Make device token revokation more explicit

src/pretix/api/auth/device.py

@@ -19,7 +19,7 @@ class DeviceTokenAuthentication(TokenAuthentication):
         if not device.initialized:
             raise exceptions.AuthenticationFailed('Device has not been initialized.')
 
-        if not device.api_token:
+        if device.revoked:
             raise exceptions.AuthenticationFailed('Device access has been revoked.')
 
         return AnonymousUser(), device

src/pretix/base/migrations/0116_auto_20190402_0722.py

@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-04-02 07:22
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0115_auto_20190323_2238'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='device',
+            name='revoked',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/models/devices.py

@@ -41,6 +41,7 @@ class Device(LoggedModel):
     api_token = models.CharField(max_length=190, unique=True, null=True)
     all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
     limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+    revoked = models.BooleanField(default=False)
     name = models.CharField(
         max_length=190,
         verbose_name=_('Name')

src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html

@@ -9,6 +9,13 @@
             <strong>{% blocktrans %}Are you sure you want remove access for this device?{% endblocktrans %}</strong>
             {% trans "All data of this device will stay available, but you can't use the device any more." %}
         </p>
+        <div class="alert alert-warning">
+            <ul>
+                <li>{% trans "All data uploaded by this device will stay available online." %}</li>
+                <li>{% trans "If data (e.g. POS transactions or check-ins) has been created on this device and has not been uploaded, you will no longer be able to upload it." %}</li>
+                <li>{% trans "If the device software supports it, personal data such as orders will be deleted from the device on the next synchronization attempt. Non-personal data such as event metadata and POS transactions will persist until you uninstall or reset the software manually." %}</li>
+            </ul>
+        </div>
         <div class="form-group submit-group">
             <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}" class="btn btn-default btn-cancel">
                 {% trans "Cancel" %}

src/tests/api/test_auth.py

@@ -72,7 +72,8 @@ def test_device_auth_valid(client, device):
 @pytest.mark.django_db
 def test_device_auth_revoked(client, device):
     client.credentials(HTTP_AUTHORIZATION='Device ' + device.api_token)
-    device.api_token = None
+    device.revoked = True
     device.save()
     resp = client.get('/api/v1/organizers/')
     assert resp.status_code == 401
+    assert str(resp.data['detail']) == "Device access has been revoked."