Make device token revokation more explicit

2019-04-02 09:36:07 +02:00
parent e75ae80fb5
commit 2d37c6d94d
5 changed files with 33 additions and 2 deletions
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -19,7 +19,7 @@ class DeviceTokenAuthentication(TokenAuthentication):
        if not device.initialized:
            raise exceptions.AuthenticationFailed('Device has not been initialized.')

-        if not device.api_token:
+        if device.revoked:
            raise exceptions.AuthenticationFailed('Device access has been revoked.')

        return AnonymousUser(), device
--- a/src/pretix/base/migrations/0116_auto_20190402_0722.py
+++ b/src/pretix/base/migrations/0116_auto_20190402_0722.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-04-02 07:22
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0115_auto_20190323_2238'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='device',
+            name='revoked',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/src/pretix/base/models/devices.py
+++ b/src/pretix/base/models/devices.py
@@ -41,6 +41,7 @@ class Device(LoggedModel):
    api_token = models.CharField(max_length=190, unique=True, null=True)
    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+    revoked = models.BooleanField(default=False)
    name = models.CharField(
        max_length=190,
        verbose_name=_('Name')
--- a/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html
+++ b/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html
@@ -9,6 +9,13 @@
            <strong>{% blocktrans %}Are you sure you want remove access for this device?{% endblocktrans %}</strong>
            {% trans "All data of this device will stay available, but you can't use the device any more." %}
        </p>
+        <div class="alert alert-warning">
+            <ul>
+                <li>{% trans "All data uploaded by this device will stay available online." %}</li>
+                <li>{% trans "If data (e.g. POS transactions or check-ins) has been created on this device and has not been uploaded, you will no longer be able to upload it." %}</li>
+                <li>{% trans "If the device software supports it, personal data such as orders will be deleted from the device on the next synchronization attempt. Non-personal data such as event metadata and POS transactions will persist until you uninstall or reset the software manually." %}</li>
+            </ul>
+        </div>
        <div class="form-group submit-group">
            <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}" class="btn btn-default btn-cancel">
                {% trans "Cancel" %}