From 19757cebbc7f84ecb73315fd1ab893d87483a823 Mon Sep 17 00:00:00 2001
From: Lukas Bockstaller
Date: Fri, 20 Feb 2026 16:47:06 +0100
Subject: [PATCH] handle auth
---
 src/pretix/api/views/order.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/pretix/api/views/order.py b/src/pretix/api/views/order.py
index 9418c92a6..e41221cfa 100644
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -1175,10 +1175,18 @@ class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnly
 perm = self.permission if self.request.method in SAFE_METHODS else self.write_permission
- if isinstance(self.request.auth, (TeamAPIToken, Device)) or self.request.user.is_authenticated:
- qs = qs.filter(
- order__event__in=self.request.auth.get_events_with_permission(perm, request=self.request)
+ if isinstance(self.request.auth, (TeamAPIToken, Device)):
+ auth_obj = self.request.auth
+ elif self.request.user.is_authenticated:
+ auth_obj = self.request.user
+ else:
+ raise PermissionDenied()
+
+ qs = qs.filter(
+ order__event__in=auth_obj.get_events_with_permission(perm, request=self.request).filter(
+ organizer=self.request.organizer
 )
+ )
 return qs
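Review bot: The `.filter(organizer=self.request.organizer)` added to the event subquery carries the cross-organizer isolation for this endpoint, yet nothing in the hunk states that and no test for it is visible. A session user's `get_events_with_permission()` can presumably return events from several organizers, so a later refactor that drops the inner filter would widen the result set without raising any error. I would put `# Restrict to the organizer in the URL: the caller's permitted events may span several organizers.` above the `qs = qs.filter(` line and add a regression test with a user who holds the permission in two organizers. In the `else:` branch, the import of `PermissionDenied` is outside the hunk, so confirm it is a class the API's exception handling maps to a 401/403 response rather than a 500. The enclosing method starts before the hunk, so any earlier scoping of `qs` cannot be checked from here.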