Merge pull request #192 from eurofurence/issue-188-preps

Issue 188 preps
eurofurence · Jan 13, 2024 · fd006e3 · fd006e3
2 parents 3921f0b + 88f5716
commit fd006e3
Show file tree

Hide file tree

Showing 9 changed files with 189 additions and 21 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -4,9 +4,12 @@ on:
   push:
     branches:
       - 'main'
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
 
 jobs:
-  call_build-and-push-image:
+  call_build-and-push-image_latest:
+    if: startsWith(github.ref, 'refs/heads/')
     permissions:
       contents: read
       packages: write
@@ -20,3 +23,19 @@ jobs:
       registry-user: ${{ github.actor }}
     secrets:
       registry-pass: ${{ secrets.GITHUB_TOKEN }}
+
+  call_build-and-push-image_versioned:
+    if: startsWith(github.ref, 'refs/tags/v0.1.')
+    permissions:
+      contents: read
+      packages: write
+    uses: eurofurence/reg-workflows/.github/workflows/docker-build-push.yml@main
+    with:
+      image-name: ${{ github.repository }}
+      image-tags: ${{ github.ref_name }} v0.1
+      full-repo-url: https://github.com/${{ github.repository }}
+      branch-or-tag-name: ${{ github.ref_name }}
+      commit-hash: ${{ github.sha }}
+      registry-user: ${{ github.actor }}
+    secrets:
+      registry-pass: ${{ secrets.GITHUB_TOKEN }}
diff --git a/docs/config-template.yaml b/docs/config-template.yaml
@@ -94,7 +94,9 @@ choices:
         - regdesk
     ev:
       description: 'Eurofurence e.V. Member'
-      admin_only: true
+      read_only: true
+      # auto-set this field during initial reg if group id 'ev' is present in token
+      group: ev
       visible_for:
         - regdesk
     terms-accepted:
@@ -133,27 +135,31 @@ choices:
       read_only: true
     attendance:
       description: 'Entrance Fee (Convention Ticket)'
-      price: 12000
+      price: 16000
       vat_percent: 19
       default: true
       at-least-one-mandatory: true
       visible_for:
         - regdesk
     early:
       description: 'Early Bird Discount'
-      price: -500
+      price: -1500
       vat_percent: 19
       visible_for:
         - regdesk
       default: true
       read_only: true
-    door:
-      description: 'At The Door Fee'
-      price: 1000
+      constraint: '!day-wed,!day-thu,!day-fri,!day-sat'
+      constraint_msg: 'Early Bird Discount does not apply to Day Tickets'
+    late:
+      description: 'Late Fee'
+      price: 1500
       vat_percent: 19
       visible_for:
         - regdesk
       read_only: true
+      constraint: '!day-wed,!day-thu,!day-fri,!day-sat'
+      constraint_msg: 'Late Fee does not apply to Day Tickets'
     stage:
       description: 'Entrance Fee (Stage Ticket)'
       price: 500
@@ -163,14 +169,14 @@ choices:
         - regdesk
     sponsor:
       description: 'Sponsor Upgrade'
-      price: 8000
+      price: 10000
       vat_percent: 19
       visible_for:
         - regdesk
         - sponsordesk
     sponsor2:
       description: 'Supersponsor Upgrade'
-      price: 19000
+      price: 20000
       vat_percent: 19
       constraint: '!sponsor'
       constraint_msg: 'Please choose only one of Sponsor or Supersponsor.'
@@ -187,7 +193,7 @@ choices:
         - sponsordesk
     day-wed:
       description: 'Day Guest (Wednesday)'
-      price: 7000
+      price: 9000
       vat_percent: 19
       at-least-one-mandatory: true
       constraint: '!attendance,!stage'
@@ -196,7 +202,7 @@ choices:
         - regdesk
     day-thu:
       description: 'Day Guest (Thursday)'
-      price: 7000
+      price: 9000
       vat_percent: 19
       at-least-one-mandatory: true
       constraint: '!attendance,!stage'
@@ -205,7 +211,7 @@ choices:
         - regdesk
     day-fri:
       description: 'Day Guest (Friday)'
-      price: 7000
+      price: 9000
       vat_percent: 19
       at-least-one-mandatory: true
       constraint: '!attendance,!stage'
@@ -214,7 +220,7 @@ choices:
         - regdesk
     day-sat:
       description: 'Day Guest (Saturday)'
-      price: 7000
+      price: 9000
       vat_percent: 19
       at-least-one-mandatory: true
       constraint: '!attendance,!stage'
@@ -434,7 +440,7 @@ spoken_languages:
   - nb
   - ne
   - nl
-  - no
+  - 'no'
   - oc
   - pa
   - pl
@@ -637,7 +643,7 @@ countries:
   - NG
   - NI
   - NL
-  - NO
+  - 'NO'
   - NP
   - NR
   - NU

