fix: Give access to order tickets and attendees to organizers (#7481)

Author: iamareebjamal

app/api/attendees.py

@@ -132,17 +132,19 @@ def query(self, view_kwargs):
                 'order_identifier',
                 'identifier',
             )
+
+            is_coorganizer = has_access(
+                'is_coorganizer',
+                event_id=order.event_id,
+            )
             if not (
-                has_access(
-                    'is_coorganizer_or_user_itself',
-                    event_id=order.event_id,
-                    user_id=order.user_id,
-                )
+                is_coorganizer
+                or current_user.id == order.user_id
                 or order.is_attendee(current_user)
             ):
                 raise ForbiddenError({'source': ''}, 'Access Forbidden')
             query_ = query_.join(Order).filter(Order.id == order.id)
-            if current_user.id != order.user_id:
+            if not is_coorganizer and current_user.id != order.user_id:
                 query_ = query_.filter(TicketHolder.user == current_user)
 
         if view_kwargs.get('ticket_id'):

app/models/order.py

@@ -157,8 +157,16 @@ def invoice_pdf_path(self) -> str:
 
     @property
     def filtered_ticket_holders(self):
+        from app.api.helpers.permission_manager import has_access
+
         query_ = TicketHolder.query.filter_by(order_id=self.id, deleted_at=None)
-        if current_user.id != self.user_id:
+        if (
+            not has_access(
+                'is_coorganizer',
+                event_id=self.event_id,
+            )
+            and current_user.id != self.user_id
+        ):
             query_ = query_.filter(TicketHolder.user == current_user)
         return query_.all()