CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into questions-vue3

Browse Source
This commit is contained in:
Mira Weller
2026-03-19 13:13:32 +01:00
parent a924d0a266 58840a5fd6
commit 4bbcc398cc
328 changed files with 169497 additions and 151718 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
doc/api/deviceauth.rst
View File

@@ -197,10 +197,11 @@ Permissions & security profiles
Device authentication is currently hardcoded to grant the following permissions: Device authentication is currently hardcoded to grant the following permissions:
* View event meta data and products etc. * Read event meta data and products etc.
* View orders * Read and write orders
* Change orders * Read and write gift cards
* Manage gift cards * Read and write reusable media
* Read vouchers
Devices cannot change events or products and cannot access vouchers. Devices cannot change events or products and cannot access vouchers.

2
doc/api/resources/devices.rst
View File

@@ -30,7 +30,7 @@ software_brand string Device software
software_version string Device software version (read-only) software_version string Device software version (read-only)
created datetime Creation time created datetime Creation time
initialized datetime Time of initialization (or ``null``) initialized datetime Time of initialization (or ``null``)
initialization_token string Token for initialization initialization_token string Token for initialization (field invisible without write permission)
revoked boolean Whether this device no longer has access revoked boolean Whether this device no longer has access
security_profile string The name of a supported security profile restricting API access security_profile string The name of a supported security profile restricting API access
===================================== ========================== ======================================================= ===================================== ========================== =======================================================

16
doc/api/resources/events.rst
View File

@@ -65,8 +65,6 @@ Endpoints
Returns a list of all events within a given organizer the authenticated user/token has access to. Returns a list of all events within a given organizer the authenticated user/token has access to.
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -161,8 +159,6 @@ Endpoints
Returns information on one event, identified by its slug. Returns information on one event, identified by its slug.
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -234,8 +230,6 @@ Endpoints
Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
event before sales can go live. event before sales can go live.
Permission required: "Can create events"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -338,8 +332,6 @@ Endpoints
Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter
when creating a new event for this instead. when creating a new event for this instead.
Permission required: "Can create events"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -433,8 +425,6 @@ Endpoints
Updates an event Updates an event
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -510,8 +500,6 @@ Endpoints
Delete an event. Note that events with orders cannot be deleted to ensure data integrity. Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -561,8 +549,6 @@ organizer level.
Get current values of event settings. Get current values of event settings.
Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -615,6 +601,8 @@ organizer level.
Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``. Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
Permission "Can change event settings" is always required. Some keys require additional permissions.
.. warning:: .. warning::
Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting

16
doc/api/resources/orders.rst
View File

@@ -117,6 +117,8 @@ cancellation_date datetime Time of order c
reliable for orders that have been cancelled, reliable for orders that have been cancelled,
reactivated and cancelled again. reactivated and cancelled again.
plugin_data object Additional data added by plugins. plugin_data object Additional data added by plugins.
use_gift_cards list of strings List of unique gift card secrets that are used to pay
for this order.
===================================== ========================== ======================================================= ===================================== ========================== =======================================================
@@ -156,6 +158,10 @@ plugin_data object Additional data
The ``tax_rounding_mode`` attribute has been added. The ``tax_rounding_mode`` attribute has been added.
.. versionchanged:: 2026.03
The ``use_gift_cards`` attribute has been added.
.. _order-position-resource: .. _order-position-resource:
Order position resource Order position resource
@@ -987,8 +993,6 @@ Creating orders
* does not support file upload questions * does not support file upload questions
* does not support redeeming gift cards
* does not support or validate memberships * does not support or validate memberships
@@ -1095,6 +1099,14 @@ Creating orders
whether these emails are enabled for certain sales channels. If set to ``null``, behavior will be controlled by pretix' whether these emails are enabled for certain sales channels. If set to ``null``, behavior will be controlled by pretix'
settings based on the sales channels (added in pretix 4.7). Defaults to ``false``. settings based on the sales channels (added in pretix 4.7). Defaults to ``false``.
Used to be ``send_mail`` before pretix 3.14. Used to be ``send_mail`` before pretix 3.14.
* ``use_gift_cards`` (optional) The provided gift cards will be used to pay for this order. They will be debited and
all the necessary payment records for these transactions will be created. The gift cards will be used in sequence to
pay for the order. Processing of the gift cards stops as soon as the order is payed for. All gift card transactions
are listed under ``payments`` in the response.
This option can only be used with orders that are in the pending state.
The ``use_gift_cards`` attribute can not be combined with ``payment_info`` and ``payment_provider`` fields. If the
order isn't completely paid after its creation with ``use_gift_cards``, then a subsequent request to the payment
endpoint is needed.
If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
to incrementing integers starting with ``1``. Then, you can reference one of these to incrementing integers starting with ``1``. Then, you can reference one of these

4
doc/api/resources/organizers.rst
View File

@@ -110,8 +110,6 @@ Endpoints
Updates an organizer. Currently only the ``plugins`` field may be updated. Updates an organizer. Currently only the ``plugins`` field may be updated.
Permission required: "Can change organizer settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -172,8 +170,6 @@ information about the properties.
Get current values of organizer settings. Get current values of organizer settings.
Permission required: "Can change organizer settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http

2
doc/api/resources/reusablemedia.rst
View File

@@ -154,7 +154,7 @@ Endpoints
.. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/ .. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/
Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new
medium behind the scenes. medium behind the scenes, therefore this endpoint requires write permissions.
This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance
agreement. In this case, only linked gift cards will be returned, no order position or customer records, agreement. In this case, only linked gift cards will be returned, no order position or customer records,

6
doc/api/resources/subevents.rst
View File

@@ -154,8 +154,6 @@ Endpoints
Creates a new subevent. Creates a new subevent.
Permission required: "Can create events"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -300,8 +298,6 @@ Endpoints
provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
the fields that you want to change. the fields that you want to change.
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http
@@ -373,8 +369,6 @@ Endpoints
Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity. Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
Permission required: "Can change event settings"
**Example request**: **Example request**:
.. sourcecode:: http .. sourcecode:: http

87
doc/api/resources/teams.rst
View File

@@ -24,21 +24,58 @@ all_events boolean Whether this te
limit_events list List of event slugs this team has access to limit_events list List of event slugs this team has access to
require_2fa boolean Whether members of this team are required to use require_2fa boolean Whether members of this team are required to use
two-factor authentication two-factor authentication
can_create_events boolean all_event_permissions bool Whether members of this team are granted all event-level
can_change_teams boolean permissions, including future additions
can_change_organizer_settings boolean limit_event_permissions list of strings The event-level permissions team members are granted
can_manage_customers boolean all_organizer_permissions bool Whether members of this team are granted all organizer-level
can_manage_reusable_media boolean permissions, including future additions
can_manage_gift_cards boolean all_organizer_permissions list of strings The organizer-level permissions team members are granted
can_change_event_settings boolean can_create_events boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_items boolean can_change_teams boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_view_orders boolean can_change_organizer_settings boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_orders boolean can_manage_customers boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_view_vouchers boolean can_manage_reusable_media boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_vouchers boolean can_manage_gift_cards boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_checkin_orders boolean can_change_event_settings boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_items boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_view_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_view_vouchers boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_vouchers boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_checkin_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
===================================== ========================== ======================================================= ===================================== ========================== =======================================================
Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
organizer.events:create
organizer.settings.general:write
organizer.teams:write
organizer.seatingplans:write
organizer.giftcards:read
organizer.giftcards:write
organizer.customers:read
organizer.customers:write
organizer.reusablemedia:read
organizer.reusablemedia:write
organizer.devices:read
organizer.devices:write
organizer.outgoingmails:read
Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
event.settings.general:write
event.settings.payment:write
event.settings.tax:write
event.settings.invoicing:write
event.subevents:write
event.items:write
event.orders:read
event.orders:write
event.orders:checkin
event.vouchers:read
event.vouchers:write
event:cancel
Team member resource Team member resource
-------------------- --------------------
@@ -121,6 +158,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -159,6 +200,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -187,7 +232,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"can_create_events": true, "all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
... ...
} }
@@ -205,6 +253,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -232,7 +284,8 @@ Team endpoints
Content-Length: 94 Content-Length: 94
{ {
"can_create_events": true "all_organizer_permissions": false,
"limit_organizer_permissions": ["organizer.events:create"]
} }
**Example response**: **Example response**:
@@ -249,6 +302,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": false,
"limit_organizer_permissions": ["organizer.events:create"],
"can_create_events": true, "can_create_events": true,
... ...
} }

14
doc/development/api/customview.rst
View File

@@ -55,12 +55,12 @@ your views:
) )
class AdminView(EventPermissionRequiredMixin, View): class AdminView(EventPermissionRequiredMixin, View):
permission = 'can_view_orders' permission = 'event.orders:read'
... ...
@event_permission_required('can_view_orders') @event_permission_required('event.orders:read')
def admin_view(request, organizer, event): def admin_view(request, organizer, event):
... ...
@@ -78,7 +78,7 @@ event-related views, there is also a signal that allows you to add the view to t
@receiver(nav_event, dispatch_uid='friends_tickets_nav') @receiver(nav_event, dispatch_uid='friends_tickets_nav')
def navbar_info(sender, request, **kwargs): def navbar_info(sender, request, **kwargs):
url = resolve(request.path_info) url = resolve(request.path_info)
if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'): if not request.user.has_event_permission(request.organizer, request.event, 'event.vouchers:read'):
return [] return []
return [{ return [{
'label': _('My plugin view'), 'label': _('My plugin view'),
@@ -118,7 +118,7 @@ for good integration. If you just want to display a form, you could do it like t
class MySettingsView(EventSettingsViewMixin, EventSettingsFormView): class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
model = Event model = Event
permission = 'can_change_settings' permission = 'event.settings.general:write'
form_class = MySettingsForm form_class = MySettingsForm
template_name = 'my_plugin/settings.html' template_name = 'my_plugin/settings.html'
@@ -204,13 +204,13 @@ In case of ``orga_router`` and ``event_router``, permission checking is done for
in the control panel. However, you need to make sure on your own only to return the correct subset of data! ``request in the control panel. However, you need to make sure on your own only to return the correct subset of data! ``request
.event`` and ``request.organizer`` are available as usual. .event`` and ``request.organizer`` are available as usual.
To require a special permission like ``can_view_orders``, you do not need to inherit from a special ViewSet base To require a special permission like ``event.orders:read``, you do not need to inherit from a special ViewSet base
class, you can just set the ``permission`` attribute on your viewset: class, you can just set the ``permission`` attribute on your viewset:
.. code-block:: python .. code-block:: python
class MyViewSet(ModelViewSet): class MyViewSet(ModelViewSet):
permission = 'can_view_orders' permission = 'event.orders:read'
... ...
If you want to check the permission only for some methods of your viewset, you have to do it yourself. Note here that If you want to check the permission only for some methods of your viewset, you have to do it yourself. Note here that
@@ -220,7 +220,7 @@ following:
.. code-block:: python .. code-block:: python
perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user) perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user)
if perm_holder.has_event_permission(request.event.organizer, request.event, 'can_view_orders'): if perm_holder.has_event_permission(request.event.organizer, request.event, 'event.orders:read'):
... ...

16
doc/development/api/exporter.rst
View File

@@ -80,8 +80,24 @@ The exporter class
.. autoattribute:: category .. autoattribute:: category
.. autoattribute:: feature
.. autoattribute:: export_form_fields .. autoattribute:: export_form_fields
.. autoattribute:: repeatable_read
.. automethod:: render .. automethod:: render
This is an abstract method, you **must** override this! This is an abstract method, you **must** override this!
.. automethod:: available_for_user
.. automethod:: get_required_event_permission
On organizer level, by default exporters are expected to handle on a *set of events* and the system will automatically
add a form field that allows the selection of events, limited to events the user has correct permissions for. If this
does not fit your organizer, because it is not related to events, you should **also** inherit from the following class:
.. class:: pretix.base.exporter.OrganizerLevelExportMixin
.. automethod:: get_required_organizer_permission

3
doc/development/api/general.rst
View File

@@ -14,7 +14,8 @@ Core
:members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification, :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification,
item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter, item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter,
register_ticket_secret_generators, gift_card_transaction_display, register_ticket_secret_generators, gift_card_transaction_display,
register_text_placeholders, register_mail_placeholders, device_info_updated register_text_placeholders, register_mail_placeholders, device_info_updated,
register_event_permission_groups, register_organizer_permission_groups
Order events Order events
"""""""""""" """"""""""""

2
doc/development/implementation/logging.rst
View File

@@ -196,7 +196,7 @@ A simple implementation could look like this:
.. code-block:: python .. code-block:: python
class MyNotificationType(NotificationType): class MyNotificationType(NotificationType):
required_permission = "can_view_orders" required_permission = "event.orders:read"
action_type = "pretix.event.order.paid" action_type = "pretix.event.order.paid"
verbose_name = _("Order has been paid") verbose_name = _("Order has been paid")

89
doc/development/implementation/permissions.rst
View File

@@ -2,7 +2,7 @@ Permissions
=========== ===========
pretix uses a fine-grained permission system to control who is allowed to control what parts of the system. pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_ The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions`_
and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is: and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
An organizer account can have any number of teams, and any number of users can be part of a team. A team can be An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
assigned a set of permissions and connected to some or all of the events of the organizer. assigned a set of permissions and connected to some or all of the events of the organizer.
@@ -25,8 +25,8 @@ permission level to access a view:
class MyOrgaView(OrganizerPermissionRequiredMixin, View): class MyOrgaView(OrganizerPermissionRequiredMixin, View):
permission = 'can_change_organizer_settings' permission = 'organizer.settings.general:write'
# Only users with the permission ``can_change_organizer_settings`` on # Only users with the permission ``organizer.settings.general:write`` on
# this organizer can access this # this organizer can access this
@@ -35,9 +35,9 @@ permission level to access a view:
# Only users with *any* permission on this organizer can access this # Only users with *any* permission on this organizer can access this
@organizer_permission_required('can_change_organizer_settings') @organizer_permission_required('organizer.settings.general:write')
def my_orga_view(request, organizer, **kwargs): def my_orga_view(request, organizer, **kwargs):
# Only users with the permission ``can_change_organizer_settings`` on # Only users with the permission ``organizer.settings.general:write`` on
# this organizer can access this # this organizer can access this
@@ -56,8 +56,8 @@ Of course, the same is available on event level:
class MyEventView(EventPermissionRequiredMixin, View): class MyEventView(EventPermissionRequiredMixin, View):
permission = 'can_change_event_settings' permission = 'event.settings.general:write'
# Only users with the permission ``can_change_event_settings`` on # Only users with the permission ``event.settings.general:write`` on
# this event can access this # this event can access this
@@ -65,13 +65,16 @@ Of course, the same is available on event level:
permission = None permission = None
# Only users with *any* permission on this event can access this # Only users with *any* permission on this event can access this
class MyThirdEventView(EventPermissionRequiredMixin, View):
permission = AnyPermissionOf('event.settings.payment:write', 'event.settings.general:write')
# Only users with at least one of the specified permissions on this event
# can access this
@event_permission_required('can_change_event_settings') @event_permission_required('event.settings.general:write')
def my_event_view(request, organizer, **kwargs): def my_event_view(request, organizer, **kwargs):
# Only users with the permission ``can_change_event_settings`` on # Only users with the permission ``event.settings.general:write`` on
# this event can access this # this event can access this
@event_permission_required() @event_permission_required()
def my_other_event_view(request, organizer, **kwargs): def my_other_event_view(request, organizer, **kwargs):
# Only users with *any* permission on this event can access this # Only users with *any* permission on this event can access this
@@ -121,7 +124,7 @@ When creating your own ``viewset`` using Django REST framework, you just need to
and pretix will check it automatically for you:: and pretix will check it automatically for you::
class MyModelViewSet(viewsets.ReadOnlyModelViewSet): class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
permission = 'can_view_orders' permission = 'event.orders:read'
Checking permission in code Checking permission in code
--------------------------- ---------------------------
@@ -136,12 +139,12 @@ Return all users that are in any team that is connected to this event::
Return all users that are in a team with a specific permission for this event:: Return all users that are in a team with a specific permission for this event::
>>> event.get_users_with_permission('can_change_event_settings') >>> event.get_users_with_permission('event.orders:read')
<QuerySet: …> <QuerySet: …>
Determine if a user has a certain permission for a specific event:: Determine if a user has a certain permission for a specific event::
>>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request) >>> user.has_event_permission(organizer, event, 'event.orders:read', request=request)
True True
Determine if a user has any permission for a specific event:: Determine if a user has any permission for a specific event::
@@ -153,27 +156,27 @@ In the two previous commands, the ``request`` argument is optional, but required
The same method exists for organizer-level permissions:: The same method exists for organizer-level permissions::
>>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request) >>> user.has_organizer_permission(organizer, 'event.orders:read', request=request)
True True
Sometimes, it might be more useful to get the set of permissions at once:: Sometimes, it might be more useful to get the set of permissions at once::
>>> user.get_event_permission_set(organizer, event) >>> user.get_event_permission_set(organizer, event)
{'can_change_event_settings', 'can_view_orders', 'can_change_orders'} {'event.settings.general:write', 'event.orders:read', 'event.orders:write'}
>>> user.get_organizer_permission_set(organizer, event) >>> user.get_organizer_permission_set(organizer, event)
{'can_change_organizer_settings', 'can_create_events'} {'organizer.settings.general:write', 'organizer.events:create'}
Within a view on the ``/control`` subpath, the results of these two methods are already available in the Within a view on the ``/control`` subpath, the results of these two methods are already available in the
``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates:: ``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
{% endif %} {% endif %}
You can also do the reverse to get any events a user has access to:: You can also do the reverse to get any events a user has access to::
>>> user.get_events_with_permission('can_change_event_settings', request=request) >>> user.get_events_with_permission('event.settings.general:write', request=request)
<QuerySet: …> <QuerySet: …>
>>> user.get_events_with_any_permission(request=request) >>> user.get_events_with_any_permission(request=request)
@@ -195,3 +198,53 @@ staff mode is active. You can check if a user is in staff mode using their sessi
Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later, Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
the user is able to also save a message to comment on what they did in their administrative session. This feature is the user is able to also save a message to comment on what they did in their administrative session. This feature is
intended to help compliance with data protection rules as imposed e.g. by GDPR. intended to help compliance with data protection rules as imposed e.g. by GDPR.
Adding permissions
------------------
Plugins can add permissions through the ``register_event_permission_groups`` and ``register_organizer_permission_groups``.
We recommend to use this only for very significant permissions, as the system will become less usable with too many
permission levels, also because the team page will show all permission options, even those of disabled plugins.
To register your permissions, you need to register a **permission group** (often representing an area of functionality
or a key model). Below that group, there are **actions**, which represent the actual permissions. Permissions will be
generated as ``<group_name>:<action>``. Then, you need to define **options** which are the valid combinations of the
actions that should be possible to select for a team. This two-step mechanism exists to provide a better user experience
and avoid useless combinations like "write but not read".
Example::
@receiver(register_event_permission_groups)
def register_plugin_event_permissions(sender, **kwargs):
return [
PermissionGroup(
name="pretix_myplugin.resource",
label=_("Resources"),
actions=["read", "write"],
options=[
PermissionOption(actions=tuple(), label=_("No access")),
PermissionOption(actions=("read",), label=_("View")),
PermissionOption(actions=("read", "write"), label=_("View and change")),
],
help_text=_("Some help text")
),
]
@receiver(register_organizer_permission_groups)
def register_plugin_organizer_permissions(sender, **kwargs):
return [
PermissionGroup(
name="pretix_myplugin.resource",
label=_("Resources"),
actions=["read", "write"],
options=[
PermissionOption(actions=tuple(), label=_("No access")),
PermissionOption(actions=("read",), label=_("View")),
PermissionOption(actions=("read", "write"), label=_("View and change")),
],
help_text=_("Some help text")
),
]
.. _configuring teams and permissions: https://docs.pretix.eu/guides/teams/