diff --git a/internal/repository/config/structure.go b/internal/repository/config/structure.go
@@ -125,6 +125,7 @@ type (
 		AdminOnly     bool     `yaml:"admin_only"`             // this flag is kept under the adminInfo structure, so it is not visible to users
 		ReadOnly      bool     `yaml:"read_only"`              // this flag is kept under the normal flags, thus visible to end user, but only admin can change it
 		VisibleFor    []string `yaml:"visible_for"`            // list of permissions which allow seeing the flag/option/package. Admin can always see everything, "self" can always see non-admin_only, but you can add it for admin_only fields. This field also controls who else can see the info based on their permissions admin field. Example: "self,sponsordesk"
+		Group         string   `yaml:"group"`                  // set if attendee has this group during initial registration
 		Mandatory     bool     `yaml:"at-least-one-mandatory"` // one of these MUST be chosen (no constraint if not set on any choices)
 		Constraint    string   `yaml:"constraint"`
 		ConstraintMsg string   `yaml:"constraint_msg"`

diff --git a/internal/repository/paymentservice/interface.go b/internal/repository/paymentservice/interface.go
@@ -28,6 +28,7 @@ type PaymentMethod string
 const (
 	Credit   PaymentMethod = "credit"
 	Paypal   PaymentMethod = "paypal"
+	Cash     PaymentMethod = "cash"
 	Transfer PaymentMethod = "transfer"
 	Internal PaymentMethod = "internal"
 	Gift     PaymentMethod = "gift"

diff --git a/internal/service/attendeesrv/attendeesrv.go b/internal/service/attendeesrv/attendeesrv.go
@@ -43,10 +43,25 @@ func (s *AttendeeServiceImplData) RegisterNewAttendee(ctx context.Context, atten
 		}
 	}
 
+	attendee.Flags = s.setAutoFlags(ctx, attendee.Flags)
+
 	id, err := database.GetRepository().AddAttendee(ctx, attendee)
 	return id, err
 }
 
+func (s *AttendeeServiceImplData) setAutoFlags(ctx context.Context, flags string) string {
+	for key, conf := range config.FlagsConfigNoAdmin() {
+		if conf.Group != "" {
+			if ctxvalues.IsAuthorizedAsGroup(ctx, conf.Group) {
+				if !strings.Contains(flags, ","+key+",") {
+					flags += key + ","
+				}
+			}
+		}
+	}
+	return flags
+}
+
 func (s *AttendeeServiceImplData) GetAttendee(ctx context.Context, id uint) (*entity.Attendee, error) {
 	attendee, err := database.GetRepository().GetAttendeeById(ctx, id)
 	return attendee, err
@@ -202,8 +217,16 @@ func userAlreadyHasAnotherRegistration(ctx context.Context, identity string, exp
 }
 
 func checkNoForbiddenChanges(ctx context.Context, what string, key string, choiceConfig config.ChoiceConfig, originalChoices map[string]bool, newChoices map[string]bool) error {
-	if choiceConfig.AdminOnly || choiceConfig.ReadOnly {
-		if originalChoices[key] != newChoices[key] {
+	if originalChoices[key] != newChoices[key] {
+		// tolerate removing a read-only choice that has a constraint that forbids it anyway
+		if choiceConfig.ReadOnly {
+			if originalChoices[key] && !newChoices[key] {
+				if canAllowRemovalDueToConstraint(ctx, what, key, choiceConfig, originalChoices, newChoices) {
+					return nil
+				}
+			}
+		}
+		if choiceConfig.AdminOnly || choiceConfig.ReadOnly {
 			if !ctxvalues.HasApiToken(ctx) && !ctxvalues.IsAuthorizedAsGroup(ctx, config.OidcAdminGroup()) {
 				return fmt.Errorf("forbidden select or deselect of %s %s - only an admin can do that", what, key)
 			}
@@ -212,6 +235,23 @@ func checkNoForbiddenChanges(ctx context.Context, what string, key string, choic
 	return nil
 }
 
