feat: prevent access removal if user has paid for a product

2025-12-19 04:19:25 +00:00 · 2024-11-03 00:56:52 +01:00 · 2024-11-03 00:56:52 +01:00 · cdd893ca6f
commit cdd893ca6f
parent 0e97580747
7 changed files with 40 additions and 17 deletions
--- a/apps/api/src/services/payments/payments_products.py
+++ b/apps/api/src/services/payments/payments_products.py
@ -9,6 +9,7 @@ from src.db.payments.payments_products import (
    PaymentsProductUpdate,
    PaymentsProductRead,
 )
+from src.db.payments.payments_users import PaymentStatusEnum, PaymentsUser
 from src.db.users import PublicUser, AnonymousUser
 from src.db.organizations import Organization
 from src.services.orgs.orgs import rbac_check
@ -138,6 +139,18 @@ async def delete_payments_product(
    if not product:
        raise HTTPException(status_code=404, detail="Payments product not found")
    
+    # Check if there are any payment users linked to this product
+    statement = select(PaymentsUser).where(
+        PaymentsUser.payment_product_id == product_id,
+        PaymentsUser.status.in_([PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED]) # type: ignore
+    )
+    payment_users = db_session.exec(statement).all()
+    if payment_users:
+        raise HTTPException(
+            status_code=400, 
+            detail="Cannot delete product because users have paid access to it."
+        )
+
    # Archive product in Stripe
    await archive_stripe_product(request, org_id, product.provider_product_id, current_user, db_session)

--- a/apps/api/src/services/payments/payments_users.py
+++ b/apps/api/src/services/payments/payments_users.py
@ -43,7 +43,7 @@ async def create_payment_user(
        stripe_customer=provider_data if provider_data else None,
    )

-    # Check if user already has a payment user
+    # Check if user already has a payment user for this product
    statement = select(PaymentsUser).where(
        PaymentsUser.user_id == user_id,
        PaymentsUser.org_id == org_id,
@ -52,8 +52,12 @@ async def create_payment_user(
    existing_payment_user = db_session.exec(statement).first()

    if existing_payment_user:
-        if existing_payment_user.status == PaymentStatusEnum.PENDING:
-            # Delete existing pending payment
+        # If status is PENDING, CANCELLED, or FAILED, delete the existing record
+        if existing_payment_user.status in [
+            PaymentStatusEnum.PENDING,
+            PaymentStatusEnum.CANCELLED,
+            PaymentStatusEnum.FAILED
+        ]:
            db_session.delete(existing_payment_user)
            db_session.commit()
        else:
--- a/apps/api/src/services/payments/stripe.py
+++ b/apps/api/src/services/payments/stripe.py
@ -208,7 +208,7 @@ async def create_checkout_session(
            product_id=product_id,
            status=PaymentStatusEnum.PENDING,
            provider_data=customer,
-            current_user=current_user,
+            current_user=InternalUser(),
            db_session=db_session
        )