4
pyproject.toml
View File

@@ -54,7 +54,7 @@ dependencies = [
"django-phonenumber-field==8.4.*", "django-phonenumber-field==8.4.*",
"django-redis==6.0.*", "django-redis==6.0.*",
"django-scopes==2.0.*", "django-scopes==2.0.*",
"django-statici18n==2.6.*", "django-statici18n==2.7.*",
"djangorestframework==3.16.*", "djangorestframework==3.16.*",
"dnspython==2.8.*", "dnspython==2.8.*",
"drf_ujson2==1.7.*", "drf_ujson2==1.7.*",
@@ -73,7 +73,7 @@ dependencies = [
"packaging", "packaging",
"paypalrestsdk==1.13.*", "paypalrestsdk==1.13.*",
"paypal-checkout-serversdk==1.0.*", "paypal-checkout-serversdk==1.0.*",
"PyJWT==2.11.*", "PyJWT==2.12.*",
"phonenumberslite==9.0.*", "phonenumberslite==9.0.*",
"Pillow==12.1.*", "Pillow==12.1.*",
"pretix-plugin-build", "pretix-plugin-build",

14
src/pretix/api/auth/permission.py
View File

@@ -36,7 +36,9 @@ from rest_framework.permissions import SAFE_METHODS, BasePermission
from pretix.api.models import OAuthAccessToken from pretix.api.models import OAuthAccessToken
from pretix.base.models import Device, Event, User from pretix.base.models import Device, Event, User
from pretix.base.models.auth import SuperuserPermissionSet from pretix.base.models.auth import (
EventPermissionSet, OrganizerPermissionSet, SuperuserPermissionSet,
)
from pretix.base.models.organizer import TeamAPIToken from pretix.base.models.organizer import TeamAPIToken
from pretix.helpers.security import ( from pretix.helpers.security import (
Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired, Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired,
@@ -85,7 +87,7 @@ class EventPermission(BasePermission):
if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key): if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
request.eventpermset = SuperuserPermissionSet() request.eventpermset = SuperuserPermissionSet()
else: else:
request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event) request.eventpermset = EventPermissionSet(perm_holder.get_event_permission_set(request.organizer, request.event))
if isinstance(required_permission, (list, tuple)): if isinstance(required_permission, (list, tuple)):
if not any(p in request.eventpermset for p in required_permission): if not any(p in request.eventpermset for p in required_permission):
@@ -100,7 +102,7 @@ class EventPermission(BasePermission):
if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key): if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
request.orgapermset = SuperuserPermissionSet() request.orgapermset = SuperuserPermissionSet()
else: else:
request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer) request.orgapermset = OrganizerPermissionSet(perm_holder.get_organizer_permission_set(request.organizer))
if isinstance(required_permission, (list, tuple)): if isinstance(required_permission, (list, tuple)):
if not any(p in request.eventpermset for p in required_permission): if not any(p in request.eventpermset for p in required_permission):
@@ -124,12 +126,12 @@ class EventCRUDPermission(EventPermission):
def has_permission(self, request, view): def has_permission(self, request, view):
if not super(EventCRUDPermission, self).has_permission(request, view): if not super(EventCRUDPermission, self).has_permission(request, view):
return False return False
elif view.action == 'create' and 'can_create_events' not in request.orgapermset: elif view.action == 'create' and 'organizer.events:create' not in request.orgapermset:
return False return False
elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset: elif view.action == 'destroy' and 'event.settings.general:write' not in request.eventpermset:
return False return False
elif view.action in ['update', 'partial_update'] \ elif view.action in ['update', 'partial_update'] \
and 'can_change_event_settings' not in request.eventpermset: and 'event.settings.general:write' not in request.eventpermset:
return False return False
return True return True

21
src/pretix/api/serializers/event.py
View File

@@ -300,7 +300,7 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
def ignored_meta_properties(self): def ignored_meta_properties(self):
perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken)) perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
else self.context['request'].user) else self.context['request'].user)
if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']): if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
return [] return []
return [k for k, p in self.meta_properties.items() if p.protected] return [k for k, p in self.meta_properties.items() if p.protected]
@@ -445,7 +445,7 @@ class CloneEventSerializer(EventSerializer):
date_admission = validated_data.pop('date_admission', None) date_admission = validated_data.pop('date_admission', None)
new_event = super().create({**validated_data, 'plugins': None}) new_event = super().create({**validated_data, 'plugins': None})
event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first() event = self.context['event']
new_event.copy_data_from(event, skip_meta_data='meta_data' in validated_data) new_event.copy_data_from(event, skip_meta_data='meta_data' in validated_data)
if plugins is not None: if plugins is not None:
@@ -561,7 +561,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
def ignored_meta_properties(self): def ignored_meta_properties(self):
perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken)) perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
else self.context['request'].user) else self.context['request'].user)
if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']): if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
return [] return []
return [k for k, p in self.meta_properties.items() if p.protected] return [k for k, p in self.meta_properties.items() if p.protected]
@@ -707,7 +707,10 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
class EventSettingsSerializer(SettingsSerializer): class EventSettingsSerializer(SettingsSerializer):
default_write_permission = 'event.settings.general:write'
default_fields = [ default_fields = [
# These are readable for all users with access to the events, therefore secrets stored in the settings store
# should not be included!
'imprint_url', 'imprint_url',
'checkout_email_helptext', 'checkout_email_helptext',
'presale_has_ended_text', 'presale_has_ended_text',
@@ -1080,16 +1083,16 @@ class SeatSerializer(I18nAwareModelSerializer):
def prefetch_expanded_data(self, items, request, expand_fields): def prefetch_expanded_data(self, items, request, expand_fields):
if 'orderposition' in expand_fields: if 'orderposition' in expand_fields:
if 'can_view_orders' not in request.eventpermset: if 'event.orders:read' not in request.eventpermset:
raise PermissionDenied('can_view_orders permission required for expand=orderposition') raise PermissionDenied('event.orders:read permission required for expand=orderposition')
prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition') prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition')
if 'cartposition' in expand_fields: if 'cartposition' in expand_fields:
if 'can_view_orders' not in request.eventpermset: if 'event.orders:read' not in request.eventpermset:
raise PermissionDenied('can_view_orders permission required for expand=cartposition') raise PermissionDenied('event.orders:read permission required for expand=cartposition')
prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition') prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition')
if 'voucher' in expand_fields: if 'voucher' in expand_fields:
if 'can_view_vouchers' not in request.eventpermset: if 'event.vouchers:read' not in request.eventpermset:
raise PermissionDenied('can_view_vouchers permission required for expand=voucher') raise PermissionDenied('event.vouchers:read permission required for expand=voucher')
prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher') prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher')
def __init__(self, instance, *args, **kwargs): def __init__(self, instance, *args, **kwargs):

42
src/pretix/api/serializers/exporters.py
View File

@@ -27,7 +27,9 @@ from rest_framework.exceptions import ValidationError
from pretix.api.serializers.forms import form_field_to_serializer_field from pretix.api.serializers.forms import form_field_to_serializer_field
from pretix.base.exporter import OrganizerLevelExportMixin from pretix.base.exporter import OrganizerLevelExportMixin
from pretix.base.models import ScheduledEventExport, ScheduledOrganizerExport from pretix.base.models import (
Event, ScheduledEventExport, ScheduledOrganizerExport,
)
from pretix.base.timeframes import SerializerDateFrameField from pretix.base.timeframes import SerializerDateFrameField
@@ -54,20 +56,29 @@ class ExporterSerializer(serializers.Serializer):
class JobRunSerializer(serializers.Serializer): class JobRunSerializer(serializers.Serializer):
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
ex = kwargs.pop('exporter') ex = self.ex = kwargs.pop('exporter')
events = kwargs.pop('events', None)
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
if events is not None and not isinstance(ex, OrganizerLevelExportMixin): if ex.is_multievent and not isinstance(ex, OrganizerLevelExportMixin):
self.fields["events"] = serializers.SlugRelatedField( self.fields["all_events"] = serializers.BooleanField(
queryset=events,
required=False, required=False,
allow_empty=False, )
self.fields["events"] = serializers.SlugRelatedField(
queryset=ex.events,
required=False,
allow_empty=True,
slug_field='slug', slug_field='slug',
many=True many=True
) )
for k, v in ex.export_form_fields.items(): for k, v in ex.export_form_fields.items():
self.fields[k] = form_field_to_serializer_field(v) self.fields[k] = form_field_to_serializer_field(v)
def to_representation(self, instance):
# Translate between events as a list of slugs (API) and list of ints (database)
if self.ex.is_multievent and not isinstance(self.ex, OrganizerLevelExportMixin) and "events" in instance and isinstance(instance["events"], list):
instance["events"] = [e for e in self.ex.events.filter(pk__in=instance["events"])]
instance = super().to_representation(instance)
return instance
def to_internal_value(self, data): def to_internal_value(self, data):
if isinstance(data, QueryDict): if isinstance(data, QueryDict):
data = data.copy() data = data.copy()
@@ -95,6 +106,14 @@ class JobRunSerializer(serializers.Serializer):
data[fk] = f'{d_from.isoformat() if d_from else ""}/{d_to.isoformat() if d_to else ""}' data[fk] = f'{d_from.isoformat() if d_from else ""}/{d_to.isoformat() if d_to else ""}'
data = super().to_internal_value(data) data = super().to_internal_value(data)
# Translate between events as a list of slugs (API) and list of ints (database)
if self.ex.is_multievent and not isinstance(self.ex, OrganizerLevelExportMixin) and "events" in data and isinstance(data["events"], list):
if data["events"] and isinstance(data["events"][0], Event):
data["events"] = [e.pk for e in data["events"]]
elif data["events"] and isinstance(data["events"][0], str):
data["events"] = [e.pk for e in self.ex.events.filter(slug__in=data["events"]).only("pk")]
return data return data
def is_valid(self, raise_exception=False): def is_valid(self, raise_exception=False):
@@ -131,13 +150,20 @@ class ScheduledExportSerializer(serializers.ModelSerializer):
exporter = self.context['exporters'].get(identifier) exporter = self.context['exporters'].get(identifier)
if exporter: if exporter:
try: try:
JobRunSerializer(exporter=exporter).to_internal_value(attrs["export_form_data"]) attrs["export_form_data"] = JobRunSerializer(exporter=exporter).to_internal_value(attrs["export_form_data"])
except ValidationError as e: except ValidationError as e:
raise ValidationError({"export_form_data": e.detail}) raise ValidationError({"export_form_data": e.detail})
else: else:
raise ValidationError({"export_identifier": ["Unknown exporter."]}) raise ValidationError({"export_identifier": ["Unknown exporter."]})
return attrs return attrs
def to_representation(self, instance):
repr = super().to_representation(instance)
exporter = self.context['exporters'].get(instance.export_identifier)
if exporter:
repr["export_form_data"] = JobRunSerializer(exporter=exporter).to_representation(repr["export_form_data"])
return repr
def validate_mail_additional_recipients(self, value): def validate_mail_additional_recipients(self, value):
d = value.replace(' ', '') d = value.replace(' ', '')
if len(d.split(',')) > 25: if len(d.split(',')) > 25:

3
src/pretix/api/serializers/forms.py
View File

@@ -65,8 +65,9 @@ def form_field_to_serializer_field(field):
if isinstance(field, m_from): if isinstance(field, m_from):
return m_to( return m_to(
required=field.required, required=field.required,
allow_null=not field.required, allow_null=not field.required and not isinstance(field, forms.BooleanField),
validators=field.validators, validators=field.validators,
initial=field.initial,
**{kwarg: getattr(field, kwarg, None) for kwarg in m_kwargs} **{kwarg: getattr(field, kwarg, None) for kwarg in m_kwargs}
) )

10
src/pretix/api/serializers/media.py
View File

@@ -24,7 +24,7 @@ from decimal import Decimal
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from rest_framework import serializers from rest_framework import serializers
from rest_framework.exceptions import ValidationError from rest_framework.exceptions import PermissionDenied, ValidationError
from pretix.api.serializers.i18n import I18nAwareModelSerializer from pretix.api.serializers.i18n import I18nAwareModelSerializer
from pretix.api.serializers.order import OrderPositionSerializer from pretix.api.serializers.order import OrderPositionSerializer
@@ -66,6 +66,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'): if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'):
if not self.context["can_read_giftcards"]:
raise PermissionDenied("No permission to access gift card details.")
self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context) self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context)
if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'): if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context) self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context)
@@ -77,6 +80,8 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
) )
if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'): if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
# No additional permission check performed, documented limitation of the permission system
# Would get to complex/unusable otherwise since the permission depends on the event
self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True) self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
else: else:
self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField( self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -86,6 +91,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
) )
if 'customer' in self.context['request'].query_params.getlist('expand'): if 'customer' in self.context['request'].query_params.getlist('expand'):
if not self.context["can_read_customers"]:
raise PermissionDenied("No permission to access customer details.")
self.fields['customer'] = CustomerSerializer(read_only=True) self.fields['customer'] = CustomerSerializer(read_only=True)
else: else:
self.fields['customer'] = serializers.SlugRelatedField( self.fields['customer'] = serializers.SlugRelatedField(

55
src/pretix/api/serializers/order.py
View File

@@ -53,7 +53,7 @@ from pretix.base.decimal import round_decimal
from pretix.base.i18n import language from pretix.base.i18n import language
from pretix.base.invoicing.transmission import get_transmission_types from pretix.base.invoicing.transmission import get_transmission_types
from pretix.base.models import ( from pretix.base.models import (
CachedFile, Checkin, Customer, Device, Invoice, InvoiceAddress, CachedFile, Checkin, Customer, Device, GiftCard, Invoice, InvoiceAddress,
InvoiceLine, Item, ItemVariation, Order, OrderPosition, Question, InvoiceLine, Item, ItemVariation, Order, OrderPosition, Question,
QuestionAnswer, ReusableMedium, SalesChannel, Seat, SubEvent, TaxRule, QuestionAnswer, ReusableMedium, SalesChannel, Seat, SubEvent, TaxRule,
Voucher, Voucher,
@@ -62,6 +62,7 @@ from pretix.base.models.orders import (
BlockedTicketSecret, CartPosition, OrderFee, OrderPayment, OrderRefund, BlockedTicketSecret, CartPosition, OrderFee, OrderPayment, OrderRefund,
PrintLog, RevokedTicketSecret, Transaction, PrintLog, RevokedTicketSecret, Transaction,
) )
from pretix.base.payment import GiftCardPayment, PaymentException
from pretix.base.pdf import get_images, get_variables from pretix.base.pdf import get_images, get_variables
from pretix.base.services.cart import error_messages from pretix.base.services.cart import error_messages
from pretix.base.services.locking import LOCK_TRUST_WINDOW, lock_objects from pretix.base.services.locking import LOCK_TRUST_WINDOW, lock_objects
@@ -614,7 +615,7 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
# /events/…/checkinlists/…/positions/ # /events/…/checkinlists/…/positions/
# We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
# layer to not set pdf_data=true in the first place. # layer to not set pdf_data=true in the first place.
request and hasattr(request, 'eventpermset') and 'can_view_orders' not in request.eventpermset request and hasattr(request, 'eventpermset') and 'event.orders:read' not in request.eventpermset
) )
if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden: if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
self.fields.pop('pdf_data', None) self.fields.pop('pdf_data', None)
@@ -1200,6 +1201,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
) )
tax_rounding_mode = serializers.ChoiceField(choices=ROUNDING_MODES, allow_null=True, required=False,) tax_rounding_mode = serializers.ChoiceField(choices=ROUNDING_MODES, allow_null=True, required=False,)
locale = serializers.ChoiceField(choices=[], required=False, allow_null=True) locale = serializers.ChoiceField(choices=[], required=False, allow_null=True)
use_gift_cards = serializers.ListField(child=serializers.CharField(required=False), required=False)
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
@@ -1215,7 +1217,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
fields = ('code', 'status', 'testmode', 'email', 'phone', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel', fields = ('code', 'status', 'testmode', 'email', 'phone', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
'invoice_address', 'positions', 'checkin_attention', 'checkin_text', 'payment_info', 'payment_date', 'invoice_address', 'positions', 'checkin_attention', 'checkin_text', 'payment_info', 'payment_date',
'consume_carts', 'force', 'send_email', 'simulate', 'customer', 'custom_followup_at', 'consume_carts', 'force', 'send_email', 'simulate', 'customer', 'custom_followup_at',
'require_approval', 'valid_if_pending', 'expires', 'api_meta', 'tax_rounding_mode') 'require_approval', 'valid_if_pending', 'expires', 'api_meta', 'tax_rounding_mode', 'use_gift_cards')
def validate_payment_provider(self, pp): def validate_payment_provider(self, pp):
if pp is None: if pp is None:
@@ -1310,6 +1312,14 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
payment_date = validated_data.pop('payment_date', now()) payment_date = validated_data.pop('payment_date', now())
force = validated_data.pop('force', False) force = validated_data.pop('force', False)
simulate = validated_data.pop('simulate', False) simulate = validated_data.pop('simulate', False)
gift_card_secrets = validated_data.pop('use_gift_cards') if 'use_gift_cards' in validated_data else []
if (payment_provider is not None or payment_info != '{}') and len(gift_card_secrets) > 0:
raise ValidationError({"use_gift_cards": ['The attribute use_gift_cards is not compatible with payment_provider or payment_info']})
if validated_data.get('status') != Order.STATUS_PENDING and len(gift_card_secrets) > 0:
raise ValidationError({"use_gift_cards": ['The attribute use_gift_cards is only supported for orders that are created as pending']})
if len(set(gift_card_secrets)) != len(gift_card_secrets):
raise ValidationError({"use_gift_cards": ['Multiple copies of the same gift card secret are not allowed']})
if not validated_data.get("sales_channel"): if not validated_data.get("sales_channel"):
validated_data["sales_channel"] = self.context['event'].organizer.sales_channels.get(identifier="web") validated_data["sales_channel"] = self.context['event'].organizer.sales_channels.get(identifier="web")
@@ -1794,6 +1804,45 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
if order.total != Decimal('0.00') and order.event.currency == "XXX": if order.total != Decimal('0.00') and order.event.currency == "XXX":
raise ValidationError('Paid products not supported without a valid currency.') raise ValidationError('Paid products not supported without a valid currency.')
for gift_card_secret in gift_card_secrets:
try:
if order.status != Order.STATUS_PAID:
gift_card_payment_provider = GiftCardPayment(event=order.event)
gc = order.event.organizer.accepted_gift_cards.get(
secret=gift_card_secret
)
payment = order.payments.create(
amount=min(order.pending_sum, gc.value),
provider=gift_card_payment_provider.identifier,
info_data={
'gift_card': gc.pk,
'gift_card_secret': gc.secret,
'retry': True
},
state=OrderPayment.PAYMENT_STATE_CREATED
)
gift_card_payment_provider.execute_payment(request=None, payment=payment, is_early_special_case=True)
if order.pending_sum <= Decimal('0.00'):
order.status = Order.STATUS_PAID
except PaymentException:
pass
except GiftCard.DoesNotExist as e:
payment = order.payments.create(
amount=order.pending_sum,
provider=GiftCardPayment.identifier,
info_data={
'gift_card_secret': gift_card_secret,
},
state=OrderPayment.PAYMENT_STATE_CREATED
)
payment.fail(info={**payment.info_data, 'error': str(e)},
send_mail=False)
if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID and not validated_data.get('require_approval'): if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID and not validated_data.get('require_approval'):
order.status = Order.STATUS_PAID order.status = Order.STATUS_PAID
order.save() order.save()