+func canAllowRemovalDueToConstraint(ctx context.Context, what string, key string, choiceConfig config.ChoiceConfig, originalChoices map[string]bool, newChoices map[string]bool) bool {
+	if choiceConfig.Constraint != "" {
+		constraints := strings.Split(choiceConfig.Constraint, ",")
+		for _, cn := range constraints {
+			constraintK := cn
+			if strings.HasPrefix(cn, "!") {
+				constraintK = strings.TrimPrefix(cn, "!")
+				if newChoices[constraintK] {
+					aulogging.Logger.Ctx(ctx).Info().Printf("can allow removal of read only %s %s - it would violate a constraint for %s anyway", what, key, constraintK)
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 func checkNoForbiddenChangesAfterPayment(ctx context.Context, what string, key string, choiceConfig config.ChoiceConfig, configuration map[string]config.ChoiceConfig, originalChoices map[string]bool, newChoices map[string]bool, currentStatus status.Status) error {
 	if ctxvalues.HasApiToken(ctx) || ctxvalues.IsAuthorizedAsGroup(ctx, config.OidcAdminGroup()) {
 		return nil

diff --git a/internal/web/app/logging.go b/internal/web/app/logging.go
@@ -11,6 +11,7 @@ func setupLogging(applicationName string, useEcsLogging bool) {
 	aulogging.RequestIdRetriever = ctxvalues.RequestId
 	if useEcsLogging {
 		auzerolog.SetupJsonLogging(applicationName)
+		zerolog.TimeFieldFormat = "2006-01-02T15:04:05.000Z"
 	} else {
 		aulogging.DefaultRequestIdValue = "00000000"
 		auzerolog.SetupPlaintextLogging()

diff --git a/test/acceptance/attendee_acc_test.go b/test/acceptance/attendee_acc_test.go
@@ -717,6 +717,89 @@ func TestCreateNewAttendee_LoginRequired_Admin_MayUseDifferentEmail(t *testing.T
 	require.Regexp(t, "^\\/api\\/rest\\/v1\\/attendees\\/[1-9][0-9]*$", response.location, "invalid location header in response")
 }
 
