Open-event-server: Ensure basic endpoints are accessible without authentication

Created on 14 Jun 2017 · 21 Comments · Source: fossasia/open-event-server

Event-related endpoints

  • [x] Getting a list of events & details about a single event
  • [x] Getting a list of sessions of an event and the details about a single session
  • [x] Getting a list of microlocations of an event and the details about a single microlocation
  • [x] Getting a list of tracks of an event and the details about a single track
  • ~Getting a list of speakers of an event and the details about a single speaker~ [ Edited by Piyush: This needs to be done separately since speakers API isn't ready yet ]
  • [x] Getting a list of tickets of an event and the details about a single ticket
  • [x] Getting call for speakers info of an event
  • [x] Getting copyright info of an event

Other endpoints

  • [x] Getting settings (all fields except all client IDs, access tokens, secrets, passwords, email settings). But note, stripe-publishable-key is required.
  • [x] Getting pages list & detail
High has-PR nextgen rest-api

All 21 comments

I think it requires the permission manager to be completed before this.

@poush updated the description

@poush what is the progress on this ?

Almost complete. Just need to check some end points. Also, since ~sessions~ speakers API isn't implemented yet so that part is left.

Cool, so we have now has-PR label :D

@poush looks like this hasn't been done for event relationships ?

Eg. like https://api.eventyay.com/v1/events/1/microlocations

@poush any updates ?

sponsors api still remaining as pointed out by @Princu7

discount codes will need authentication and accessible only to event admins. We don't want someone just enumerating all the discount codes in the system and using them.

For discount codes, we'll need two new endpoints with only JWT check.

  • [ ] /v1/events/<id>/discount-codes/<discount-code>
  • [ ] /v1/discount-codes/<discount-code>

For the rest of the endpoints,

  • [x] /v1/events/<id>/discount-codes/* - accessible only to event admin
  • [x] /v1/discount-codes - accessible only to super admin
  • [ ] /v1/discount-codes/<id> - if type=ticket, accessible only to event admin. If type=event, accessible only to super admin
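
The access rules listed above for the discount-code endpoints, written out as decision functions. This is an added example, not part of the thread or of open-event-server's code; the `User` and `DiscountCode` classes, the function names and the sample codes are hypothetical, and it assumes a super admin also passes every event-admin check.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# All names below are hypothetical; they are not open-event-server's models.
@dataclass(frozen=True)
class User:
    id: int
    is_super_admin: bool = False
    admin_of_events: frozenset = frozenset()   # ids of events this user administers

@dataclass(frozen=True)
class DiscountCode:
    id: int
    code: str
    type: str                  # "ticket" or "event" (one model, two kinds)
    event_id: Optional[int]    # set for type=ticket

# Constructed sample data.
CODES = [DiscountCode(1, "EARLY10", "ticket", 7), DiscountCode(2, "ORGA50", "event", None)]

def is_event_admin(user: Optional[User], event_id: Optional[int]) -> bool:
    # Assumption: a super admin passes every event-admin check.
    return user is not None and (user.is_super_admin or event_id in user.admin_of_events)

def can_list_all(user: Optional[User]) -> bool:
    """/v1/discount-codes: super admin only."""
    return user is not None and user.is_super_admin

def can_list_for_event(user: Optional[User], event_id: int) -> bool:
    """/v1/events/<id>/discount-codes/*: event admin only."""
    return is_event_admin(user, event_id)

def can_access_by_id(user: Optional[User], dc: DiscountCode) -> bool:
    """/v1/discount-codes/<id>: the rule depends on the code's type."""
    if dc.type == "ticket":
        return is_event_admin(user, dc.event_id)
    if dc.type == "event":
        return user is not None and user.is_super_admin
    return False               # unknown type: deny by default

def lookup_by_code(user: Optional[User], codes: Iterable[DiscountCode],
                   code: str, event_id: Optional[int] = None) -> Optional[DiscountCode]:
    """By-code endpoints: JWT check only, exact match, never a listing."""
    if user is None:
        raise PermissionError("JWT required")
    for dc in codes:
        if dc.code == code and (event_id is None or dc.event_id == event_id):
            return dc
    return None                # no partial matches, so codes cannot be enumerated here
```
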

@niranjan94
aren't these two endpoints the same?
/v1/events/<id>/discount-codes/<discount-code>
/v1/discount-codes/<discount-code>

Since DiscountCode model is associated with events therefore we can easily check for the permission without the need of event_id in url

@poush there are two different kinds of discount codes sharing the same model. See #3911

@niranjan94 Please see if I'm correct here,

For only super admin we will have routes

DiscountList
=> /v1/discount-codes [GET]
=> /v1/discount-codes [POST]

DiscountDetail
=> /v1/discount-codes/ ( with type=event) [GET, PATCH, DELETE]

For Event Admin and super admin

DiscountList
=> /v1/events//discount-codes [GET and POST]

Discount Detail
=> /v1/discount-codes/ (type=ticket) [GET, PATCH, DELETE]

For everyone logged in

DiscountDetail
=> /v1/discount-codes/

Also what I am trying to say in the case of

/v1/events/<id>/discount-codes/<discount-code>
/v1/discount-codes/<discount-code>

is that both use < discount-code > for same method which is not allowed in JSON API

> is that both use < discount-code > for same method which is not allowed in JSON API

They both refer to the same resource right ?

Yes, to DiscountDetail

So ... what's the confusion here ?

I cannot use < discount-code > in two endpoints pointing to same resource.

File "--/open-event-orga-server/ENV/lib/python2.7/site-packages/werkzeug/routing.py", line 202, in parse_rule
    raise ValueError('variable name %r used twice.' % variable)
ValueError: variable name 'discount_code' used twice.

Then change the variable name to id 😅 .. Please don't take the endpoint variables I give literally ... It's just for reference

This really did not require such a long discussion

@niranjan94 Before working on DiscountCodes API permissions as you described, #3911 has to be completed. I have partial code ready here and will complete it as soon as #3911 gets done

Hi. Thanks for implementing the Speakers API :) It seems that the basic endpoints like for getting information regarding the speakers of an event are not working without the access token. I tried a call to this URL: http://open-event-api.herokuapp.com/v1/events/69/speakers
Please see to it. Thanks!!