127
src/pretix/api/serializers/organizer.py
View File

@@ -45,12 +45,19 @@ from pretix.base.models import (
SalesChannel, SeatingPlan, Team, TeamAPIToken, TeamInvite, User, SalesChannel, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
) )
from pretix.base.models.seating import SeatingPlanLayoutValidator from pretix.base.models.seating import SeatingPlanLayoutValidator
from pretix.base.permissions import (
get_all_event_permission_groups, get_all_organizer_permission_groups,
)
from pretix.base.plugins import ( from pretix.base.plugins import (
PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID, PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
PLUGIN_LEVEL_ORGANIZER, PLUGIN_LEVEL_ORGANIZER,
) )
from pretix.base.services.mail import mail from pretix.base.services.mail import mail
from pretix.base.settings import validate_organizer_settings from pretix.base.settings import validate_organizer_settings
from pretix.helpers.permission_migration import (
OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_EVENT_MIGRATION,
OLD_TO_NEW_ORGANIZER_COMPAT, OLD_TO_NEW_ORGANIZER_MIGRATION,
)
from pretix.helpers.urls import build_absolute_uri as build_global_uri from pretix.helpers.urls import build_absolute_uri as build_global_uri
from pretix.multidomain.urlreverse import build_absolute_uri from pretix.multidomain.urlreverse import build_absolute_uri
@@ -306,23 +313,128 @@ class EventSlugField(serializers.SlugRelatedField):
return self.context['organizer'].events.all() return self.context['organizer'].events.all()
class PermissionMultipleChoiceField(serializers.MultipleChoiceField):
def to_internal_value(self, data):
return {
p: True for p in super().to_internal_value(data)
}
def to_representation(self, value):
return [p for p, v in value.items() if v]
class TeamSerializer(serializers.ModelSerializer): class TeamSerializer(serializers.ModelSerializer):
limit_events = EventSlugField(slug_field='slug', many=True) limit_events = EventSlugField(slug_field='slug', many=True)
limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
# Legacy fields, handled in to_representation and validate
can_change_event_settings = serializers.BooleanField(required=False, write_only=True)
can_change_items = serializers.BooleanField(required=False, write_only=True)
can_view_orders = serializers.BooleanField(required=False, write_only=True)
can_change_orders = serializers.BooleanField(required=False, write_only=True)
can_checkin_orders = serializers.BooleanField(required=False, write_only=True)
can_view_vouchers = serializers.BooleanField(required=False, write_only=True)
can_change_vouchers = serializers.BooleanField(required=False, write_only=True)
can_create_events = serializers.BooleanField(required=False, write_only=True)
can_change_organizer_settings = serializers.BooleanField(required=False, write_only=True)
can_change_teams = serializers.BooleanField(required=False, write_only=True)
can_manage_gift_cards = serializers.BooleanField(required=False, write_only=True)
can_manage_customers = serializers.BooleanField(required=False, write_only=True)
can_manage_reusable_media = serializers.BooleanField(required=False, write_only=True)
class Meta: class Meta:
model = Team model = Team
fields = ( fields = (
'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams', 'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions',
'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings', 'all_organizer_permissions', 'limit_organizer_permissions', 'can_change_event_settings',
'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers', 'can_change_items', 'can_view_orders', 'can_change_orders', 'can_checkin_orders', 'can_view_vouchers',
'can_change_vouchers', 'can_checkin_orders', 'can_manage_customers', 'can_manage_reusable_media' 'can_change_vouchers', 'can_create_events', 'can_change_organizer_settings', 'can_change_teams',
'can_manage_gift_cards', 'can_manage_customers', 'can_manage_reusable_media'
) )
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
event_perms_flattened = []
organizer_perms_flattened = []
for pg in get_all_event_permission_groups().values():
for action in pg.actions:
event_perms_flattened.append(f"{pg.name}:{action}")
for pg in get_all_organizer_permission_groups().values():
for action in pg.actions:
organizer_perms_flattened.append(f"{pg.name}:{action}")
self.fields['limit_event_permissions'].choices = [(p, p) for p in event_perms_flattened]
self.fields['limit_organizer_permissions'].choices = [(p, p) for p in organizer_perms_flattened]
def to_representation(self, instance):
r = super().to_representation(instance)
for old, new in OLD_TO_NEW_EVENT_COMPAT.items():
r[old] = instance.all_event_permissions or all(instance.limit_event_permissions.get(n) for n in new)
for old, new in OLD_TO_NEW_ORGANIZER_COMPAT.items():
r[old] = instance.all_organizer_permissions or all(instance.limit_organizer_permissions.get(n) for n in new)
return r
def validate(self, data): def validate(self, data):
old_data_set = any(k.startswith("can_") for k in data)
new_data_set = any(k in data for k in [
"all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
])
if old_data_set and new_data_set:
raise ValidationError("You cannot set deprecated and current permission attributes at the same time.")
full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {} full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
full_data.update(data) full_data.update(data)
if new_data_set:
if full_data.get('limit_event_permissions') and full_data.get('all_event_permissions'):
raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.')
if full_data.get('limit_organizer_permissions') and full_data.get('all_organizer_permissions'):
raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.')
if old_data_set:
# Migrate with same logic as in migration 0297_pluggable_permissions
if all(full_data.get(k) is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
data["all_event_permissions"] = True
data["limit_event_permissions"] = {}
else:
data["all_event_permissions"] = False
data["limit_event_permissions"] = {}
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
if full_data.get(k) is True:
data["limit_event_permissions"].update({kk: True for kk in v})
if all(full_data.get(k) is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"):
data["all_organizer_permissions"] = True
data["limit_organizer_permissions"] = {}
else:
data["all_organizer_permissions"] = False
data["limit_organizer_permissions"] = {}
for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
if full_data.get(k) is True:
data["limit_organizer_permissions"].update({kk: True for kk in v})
if full_data.get('limit_events') and full_data.get('all_events'): if full_data.get('limit_events') and full_data.get('all_events'):
raise ValidationError('Do not set both limit_events and all_events.') raise ValidationError('Do not set both limit_events and all_events.')
full_data.update(data)
for pg in get_all_event_permission_groups().values():
requested = ",".join(sorted(
a for a in pg.actions if self.instance and full_data["limit_event_permissions"].get(f"{pg.name}:{a}")
))
if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
f"'{possible}' but you tried to set '{requested}'.")
for pg in get_all_organizer_permission_groups().values():
requested = ",".join(sorted(
a for a in pg.actions if self.instance and full_data["limit_organizer_permissions"].get(f"{pg.name}:{a}")
))
if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
f"'{possible}' but you tried to set '{requested}'.")
return data return data
@@ -339,7 +451,7 @@ class DeviceSerializer(serializers.ModelSerializer):
created = serializers.DateTimeField(read_only=True) created = serializers.DateTimeField(read_only=True)
revoked = serializers.BooleanField(read_only=True) revoked = serializers.BooleanField(read_only=True)
initialized = serializers.DateTimeField(read_only=True) initialized = serializers.DateTimeField(read_only=True)
initialization_token = serializers.DateTimeField(read_only=True) initialization_token = serializers.CharField(read_only=True)
security_profile = serializers.ChoiceField(choices=[], required=False, default="full") security_profile = serializers.ChoiceField(choices=[], required=False, default="full")
class Meta: class Meta:
@@ -353,6 +465,8 @@ class DeviceSerializer(serializers.ModelSerializer):
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
self.fields['security_profile'].choices = [(k, v.verbose_name) for k, v in get_all_security_profiles().items()] self.fields['security_profile'].choices = [(k, v.verbose_name) for k, v in get_all_security_profiles().items()]
if not self.context['can_see_tokens']:
del self.fields['initialization_token']
class TeamInviteSerializer(serializers.ModelSerializer): class TeamInviteSerializer(serializers.ModelSerializer):
@@ -437,7 +551,10 @@ class TeamMemberSerializer(serializers.ModelSerializer):
class OrganizerSettingsSerializer(SettingsSerializer): class OrganizerSettingsSerializer(SettingsSerializer):
default_write_permission = 'organizer.settings.general:write'
default_fields = [ default_fields = [
# These are readable for all users with access to the events, therefore secrets stored in the settings store
# should not be included!
'customer_accounts', 'customer_accounts',
'customer_accounts_native', 'customer_accounts_native',
'customer_accounts_link_by_email', 'customer_accounts_link_by_email',

10
src/pretix/api/serializers/settings.py
View File

@@ -37,6 +37,8 @@ logger = logging.getLogger(__name__)
class SettingsSerializer(serializers.Serializer): class SettingsSerializer(serializers.Serializer):
default_fields = [] default_fields = []
readonly_fields = [] readonly_fields = []
default_write_permission = 'organizer.settings.general:write'
write_permission_required = {}
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
self.changed_data = [] self.changed_data = []
@@ -58,9 +60,17 @@ class SettingsSerializer(serializers.Serializer):
f._label = str(form_kwargs.get('label', fname)) f._label = str(form_kwargs.get('label', fname))
f._help_text = str(form_kwargs.get('help_text')) f._help_text = str(form_kwargs.get('help_text'))
f.parent = self f.parent = self
self.write_permission_required[fname] = DEFAULTS[fname].get('write_permission', self.default_write_permission)
self.fields[fname] = f self.fields[fname] = f
def validate(self, attrs): def validate(self, attrs):
for k in attrs.keys():
p = self.write_permission_required.get(k, self.default_write_permission)
if p not in self.context["permissions"]:
raise ValidationError({k: f"Setting this field requires permission {p}"})
return {k: v for k, v in attrs.items() if k not in self.readonly_fields} return {k: v for k, v in attrs.items() if k not in self.readonly_fields}
def update(self, instance: HierarkeyProxy, validated_data): def update(self, instance: HierarkeyProxy, validated_data):

4
src/pretix/api/views/cart.py
View File

@@ -52,8 +52,8 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
ordering = ('datetime',) ordering = ('datetime',)
ordering_fields = ('datetime', 'cart_id') ordering_fields = ('datetime', 'cart_id')
lookup_field = 'id' lookup_field = 'id'
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
def get_queryset(self): def get_queryset(self):
return CartPosition.objects.filter( return CartPosition.objects.filter(

33
src/pretix/api/views/checkin.py
View File

@@ -67,6 +67,7 @@ from pretix.base.models import (
Question, ReusableMedium, RevokedTicketSecret, TeamAPIToken, Question, ReusableMedium, RevokedTicketSecret, TeamAPIToken,
) )
from pretix.base.models.orders import PrintLog from pretix.base.models.orders import PrintLog
from pretix.base.permissions import AnyPermissionOf
from pretix.base.services.checkin import ( from pretix.base.services.checkin import (
CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin, CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin,
) )
@@ -118,11 +119,11 @@ class CheckinListViewSet(viewsets.ModelViewSet):
def _get_permission_name(self, request): def _get_permission_name(self, request):
if request.path.endswith('/failed_checkins/'): if request.path.endswith('/failed_checkins/'):
return 'can_checkin_orders', 'can_change_orders' return 'event.orders:checkin', 'event.orders:write'
elif request.method in SAFE_METHODS: elif request.method in SAFE_METHODS:
return 'can_view_orders', 'can_checkin_orders', return 'event.orders:read', 'event.orders:checkin',
else: else:
return 'can_change_event_settings' return 'event.settings.general:write'
def get_queryset(self): def get_queryset(self):
qs = self.request.event.checkin_lists.prefetch_related( qs = self.request.event.checkin_lists.prefetch_related(
@@ -474,7 +475,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
'event': op.order.event, 'event': op.order.event,
'pdf_data': pdf_data and ( 'pdf_data': pdf_data and (
user if user and user.is_authenticated else auth user if user and user.is_authenticated else auth
).has_event_permission(request.organizer, event, 'can_view_orders', request), ).has_event_permission(request.organizer, event, 'event.orders:read', request),
} }
common_checkin_args = dict( common_checkin_args = dict(
@@ -839,8 +840,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
} }
filterset_class = CheckinOrderPositionFilter filterset_class = CheckinOrderPositionFilter
permission = ('can_view_orders', 'can_checkin_orders') permission = AnyPermissionOf('event.orders:read', 'event.orders:checkin')
write_permission = ('can_change_orders', 'can_checkin_orders') write_permission = AnyPermissionOf('event.orders:write', 'event.orders:checkin')
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
@@ -871,7 +872,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
expand=self.request.query_params.getlist('expand'), expand=self.request.query_params.getlist('expand'),
) )
if 'pk' not in self.request.resolver_match.kwargs and 'can_view_orders' not in self.request.eventpermset \ if 'pk' not in self.request.resolver_match.kwargs and 'event.orders:read' not in self.request.eventpermset \
and len(self.request.query_params.get('search', '')) < 3: and len(self.request.query_params.get('search', '')) < 3:
qs = qs.none() qs = qs.none()
@@ -920,9 +921,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
class CheckinRPCRedeemView(views.APIView): class CheckinRPCRedeemView(views.APIView):
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders')) events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
elif self.request.user.is_authenticated: elif self.request.user.is_authenticated:
events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter( events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
organizer=self.request.organizer organizer=self.request.organizer
) )
else: else:
@@ -990,9 +991,9 @@ class CheckinRPCSearchView(ListAPIView):
@cached_property @cached_property
def lists(self): def lists(self):
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
events = self.request.auth.get_events_with_permission(('can_view_orders', 'can_checkin_orders')) events = self.request.auth.get_events_with_permission(('event.orders:read', 'event.orders:checkin'))
elif self.request.user.is_authenticated: elif self.request.user.is_authenticated:
events = self.request.user.get_events_with_permission(('can_view_orders', 'can_checkin_orders'), self.request).filter( events = self.request.user.get_events_with_permission(('event.orders:read', 'event.orders:checkin'), self.request).filter(
organizer=self.request.organizer organizer=self.request.organizer
) )
else: else:
@@ -1009,9 +1010,9 @@ class CheckinRPCSearchView(ListAPIView):
@cached_property @cached_property
def has_full_access_permission(self): def has_full_access_permission(self):
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
events = self.request.auth.get_events_with_permission('can_view_orders') events = self.request.auth.get_events_with_permission('event.orders:read')
elif self.request.user.is_authenticated: elif self.request.user.is_authenticated:
events = self.request.user.get_events_with_permission('can_view_orders', self.request).filter( events = self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
organizer=self.request.organizer organizer=self.request.organizer
) )
else: else:
@@ -1038,9 +1039,9 @@ class CheckinRPCSearchView(ListAPIView):
class CheckinRPCAnnulView(views.APIView): class CheckinRPCAnnulView(views.APIView):
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders')) events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
elif self.request.user.is_authenticated: elif self.request.user.is_authenticated:
events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter( events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
organizer=self.request.organizer organizer=self.request.organizer
) )
else: else:
@@ -1118,7 +1119,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
filterset_class = CheckinFilter filterset_class = CheckinFilter
ordering = ('created', 'id') ordering = ('created', 'id')
ordering_fields = ('created', 'datetime', 'id',) ordering_fields = ('created', 'datetime', 'id',)
permission = 'can_view_orders' permission = 'event.orders:read'
def get_queryset(self): def get_queryset(self):
qs = Checkin.all.filter().select_related( qs = Checkin.all.filter().select_related(

2
src/pretix/api/views/discount.py
View File

@@ -57,7 +57,7 @@ class DiscountViewSet(ConditionalListView, viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('position', 'id') ordering = ('position', 'id')
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.discounts.prefetch_related( return self.request.event.discounts.prefetch_related(