+func TestCreateNewAttendee_AutomaticGroupFlag(t *testing.T) {
+	docs.Given("given the configuration for login-only registration after normal reg is open")
+	tstSetup(true, false, true)
+	defer tstShutdown()
+
+	docs.Given("given a logged in user who has the 'ev' group")
+	token := tstValidUserToken(t, 102)
+
+	docs.When("when they create a new attendee")
+	attendeeSent := tstBuildValidAttendee("na62-")
+	response := tstPerformPost("/api/rest/v1/attendees", tstRenderJson(attendeeSent), token)
+
+	docs.Then("then the attendee is successfully created")
+	require.Equal(t, http.StatusCreated, response.status, "unexpected http response status")
+	require.Regexp(t, "^\\/api\\/rest\\/v1\\/attendees\\/[1-9][0-9]*$", response.location, "invalid location header in response")
+
+	docs.Then("and it has been automatically assigned the 'ev' flag even though it was not provided")
+	readAgainResponse := tstPerformGet(response.location, token)
+	attendeeReadAgain := attendee.AttendeeDto{}
+	tstParseJson(readAgainResponse.body, &attendeeReadAgain)
+	// difference in id is ok, so copy it over to expected
+	attendeeSent.Id = attendeeReadAgain.Id
+	// we expect the 'ev' flag added
+	attendeeSent.Flags += ",ev"
+	require.EqualValues(t, attendeeSent, attendeeReadAgain, "attendee data read did not match expected data")
+}
+
+func TestCreateNewAttendee_AutomaticGroupFlag_CannotSet(t *testing.T) {
+	docs.Given("given the configuration for login-only registration after normal reg is open")
+	tstSetup(true, false, true)
+	defer tstShutdown()
+
+	docs.Given("given a logged in user who has the 'ev' group")
+	token := tstValidUserToken(t, 102)
+
+	docs.When("when they attempt to create a new attendee with the automatic 'ev' flag")
+	attendeeSent := tstBuildValidAttendee("na63-")
+	attendeeSent.Flags += ",ev"
+	response := tstPerformPost("/api/rest/v1/attendees", tstRenderJson(attendeeSent), token)
+
+	docs.Then("then the attempt is rejected as invalid (400) with an appropriate error response")
+	tstRequireErrorResponse(t, response, http.StatusBadRequest, "attendee.data.invalid", url.Values{
+		"flags": []string{"forbidden select or deselect of flag ev - only an admin can do that"},
+	})
+}
+
+func TestCreateNewAttendee_ReadonlyDefaultPackageWithConstraintRemovable(t *testing.T) {
+	docs.Given("given the configuration for login-only registration after normal reg is open")
+	tstSetup(true, false, true)
+	defer tstShutdown()
+
+	docs.Given("given a logged in user")
+	token := tstValidUserToken(t, 101)
+
+	docs.When("when they create a new attendee and remove a read-only default package with matching constraint (stage)")
+	attendeeSent := tstBuildValidAttendee("na63-")
+	attendeeSent.Packages = "room-none,day-sat,boat-trip"
+	response := tstPerformPost("/api/rest/v1/attendees", tstRenderJson(attendeeSent), token)
+
+	docs.Then("then the attendee is successfully created")
+	require.Equal(t, http.StatusCreated, response.status, "unexpected http response status")
+	require.Regexp(t, "^\\/api\\/rest\\/v1\\/attendees\\/[1-9][0-9]*$", response.location, "invalid location header in response")
+}
+
+func TestCreateNewAttendee_ReadonlyDefaultPackageNoConstraintNotRemovable(t *testing.T) {
+	docs.Given("given the configuration for login-only registration after normal reg is open")
+	tstSetup(true, false, true)
+	defer tstShutdown()
+
+	docs.Given("given a logged in user")
+	token := tstValidUserToken(t, 101)
+
+	docs.When("when they create a new attendee and try to remove a read-only default package with no matching constraint (room-none)")
+	attendeeSent := tstBuildValidAttendee("na65-")
+	attendeeSent.Packages = "day-sat"
+	response := tstPerformPost("/api/rest/v1/attendees", tstRenderJson(attendeeSent), token)
+
+	docs.Then("then the attempt is rejected as invalid (400) with an appropriate error response")
+	tstRequireErrorResponse(t, response, http.StatusBadRequest, "attendee.data.invalid", url.Values{
+		"packages": []string{"forbidden select or deselect of package room-none - only an admin can do that"},
+	})
+}
+
 // --- update attendee ---
 
 func TestUpdateExistingAttendee_Self(t *testing.T) {

diff --git a/test/acceptance/tokens_test.go b/test/acceptance/tokens_test.go
@@ -11,6 +11,7 @@ func tstNoToken() string {
 
