWewZA.

[ryelle]

Oh, the error is because tix_tickets_selected should be an array of [ticket-id] => quantity, not an int.

[StevenDufresne]

I think I've covered all the relevant parameters. Can I get another review?

[pkevan]

i guess technically we could return an empty array too, if no parameters match the allowed list.

[StevenDufresne]

Yep, $args will return empty if nothing matches. Do you think we should note that here?

[pkevan]

yes, @return array Empty array or sanitized parameters. or similar would work.

[pkevan]

how long will this be temporary 😉

[StevenDufresne]

I have a script that will tell me when there are no more tickets purchased without accounts. Should be about February 2025.

[pkevan]

untested, but code looks ok.

[MakarandMane]

I will test it & get back here, found any issue.