43
src/pretix/api/views/event.py
View File

@@ -281,6 +281,11 @@ class EventViewSet(viewsets.ModelViewSet):
new_event = serializer.save(organizer=self.request.organizer) new_event = serializer.save(organizer=self.request.organizer)
if copy_from: if copy_from:
perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
else self.request.user)
if not copy_from.allow_copy_data(self.request.organizer, perm_holder):
raise PermissionDenied("Not sufficient permission on source event to copy")
new_event.copy_data_from(copy_from, skip_meta_data='meta_data' in serializer.validated_data) new_event.copy_data_from(copy_from, skip_meta_data='meta_data' in serializer.validated_data)
if plugins is not None: if plugins is not None:
@@ -341,15 +346,24 @@ class CloneEventViewSet(viewsets.ModelViewSet):
lookup_field = 'slug' lookup_field = 'slug'
lookup_url_kwarg = 'event' lookup_url_kwarg = 'event'
http_method_names = ['post'] http_method_names = ['post']
write_permission = 'can_create_events' write_permission = 'event.settings.general:write'
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
ctx['event'] = self.kwargs['event'] ctx['event'] = Event.objects.get(slug=self.kwargs['event'], organizer=self.request.organizer)
ctx['organizer'] = self.request.organizer ctx['organizer'] = self.request.organizer
return ctx return ctx
def perform_create(self, serializer): def perform_create(self, serializer):
# Weird edge case: Requires settings permission on the event (to read) but also on the organizer (two write)
perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
else self.request.user)
if not perm_holder.has_organizer_permission(self.request.organizer, "organizer.events:create", request=self.request):
raise PermissionDenied("No permission to create events")
if not serializer.context['event'].allow_copy_data(self.request.organizer, perm_holder):
raise PermissionDenied("Not sufficient permission on source event to copy")
serializer.save(organizer=self.request.organizer) serializer.save(organizer=self.request.organizer)
serializer.instance.log_action( serializer.instance.log_action(
@@ -426,7 +440,7 @@ with scopes_disabled():
class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet): class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer_class = SubEventSerializer serializer_class = SubEventSerializer
queryset = SubEvent.objects.none() queryset = SubEvent.objects.none()
write_permission = 'can_change_event_settings' write_permission = 'event.subevents:write'
filter_backends = (DjangoFilterBackend, TotalOrderingFilter) filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
ordering = ('date_from',) ordering = ('date_from',)
ordering_fields = ('id', 'date_from', 'last_modified') ordering_fields = ('id', 'date_from', 'last_modified')
@@ -546,7 +560,7 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet): class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer_class = TaxRuleSerializer serializer_class = TaxRuleSerializer
queryset = TaxRule.objects.none() queryset = TaxRule.objects.none()
write_permission = 'can_change_event_settings' write_permission = 'event.settings.tax:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.tax_rules.all() return self.request.event.tax_rules.all()
@@ -589,7 +603,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
class ItemMetaPropertiesViewSet(viewsets.ModelViewSet): class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
serializer_class = ItemMetaPropertiesSerializer serializer_class = ItemMetaPropertiesSerializer
queryset = ItemMetaProperty.objects.none() queryset = ItemMetaProperty.objects.none()
write_permission = 'can_change_event_settings' write_permission = 'event.settings.general:write'
def get_queryset(self): def get_queryset(self):
qs = self.request.event.item_meta_properties.all() qs = self.request.event.item_meta_properties.all()
@@ -636,19 +650,18 @@ class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
class EventSettingsView(views.APIView): class EventSettingsView(views.APIView):
permission = None permission = None
write_permission = 'can_change_event_settings' write_permission = 'event.settings.general:write'
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
if isinstance(request.auth, Device): if isinstance(request.auth, Device):
s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={ s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={
'request': request 'request': request, 'permissions': request.eventpermset
})
elif 'can_change_event_settings' in request.eventpermset:
s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
'request': request
}) })
else: else:
raise PermissionDenied() s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
'request': request, 'permissions': request.eventpermset,
})
if 'explain' in request.GET: if 'explain' in request.GET:
return Response({ return Response({
fname: { fname: {
@@ -662,7 +675,7 @@ class EventSettingsView(views.APIView):
def patch(self, request, *wargs, **kwargs): def patch(self, request, *wargs, **kwargs):
s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True, s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
event=request.event, context={'request': request}) event=request.event, context={'request': request, 'permissions': request.eventpermset})
s.is_valid(raise_exception=True) s.is_valid(raise_exception=True)
with transaction.atomic(): with transaction.atomic():
s.save() s.save()
@@ -674,7 +687,7 @@ class EventSettingsView(views.APIView):
) )
s = EventSettingsSerializer( s = EventSettingsSerializer(
instance=request.event.settings, event=request.event, context={ instance=request.event.settings, event=request.event, context={
'request': request 'request': request, 'permissions': request.eventpermset
}) })
return Response(s.data) return Response(s.data)
@@ -701,7 +714,7 @@ class SeatFilter(FilterSet):
class SeatViewSet(ConditionalListView, viewsets.ModelViewSet): class SeatViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer_class = SeatSerializer serializer_class = SeatSerializer
queryset = Seat.objects.none() queryset = Seat.objects.none()
write_permission = 'can_change_event_settings' write_permission = 'event.settings.general:write'
filter_backends = (DjangoFilterBackend, ) filter_backends = (DjangoFilterBackend, )
filterset_class = SeatFilter filterset_class = SeatFilter

167
src/pretix/api/views/exporters.py
View File

@@ -40,12 +40,12 @@ from pretix.api.serializers.exporters import (
) )
from pretix.base.exporter import OrganizerLevelExportMixin from pretix.base.exporter import OrganizerLevelExportMixin
from pretix.base.models import ( from pretix.base.models import (
CachedFile, Device, Event, ScheduledEventExport, ScheduledOrganizerExport, CachedFile, Device, ScheduledEventExport, ScheduledOrganizerExport,
TeamAPIToken, TeamAPIToken,
) )
from pretix.base.services.export import export, multiexport from pretix.base.models.organizer import TeamQuerySet
from pretix.base.signals import ( from pretix.base.services.export import (
register_data_exporters, register_multievent_data_exporters, export, init_event_exporters, init_organizer_exporters, multiexport,
) )
from pretix.helpers.http import ChunkBasedFileResponse from pretix.helpers.http import ChunkBasedFileResponse
@@ -111,7 +111,7 @@ class ExportersMixin:
@action(detail=True, methods=['POST']) @action(detail=True, methods=['POST'])
def run(self, *args, **kwargs): def run(self, *args, **kwargs):
instance = self.get_object() instance = self.get_object()
serializer = JobRunSerializer(exporter=instance, data=self.request.data, **self.get_serializer_kwargs()) serializer = JobRunSerializer(exporter=instance, data=self.request.data)
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
cf = CachedFile(web_download=True) cf = CachedFile(web_download=True)
@@ -136,27 +136,34 @@ class ExportersMixin:
class EventExportersViewSet(ExportersMixin, viewsets.ViewSet): class EventExportersViewSet(ExportersMixin, viewsets.ViewSet):
permission = 'can_view_orders' permission = None
def get_serializer_kwargs(self):
return {}
@cached_property @cached_property
def exporters(self): def exporters(self):
raw_exporters = list(init_event_exporters(
event=self.request.event,
user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
device=self.request.auth if isinstance(self.request.auth, Device) else None,
request=self.request,
))
exporters = [] exporters = []
responses = register_data_exporters.send(self.request.event)
raw_exporters = [response(self.request.event, self.request.organizer) for r, response in responses if response]
raw_exporters = [
ex for ex in raw_exporters
if ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
]
for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)): for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)):
ex._serializer = JobRunSerializer(exporter=ex) ex._serializer = JobRunSerializer(exporter=ex)
exporters.append(ex) exporters.append(ex)
return exporters return exporters
def do_export(self, cf, instance, data): def do_export(self, cf, instance, data):
return export.apply_async(args=(self.request.event.id, str(cf.id), instance.identifier, data)) return export.apply_async(args=(
self.request.event.id,
), kwargs={
'user': self.request.user.pk if self.request.user and self.request.user.is_authenticated else None,
'token': self.request.auth.pk if isinstance(self.request.auth, TeamAPIToken) else None,
'device': self.request.auth.pk if isinstance(self.request.auth, Device) else None,
'fileid': str(cf.id),
'provider': instance.identifier,
'form_data': data,
})
class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet): class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
@@ -164,47 +171,23 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
@cached_property @cached_property
def exporters(self): def exporters(self):
raw_exporters = list(init_organizer_exporters(
organizer=self.request.organizer,
user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
device=self.request.auth if isinstance(self.request.auth, Device) else None,
request=self.request,
))
exporters = [] exporters = []
if isinstance(self.request.auth, (Device, TeamAPIToken)):
perm_holder = self.request.auth
else:
perm_holder = self.request.user
events = perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
organizer=self.request.organizer
)
responses = register_multievent_data_exporters.send(self.request.organizer)
raw_exporters = [
response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else events, self.request.organizer)
for r, response in responses
if response
]
raw_exporters = [
ex for ex in raw_exporters
if (
not isinstance(ex, OrganizerLevelExportMixin) or
perm_holder.has_organizer_permission(self.request.organizer, ex.organizer_required_permission, self.request)
) and ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
]
for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)): for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)):
ex._serializer = JobRunSerializer(exporter=ex, events=events) ex._serializer = JobRunSerializer(exporter=ex)
exporters.append(ex) exporters.append(ex)
return exporters return exporters
def get_serializer_kwargs(self):
if isinstance(self.request.auth, (Device, TeamAPIToken)):
perm_holder = self.request.auth
else:
perm_holder = self.request.user
return {
'events': perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
organizer=self.request.organizer
)
}
def do_export(self, cf, instance, data): def do_export(self, cf, instance, data):
return multiexport.apply_async(kwargs={ return multiexport.apply_async(kwargs={
'organizer': self.request.organizer.id, 'organizer': self.request.organizer.id,
'user': self.request.user.id if self.request.user.is_authenticated else None, 'user': self.request.user.id if self.request.user and self.request.user.is_authenticated else None,
'token': self.request.auth.pk if isinstance(self.request.auth, TeamAPIToken) else None, 'token': self.request.auth.pk if isinstance(self.request.auth, TeamAPIToken) else None,
'device': self.request.auth.pk if isinstance(self.request.auth, Device) else None, 'device': self.request.auth.pk if isinstance(self.request.auth, Device) else None,
'fileid': str(cf.id), 'fileid': str(cf.id),
@@ -222,11 +205,11 @@ class ScheduledExportersViewSet(viewsets.ModelViewSet):
class ScheduledEventExportViewSet(ScheduledExportersViewSet): class ScheduledEventExportViewSet(ScheduledExportersViewSet):
serializer_class = ScheduledEventExportSerializer serializer_class = ScheduledEventExportSerializer
queryset = ScheduledEventExport.objects.none() queryset = ScheduledEventExport.objects.none()
permission = 'can_view_orders' permission = None
def get_queryset(self): def get_queryset(self):
perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'can_change_event_settings', if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'event.settings.general:write',
request=self.request): request=self.request):
if self.request.user.is_authenticated: if self.request.user.is_authenticated:
qs = self.request.event.scheduled_exports.filter(owner=self.request.user) qs = self.request.event.scheduled_exports.filter(owner=self.request.user)
@@ -258,11 +241,28 @@ class ScheduledEventExportViewSet(ScheduledExportersViewSet):
@cached_property @cached_property
def exporters(self): def exporters(self):
responses = register_data_exporters.send(self.request.event) exporters = list(init_event_exporters(
exporters = [response(self.request.event, self.request.organizer) for r, response in responses if response] event=self.request.event,
user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
device=self.request.auth if isinstance(self.request.auth, Device) else None,
request=self.request,
))
return {e.identifier: e for e in exporters} return {e.identifier: e for e in exporters}
def perform_update(self, serializer): def perform_update(self, serializer):
if not self.request.user.is_authenticated or self.request.user != serializer.instance.owner:
# This is to prevent a possible privilege escalation where user A creates a scheduled export and
# user B has settings permission (= they can see the export configuration), but not enough permission
# to run the export themselves. Without this check, user B could modify the export and add themselves
# as a recipient. Thereby, user B would gain access to data they can't have.
exporter = self.exporters.get(serializer.instance.export_identifier)
if not exporter:
raise PermissionDenied("No access to exporter.")
perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
if not perm_holder.has_event_permission(self.request.organizer, self.request.event, exporter.get_required_event_permission()):
raise PermissionDenied("No permission to edit exports you could not run.")
serializer.save(event=self.request.event) serializer.save(event=self.request.event)
serializer.instance.compute_next_run() serializer.instance.compute_next_run()
serializer.instance.error_counter = 0 serializer.instance.error_counter = 0
@@ -291,7 +291,7 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
def get_queryset(self): def get_queryset(self):
perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
if not perm_holder.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings', if not perm_holder.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write',
request=self.request): request=self.request):
if self.request.user.is_authenticated: if self.request.user.is_authenticated:
qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user) qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user)
@@ -321,26 +321,55 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
ctx['exporters'] = self.exporters ctx['exporters'] = self.exporters
return ctx return ctx
@cached_property
def events(self):
if isinstance(self.request.auth, (TeamAPIToken, Device)):
return self.request.auth.get_events_with_permission('can_view_orders')
elif self.request.user.is_authenticated:
return self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
organizer=self.request.organizer
)
@cached_property @cached_property
def exporters(self): def exporters(self):
responses = register_multievent_data_exporters.send(self.request.organizer) exporters = list(init_organizer_exporters(
exporters = [ organizer=self.request.organizer,
response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else self.events, user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
self.request.organizer) token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
for r, response in responses if response device=self.request.auth if isinstance(self.request.auth, Device) else None,
] request=self.request,
))
return {e.identifier: e for e in exporters} return {e.identifier: e for e in exporters}
def perform_update(self, serializer): def perform_update(self, serializer):
if not self.request.user.is_authenticated or self.request.user != serializer.instance.owner:
# This is to prevent a possible privilege escalation where user A creates a scheduled export and
# user B has settings permission (= they can see the export configuration), but not enough permission
# to run the export themselves. Without this check, user B could modify the export and add themselves
# as a recipient. Thereby, user B would gain access to data they can't have.
exporter = self.exporters.get(serializer.instance.export_identifier)
if not exporter:
raise PermissionDenied("No access to exporter.")
perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
else self.request.user)
if isinstance(exporter, OrganizerLevelExportMixin):
if not perm_holder.has_organizer_permission(
self.request.organizer, exporter.get_required_organizer_permission(), request=self.request,
):
raise PermissionDenied("No permission to edit exports you could not run.")
else:
if serializer.instance.export_form_data.get("all_events", False):
if isinstance(self.request.auth, Device):
if not self.request.auth.all_events:
raise PermissionDenied("No permission to edit exports you could not run.")
elif isinstance(self.request.auth, TeamAPIToken):
if not self.request.auth.team.all_events:
raise PermissionDenied("No permission to edit exports you could not run.")
elif self.request.user.is_authenticated:
if not self.request.user.teams.filter(
TeamQuerySet.event_permission_q(exporter.get_required_event_permission()),
all_events=True,
).exists():
raise PermissionDenied("No permission to edit exports you could not run.")
else:
events_selected = serializer.instance.export_form_data.get("events", [])
events_permission = set(perm_holder.get_events_with_permission(
exporter.get_required_event_permission(), request=self.request
).values_list("pk", flat=True))
if not all(e in events_permission for e in events_selected):
raise PermissionDenied("No permission to edit exports you could not run.")
serializer.save(organizer=self.request.organizer) serializer.save(organizer=self.request.organizer)
serializer.instance.compute_next_run() serializer.instance.compute_next_run()
serializer.instance.error_counter = 0 serializer.instance.error_counter = 0

18
src/pretix/api/views/item.py
View File

@@ -99,7 +99,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
ordering = ('position', 'id') ordering = ('position', 'id')
filterset_class = ItemFilter filterset_class = ItemFilter
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.items.select_related('tax_rule').prefetch_related( return self.request.event.items.select_related('tax_rule').prefetch_related(
@@ -163,7 +163,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('id',) ordering = ('id',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
@cached_property @cached_property
def item(self): def item(self):
@@ -234,7 +234,7 @@ class ItemBundleViewSet(viewsets.ModelViewSet):
ordering_fields = ('id',) ordering_fields = ('id',)
ordering = ('id',) ordering = ('id',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
@cached_property @cached_property
def item(self): def item(self):
@@ -286,7 +286,7 @@ class ItemProgramTimeViewSet(viewsets.ModelViewSet):
ordering_fields = ('id',) ordering_fields = ('id',)
ordering = ('id',) ordering = ('id',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
@cached_property @cached_property
def item(self): def item(self):
@@ -339,7 +339,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('id',) ordering = ('id',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
@cached_property @cached_property
def item(self): def item(self):
@@ -398,7 +398,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('position', 'id') ordering = ('position', 'id')
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.categories.all() return self.request.event.categories.all()
@@ -453,7 +453,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('position', 'id') ordering = ('position', 'id')
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.questions.prefetch_related('options').all() return self.request.event.questions.prefetch_related('options').all()
@@ -497,7 +497,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
ordering_fields = ('id', 'position') ordering_fields = ('id', 'position')
ordering = ('position',) ordering = ('position',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event) q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
@@ -564,7 +564,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
ordering_fields = ('id', 'size') ordering_fields = ('id', 'size')
ordering = ('id',) ordering = ('id',)
permission = None permission = None
write_permission = 'can_change_items' write_permission = 'event.items:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all() return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all()

6
src/pretix/api/views/media.py
View File

@@ -62,8 +62,8 @@ with scopes_disabled():
class ReusableMediaViewSet(viewsets.ModelViewSet): class ReusableMediaViewSet(viewsets.ModelViewSet):
serializer_class = ReusableMediaSerializer serializer_class = ReusableMediaSerializer
queryset = ReusableMedium.objects.none() queryset = ReusableMedium.objects.none()
permission = 'can_manage_reusable_media' permission = 'organizer.reusablemedia:read'
write_permission = 'can_manage_reusable_media' write_permission = 'organizer.reusablemedia:write'
filter_backends = (DjangoFilterBackend, OrderingFilter) filter_backends = (DjangoFilterBackend, OrderingFilter)
ordering = ('-updated', '-id') ordering = ('-updated', '-id')
ordering_fields = ('created', 'updated', 'identifier', 'type', 'id') ordering_fields = ('created', 'updated', 'identifier', 'type', 'id')
@@ -95,6 +95,8 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
ctx['organizer'] = self.request.organizer ctx['organizer'] = self.request.organizer
ctx['can_read_giftcards'] = 'organizer.giftcards:read' in self.request.orgapermset
ctx['can_read_customers'] = 'organizer.customers:read' in self.request.orgapermset
return ctx return ctx
@transaction.atomic() @transaction.atomic()