 const valid_JWT_is_not_staff_sub1234567890 = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoidDdWYkV5NVQ3STdYSlh3VHZ4S3hLdyIsImF1ZCI6WyIxNGQ5ZjM3YS0xZWVjLTQ3YzktYTk0OS01ZjFlYmRmOWM4ZTUiXSwiYXV0aF90aW1lIjoxNTE2MjM5MDIyLCJlbWFpbCI6ImpzcXVpcnJlbF9naXRodWJfOWE2ZEBwYWNrZXRsb3NzLmRlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MjA3NTEyMDgxNiwiaWF0IjoxNTE2MjM5MDIyLCJpc3MiOiJodHRwOi8vaWRlbnRpdHkubG9jYWxob3N0LyIsImp0aSI6IjQwNmJlM2U0LWY0ZTktNDdiNy1hYzVmLTA2YjkyNzQzMjg0OCIsIm5hbWUiOiJKb2huIERvZSIsIm5vbmNlIjoiMzBjODNjMTNjOTE3OTgwNGFhMGY5YjM5MzQyNTlkNzUiLCJyYXQiOjE2NzUxMTcxNzcsInNpZCI6ImQ3YjhmZTdhLTA3OWEtNDU5Ni04ZTUzLWE2MGY4NmEwOGFjNiIsInN1YiI6IjEyMzQ1Njc4OSJ9.XOy7LUJVsc7VBuintQDQ5asAbhmOEPzYNQwW0cxJhvlQMq77IBx1kUCCbg3_mstMopKQ85Njqhi5BksKpXuviRZE1BAzB5oQvIiB5IPyJrksm9Q5brJan37jclNc1rQN5wwAsGyY5alB4i9EeX4qo-ZWedtQPSdFTvUIOWf7-LpgWvc_xibQnPtbDwe1kkjbj6-fcubvkGI66yOylFGsg01jisYgWIIcV5N29KRffadJ2spk1tSCNvzTw-G4qcWHvBXQf2FUlOeKZSPV21-RwvHaTJYCyLCBt0CLDx847d44qaDBAxdntQI5KnhvEwthw-FvV0mPcgGA4fA-6l8v7A`
 const valid_JWT_is_not_staff_sub101 = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoidDdWYkV5NVQ3STdYSlh3VHZ4S3hLdyIsImF1ZCI6WyIxNGQ5ZjM3YS0xZWVjLTQ3YzktYTk0OS01ZjFlYmRmOWM4ZTUiXSwiYXV0aF90aW1lIjoxNTE2MjM5MDIyLCJlbWFpbCI6ImpzcXVpcnJlbF9naXRodWJfOWE2ZEBwYWNrZXRsb3NzLmRlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MjA3NTEyMDgxNiwiZ3JvdXBzIjpbInNvbWVncm91cCJdLCJpYXQiOjE1MTYyMzkwMjIsImlzcyI6Imh0dHA6Ly9pZGVudGl0eS5sb2NhbGhvc3QvIiwianRpIjoiNDA2YmUzZTQtZjRlOS00N2I3LWFjNWYtMDZiOTI3NDMyODQ4IiwibmFtZSI6IkpvaG4gRG9lIiwibm9uY2UiOiIzMGM4M2MxM2M5MTc5ODA0YWEwZjliMzkzNDI1OWQ3NSIsInJhdCI6MTY3NTExNzE3Nywic2lkIjoiZDdiOGZlN2EtMDc5YS00NTk2LThlNTMtYTYwZjg2YTA4YWM2Iiwic3ViIjoiMTAxIn0.ntHz3G7LLtHC3pJ1PoWJoG3mnzg96IIcP3LAV4V1CcKYMFoKVQfh7MiOdRXpiB-_j4QFE7O-za3mynwFqRbF3_Tw_Sp7Zsgk9OUPo2Mk3VBSl9yPIU4pmc8v7nrmaAVOQLyjglVG7NLRWLpx0oIG8SSN0d75PBI5iLyQ0H7Zu0npEu6xekHeAYAg9DHQxqZInzom72aLmHdtG7tOqOgN0XphiK7zmIqm5aCg7R9_J9s0UU0g16_Phxm3DaynufGCjEPE2YrSL7hY9UVT2nfrHO7MvVOEKMG3RaKUDjzqOkLawz9TcUJlUTBc1J-91zYbdXLHYT_2b4EW_qa1C-P3Ow`
