CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Generate email confirmation secret from tagged_secret (#4480)

Browse Source
This commit is contained in:
Raphael Michel
2024-10-07 13:58:08 +02:00
committed by GitHub
parent 7a66aea2cb
commit 1334a570e4
5 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/pretix/base/models/orders.py
View File

@@ -381,8 +381,23 @@ class Order(LockModel, LoggedModel):
self.event.cache.delete('complain_testmode_orders') self.event.cache.delete('complain_testmode_orders')
self.delete() self.delete()
def email_confirm_hash(self): def email_confirm_secret(self):
return hashlib.sha256(settings.SECRET_KEY.encode() + self.secret.encode()).hexdigest()[:9] return self.tagged_secret("email_confirm", 9)
def check_email_confirm_secret(self, received_secret):
return (
hmac.compare_digest(
self.tagged_secret("email_confirm", 9),
received_secret[:9].lower()
) or any(
# TODO: remove this clause after a while (compatibility with old secrets currently in flight)
hmac.compare_digest(
hashlib.sha256(sk.encode() + self.secret.encode()).hexdigest()[:9],
received_secret
)
for sk in [settings.SECRET_KEY, *settings.SECRET_KEY_FALLBACKS]
)
)
def get_extended_status_display(self): def get_extended_status_display(self):
# Changes in this method should to be replicated in pretixcontrol/orders/fragment_order_status.html # Changes in this method should to be replicated in pretixcontrol/orders/fragment_order_status.html

2
src/pretix/base/services/mail.py
View File

@@ -301,7 +301,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
order.event, 'presale:event.order.open', kwargs={ order.event, 'presale:event.order.open', kwargs={
'order': order.code, 'order': order.code,
'secret': order.secret, 'secret': order.secret,
'hash': order.email_confirm_hash() 'hash': order.email_confirm_secret()
} }
) )
) )

4
src/pretix/base/services/placeholders.py
View File

@@ -262,7 +262,7 @@ def base_placeholders(sender, **kwargs):
'presale:event.order.open', kwargs={ 'presale:event.order.open', kwargs={
'order': order.code, 'order': order.code,
'secret': order.secret, 'secret': order.secret,
'hash': order.email_confirm_hash() 'hash': order.email_confirm_secret()
} }
), lambda event: build_absolute_uri( ), lambda event: build_absolute_uri(
event, event,
@@ -443,7 +443,7 @@ def base_placeholders(sender, **kwargs):
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'order': order.code, 'order': order.code,
'secret': order.secret, 'secret': order.secret,
'hash': order.email_confirm_hash(), 'hash': order.email_confirm_secret(),
}), }),
) )
for order in orders for order in orders

9
src/pretix/presale/views/order.py
View File

@@ -156,11 +156,10 @@ class OrderOpen(EventViewMixin, OrderDetailMixin, View):
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
if not self.order: if not self.order:
raise Http404(_('Unknown order code or not authorized to access this order.')) raise Http404(_('Unknown order code or not authorized to access this order.'))
if kwargs.get('hash') == self.order.email_confirm_hash(): if self.order.check_email_confirm_secret(kwargs.get('hash')) and not self.order.email_known_to_work:
if not self.order.email_known_to_work: self.order.log_action('pretix.event.order.contact.confirmed')
self.order.log_action('pretix.event.order.contact.confirmed') self.order.email_known_to_work = True
self.order.email_known_to_work = True self.order.save(update_fields=['email_known_to_work'])
self.order.save(update_fields=['email_known_to_work'])
return redirect(self.get_order_url()) return redirect(self.get_order_url())

2
src/tests/presale/test_orders.py
View File

@@ -221,7 +221,7 @@ class OrdersTest(BaseOrdersTest):
assert not self.order.email_known_to_work assert not self.order.email_known_to_work
response = self.client.get( response = self.client.get(
'/%s/%s/order/%s/%s/open/%s/' % (self.orga.slug, self.event.slug, self.order.code, self.order.secret, self.order.email_confirm_hash()) '/%s/%s/order/%s/%s/open/%s/' % (self.orga.slug, self.event.slug, self.order.code, self.order.secret, self.order.email_confirm_secret())
) )
assert response.status_code == 302 assert response.status_code == 302
self.order.refresh_from_db() self.order.refresh_from_db()