47
src/pretix/api/views/order.py
View File

@@ -317,7 +317,7 @@ class OrderViewSetMixin:
class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet): class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
def get_base_queryset(self): def get_base_queryset(self):
perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders" perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
return Order.objects.filter( return Order.objects.filter(
event__organizer=self.request.organizer, event__organizer=self.request.organizer,
@@ -338,8 +338,8 @@ class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet): class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
@@ -1072,8 +1072,6 @@ class OrderPositionViewSetMixin:
ordering = ('order__datetime', 'positionid') ordering = ('order__datetime', 'positionid')
ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',) ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
filterset_class = OrderPositionFilter filterset_class = OrderPositionFilter
permission = 'can_view_orders'
write_permission = 'can_change_orders'
ordering_custom = { ordering_custom = {
'attendee_name': { 'attendee_name': {
'_order': F('display_name').asc(nulls_first=True), '_order': F('display_name').asc(nulls_first=True),
@@ -1169,11 +1167,13 @@ class OrderPositionViewSetMixin:
class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnlyModelViewSet): class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = OrganizerOrderPositionSerializer serializer_class = OrganizerOrderPositionSerializer
permission = None
write_permission = None
def get_queryset(self): def get_queryset(self):
qs = super().get_queryset() qs = super().get_queryset()
perm = self.permission if self.request.method in SAFE_METHODS else self.write_permission perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
auth_obj = self.request.auth auth_obj = self.request.auth
@@ -1193,6 +1193,8 @@ class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnly
class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet): class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet):
serializer_class = OrderPositionSerializer serializer_class = OrderPositionSerializer
permission = 'event.orders:read'
write_permission = 'event.orders:write'
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
@@ -1611,8 +1613,8 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet): class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = OrderPaymentSerializer serializer_class = OrderPaymentSerializer
queryset = OrderPayment.objects.none() queryset = OrderPayment.objects.none()
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
lookup_field = 'local_id' lookup_field = 'local_id'
def get_serializer_context(self): def get_serializer_context(self):
@@ -1784,8 +1786,8 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet): class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = OrderRefundSerializer serializer_class = OrderRefundSerializer
queryset = OrderRefund.objects.none() queryset = OrderRefund.objects.none()
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
lookup_field = 'local_id' lookup_field = 'local_id'
def get_queryset(self): def get_queryset(self):
@@ -1942,13 +1944,18 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
ordering = ('nr',) ordering = ('nr',)
ordering_fields = ('nr', 'date') ordering_fields = ('nr', 'date')
filterset_class = InvoiceFilter filterset_class = InvoiceFilter
permission = 'can_view_orders'
lookup_url_kwarg = 'number' lookup_url_kwarg = 'number'
lookup_field = 'nr' lookup_field = 'nr'
write_permission = 'can_change_orders'
def _get_permission_name(self, request):
if 'event' in request.resolver_match.kwargs:
if request.method not in SAFE_METHODS:
return "event.orders:write"
return "event.orders:read"
return None # org-level is handled by event__in check
def get_queryset(self): def get_queryset(self):
perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders" perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
if getattr(self.request, 'event', None): if getattr(self.request, 'event', None):
qs = self.request.event.invoices qs = self.request.event.invoices
elif isinstance(self.request.auth, (TeamAPIToken, Device)): elif isinstance(self.request.auth, (TeamAPIToken, Device)):
@@ -2089,8 +2096,8 @@ class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
ordering = ('-created',) ordering = ('-created',)
ordering_fields = ('created', 'secret') ordering_fields = ('created', 'secret')
filterset_class = RevokedSecretFilter filterset_class = RevokedSecretFilter
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
def get_queryset(self): def get_queryset(self):
return RevokedTicketSecret.objects.filter(event=self.request.event) return RevokedTicketSecret.objects.filter(event=self.request.event)
@@ -2111,8 +2118,8 @@ class BlockedSecretViewSet(viewsets.ReadOnlyModelViewSet):
filter_backends = (DjangoFilterBackend, TotalOrderingFilter) filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
ordering = ('-updated', '-pk') ordering = ('-updated', '-pk')
filterset_class = BlockedSecretFilter filterset_class = BlockedSecretFilter
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
def get_queryset(self): def get_queryset(self):
return BlockedTicketSecret.objects.filter(event=self.request.event) return BlockedTicketSecret.objects.filter(event=self.request.event)
@@ -2147,7 +2154,7 @@ class TransactionViewSet(viewsets.ReadOnlyModelViewSet):
ordering = ('datetime', 'pk') ordering = ('datetime', 'pk')
ordering_fields = ('datetime', 'created', 'id',) ordering_fields = ('datetime', 'created', 'id',)
filterset_class = TransactionFilter filterset_class = TransactionFilter
permission = 'can_view_orders' permission = 'event.orders:read'
def get_queryset(self): def get_queryset(self):
return Transaction.objects.filter(order__event=self.request.event).select_related("order") return Transaction.objects.filter(order__event=self.request.event).select_related("order")
@@ -2164,11 +2171,11 @@ class OrganizerTransactionViewSet(TransactionViewSet):
if isinstance(self.request.auth, (TeamAPIToken, Device)): if isinstance(self.request.auth, (TeamAPIToken, Device)):
qs = qs.filter( qs = qs.filter(
order__event__in=self.request.auth.get_events_with_permission("can_view_orders"), order__event__in=self.request.auth.get_events_with_permission("event.orders:read"),
) )
elif self.request.user.is_authenticated: elif self.request.user.is_authenticated:
qs = qs.filter( qs = qs.filter(
order__event__in=self.request.user.get_events_with_permission("can_view_orders", request=self.request) order__event__in=self.request.user.get_events_with_permission("event.orders:read", request=self.request)
) )
else: else:
raise PermissionDenied("Unknown authentication scheme") raise PermissionDenied("Unknown authentication scheme")

57
src/pretix/api/views/organizer.py
View File

@@ -70,7 +70,7 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
filter_backends = (TotalOrderingFilter,) filter_backends = (TotalOrderingFilter,)
ordering = ('slug',) ordering = ('slug',)
ordering_fields = ('name', 'slug') ordering_fields = ('name', 'slug')
write_permission = "can_change_organizer_settings" write_permission = "organizer.settings.general:write"
def get_queryset(self): def get_queryset(self):
if self.request.user.is_authenticated: if self.request.user.is_authenticated:
@@ -154,8 +154,8 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
class SeatingPlanViewSet(viewsets.ModelViewSet): class SeatingPlanViewSet(viewsets.ModelViewSet):
serializer_class = SeatingPlanSerializer serializer_class = SeatingPlanSerializer
queryset = SeatingPlan.objects.none() queryset = SeatingPlan.objects.none()
permission = 'can_change_organizer_settings' permission = None
write_permission = 'can_change_organizer_settings' write_permission = 'organizer.seatingplans:write'
def get_queryset(self): def get_queryset(self):
return self.request.organizer.seating_plans.order_by('name') return self.request.organizer.seating_plans.order_by('name')
@@ -221,8 +221,8 @@ with scopes_disabled():
class GiftCardViewSet(viewsets.ModelViewSet): class GiftCardViewSet(viewsets.ModelViewSet):
serializer_class = GiftCardSerializer serializer_class = GiftCardSerializer
queryset = GiftCard.objects.none() queryset = GiftCard.objects.none()
permission = 'can_manage_gift_cards' permission = 'organizer.giftcards:read'
write_permission = 'can_manage_gift_cards' write_permission = 'organizer.giftcards:write'
filter_backends = (DjangoFilterBackend,) filter_backends = (DjangoFilterBackend,)
filterset_class = GiftCardFilter filterset_class = GiftCardFilter
@@ -344,8 +344,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet): class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
serializer_class = GiftCardTransactionSerializer serializer_class = GiftCardTransactionSerializer
queryset = GiftCardTransaction.objects.none() queryset = GiftCardTransaction.objects.none()
permission = 'can_manage_gift_cards' permission = 'organizer.giftcards:read'
write_permission = 'can_manage_gift_cards' write_permission = 'organizer.giftcards:write'
@cached_property @cached_property
def giftcard(self): def giftcard(self):
@@ -362,8 +362,8 @@ class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
class TeamViewSet(viewsets.ModelViewSet): class TeamViewSet(viewsets.ModelViewSet):
serializer_class = TeamSerializer serializer_class = TeamSerializer
queryset = Team.objects.none() queryset = Team.objects.none()
permission = 'can_change_teams' permission = 'organizer.teams:write'
write_permission = 'can_change_teams' write_permission = 'organizer.teams:write'
def get_queryset(self): def get_queryset(self):
return self.request.organizer.teams.order_by('pk') return self.request.organizer.teams.order_by('pk')
@@ -402,8 +402,8 @@ class TeamViewSet(viewsets.ModelViewSet):
class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet): class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = TeamMemberSerializer serializer_class = TeamMemberSerializer
queryset = User.objects.none() queryset = User.objects.none()
permission = 'can_change_teams' permission = 'organizer.teams:write'
write_permission = 'can_change_teams' write_permission = 'organizer.teams:write'
@cached_property @cached_property
def team(self): def team(self):
@@ -431,8 +431,8 @@ class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet): class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = TeamInviteSerializer serializer_class = TeamInviteSerializer
queryset = TeamInvite.objects.none() queryset = TeamInvite.objects.none()
permission = 'can_change_teams' permission = 'organizer.teams:write'
write_permission = 'can_change_teams' write_permission = 'organizer.teams:write'
@cached_property @cached_property
def team(self): def team(self):
@@ -468,8 +468,8 @@ class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyMo
class TeamAPITokenViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet): class TeamAPITokenViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
serializer_class = TeamAPITokenSerializer serializer_class = TeamAPITokenSerializer
queryset = TeamAPIToken.objects.none() queryset = TeamAPIToken.objects.none()
permission = 'can_change_teams' permission = 'organizer.teams:write'
write_permission = 'can_change_teams' write_permission = 'organizer.teams:write'
@cached_property @cached_property
def team(self): def team(self):
@@ -532,8 +532,8 @@ class DeviceViewSet(mixins.CreateModelMixin,
GenericViewSet): GenericViewSet):
serializer_class = DeviceSerializer serializer_class = DeviceSerializer
queryset = Device.objects.none() queryset = Device.objects.none()
permission = 'can_change_organizer_settings' permission = 'organizer.devices:read'
write_permission = 'can_change_organizer_settings' write_permission = 'organizer.devices:write'
lookup_field = 'device_id' lookup_field = 'device_id'
def get_queryset(self): def get_queryset(self):
@@ -542,6 +542,9 @@ class DeviceViewSet(mixins.CreateModelMixin,
def get_serializer_context(self): def get_serializer_context(self):
ctx = super().get_serializer_context() ctx = super().get_serializer_context()
ctx['organizer'] = self.request.organizer ctx['organizer'] = self.request.organizer
ctx['can_see_tokens'] = (
self.request.user if self.request.user and self.request.user.is_authenticated else self.request.auth
).has_organizer_permission(self.request.organizer, 'organizer.devices:write', request=self.request)
return ctx return ctx
@transaction.atomic() @transaction.atomic()
@@ -568,11 +571,11 @@ class DeviceViewSet(mixins.CreateModelMixin,
class OrganizerSettingsView(views.APIView): class OrganizerSettingsView(views.APIView):
permission = None permission = None
write_permission = 'can_change_organizer_settings' write_permission = 'organizer.settings.general:write'
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={ s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
'request': request 'request': request, 'permissions': request.orgapermset
}) })
if 'explain' in request.GET: if 'explain' in request.GET:
return Response({ return Response({
@@ -589,7 +592,7 @@ class OrganizerSettingsView(views.APIView):
s = OrganizerSettingsSerializer( s = OrganizerSettingsSerializer(
instance=request.organizer.settings, data=request.data, partial=True, instance=request.organizer.settings, data=request.data, partial=True,
organizer=request.organizer, context={ organizer=request.organizer, context={
'request': request 'request': request, 'permissions': request.orgapermset
} }
) )
s.is_valid(raise_exception=True) s.is_valid(raise_exception=True)
@@ -601,7 +604,7 @@ class OrganizerSettingsView(views.APIView):
} }
) )
s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={ s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
'request': request 'request': request, 'permissions': request.orgapermset
}) })
return Response(s.data) return Response(s.data)
@@ -618,7 +621,8 @@ with scopes_disabled():
class CustomerViewSet(viewsets.ModelViewSet): class CustomerViewSet(viewsets.ModelViewSet):
serializer_class = CustomerSerializer serializer_class = CustomerSerializer
queryset = Customer.objects.none() queryset = Customer.objects.none()
permission = 'can_manage_customers' permission = 'organizer.customers:read'
write_permission = 'organizer.customers:write'
lookup_field = 'identifier' lookup_field = 'identifier'
filter_backends = (DjangoFilterBackend,) filter_backends = (DjangoFilterBackend,)
filterset_class = CustomerFilter filterset_class = CustomerFilter
@@ -678,7 +682,7 @@ class CustomerViewSet(viewsets.ModelViewSet):
class MembershipTypeViewSet(viewsets.ModelViewSet): class MembershipTypeViewSet(viewsets.ModelViewSet):
serializer_class = MembershipTypeSerializer serializer_class = MembershipTypeSerializer
queryset = MembershipType.objects.none() queryset = MembershipType.objects.none()
permission = 'can_change_organizer_settings' permission = 'organizer.settings.general:write'
def get_queryset(self): def get_queryset(self):
qs = self.request.organizer.membership_types.all() qs = self.request.organizer.membership_types.all()
@@ -735,7 +739,8 @@ with scopes_disabled():
class MembershipViewSet(viewsets.ModelViewSet): class MembershipViewSet(viewsets.ModelViewSet):
serializer_class = MembershipSerializer serializer_class = MembershipSerializer
queryset = Membership.objects.none() queryset = Membership.objects.none()
permission = 'can_manage_customers' permission = 'organizer.customers:read'
write_permission = 'organizer.customers:write'
filter_backends = (DjangoFilterBackend,) filter_backends = (DjangoFilterBackend,)
filterset_class = MembershipFilter filterset_class = MembershipFilter
@@ -785,8 +790,8 @@ with scopes_disabled():
class SalesChannelViewSet(viewsets.ModelViewSet): class SalesChannelViewSet(viewsets.ModelViewSet):
serializer_class = SalesChannelSerializer serializer_class = SalesChannelSerializer
queryset = SalesChannel.objects.none() queryset = SalesChannel.objects.none()
permission = 'can_change_organizer_settings' permission = 'organizer.settings.general:write'
write_permission = 'can_change_organizer_settings' write_permission = 'organizer.settings.general:write'
filter_backends = (DjangoFilterBackend,) filter_backends = (DjangoFilterBackend,)
filterset_class = SalesChannelFilter filterset_class = SalesChannelFilter
lookup_field = 'identifier' lookup_field = 'identifier'

2
src/pretix/api/views/shredders.py
View File

@@ -204,7 +204,7 @@ class ShreddersMixin:
class EventShreddersViewSet(ShreddersMixin, viewsets.ViewSet): class EventShreddersViewSet(ShreddersMixin, viewsets.ViewSet):
permission = 'can_change_orders' permission = 'event.orders:write'
def get_serializer_kwargs(self): def get_serializer_kwargs(self):
return {} return {}

4
src/pretix/api/views/voucher.py
View File

@@ -62,8 +62,8 @@ class VoucherViewSet(viewsets.ModelViewSet):
ordering = ('id',) ordering = ('id',)
ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value') ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
filterset_class = VoucherFilter filterset_class = VoucherFilter
permission = 'can_view_vouchers' permission = 'event.vouchers:read'
write_permission = 'can_change_vouchers' write_permission = 'event.vouchers:write'
@scopes_disabled() # we have an event check here, and we can save some performance on subqueries @scopes_disabled() # we have an event check here, and we can save some performance on subqueries
def get_queryset(self): def get_queryset(self):

4
src/pretix/api/views/waitinglist.py
View File

@@ -51,8 +51,8 @@ class WaitingListViewSet(viewsets.ModelViewSet):
ordering = ('created', 'pk',) ordering = ('created', 'pk',)
ordering_fields = ('id', 'created', 'email', 'item') ordering_fields = ('id', 'created', 'email', 'item')
filterset_class = WaitingListFilter filterset_class = WaitingListFilter
permission = 'can_view_orders' permission = 'event.orders:read'
write_permission = 'can_change_orders' write_permission = 'event.orders:write'
def get_queryset(self): def get_queryset(self):
return self.request.event.waitinglistentries.all() return self.request.event.waitinglistentries.all()

4
src/pretix/api/views/webhooks.py
View File

@@ -35,8 +35,8 @@ class WebhookFilter(FilterSet):
class WebHookViewSet(viewsets.ModelViewSet): class WebHookViewSet(viewsets.ModelViewSet):
serializer_class = WebHookSerializer serializer_class = WebHookSerializer
queryset = WebHook.objects.none() queryset = WebHook.objects.none()
permission = 'can_change_organizer_settings' permission = 'organizer.settings.general:write'
write_permission = 'can_change_organizer_settings' write_permission = 'organizer.settings.general:write'
filter_backends = (DjangoFilterBackend,) filter_backends = (DjangoFilterBackend,)
filterset_class = WebhookFilter filterset_class = WebhookFilter

2
src/pretix/base/auth.py
View File

@@ -224,7 +224,7 @@ class HistoryPasswordValidator:
).delete() ).delete()
def has_event_access_permission(request, permission='can_change_event_settings'): def has_event_access_permission(request, permission='event.settings.general:write'):
return ( return (
request.user.is_authenticated and request.user.is_authenticated and
request.user.has_event_permission(request.organizer, request.event, permission, request=request) request.user.has_event_permission(request.organizer, request.event, permission, request=request)

28
src/pretix/base/exporter.py
View File

@@ -73,6 +73,9 @@ class BaseExporter:
self.events = Event.objects.filter(pk=event.pk) self.events = Event.objects.filter(pk=event.pk)
self.timezone = event.timezone self.timezone = event.timezone
if hasattr(self, 'organizer_required_permission'):
raise TypeError("Deprecated attribute organizer_required_permission no longer supported.")
def __str__(self): def __str__(self):
return self.identifier return self.identifier
@@ -176,15 +179,30 @@ class BaseExporter:
""" """
return True return True
@classmethod
def get_required_event_permission(cls) -> str:
"""
The permission level required to use this exporter for events. For multi-event-exports, this will be used
to limit the selection of events. Will be ignored if the ``OrganizerLevelExportMixin`` mixin is used.
The default implementation returns ``"event.orders:read"``.
"""
return 'event.orders:read'
class OrganizerLevelExportMixin: class OrganizerLevelExportMixin:
@property @classmethod
def organizer_required_permission(self) -> str: def get_required_event_permission(cls):
raise TypeError("required_event_permission may not be called on OrganizerLevelExportMixin")
@classmethod
def get_required_organizer_permission(cls) -> str:
""" """
The permission level required to use this exporter. Only useful for organizer-level exports, The permission level required to use this exporter. Must be set for organizer-level exports. Set to `None` to
not for event-level exports. allow everyone with any access to the organizer.
``get_required_event_permission`` will be ignored on this class.
""" """
return 'can_view_orders' raise NotImplementedError()
class ListExporter(BaseExporter): class ListExporter(BaseExporter):