+const valid_JWT_ev_sub102 = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoidDdWYkV5NVQ3STdYSlh3VHZ4S3hLdyIsImF1ZCI6WyIxNGQ5ZjM3YS0xZWVjLTQ3YzktYTk0OS01ZjFlYmRmOWM4ZTUiXSwiYXV0aF90aW1lIjoxNTE2MjM5MDIyLCJlbWFpbCI6ImpzcXVpcnJlbF9naXRodWJfOWE2ZEBwYWNrZXRsb3NzLmRlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MjA3NTEyMDgxNiwiZ3JvdXBzIjpbImV2IiwiZnVyIl0sImlhdCI6MTUxNjIzOTAyMiwiaXNzIjoiaHR0cDovL2lkZW50aXR5LmxvY2FsaG9zdC8iLCJqdGkiOiI0MDZiZTNlNC1mNGU5LTQ3YjctYWM1Zi0wNmI5Mjc0MzI4NDgiLCJuYW1lIjoiSm9obiBEb2UiLCJub25jZSI6IjMwYzgzYzEzYzkxNzk4MDRhYTBmOWIzOTM0MjU5ZDc1IiwicmF0IjoxNjc1MTE3MTc3LCJzaWQiOiJkN2I4ZmU3YS0wNzlhLTQ1OTYtOGU1My1hNjBmODZhMDhhYzYiLCJzdWIiOiIxMDIifQ.qzHiYNkcr8Hkqpe86F_C849Z06TS1ZxkFYsiqvFFS__mVkbSS9jbUhCJNfckCc0dZleTfN8L1w7RK0fD1PQR3hsF-Wy4sZE9-ZzW7P1sNmYkmY68w4avpAMs7Fn3_o9Ros25oOqcEbu0d4M43GYDX8dwA729Jtle8N46LjJXhuYG6wz_K59qVd8kTMbUgm5GapWdrQs4Qlswnf_K1G5HXhAi7mrrMZOGejDODeofHPGukY1TZfMfMEUgJmlIn2nn6hu8fyyvpIDgaQpg1LKKw5JYzVi_EAjqz0xzXzvsJ1Tacj2aoXFDCxOawG-6-ID2Q4uPAJvZ9GTdmmePsJuhxw`
 const valid_JWT_is_not_staff_sub101_unverified = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoidDdWYkV5NVQ3STdYSlh3VHZ4S3hLdyIsImF1ZCI6WyIxNGQ5ZjM3YS0xZWVjLTQ3YzktYTk0OS01ZjFlYmRmOWM4ZTUiXSwiYXV0aF90aW1lIjoxNTE2MjM5MDIyLCJlbWFpbCI6ImpzcXVpcnJlbF9naXRodWJfOWE2ZEBwYWNrZXRsb3NzLmRlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJleHAiOjIwNzUxMjA4MTYsImdyb3VwcyI6WyJzb21lZ3JvdXAiXSwiaWF0IjoxNTE2MjM5MDIyLCJpc3MiOiJodHRwOi8vaWRlbnRpdHkubG9jYWxob3N0LyIsImp0aSI6IjQwNmJlM2U0LWY0ZTktNDdiNy1hYzVmLTA2YjkyNzQzMjg0OCIsIm5hbWUiOiJKb2huIERvZSIsIm5vbmNlIjoiMzBjODNjMTNjOTE3OTgwNGFhMGY5YjM5MzQyNTlkNzUiLCJyYXQiOjE2NzUxMTcxNzcsInNpZCI6ImQ3YjhmZTdhLTA3OWEtNDU5Ni04ZTUzLWE2MGY4NmEwOGFjNiIsInN1YiI6IjEwMSJ9.QewwmuCatUYhcJPk_JZPeOqJOmh0XlbT9CKWPmjXT-ODX-oWZ2Dop3-J2xsMRSbMn23m1mXy8SXcUjIuFFzMcZCZY6O2-HD9igskn6e8yg8WBi2QnP-sOrWfvaLfnVORYwVxyO3o9eeWPhPjDaFVGvg7rzho_IVIXg0LqluN2ID3RcBc5JuzDGwm0YpuC9gJr1I5rDLADbXF3pLVDTGWFXrlln_1vbzhnPvKAJNPFhKwtuIEmKuLC9OgzW4bIjbPHU_A4dCfa7aAZ4D2RId7rBUOyVKIXQR0_K7UwIjx-oJlDyQsj0OSzgGsj6FUMJSZMI8lXOdH1i1haWc7ekbZqg`
 
