From 412e158240d1b1a4392e40397da0f6f618ce8483 Mon Sep 17 00:00:00 2001
From: Ridwan Aguda <59691595+realicon23@users.noreply.github.com>
Date: Sat, 27 Jun 2026 19:17:50 +0100
Subject: [PATCH] fix(check-in): hide attendee email from public resource

Public check-in list URLs act as capability links for check-in staff. They need enough attendee information to identify tickets, but exposing email addresses through the unauthenticated public attendee resource increases the blast radius if a link is shared or logged. Remove email from AttendeeWithCheckInPublicResource while keeping authenticated attendee resources unchanged, and add a focused resource test for the public response shape.

Fixes #1224
---
 .../AttendeeWithCheckInPublicResource.php | 1 -
 .../AttendeeWithCheckInPublicResourceTest.php | 33 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 backend/tests/Unit/Resources/Attendee/AttendeeWithCheckInPublicResourceTest.php

diff --git a/backend/app/Resources/Attendee/AttendeeWithCheckInPublicResource.php b/backend/app/Resources/Attendee/AttendeeWithCheckInPublicResource.php
index 198bf3f1fe..4bca6bd835 100644
--- a/backend/app/Resources/Attendee/AttendeeWithCheckInPublicResource.php
+++ b/backend/app/Resources/Attendee/AttendeeWithCheckInPublicResource.php
@@ -16,7 +16,6 @@ public function toArray(Request $request): array
 {
 return [
 'id' => $this->getId(),
- 'email' => $this->getEmail(),
 'first_name' => $this->getFirstName(),
 'last_name' => $this->getLastName(),
 'public_id' => $this->getPublicId(),
diff --git a/backend/tests/Unit/Resources/Attendee/AttendeeWithCheckInPublicResourceTest.php b/backend/tests/Unit/Resources/Attendee/AttendeeWithCheckInPublicResourceTest.php
new file mode 100644
index 0000000000..1780da0997
--- /dev/null
+++ b/backend/tests/Unit/Resources/Attendee/AttendeeWithCheckInPublicResourceTest.php
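Review bot: Nothing in the hunk records why `email` must stay out of this array, so the next maintainer who adds a field to `toArray` has only the commit history as a warning; a one-line comment above `return [` would pin the intent, e.g. `// Served on unauthenticated check-in links (capability URLs): expose only what identifies a ticket, never contact details.` The internal `id` is still returned alongside `public_id`; it looks like a database key rather than an opaque identifier, so it is worth confirming the check-in UI actually needs it and does not just use `public_id`. The body of `toArray` continues past the end of the hunk.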
@@ -0,0 +1,33 @@
+setId(1)
+ ->setOrderId(10)
+ ->setProductId(20)
+ ->setProductPriceId(30)
+ ->setEmail('attendee@example.com')
+ ->setFirstName('Jane')
+ ->setLastName('Attendee')
+ ->setPublicId('A-12345')
+ ->setStatus('ACTIVE');
+
+ $resource = (new AttendeeWithCheckInPublicResource($attendee))->toArray(Request::create('/'));
+
+ $this->assertArrayNotHasKey('email', $resource);
+ $this->assertSame('Jane', $resource['first_name']);
+ $this->assertSame('Attendee', $resource['last_name']);
+ $this->assertSame('A-12345', $resource['public_id']);
+ $this->assertSame(10, $resource['order_id']);
+ }
+}
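Review bot: The test only proves that `email` is absent, so a later addition of another contact field to the public resource would still pass; pinning the full key set turns the test into an allow-list, e.g. `self::assertEqualsCanonicalizing(['id', 'first_name', 'last_name', 'public_id', 'order_id', /* TODO: remaining keys returned by the resource */], array_keys($resource));`. Seeding the fixture with `setEmail('attendee@example.com')` before asserting the key is missing is the right way round, since the absence is only meaningful when the domain object has a value that could leak. The start of this hunk (file header, class declaration and the opening of the test method) is not visible in this extract, so the construction of `$attendee` is inferred from the chained setters.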