5
src/pretix/base/exporters/customers.py
View File

@@ -47,10 +47,13 @@ from ..signals import register_multievent_data_exporters
class CustomerListExporter(OrganizerLevelExportMixin, ListExporter): class CustomerListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'customerlist' identifier = 'customerlist'
verbose_name = gettext_lazy('Customer accounts') verbose_name = gettext_lazy('Customer accounts')
organizer_required_permission = 'can_manage_customers'
category = pgettext_lazy('export_category', 'Customer accounts') category = pgettext_lazy('export_category', 'Customer accounts')
description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.') description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.')
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.customers:write'
@property @property
def additional_form_fields(self): def additional_form_fields(self):
return OrderedDict( return OrderedDict(

16
src/pretix/base/exporters/orderlist.py
View File

@@ -271,7 +271,7 @@ class OrderListExporter(MultiSheetListExporter):
qs = self._date_filter(qs, form_data, rel='') qs = self._date_filter(qs, form_data, rel='')
if form_data['paid_only']: if form_data.get('paid_only'):
qs = qs.filter(status=Order.STATUS_PAID) qs = qs.filter(status=Order.STATUS_PAID)
return qs return qs
@@ -458,7 +458,7 @@ class OrderListExporter(MultiSheetListExporter):
).annotate( ).annotate(
payment_providers=Subquery(p_providers, output_field=CharField()), payment_providers=Subquery(p_providers, output_field=CharField()),
).select_related('order', 'order__invoice_address', 'order__customer', 'tax_rule') ).select_related('order', 'order__invoice_address', 'order__customer', 'tax_rule')
if form_data['paid_only']: if form_data.get('paid_only'):
qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False) qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
if form_data.get('items'): if form_data.get('items'):
@@ -562,7 +562,7 @@ class OrderListExporter(MultiSheetListExporter):
qs = OrderPosition.all.filter( qs = OrderPosition.all.filter(
order__event__in=self.events, order__event__in=self.events,
) )
if form_data['paid_only']: if form_data.get('paid_only'):
qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False) qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
if form_data.get('items'): if form_data.get('items'):
@@ -1239,11 +1239,14 @@ class QuotaListExporter(ListExporter):
class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter): class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'giftcardtransactionlist' identifier = 'giftcardtransactionlist'
verbose_name = gettext_lazy('Gift card transactions') verbose_name = gettext_lazy('Gift card transactions')
organizer_required_permission = 'can_manage_gift_cards'
category = pgettext_lazy('export_category', 'Gift cards') category = pgettext_lazy('export_category', 'Gift cards')
description = gettext_lazy('Download a spreadsheet of all gift card transactions.') description = gettext_lazy('Download a spreadsheet of all gift card transactions.')
repeatable_read = False repeatable_read = False
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.giftcards:read'
@property @property
def additional_form_fields(self): def additional_form_fields(self):
d = [ d = [
@@ -1346,10 +1349,13 @@ class GiftcardRedemptionListExporter(ListExporter):
class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter): class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'giftcardlist' identifier = 'giftcardlist'
verbose_name = gettext_lazy('Gift cards') verbose_name = gettext_lazy('Gift cards')
organizer_required_permission = 'can_manage_gift_cards'
category = pgettext_lazy('export_category', 'Gift cards') category = pgettext_lazy('export_category', 'Gift cards')
description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.') description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.')
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.giftcards:read'
@property @property
def additional_form_fields(self): def additional_form_fields(self):
return OrderedDict( return OrderedDict(

4
src/pretix/base/exporters/reusablemedia.py
View File

@@ -36,6 +36,10 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
description = _('Download a spread sheet with the data of all reusable medias on your account.') description = _('Download a spread sheet with the data of all reusable medias on your account.')
repeatable_read = False repeatable_read = False
@classmethod
def get_required_organizer_permission(cls) -> str:
return "organizer.reusablemedia:read"
def iterate_list(self, form_data): def iterate_list(self, form_data):
media = ReusableMedium.objects.filter( media = ReusableMedium.objects.filter(
organizer=self.organizer, organizer=self.organizer,

137
src/pretix/base/migrations/0298_pluggable_permissions.py Normal file
View File

@@ -0,0 +1,137 @@
from django.db import migrations, models
from pretix.helpers.permission_migration import (
OLD_TO_NEW_EVENT_MIGRATION, OLD_TO_NEW_ORGANIZER_MIGRATION,
)
def migrate_teams_forward(apps, schema_editor):
Team = apps.get_model("pretixbase", "Team")
for team in Team.objects.iterator():
if all(getattr(team, k) for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
team.all_event_permissions = True
team.limit_event_permissions = {}
else:
team.all_event_permissions = False
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
if getattr(team, k):
team.limit_event_permissions.update({kk: True for kk in v})
# Prevent combinations that were possible previously but no longer make sense
if team.limit_event_permissions.get("event.orders:checkin") and team.limit_event_permissions.get("event.orders:write"):
team.limit_event_permissions.pop("event.orders:checkin")
if team.limit_event_permissions.get("event.orders:write") and not team.limit_event_permissions.get("event.orders:read"):
team.limit_event_permissions.pop("event.orders:write")
if team.limit_event_permissions.get("event.vouchers:write") and not team.limit_event_permissions.get("event.vouchers:read"):
team.limit_event_permissions.pop("event.vouchers:write")
if all(getattr(team, k) for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys()):
team.all_organizer_permissions = True
team.limit_organizer_permissions = {}
else:
team.all_organizer_permissions = False
for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
if getattr(team, k):
team.limit_organizer_permissions.update({kk: True for kk in v})
team.save(update_fields=[
"all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
])
def migrate_teams_backward(apps, schema_editor):
Team = apps.get_model("pretixbase", "Team")
for team in Team.objects.iterator():
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
setattr(team, k, team.all_event_permissions or all(team.limit_event_permissions.get(kk) for kk in v))
for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
setattr(team, k, team.all_organizer_permissions or all(team.limit_organizer_permissions.get(kk) for kk in v))
team.save()
class Migration(migrations.Migration):
dependencies = [
("pretixbase", "0297_outgoingmail"),
]
operations = [
migrations.AddField(
model_name="team",
name="all_event_permissions",
field=models.BooleanField(default=False),
),
migrations.AddField(
model_name="team",
name="all_organizer_permissions",
field=models.BooleanField(default=False),
),
migrations.AddField(
model_name="team",
name="limit_event_permissions",
field=models.JSONField(default=dict),
),
migrations.AddField(
model_name="team",
name="limit_organizer_permissions",
field=models.JSONField(default=dict),
),
migrations.RunPython(
migrate_teams_forward,
migrate_teams_backward,
),
migrations.RemoveField(
model_name="team",
name="can_change_event_settings",
),
migrations.RemoveField(
model_name="team",
name="can_change_items",
),
migrations.RemoveField(
model_name="team",
name="can_change_orders",
),
migrations.RemoveField(
model_name="team",
name="can_change_organizer_settings",
),
migrations.RemoveField(
model_name="team",
name="can_change_teams",
),
migrations.RemoveField(
model_name="team",
name="can_change_vouchers",
),
migrations.RemoveField(
model_name="team",
name="can_checkin_orders",
),
migrations.RemoveField(
model_name="team",
name="can_create_events",
),
migrations.RemoveField(
model_name="team",
name="can_manage_customers",
),
migrations.RemoveField(
model_name="team",
name="can_manage_gift_cards",
),
migrations.RemoveField(
model_name="team",
name="can_manage_reusable_media",
),
migrations.RemoveField(
model_name="team",
name="can_view_orders",
),
migrations.RemoveField(
model_name="team",
name="can_view_vouchers",
),
]

54
src/pretix/base/models/auth.py
View File

@@ -49,6 +49,7 @@ from django.core.exceptions import BadRequest, PermissionDenied
from django.db import IntegrityError, models, transaction from django.db import IntegrityError, models, transaction
from django.db.models import Q from django.db.models import Q
from django.utils.crypto import get_random_string, salted_hmac from django.utils.crypto import get_random_string, salted_hmac
from django.utils.functional import cached_property
from django.utils.timezone import now from django.utils.timezone import now
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from django_otp.models import Device from django_otp.models import Device
@@ -212,6 +213,28 @@ class SuperuserPermissionSet:
return True return True
class EventPermissionSet(set):
def __contains__(self, item):
from pretix.base.permissions import assert_valid_event_permission
if super().__contains__(item):
return True
assert_valid_event_permission(item, allow_tuple=False)
return False
class OrganizerPermissionSet(set):
def __contains__(self, item):
from pretix.base.permissions import assert_valid_organizer_permission
if super().__contains__(item):
return True
assert_valid_organizer_permission(item, allow_tuple=False)
return False
class User(AbstractBaseUser, PermissionsMixin, LoggingMixin): class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
""" """
This is the user model used by pretix for authentication. This is the user model used by pretix for authentication.
@@ -472,7 +495,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: set :return: set
""" """
teams = self._get_teams_for_event(organizer, event) teams = self._get_teams_for_event(organizer, event)
sets = [t.permission_set() for t in teams] sets = [t.event_permission_set() for t in teams]
if sets: if sets:
return set.union(*sets) return set.union(*sets)
else: else:
@@ -486,7 +509,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: set :return: set
""" """
teams = self._get_teams_for_organizer(organizer) teams = self._get_teams_for_organizer(organizer)
sets = [t.permission_set() for t in teams] sets = [t.organizer_permission_set() for t in teams]
if sets: if sets:
return set.union(*sets) return set.union(*sets)
else: else:
@@ -501,7 +524,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:param organizer: The organizer of the event :param organizer: The organizer of the event
:param event: The event to check :param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``event.orders:read``
:param request: The current request (optional) :param request: The current request (optional)
:param session_key: The current session key (optional) :param session_key: The current session key (optional)
:return: bool :return: bool
@@ -513,8 +536,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
if teams: if teams:
self._teamcache['e{}'.format(event.pk)] = teams self._teamcache['e{}'.format(event.pk)] = teams
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return any([any(team.has_permission(p) for team in teams) for p in perm_name]) return any([any(team.has_event_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_permission(perm_name) for team in teams]): if not perm_name or any([team.has_event_permission(perm_name) for team in teams]):
return True return True
return False return False
@@ -524,7 +547,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
to the organizer ``organizer``. to the organizer ``organizer``.
:param organizer: The organizer to check :param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``organizer.events:create``
:param request: The current request (optional). Required to detect staff sessions properly. :param request: The current request (optional). Required to detect staff sessions properly.
:return: bool :return: bool
""" """
@@ -533,8 +556,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
teams = self._get_teams_for_organizer(organizer) teams = self._get_teams_for_organizer(organizer)
if teams: if teams:
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return any([any(team.has_permission(p) for team in teams) for p in perm_name]) return any([any(team.has_organizer_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_permission(perm_name) for team in teams]): if not perm_name or any([team.has_organizer_permission(perm_name) for team in teams]):
return True return True
return False return False
@@ -565,14 +588,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: Iterable of Events :return: Iterable of Events
""" """
from .event import Event from .event import Event
from .organizer import TeamQuerySet
if request and self.has_active_staff_session(request.session.session_key): if request and self.has_active_staff_session(request.session.session_key):
return Event.objects.all() return Event.objects.all()
if isinstance(permission, (tuple, list)): if isinstance(permission, (tuple, list)):
q = reduce(operator.or_, [Q(**{p: True}) for p in permission]) q = reduce(operator.or_, [TeamQuerySet.event_permission_q(p) for p in permission])
else: else:
q = Q(**{permission: True}) q = TeamQuerySet.event_permission_q(permission)
return Event.objects.filter( return Event.objects.filter(
Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True)) Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True))
@@ -605,14 +629,13 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: Iterable of Organizers :return: Iterable of Organizers
""" """
from .event import Organizer from .event import Organizer
from .organizer import TeamQuerySet
if request and self.has_active_staff_session(request.session.session_key): if request and self.has_active_staff_session(request.session.session_key):
return Organizer.objects.all() return Organizer.objects.all()
kwargs = {permission: True}
return Organizer.objects.filter( return Organizer.objects.filter(
id__in=self.teams.filter(**kwargs).values_list('organizer', flat=True) id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
) )
def has_active_staff_session(self, session_key=None): def has_active_staff_session(self, session_key=None):
@@ -667,6 +690,11 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
self.session_token = generate_session_token() self.session_token = generate_session_token()
self.save(update_fields=['session_token']) self.save(update_fields=['session_token'])
@cached_property
@scopes_disabled()
def is_in_any_teams(self):
return self.teams.exists()
class UserKnownLoginSource(models.Model): class UserKnownLoginSource(models.Model):
user = models.ForeignKey('User', on_delete=models.CASCADE, related_name="known_login_sources") user = models.ForeignKey('User', on_delete=models.CASCADE, related_name="known_login_sources")

42
src/pretix/base/models/devices.py
View File

@@ -29,6 +29,9 @@ from django.utils.translation import gettext_lazy as _
from django_scopes import ScopedManager, scopes_disabled from django_scopes import ScopedManager, scopes_disabled
from pretix.base.models import LoggedModel from pretix.base.models import LoggedModel
from pretix.base.permissions import (
AnyPermissionOf, assert_valid_event_permission,
)
@scopes_disabled() @scopes_disabled()
@@ -189,13 +192,19 @@ class Device(LoggedModel):
kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields']) kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields'])
super().save(*args, **kwargs) super().save(*args, **kwargs)
def permission_set(self) -> set: def _event_permission_set(self) -> set:
return { return {
'can_view_orders', 'event.orders:read',
'can_change_orders', 'event.orders:write',
'can_view_vouchers', 'event.vouchers:read',
'can_manage_gift_cards', }
'can_manage_reusable_media',
def _organizer_permission_set(self) -> set:
return {
'organizer.giftcards:read',
'organizer.giftcards:write',
'organizer.reusablemedia:read',
'organizer.reusablemedia:write',
} }
def get_event_permission_set(self, organizer, event) -> set: def get_event_permission_set(self, organizer, event) -> set:
@@ -209,7 +218,7 @@ class Device(LoggedModel):
has_event_access = (self.all_events and organizer == self.organizer) or ( has_event_access = (self.all_events and organizer == self.organizer) or (
event in self.limit_events.all() event in self.limit_events.all()
) )
return self.permission_set() if has_event_access else set() return self._event_permission_set() if has_event_access else set()
def get_organizer_permission_set(self, organizer) -> set: def get_organizer_permission_set(self, organizer) -> set:
""" """
@@ -218,7 +227,7 @@ class Device(LoggedModel):
:param organizer: The organizer of the event :param organizer: The organizer of the event
:return: set of permissions :return: set of permissions
""" """
return self.permission_set() if self.organizer == organizer else set() return self._organizer_permission_set() if self.organizer == organizer else set()
def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool: def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
""" """
@@ -227,7 +236,7 @@ class Device(LoggedModel):
:param organizer: The organizer of the event :param organizer: The organizer of the event
:param event: The event to check :param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``event.orders:read``
:param request: This parameter is ignored and only defined for compatibility reasons. :param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool :return: bool
""" """
@@ -235,8 +244,8 @@ class Device(LoggedModel):
event in self.limit_events.all() event in self.limit_events.all()
) )
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return has_event_access and any(p in self.permission_set() for p in perm_name) return has_event_access and any(p in self._event_permission_set() for p in perm_name)
return has_event_access and (not perm_name or perm_name in self.permission_set()) return has_event_access and (not perm_name or perm_name in self._event_permission_set())
def has_organizer_permission(self, organizer, perm_name=None, request=None): def has_organizer_permission(self, organizer, perm_name=None, request=None):
""" """
@@ -244,13 +253,13 @@ class Device(LoggedModel):
to the organizer ``organizer``. to the organizer ``organizer``.
:param organizer: The organizer to check :param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``organizer.events:create``
:param request: This parameter is ignored and only defined for compatibility reasons. :param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool :return: bool
""" """
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return organizer == self.organizer and any(p in self.permission_set() for p in perm_name) return organizer == self.organizer and any(p in self._organizer_permission_set() for p in perm_name)
return organizer == self.organizer and (not perm_name or perm_name in self.permission_set()) return organizer == self.organizer and (not perm_name or perm_name in self._organizer_permission_set())
def get_events_with_any_permission(self): def get_events_with_any_permission(self):
""" """
@@ -270,9 +279,10 @@ class Device(LoggedModel):
:param request: Ignored, for compatibility with User model :param request: Ignored, for compatibility with User model
:return: Iterable of Events :return: Iterable of Events
""" """
assert_valid_event_permission(permission)
if ( if (
isinstance(permission, (list, tuple)) and any(p in self.permission_set() for p in permission) isinstance(permission, (AnyPermissionOf, list, tuple)) and any(p in self._event_permission_set() for p in permission)
) or (isinstance(permission, str) and permission in self.permission_set()): ) or (isinstance(permission, str) and permission in self._event_permission_set()):
return self.get_events_with_any_permission() return self.get_events_with_any_permission()
else: else:
return self.organizer.events.none() return self.organizer.events.none()

34
src/pretix/base/models/event.py
View File

@@ -843,6 +843,33 @@ class Event(EventMixin, LoggedModel):
time(hour=23, minute=59, second=59) time(hour=23, minute=59, second=59)
), tz) ), tz)
def allow_copy_data(self, new_organizer, auth) -> bool:
"""
Returns whether it is allowed to copy the event to the target organizer. Auth can be TeamAPIToken or User.
"""
from ..permissions import get_all_event_permissions
from .auth import User
if self.organizer == new_organizer:
# Copying in the same organizer is always okay with any read access, we just need to ensure it does not
# grant more permissions than I had before, but that is handled by the view logic
return auth.has_event_permission(self.organizer, self, None)
if isinstance(auth, User):
# Cross-organizer copying requires almost full permission of source to prevent settings extraction
required_permissions = get_all_event_permissions() - {
# We do not require these, as this data is not copied
"event.orders:read", "event.orders:write", "event.vouchers:read", "event.vouchers:write",
"event.subevents:write",
}
given_permission = auth.get_event_permission_set(self.organizer, self)
return all(p in given_permission for p in required_permissions if ":" in p)
else:
# Tokens or devices can never copy between organizers, as they are organizer-bound. Kept for future
# compatibility and easier calling
return False
def copy_data_from(self, other, skip_meta_data=False): def copy_data_from(self, other, skip_meta_data=False):
from ..signals import event_copy_data from ..signals import event_copy_data
from . import ( from . import (
@@ -1386,14 +1413,13 @@ class Event(EventMixin, LoggedModel):
from .auth import User from .auth import User
if permission: if permission:
kwargs = {permission: True} qs = Team.objects.with_event_permission(permission)
else: else:
kwargs = {} qs = Team.objects.all()
team_with_perm = Team.objects.filter( team_with_perm = qs.filter(
members__pk=OuterRef('pk'), members__pk=OuterRef('pk'),
organizer=self.organizer, organizer=self.organizer,
**kwargs
).filter( ).filter(
Q(all_events=True) | Q(limit_events__pk=self.pk) Q(all_events=True) | Q(limit_events__pk=self.pk)
) )

