From 213a11e731aa9e5be055ece18a7bf1a60752c96d Mon Sep 17 00:00:00 2001
From: kbe <kevin@kev1.net>
Date: Sat, 6 Sep 2025 20:33:42 +0200
Subject: [PATCH] feat: Display ticket based on ``qr_code`` field

- Previously ticket was displayed using id which is too easy to find
- Now the URL takes ``qr_code`` field as parameters
---
 app/controllers/tickets_controller.rb |  8 ++++----
 app/models/ticket.rb                  |  1 -
 app/views/tickets/show.html.erb       |  6 ++----
 config/routes.rb                      | 12 ++++++------
 4 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index a4db9da..931d857 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -48,11 +48,10 @@ class TicketsController < ApplicationController
     end
   end
 
+  # Display informations about the event with QR code
   def show
-    @ticket = Ticket.joins(order: :user).includes(:event, :ticket_type, order: :user).find_by(
-      tickets: { id: params[:ticket_id] },
-      orders: { user_id: current_user.id }
-    )
+    @ticket = Ticket.joins(order: :user).includes(:event, :ticket_type, order: :user)
+      .find_by(tickets: { qr_code: params[:qr_code] })
 
     if @ticket.nil?
       redirect_to dashboard_path, alert: "Billet non trouvé"
@@ -63,6 +62,7 @@ class TicketsController < ApplicationController
   rescue ActiveRecord::RecordNotFound
     redirect_to dashboard_path, alert: "Billet non trouvé"
   end
+
   private
 
   def set_event
diff --git a/app/models/ticket.rb b/app/models/ticket.rb
index a2de92a..51b0ae1 100755
--- a/app/models/ticket.rb
+++ b/app/models/ticket.rb
@@ -70,7 +70,6 @@ class Ticket < ApplicationRecord
     self.qr_code = "#{id || 'temp'}-#{Time.current.to_i}-#{SecureRandom.hex(4)}"
   end
 
-
   def draft?
     status == "draft"
   end
diff --git a/app/views/tickets/show.html.erb b/app/views/tickets/show.html.erb
index e315364..0181f79 100644
--- a/app/views/tickets/show.html.erb
+++ b/app/views/tickets/show.html.erb
@@ -131,9 +131,7 @@
                 <label class="block text-sm font-medium text-gray-500 mb-1">QR Code</label>
                 <div class="bg-gray-50 rounded-lg p-4 text-center">
                   <div class="inline-block bg-white p-4 rounded-lg shadow-sm">
-                    <div data-controller="qr-code"
-                         data-qr-code-data-value="<%= @ticket.qr_code %>"
-                         class="w-32 h-32">
+                    <div data-controller="qr-code" data-qr-code-data-value="<%= @ticket.qr_code %>" class="w-32 h-32">
                       <!-- Loading indicator -->
                       <div data-qr-code-target="loading" class="w-32 h-32 bg-gray-100 rounded flex items-center justify-center">
                         <div class="animate-spin rounded-full h-8 w-8 border-b-2 border-purple-600"></div>
@@ -161,7 +159,7 @@
             <% end %>
 
             <% if @ticket.status == 'active' %>
-              <%= link_to "#",
+              <%= link_to ticket_download_path(@ticket.qr_code),
                           class: "flex-1 bg-gradient-to-r from-purple-600 to-indigo-600 hover:from-purple-700 hover:to-indigo-700 text-white font-medium py-3 px-6 rounded-xl shadow-sm transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-purple-500 focus:ring-offset-2 transform hover:-translate-y-0.5 text-center" do %>
                 <svg class="w-4 h-4 inline-block mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                   <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 10v6m0 0l-3-3m3 3l3-3m2 8H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"/>
diff --git a/config/routes.rb b/config/routes.rb
index 692f1ed..0156ea0 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -54,14 +54,14 @@ Rails.application.routes.draw do
   get   "orders/payments/cancel",       to: "orders#payment_cancel",  as: "order_payment_cancel"
 
   # Legacy ticket routes - redirect to order system
-  get "events/:slug.:id/tickets/checkout", to: "tickets#checkout", as: "ticket_checkout"
-  post "events/:slug.:id/tickets/retry",    to: "tickets#retry_payment", as: "ticket_retry_payment"
-  get   "payments/success",             to: "tickets#payment_success", as: "payment_success"
-  get   "payments/cancel",              to: "tickets#payment_cancel", as: "payment_cancel"
+  get   "events/:slug.:id/tickets/checkout", to: "tickets#checkout", as: "ticket_checkout"
+  post  "events/:slug.:id/tickets/retry",    to: "tickets#retry_payment", as: "ticket_retry_payment"
+  get   "payments/success", to: "tickets#payment_success", as: "payment_success"
+  get   "payments/cancel",  to: "tickets#payment_cancel", as: "payment_cancel"
 
   # === Tickets ===
-  get   "tickets/:ticket_id", to: "tickets#show", as: "ticket"
-  get   "tickets/:ticket_id/download", to: "events#download_ticket", as: "download_ticket"
+  get   "tickets/:qr_code", to: "tickets#show", as: "ticket"
+  get   "tickets/:qr_code/download", to: "events#download_ticket", as: "ticket_download"
 
   # === Promoter Routes ===
   namespace :promoter do