From 141634eb4923ea31a82c895bf319e458fea14bef Mon Sep 17 00:00:00 2001
From: Raphael Michel <michel@rami.io>
Date: Mon, 24 Apr 2023 18:02:05 +0200
Subject: [PATCH] Prevent accidental disconnect from Stripe

---
 src/pretix/plugins/stripe/payment.py          |  2 +-
 .../stripe/oauth_disconnect.html              | 20 +++++++++++++++++++
 src/pretix/plugins/stripe/views.py            |  4 +++-
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 src/pretix/plugins/stripe/templates/pretixplugins/stripe/oauth_disconnect.html

diff --git a/src/pretix/plugins/stripe/payment.py b/src/pretix/plugins/stripe/payment.py
index 8691f5211..fbd2094ec 100644
--- a/src/pretix/plugins/stripe/payment.py
+++ b/src/pretix/plugins/stripe/payment.py
@@ -116,7 +116,7 @@ class StripeSettingsHolder(BasePaymentProvider):
                 )
             else:
                 return (
-                    "<button formaction='{}' class='btn btn-danger'>{}</button>"
+                    "<a href='{}' class='btn btn-danger'>{}</a>"
                 ).format(
                     reverse('plugins:stripe:oauth.disconnect', kwargs={
                         'organizer': self.event.organizer.slug,
diff --git a/src/pretix/plugins/stripe/templates/pretixplugins/stripe/oauth_disconnect.html b/src/pretix/plugins/stripe/templates/pretixplugins/stripe/oauth_disconnect.html
new file mode 100644
index 000000000..450992c95
--- /dev/null
+++ b/src/pretix/plugins/stripe/templates/pretixplugins/stripe/oauth_disconnect.html
@@ -0,0 +1,20 @@
+{% extends "pretixcontrol/base.html" %}
+{% load i18n %}
+{% block title %}{% trans "Stripe Connect" %}{% endblock %}
+{% block content %}
+    <h1>
+        {% trans "Stripe Connect" %}
+    </h1>
+
+    <form action="" method="post" class="form-horizontal" enctype="multipart/form-data">
+        {% csrf_token %}
+        <p>
+            {% trans "Do you really want to disconnect your Stripe account?" %}
+        </p>
+        <div class="form-group submit-group">
+            <button type="submit" class="btn btn-danger btn-save">
+                {% trans "Disconnect" %}
+            </button>
+        </div>
+    </form>
+{% endblock %}
diff --git a/src/pretix/plugins/stripe/views.py b/src/pretix/plugins/stripe/views.py
index 76864dc32..39c71d4e6 100644
--- a/src/pretix/plugins/stripe/views.py
+++ b/src/pretix/plugins/stripe/views.py
@@ -455,8 +455,10 @@ def paymentintent_webhook(event, event_json, paymentintent_id, rso):
 
 
 @event_permission_required('can_change_event_settings')
-@require_POST
 def oauth_disconnect(request, **kwargs):
+    if request.method != "POST":
+        return render(request, 'pretixplugins/stripe/oauth_disconnect.html', {})
+
     del request.event.settings.payment_stripe_publishable_key
     del request.event.settings.payment_stripe_publishable_test_key
     del request.event.settings.payment_stripe_connect_access_token