244
src/pretix/base/models/organizer.py
View File

@@ -31,9 +31,10 @@
# Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is # Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License. # License for the specific language governing permissions and limitations under the License.
import operator
import string import string
from datetime import date, datetime, time from datetime import date, datetime, time
from functools import reduce
import pytz_deprecation_shim import pytz_deprecation_shim
from django.conf import settings from django.conf import settings
@@ -53,6 +54,10 @@ from i18nfield.strings import LazyI18nString
from pretix.base.models.base import LoggedModel from pretix.base.models.base import LoggedModel
from pretix.base.validators import OrganizerSlugBanlistValidator from pretix.base.validators import OrganizerSlugBanlistValidator
from ...helpers.permission_migration import (
OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_ORGANIZER_COMPAT,
LegacyPermissionProperty,
)
from ..settings import settings_hierarkey from ..settings import settings_hierarkey
from .auth import User from .auth import User
@@ -309,6 +314,38 @@ def generate_api_token():
return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits) return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
class TeamQuerySet(models.QuerySet):
@classmethod
def event_permission_q(cls, perm_name):
from ..permissions import assert_valid_event_permission
if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT: # legacy
return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
assert_valid_event_permission(perm_name, allow_legacy=False)
return (
Q(all_event_permissions=True) |
Q(**{f'limit_event_permissions__{perm_name}': True})
)
@classmethod
def organizer_permission_q(cls, perm_name):
from ..permissions import assert_valid_organizer_permission
if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT: # legacy
return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
assert_valid_organizer_permission(perm_name, allow_legacy=False)
return (
Q(all_organizer_permissions=True) |
Q(**{f'limit_organizer_permissions__{perm_name}': True})
)
def with_event_permission(self, perm_name):
return self.filter(self.event_permission_q(perm_name))
def with_organizer_permission(self, perm_name):
return self.filter(self.organizer_permission_q(perm_name))
class Team(LoggedModel): class Team(LoggedModel):
""" """
A team is a collection of people given certain access rights to one or more events of an organizer. A team is a collection of people given certain access rights to one or more events of an organizer.
@@ -321,36 +358,10 @@ class Team(LoggedModel):
:param all_events: Whether this team has access to all events of this organizer :param all_events: Whether this team has access to all events of this organizer
:type all_events: bool :type all_events: bool
:param limit_events: A set of events this team has access to. Irrelevant if ``all_events`` is ``True``. :param limit_events: A set of events this team has access to. Irrelevant if ``all_events`` is ``True``.
:param can_create_events: Whether or not the members can create new events with this organizer account.
:type can_create_events: bool
:param can_change_teams: If ``True``, the members can change the teams of this organizer account.
:type can_change_teams: bool
:param can_manage_customers: If ``True``, the members can view and change organizer-level customer accounts.
:type can_manage_customers: bool
:param can_manage_reusable_media: If ``True``, the members can view and change organizer-level reusable media.
:type can_manage_reusable_media: bool
:param can_change_organizer_settings: If ``True``, the members can change the settings of this organizer account.
:type can_change_organizer_settings: bool
:param can_change_event_settings: If ``True``, the members can change the settings of the associated events.
:type can_change_event_settings: bool
:param can_change_items: If ``True``, the members can change and add items and related objects for the associated events.
:type can_change_items: bool
:param can_view_orders: If ``True``, the members can inspect details of all orders of the associated events.
:type can_view_orders: bool
:param can_change_orders: If ``True``, the members can change details of orders of the associated events.
:type can_change_orders: bool
:param can_checkin_orders: If ``True``, the members can perform check-in related actions.
:type can_checkin_orders: bool
:param can_view_vouchers: If ``True``, the members can inspect details of all vouchers of the associated events.
:type can_view_vouchers: bool
:param can_change_vouchers: If ``True``, the members can change and create vouchers for the associated events.
:type can_change_vouchers: bool
""" """
organizer = models.ForeignKey(Organizer, related_name="teams", on_delete=models.CASCADE) organizer = models.ForeignKey(Organizer, related_name="teams", on_delete=models.CASCADE)
name = models.CharField(max_length=190, verbose_name=_("Team name")) name = models.CharField(max_length=190, verbose_name=_("Team name"))
members = models.ManyToManyField(User, related_name="teams", verbose_name=_("Team members")) members = models.ManyToManyField(User, related_name="teams", verbose_name=_("Team members"))
all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
require_2fa = models.BooleanField( require_2fa = models.BooleanField(
default=False, verbose_name=_("Require all members of this team to use two-factor authentication"), default=False, verbose_name=_("Require all members of this team to use two-factor authentication"),
help_text=_("If you turn this on, all members of the team will be required to either set up two-factor " help_text=_("If you turn this on, all members of the team will be required to either set up two-factor "
@@ -358,62 +369,33 @@ class Team(LoggedModel):
"all users.") "all users.")
) )
can_create_events = models.BooleanField( # Scope
default=False, all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
verbose_name=_("Can create events"), limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
)
can_change_teams = models.BooleanField( # Permissions
default=False, # We store them as {key: True} instead of [key] because otherwise not all lookups we need are supported on SQLite
verbose_name=_("Can change teams and permissions"), all_event_permissions = models.BooleanField(default=False, verbose_name=_("All event permissions"))
) limit_event_permissions = models.JSONField(default=dict, verbose_name=_("Event permissions"))
can_change_organizer_settings = models.BooleanField( all_organizer_permissions = models.BooleanField(default=False, verbose_name=_("All organizer permissions"))
default=False, limit_organizer_permissions = models.JSONField(default=dict, verbose_name=_("Organizer permissions"))
verbose_name=_("Can change organizer settings"),
help_text=_('Someone with this setting can get access to most data of all of your events, i.e. via privacy ' # Legacy lookups for plugin compatibility
'reports, so be careful who you add to this team!') can_change_event_settings = LegacyPermissionProperty()
) can_change_items = LegacyPermissionProperty()
can_manage_customers = models.BooleanField( can_view_orders = LegacyPermissionProperty()
default=False, can_change_orders = LegacyPermissionProperty()
verbose_name=_("Can manage customer accounts") can_checkin_orders = LegacyPermissionProperty()
) can_view_vouchers = LegacyPermissionProperty()
can_manage_reusable_media = models.BooleanField( can_change_vouchers = LegacyPermissionProperty()
default=False, can_create_events = LegacyPermissionProperty()
verbose_name=_("Can manage reusable media") can_change_organizer_settings = LegacyPermissionProperty()
) can_change_teams = LegacyPermissionProperty()
can_manage_gift_cards = models.BooleanField( can_manage_gift_cards = LegacyPermissionProperty()
default=False, can_manage_customers = LegacyPermissionProperty()
verbose_name=_("Can manage gift cards") can_manage_reusable_media = LegacyPermissionProperty()
)
can_change_event_settings = models.BooleanField( objects = TeamQuerySet.as_manager()
default=False,
verbose_name=_("Can change event settings")
)
can_change_items = models.BooleanField(
default=False,
verbose_name=_("Can change product settings")
)
can_view_orders = models.BooleanField(
default=False,
verbose_name=_("Can view orders")
)
can_change_orders = models.BooleanField(
default=False,
verbose_name=_("Can change orders")
)
can_checkin_orders = models.BooleanField(
default=False,
verbose_name=_("Can perform check-ins"),
help_text=_('This includes searching for attendees, which can be used to obtain personal information about '
'attendees. Users with "can change orders" can also perform check-ins.')
)
can_view_vouchers = models.BooleanField(
default=False,
verbose_name=_("Can view vouchers")
)
can_change_vouchers = models.BooleanField(
default=False,
verbose_name=_("Can change vouchers")
)
def __str__(self) -> str: def __str__(self) -> str:
return _("%(name)s on %(object)s") % { return _("%(name)s on %(object)s") % {
@@ -421,21 +403,62 @@ class Team(LoggedModel):
'object': str(self.organizer), 'object': str(self.organizer),
} }
def permission_set(self) -> set: def event_permission_set(self, include_legacy=True) -> set:
attribs = dir(self) from ..permissions import get_all_event_permission_groups
return {
a for a in attribs if a.startswith('can_') and self.has_permission(a) result = set()
} for pg in get_all_event_permission_groups().values():
for action in pg.actions:
if self.all_event_permissions or self.limit_event_permissions.get(f"{pg.name}:{action}"):
result.add(f"{pg.name}:{action}")
if include_legacy:
# Add legacy permissions as well for plugin compatibility
for k, v in OLD_TO_NEW_EVENT_COMPAT.items():
if self.all_event_permissions or all(self.limit_event_permissions.get(kk) for kk in v):
result.add(k)
if "can_change_event_settings" in result:
result.add("can_change_settings")
return result
def organizer_permission_set(self, include_legacy=True) -> set:
from ..permissions import get_all_organizer_permission_groups
result = set()
for pg in get_all_organizer_permission_groups().values():
for action in pg.actions:
if self.all_organizer_permissions or self.limit_organizer_permissions.get(f"{pg.name}:{action}"):
result.add(f"{pg.name}:{action}")
if include_legacy:
# Add legacy permissions as well for plugin compatibility
for k, v in OLD_TO_NEW_ORGANIZER_COMPAT.items():
if self.all_organizer_permissions or all(self.limit_organizer_permissions.get(kk) for kk in v):
result.add(k)
return result
@property @property
def can_change_settings(self): # Legacy compatiblilty def can_change_settings(self): # Legacy compatibility
return self.can_change_event_settings return self.can_change_event_settings
def has_permission(self, perm_name): def has_event_permission(self, perm_name):
try: from ..permissions import assert_valid_event_permission
if perm_name.startswith('can_') and hasattr(self, perm_name): # legacy
return getattr(self, perm_name) return getattr(self, perm_name)
except AttributeError: assert_valid_event_permission(perm_name, allow_legacy=False)
raise ValueError('Invalid required permission: %s' % perm_name) return self.all_event_permissions or self.limit_event_permissions.get(perm_name, False)
def has_organizer_permission(self, perm_name):
from ..permissions import assert_valid_organizer_permission
if perm_name.startswith('can_') and hasattr(self, perm_name): # legacy
return getattr(self, perm_name)
assert_valid_organizer_permission(perm_name, allow_legacy=False)
return self.all_organizer_permissions or self.limit_organizer_permissions.get(perm_name, False)
def permission_for_event(self, event): def permission_for_event(self, event):
if self.all_events: if self.all_events:
@@ -447,6 +470,19 @@ class Team(LoggedModel):
def active_tokens(self): def active_tokens(self):
return self.tokens.filter(active=True) return self.tokens.filter(active=True)
def save(self, **kwargs):
if not isinstance(self.limit_event_permissions, dict):
raise TypeError("Permissions must be a dictionary")
if not isinstance(self.limit_organizer_permissions, dict):
raise TypeError("Permissions must be a dictionary")
for k in self.limit_event_permissions.values():
if k is not True:
raise TypeError("Permissions must only contain True values")
for k in self.limit_organizer_permissions.values():
if k is not True:
raise TypeError("Permissions must only contain True values")
return super().save(**kwargs)
class Meta: class Meta:
verbose_name = _("Team") verbose_name = _("Team")
verbose_name_plural = _("Teams") verbose_name_plural = _("Teams")
@@ -503,7 +539,7 @@ class TeamAPIToken(models.Model):
has_event_access = (self.team.all_events and organizer == self.team.organizer) or ( has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
event in self.team.limit_events.all() event in self.team.limit_events.all()
) )
return self.team.permission_set() if has_event_access else set() return self.team.event_permission_set() if has_event_access else set()
def get_organizer_permission_set(self, organizer) -> set: def get_organizer_permission_set(self, organizer) -> set:
""" """
@@ -512,7 +548,7 @@ class TeamAPIToken(models.Model):
:param organizer: The organizer of the event :param organizer: The organizer of the event
:return: set of permissions :return: set of permissions
""" """
return self.team.permission_set() if self.team.organizer == organizer else set() return self.team.organizer_permission_set() if self.team.organizer == organizer else set()
def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool: def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
""" """
@@ -521,7 +557,7 @@ class TeamAPIToken(models.Model):
:param organizer: The organizer of the event :param organizer: The organizer of the event
:param event: The event to check :param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``event.orders:read``
:param request: This parameter is ignored and only defined for compatibility reasons. :param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool :return: bool
""" """
@@ -529,8 +565,8 @@ class TeamAPIToken(models.Model):
event in self.team.limit_events.all() event in self.team.limit_events.all()
) )
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return has_event_access and any(self.team.has_permission(p) for p in perm_name) return has_event_access and any(self.team.has_event_permission(p) for p in perm_name)
return has_event_access and (not perm_name or self.team.has_permission(perm_name)) return has_event_access and (not perm_name or self.team.has_event_permission(perm_name))
def has_organizer_permission(self, organizer, perm_name=None, request=None): def has_organizer_permission(self, organizer, perm_name=None, request=None):
""" """
@@ -538,13 +574,13 @@ class TeamAPIToken(models.Model):
to the organizer ``organizer``. to the organizer ``organizer``.
:param organizer: The organizer to check :param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams`` :param perm_name: The permission, e.g. ``organizer.events:create``
:param request: This parameter is ignored and only defined for compatibility reasons. :param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool :return: bool
""" """
if isinstance(perm_name, (tuple, list)): if isinstance(perm_name, (tuple, list)):
return organizer == self.team.organizer and any(self.team.has_permission(p) for p in perm_name) return organizer == self.team.organizer and any(self.team.has_organizer_permission(p) for p in perm_name)
return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name)) return organizer == self.team.organizer and (not perm_name or self.team.has_organizer_permission(perm_name))
def get_events_with_any_permission(self): def get_events_with_any_permission(self):
""" """
@@ -564,9 +600,11 @@ class TeamAPIToken(models.Model):
:param request: Ignored, for compatibility with User model :param request: Ignored, for compatibility with User model
:return: Iterable of Events :return: Iterable of Events
""" """
from pretix.base.permissions import AnyPermissionOf
if ( if (
isinstance(permission, (list, tuple)) and any(getattr(self.team, p, False) for p in permission) isinstance(permission, (AnyPermissionOf, list, tuple)) and any(self.team.has_event_permission(p) for p in permission)
) or (isinstance(permission, str) and getattr(self.team, permission, False)): ) or (isinstance(permission, str) and self.team.has_event_permission(permission)):
return self.get_events_with_any_permission() return self.get_events_with_any_permission()
else: else:
return self.team.organizer.events.none() return self.team.organizer.events.none()

2
src/pretix/base/notifications.py
View File

@@ -151,7 +151,7 @@ def get_all_notification_types(event=None):
class ParametrizedOrderNotificationType(NotificationType): class ParametrizedOrderNotificationType(NotificationType):
required_permission = "can_view_orders" required_permission = "event.orders:read"
def __init__(self, event, action_type, verbose_name, title): def __init__(self, event, action_type, verbose_name, title):
self._action_type = action_type self._action_type = action_type

32
src/pretix/base/payment.py
View File

@@ -1526,16 +1526,26 @@ class GiftCardPayment(BasePaymentProvider):
def payment_control_render(self, request, payment) -> str: def payment_control_render(self, request, payment) -> str:
from .models import GiftCard from .models import GiftCard
if 'gift_card' in payment.info_data: if any(key in payment.info_data for key in ('gift_card', 'error')):
gc = GiftCard.objects.get(pk=payment.info_data.get('gift_card'))
template = get_template('pretixcontrol/giftcards/payment.html') template = get_template('pretixcontrol/giftcards/payment.html')
ctx = { ctx = {
'request': request, 'request': request,
'event': self.event, 'event': self.event,
'gc': gc, **({'error': payment.info_data[
'error']} if 'error' in payment.info_data else {}),
**({'gift_card_secret': payment.info_data[
'gift_card_secret']} if 'gift_card_secret' in payment.info_data else {})
} }
return template.render(ctx)
try:
gc = GiftCard.objects.get(pk=payment.info_data.get('gift_card'))
ctx = {
'gc': gc,
}
except GiftCard.DoesNotExist:
pass
finally:
return template.render(ctx)
def payment_control_render_short(self, payment: OrderPayment) -> str: def payment_control_render_short(self, payment: OrderPayment) -> str:
d = payment.info_data d = payment.info_data
@@ -1550,12 +1560,16 @@ class GiftCardPayment(BasePaymentProvider):
try: try:
gc = GiftCard.objects.get(pk=payment.info_data.get('gift_card')) gc = GiftCard.objects.get(pk=payment.info_data.get('gift_card'))
except GiftCard.DoesNotExist: except GiftCard.DoesNotExist:
return {} return {
**({'error': payment.info_data[
'error']} if 'error' in payment.info_data else {})
}
return { return {
'gift_card': { 'gift_card': {
'id': gc.pk, 'id': gc.pk,
'secret': gc.secret, 'secret': gc.secret,
'organizer': gc.issuer.slug 'organizer': gc.issuer.slug,
** ({'error': payment.info_data['error']} if 'error' in payment.info_data else {})
} }
} }
@@ -1627,6 +1641,8 @@ class GiftCardPayment(BasePaymentProvider):
raise PaymentException(_("This gift card does not support this currency.")) raise PaymentException(_("This gift card does not support this currency."))
if not gc.accepted_by(self.event.organizer): if not gc.accepted_by(self.event.organizer):
raise PaymentException(_("This gift card is not accepted by this event organizer.")) raise PaymentException(_("This gift card is not accepted by this event organizer."))
if gc.value <= Decimal("0.00"):
raise PaymentException(_("All credit on this gift card has been used."))
if payment.amount > gc.value: if payment.amount > gc.value:
raise PaymentException(_("This gift card was used in the meantime. Please try again.")) raise PaymentException(_("This gift card was used in the meantime. Please try again."))
if gc.testmode and not payment.order.testmode: if gc.testmode and not payment.order.testmode:
@@ -1656,7 +1672,7 @@ class GiftCardPayment(BasePaymentProvider):
} }
) )
except PaymentException as e: except PaymentException as e:
payment.fail(info={'error': str(e)}) payment.fail(info={**payment.info_data, 'error': str(e)}, send_mail=not is_early_special_case)
raise e raise e
def payment_is_valid_session(self, request: HttpRequest) -> bool: def payment_is_valid_session(self, request: HttpRequest) -> bool:

