From bb18ce30e40d26163bd5a98d71acb076f0fa7389 Mon Sep 17 00:00:00 2001 From: "Andrew K. Choi" Date: Mon, 17 Nov 2025 16:53:03 +0900 Subject: [PATCH] =?UTF-8?q?fix:=20=D1=83=D0=BF=D1=80=D0=BE=D1=81=D1=82?= =?UTF-8?q?=D0=B8=D1=82=D1=8C=20=D0=BB=D0=BE=D0=B3=D0=B8=D0=BA=D1=83=20?= =?UTF-8?q?=D0=BF=D0=BE=D0=B4=D1=82=D0=B2=D0=B5=D1=80=D0=B6=D0=B4=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D1=8F=20=D0=B2=D1=8B=D0=B8=D0=B3=D1=80=D1=8B=D1=88?= =?UTF-8?q?=D0=B0=20-=20=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D0=BA=D0=B0?= =?UTF-8?q?=20=D0=B2=D0=BB=D0=B0=D0=B4=D0=B5=D0=BB=D1=8C=D1=86=D0=B0=20?= =?UTF-8?q?=D1=81=D1=87=D1=91=D1=82=D0=B0=20=D0=B2=D0=BC=D0=B5=D1=81=D1=82?= =?UTF-8?q?=D0=BE=20=D1=82=D0=BE=D0=BA=D0=B5=D0=BD=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/handlers/redraw_handlers.py | 34 +++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/src/handlers/redraw_handlers.py b/src/handlers/redraw_handlers.py index 89a0c02..5793bad 100644 --- a/src/handlers/redraw_handlers.py +++ b/src/handlers/redraw_handlers.py @@ -314,20 +314,6 @@ async def confirm_winner_callback(callback_query): winner_id = int(callback_query.data.split("_")[-1]) async with async_session_maker() as session: - # Проверяем токен верификации - verification = await WinnerNotificationService.verify_token( - session, - winner_id, - callback_query.from_user.id - ) - - if not verification: - await callback_query.answer( - "❌ Токен недействителен или истек срок действия (24 часа)", - show_alert=True - ) - return - # Получаем информацию о победителе winner_result = await session.execute( select(Winner).where(Winner.id == winner_id) 
@@ -345,6 +331,26 @@ async def confirm_winner_callback(callback_query): ) return + # Проверяем, что пользователь является владельцем счёта + if winner.account_number: + owner = await AccountService.get_account_owner(session, winner.account_number) + if not owner or owner.telegram_id != callback_query.from_user.id: + await callback_query.answer( + "❌ Вы не являетесь владельцем этого счёта", + show_alert=True + ) + return + + # Проверяем срок действия (24 часа с момента создания winner) + if winner.created_at: + time_since_creation = datetime.now(timezone.utc) - winner.created_at + if time_since_creation > timedelta(hours=24): + await callback_query.answer( + "❌ Срок подтверждения истёк (24 часа). Приз будет разыгран заново.", + show_alert=True + ) + return + # Подтверждаем выигрыш winner.is_confirmed = True winner.confirmed_at = datetime.now(timezone.utc)
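Review bot: The new ownership check fails open: it runs only under `if winner.account_number:`, so a winner row without an account number reaches `winner.is_confirmed = True` for whoever sends the callback, and the `verify_token` call that previously tied `callback_query.from_user.id` to the winner is removed in the first hunk. Resolve the owner unconditionally and reject when it is missing, e.g. `owner = await AccountService.get_account_owner(session, winner.account_number) if winner.account_number else None`, followed by the existing `if not owner or owner.telegram_id != callback_query.from_user.id:` moved out of the conditional. The 24-hour limit has the same shape: `if winner.created_at:` skips the expiry when the timestamp is null, and if the column is stored without a timezone (not visible here) the subtraction from `datetime.now(timezone.utc)` raises `TypeError`. The body of `confirm_winner_callback` starts and ends outside this hunk, so a guard against confirming an already confirmed winner may exist out of view.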