 const valid_JWT_is_staff_sub1234567890 = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoidDdWYkV5NVQ3STdYSlh3VHZ4S3hLdyIsImF1ZCI6WyIxNGQ5ZjM3YS0xZWVjLTQ3YzktYTk0OS01ZjFlYmRmOWM4ZTUiXSwiYXV0aF90aW1lIjoxNTE2MjM5MDIyLCJlbWFpbCI6ImpzcXVpcnJlbF9naXRodWJfOWE2ZEBwYWNrZXRsb3NzLmRlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV4cCI6MjA3NTEyMDgxNiwiZ3JvdXBzIjpbInN0YWZmIl0sImlhdCI6MTUxNjIzOTAyMiwiaXNzIjoiaHR0cDovL2lkZW50aXR5LmxvY2FsaG9zdC8iLCJqdGkiOiI0MDZiZTNlNC1mNGU5LTQ3YjctYWM1Zi0wNmI5Mjc0MzI4NDgiLCJuYW1lIjoiSm9obiBTdGFmZiIsIm5vbmNlIjoiMzBjODNjMTNjOTE3OTgwNGFhMGY5YjM5MzQyNTlkNzUiLCJyYXQiOjE2NzUxMTcxNzcsInNpZCI6ImQ3YjhmZTdhLTA3OWEtNDU5Ni04ZTUzLWE2MGY4NmEwOGFjNiIsInN1YiI6IjEyMzQ1Njc4OTAifQ.GgzYXcFQf6q6xRxRgjJx2F8CCcAV-lYZ0ZS1Legv8_uEyZcyzX27hoPBwR1w4HcEEPK-QRQCKs4qj7Jyr0GRGNcN5ZFZZzo4LOUZsmU26Hc9YNzAzc9jin783yWrF5cH2QnUxpmH9TmQGG1yekDSNn3Mn2AB-0iyUAl_vHQ8REJPT_Cilhd5l0wxAy8Ht-Lal5pcz5LDJ9mFUTpBR1B614Aq6QBdShfeWXCYje7dGVvDRfFXxpQ4kRRog9dTkMAa0MyFJ3MgF2Uv53lmq7BDbcwSYed3beIHUqe7TLkImsG8jtpGKfcOadnW8qOGr7FI4AhJi_GKJzvnepz9jrVBNg`
@@ -21,6 +22,8 @@ const valid_JWT_is_admin_sub1234567890 = `eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.e
 func tstValidUserToken(t *testing.T, id uint) string {
 	if id == 101 {
 		return valid_JWT_is_not_staff_sub101
+	} else if id == 102 {
+		return valid_JWT_ev_sub102
 	} else {
 		return valid_JWT_is_not_staff_sub1234567890
 	}
@@ -68,6 +71,13 @@ func tstSetupAuthMockResponses() {
 		Email:         "[email protected]",
 		EmailVerified: true,
 	})
+	authMock.SetupResponse(valid_JWT_ev_sub102, "access"+valid_JWT_ev_sub102, authservice.UserInfoResponse{
+		Audiences:     []string{"14d9f37a-1eec-47c9-a949-5f1ebdf9c8e5"},
+		Subject:       "102",
+		Name:          "John Doe",
+		Email:         "[email protected]",
+		EmailVerified: true,
+	})
 	authMock.SetupResponse(valid_JWT_is_staff_sub1234567890, "access"+valid_JWT_is_staff_sub1234567890, authservice.UserInfoResponse{
 		Audiences:     []string{"14d9f37a-1eec-47c9-a949-5f1ebdf9c8e5"},
 		Subject:       "1234567890",
@@ -108,6 +118,13 @@ func tstSetupAuthMockResponses() {
 		Email:         "[email protected]",
 		EmailVerified: true,
 	})
+	authMock.SetupResponse("", "access"+valid_JWT_ev_sub102, authservice.UserInfoResponse{
+		Audiences:     []string{"14d9f37a-1eec-47c9-a949-5f1ebdf9c8e5"},
+		Subject:       "102",
+		Name:          "John Doe",
+		Email:         "[email protected]",
+		EmailVerified: true,
+	})
 	authMock.SetupResponse("", "access"+valid_JWT_is_staff_sub1234567890, authservice.UserInfoResponse{
 		Audiences:     []string{"14d9f37a-1eec-47c9-a949-5f1ebdf9c8e5"},
 		Subject:       "1234567890",