334
src/pretix/base/permissions.py Normal file
View File

@@ -0,0 +1,334 @@
#
# This file is part of pretix (Community Edition).
#
# Copyright (C) 2014-2020 Raphael Michel and contributors
# Copyright (C) 2020-today pretix GmbH and contributors
#
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation in version 3 of the License.
#
# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
# this file, see <https://pretix.eu/about/en/license>.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import functools
import logging
import warnings
from collections import OrderedDict
from typing import Callable, Dict, List, NamedTuple, Set, Tuple
from django.apps import apps
from django.dispatch import receiver
from django.utils.functional import Promise
from django.utils.translation import gettext_lazy as _, pgettext_lazy
from pretix.base.signals import (
register_event_permission_groups, register_organizer_permission_groups,
)
logger = logging.getLogger(__name__)
def cache_until_change(input_value: Callable):
def decorator(func):
old_input_value = None
cached_result = None
@functools.wraps(func)
def wrapper():
nonlocal cached_result, old_input_value
if cached_result is None or old_input_value != input_value():
cached_result = func()
old_input_value = input_value()
return cached_result
return wrapper
return decorator
class PermissionOption(NamedTuple):
actions: Tuple[str, ...]
label: str | Promise
help_text: str | Promise = None
class PermissionGroup(NamedTuple):
name: str
label: str | Promise
actions: List[str]
options: List[PermissionOption]
help_text: str | Promise = None
@cache_until_change(input_value=lambda: apps.ready)
def get_all_event_permission_groups() -> Dict[str, PermissionGroup]:
types = OrderedDict()
for recv, ret in register_event_permission_groups.send(None):
if isinstance(ret, (list, tuple)):
for r in ret:
types[r.name] = r
else:
types[ret.name] = ret
return types
@cache_until_change(input_value=lambda: apps.ready)
def get_all_organizer_permission_groups() -> Dict[str, PermissionGroup]:
types = OrderedDict()
for recv, ret in register_organizer_permission_groups.send(None):
if isinstance(ret, (list, tuple)):
for r in ret:
types[r.name] = r
else:
types[ret.name] = ret
return types
@cache_until_change(input_value=lambda: apps.ready)
def get_all_event_permissions() -> Set[str]:
from pretix.helpers.permission_migration import OLD_TO_NEW_EVENT_COMPAT
res = set(OLD_TO_NEW_EVENT_COMPAT.keys())
for pg in get_all_event_permission_groups().values():
for a in pg.actions:
res.add(f"{pg.name}:{a}")
return res
@cache_until_change(input_value=lambda: apps.ready)
def get_all_organizer_permissions() -> Set[str]:
from pretix.helpers.permission_migration import OLD_TO_NEW_ORGANIZER_COMPAT
res = set(OLD_TO_NEW_ORGANIZER_COMPAT.keys())
for pg in get_all_organizer_permission_groups().values():
for a in pg.actions:
res.add(f"{pg.name}:{a}")
return res
def assert_valid_event_permission(permission, allow_legacy=True, allow_tuple=True):
if not apps.ready:
# can't really check yet
return
if allow_legacy and permission == "can_change_settings":
permission = "can_change_event_settings"
if permission is None:
return
if isinstance(permission, (AnyPermissionOf, list, tuple)) and allow_tuple:
for p in permission:
assert_valid_event_permission(p)
return
if not allow_legacy and ':' not in permission:
raise ValueError(f"Not allowed to use legacy permission '{permission}'")
all_permissions = get_all_event_permissions()
if permission not in all_permissions:
# Warning *and* exception because warning is silently caught when used in if statements in Django templates
warnings.warn(f"Use of undefined permission '{permission}'")
raise Exception(f"Undefined permission '{permission}'")
def assert_valid_organizer_permission(permission, allow_legacy=True, allow_tuple=True):
if not apps.ready:
# can't really check yet
return
if permission is None:
return
if isinstance(permission, (AnyPermissionOf, list, tuple)) and allow_tuple:
for p in permission:
assert_valid_organizer_permission(p)
return
if not allow_legacy and ':' not in permission:
raise ValueError(f"Not allowed to use legacy permission '{permission}'")
all_permissions = get_all_organizer_permissions()
if permission not in all_permissions:
# Warning *and* exception because warning is silently caught when used in if statements in Django templates
warnings.warn(f"Use of undefined permission '{permission}'")
raise Exception(f"Undefined permission '{permission}'")
class AnyPermissionOf(list):
def __init__(self, *items):
super().__init__(items)
OPTS_ALL_READ = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_ALL_READ_SETTINGS_API = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
help_text=_("API only")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_ALL_READ_SETTINGS_PARENT = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
help_text=_("Menu item will only show up if the user has permission for general settings.")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_READ_WRITE = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change")),
]
@receiver(register_event_permission_groups, dispatch_uid="base_register_default_event_permissions")
def register_default_event_permissions(sender, **kwargs):
return [
PermissionGroup(
name="event.settings.general",
label=_("General settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_API,
help_text=_(
"This includes access to all settings not listed explicitly below, including plugin settings."
),
),
PermissionGroup(
name="event.settings.payment",
label=_("Payment settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.settings.tax",
label=_("Tax settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.settings.invoicing",
label=_("Invoicing settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.subevents",
label=_("Event series dates"),
actions=["write"],
options=OPTS_ALL_READ,
),
PermissionGroup(
name="event.items",
label=_("Products, quotas and questions"),
actions=["write"],
options=OPTS_ALL_READ,
help_text=_("Also includes related objects like categories or discounts."),
),
PermissionGroup(
name="event.orders",
label=_("Orders"),
actions=["read", "write", "checkin"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("checkin",), label=pgettext_lazy("permission_level", "Only check-in")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View all")),
PermissionOption(actions=("read", "checkin"), label=pgettext_lazy("permission_level", "View all and check-in")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View all and change"),
help_text=_("Includes the ability to cancel and refund individual orders.")),
],
help_text=_("Also includes related objects like the waiting list."),
),
PermissionGroup(
name="event.vouchers",
label=_("Vouchers"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="event",
label=_("Full event or date cancellation"),
actions=["cancel"],
options=[
# If we ever add more actions, we need a new UI idea here
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Not allowed")),
PermissionOption(actions=("cancel",), label=pgettext_lazy("permission_level", "Allowed")),
],
help_text="",
),
]
@receiver(register_organizer_permission_groups, dispatch_uid="base_register_default_organizer_permissions")
def register_default_organizer_permissions(sender, **kwargs):
return [
PermissionGroup(
name="organizer.events",
label=_("Events"),
actions=["create"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Access existing events")),
PermissionOption(actions=("create",), label=pgettext_lazy("permission_level", "Access existing and create new events")),
],
help_text=_("The level of access to events is determined in detail by the settings below."),
),
PermissionGroup(
name="organizer.settings.general",
label=_("Settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_API,
help_text=_("This includes access to all organizer-level functionality not listed explicitly below, including plugin settings."),
),
PermissionGroup(
name="organizer.teams",
label=_("Teams"),
actions=["write"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change"),
help_text=_("Includes the ability to give someone (including oneself) additional permissions.")),
],
),
PermissionGroup(
name="organizer.giftcards",
label=_("Gift cards"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.customers",
label=_("Customers"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.reusablemedia",
label=_("Reusable media"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.devices",
label=_("Devices"),
actions=["read", "write"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change"),
help_text=_("Includes the ability to give access to events and data oneself does not have access to.")),
],
),
PermissionGroup(
name="organizer.seatingplans",
label=_("Seating plans"),
actions=["write"],
options=OPTS_ALL_READ,
),
PermissionGroup(
name="organizer.outgoingmails",
label=_("Outgoing emails"),
actions=["read"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
],
),
]

299
src/pretix/base/services/export.py
View File

@@ -34,7 +34,7 @@ from django_scopes import scopes_disabled
from i18nfield.strings import LazyI18nString from i18nfield.strings import LazyI18nString
from pretix.base.email import get_email_context from pretix.base.email import get_email_context
from pretix.base.exporter import OrganizerLevelExportMixin from pretix.base.exporter import BaseExporter, OrganizerLevelExportMixin
from pretix.base.i18n import LazyLocaleException, language from pretix.base.i18n import LazyLocaleException, language
from pretix.base.models import ( from pretix.base.models import (
CachedFile, Device, Event, Organizer, ScheduledEventExport, TeamAPIToken, CachedFile, Device, Event, Organizer, ScheduledEventExport, TeamAPIToken,
@@ -64,7 +64,15 @@ class ExportEmptyError(ExportError):
@app.task(base=ProfiledEventTask, throws=(ExportError, ExportEmptyError), bind=True) @app.task(base=ProfiledEventTask, throws=(ExportError, ExportEmptyError), bind=True)
def export(self, event: Event, fileid: str, provider: str, form_data: Dict[str, Any]) -> None: def export(self, event: Event, user: User, device: int, token: int, fileid: str, provider: str,
form_data: Dict[str, Any], staff_session=False) -> None:
if user:
user = User.objects.get(pk=user)
if device:
device = Device.objects.get(pk=device)
if token:
device = TeamAPIToken.objects.get(pk=token)
def set_progress(val): def set_progress(val):
if not self.request.called_directly: if not self.request.called_directly:
self.update_state( self.update_state(
@@ -72,30 +80,38 @@ def export(self, event: Event, fileid: str, provider: str, form_data: Dict[str,
meta={'value': val} meta={'value': val}
) )
ex = init_event_exporter(
identifier=provider,
event=event,
user=user,
token=token,
device=device,
staff_session=staff_session,
progress_callback=set_progress,
)
if not ex:
raise ExportError(
gettext('Export not found or you do not have sufficient permission to perform this export.')
)
file = CachedFile.objects.get(id=fileid) file = CachedFile.objects.get(id=fileid)
with language(event.settings.locale, event.settings.region), override(event.settings.timezone): with language(event.settings.locale, event.settings.region), override(event.settings.timezone):
responses = register_data_exporters.send(event) if ex.repeatable_read:
for recv, response in responses: with repeatable_reads_transaction():
if not response: d = ex.render(form_data)
continue else:
ex = response(event, event.organizer, set_progress) d = ex.render(form_data)
if ex.identifier == provider:
if ex.repeatable_read:
with repeatable_reads_transaction():
d = ex.render(form_data)
else:
d = ex.render(form_data)
if d is None: if d is None:
raise ExportError( raise ExportError(
gettext('Your export did not contain any data.') gettext('Your export did not contain any data.')
) )
file.filename, file.type, data = d file.filename, file.type, data = d
close_old_connections() # This task can run very long, we might need a new DB connection close_old_connections() # This task can run very long, we might need a new DB connection
f = ContentFile(data) f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f) file.file.save(cachedfile_name(file, file.filename), f)
return str(file.pk) return str(file.pk)
@@ -105,10 +121,7 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
if device: if device:
device = Device.objects.get(pk=device) device = Device.objects.get(pk=device)
if token: if token:
device = TeamAPIToken.objects.get(pk=token) token = TeamAPIToken.objects.get(pk=token)
allowed_events = (device or token or user).get_events_with_permission('can_view_orders')
if user and staff_session:
allowed_events = organizer.events.all()
def set_progress(val): def set_progress(val):
if not self.request.called_directly: if not self.request.called_directly:
@@ -118,12 +131,35 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
) )
file = CachedFile.objects.get(id=fileid) file = CachedFile.objects.get(id=fileid)
event_qs = organizer.events.all()
if form_data.get('events') is not None and not form_data.get('all_events'):
if form_data['events'] and isinstance(form_data['events'][0], str): # legacy API-created schedules
event_qs = event_qs.filter(slug__in=form_data.get('events'))
else:
event_qs = event_qs.filter(pk__in=form_data.get('events'))
ex = init_organizer_exporter(
identifier=provider,
organizer=organizer,
user=user,
token=token,
device=device,
staff_session=staff_session,
progress_callback=set_progress,
event_qs=event_qs,
)
if not ex:
raise ExportError(
gettext('Export not found or you do not have sufficient permission to perform this export.')
)
if user: if user:
locale = user.locale locale = user.locale
timezone = user.timezone timezone = user.timezone
region = None # todo: add to user? region = None # todo: add to user?
else: else:
e = allowed_events.first() e = ex.events.first()
if e: if e:
locale = e.settings.locale locale = e.settings.locale
timezone = e.settings.timezone timezone = e.settings.timezone
@@ -133,47 +169,140 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
timezone = organizer.settings.timezone or settings.TIME_ZONE timezone = organizer.settings.timezone or settings.TIME_ZONE
region = organizer.settings.region region = organizer.settings.region
with language(locale, region), override(timezone): with language(locale, region), override(timezone):
if form_data.get('events') is not None and not form_data.get('all_events'): if ex.repeatable_read:
if isinstance(form_data['events'][0], str): with repeatable_reads_transaction():
events = allowed_events.filter(slug__in=form_data.get('events'), organizer=organizer) d = ex.render(form_data)
else:
events = allowed_events.filter(pk__in=form_data.get('events'), organizer=organizer)
else: else:
events = allowed_events.filter(organizer=organizer) d = ex.render(form_data)
responses = register_multievent_data_exporters.send(organizer) if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
for recv, response in responses: close_old_connections() # This task can run very long, we might need a new DB connection
if not response:
continue
ex = response(events, organizer, set_progress)
if ex.identifier == provider:
if (
isinstance(ex, OrganizerLevelExportMixin) and
not staff_session and
not (device or token or user).has_organizer_permission(organizer, ex.organizer_required_permission)
):
raise ExportError(
gettext('You do not have sufficient permission to perform this export.')
)
if ex.repeatable_read: f = ContentFile(data)
with repeatable_reads_transaction(): file.file.save(cachedfile_name(file, file.filename), f)
d = ex.render(form_data)
else:
d = ex.render(form_data)
if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
close_old_connections() # This task can run very long, we might need a new DB connection
f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f)
return str(file.pk) return str(file.pk)
def init_event_exporter(identifier, **kwargs):
for ex in init_event_exporters(**kwargs):
if ex.identifier == identifier:
return ex
return None
def init_event_exporters(event, user=None, token=None, device=None, request=None, staff_session=False, **kwargs):
if not user and not token and not device:
raise ValueError("No auth source given.")
perm_holder = device or token or user
responses = register_data_exporters.send(event)
for r, response in responses:
if not response:
continue
if issubclass(response, OrganizerLevelExportMixin):
raise TypeError("Cannot user organizer-level exporter on event level")
permission_name = response.get_required_event_permission()
if not perm_holder.has_event_permission(event.organizer, event, permission_name, request) and not staff_session:
continue
exporter: BaseExporter = response(event=event, organizer=event.organizer, **kwargs)
if not exporter.available_for_user(user if user and user.is_authenticated else None):
continue
yield exporter
def init_organizer_exporter(identifier, **kwargs):
for ex in init_organizer_exporters(**kwargs):
if ex.identifier == identifier:
return ex
return None
def init_organizer_exporters(
organizer, user=None, token=None, device=None, request=None, staff_session=False, event_qs=None, **kwargs
):
if not user and not token and not device:
raise ValueError("No auth source given.")
perm_holder = device or token or user
_event_list_cache = {}
_has_permission_on_any_team_cache = {}
_team_cache = None
responses = register_multievent_data_exporters.send(organizer)
for r, response in responses:
if not response:
continue
if issubclass(response, OrganizerLevelExportMixin):
exporter: BaseExporter = response(event=Event.objects.none(), organizer=organizer, **kwargs)
try:
if not perm_holder.has_organizer_permission(organizer, response.get_required_organizer_permission(), request) and not staff_session:
continue
except NotImplementedError:
logger.error(f"Not showing export {response} because get_required_organizer_permission() is not implemented.")
continue
else:
permission_name = response.get_required_event_permission()
if permission_name not in _event_list_cache:
if staff_session:
events = event_qs.all() if event_qs else organizer.events.all()
elif event_qs is not None:
events = event_qs.filter(
pk__in=perm_holder.get_events_with_permission(
permission_name, request=request
).filter(
organizer=organizer
).values("id")
)
else:
events = perm_holder.get_events_with_permission(
permission_name, request=request
).filter(
organizer=organizer
)
_event_list_cache[permission_name] = events
if permission_name not in _has_permission_on_any_team_cache:
# Check if the user has this event permission on any teams they are part of to decide whether to show
# the export at all.
# This is different from _event_list_cache[permission_name].exists() for the case of an organizer with
# zero events in total, or a team with zero events. In these cases, we still want people to be able
# to see waht exports they'll get once they have events.
if user:
if _team_cache is None:
_team_cache = list(user.teams.filter(organizer=organizer))
_has_permission_on_any_team_cache[permission_name] = staff_session or any(
t.has_event_permission(permission_name) for t in _team_cache
)
elif token:
_has_permission_on_any_team_cache[permission_name] = token.team.has_event_permission(permission_name)
elif device:
_has_permission_on_any_team_cache[permission_name] = device.has_event_permission(permission_name)
if not _has_permission_on_any_team_cache[permission_name] and not staff_session:
continue
exporter: BaseExporter = response(event=_event_list_cache[permission_name], organizer=organizer, **kwargs)
if not exporter.available_for_user(user if user and user.is_authenticated else None):
continue
yield exporter
def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter, config_url, retry_func, has_permission): def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter, config_url, retry_func, has_permission):
with language(schedule.locale, context.settings.region), override(schedule.tz): with language(schedule.locale, context.settings.region), override(schedule.tz):
file = CachedFile(web_download=False) file = CachedFile(web_download=False)
@@ -217,7 +346,7 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
try: try:
if not exporter: if not exporter:
raise ExportError("Export type not found.") raise ExportError("Export type not found or permission denied.")
if exporter.repeatable_read: if exporter.repeatable_read:
with repeatable_reads_transaction(): with repeatable_reads_transaction():
d = exporter.render(schedule.export_form_data) d = exporter.render(schedule.export_form_data)
@@ -291,31 +420,20 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> None: def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> None:
schedule = organizer.scheduled_exports.get(pk=schedule) schedule = organizer.scheduled_exports.get(pk=schedule)
allowed_events = schedule.owner.get_events_with_permission('can_view_orders') event_qs = organizer.events.all()
if schedule.export_form_data.get('events') is not None and not schedule.export_form_data.get('all_events'): if schedule.export_form_data.get('events') is not None and not schedule.export_form_data.get('all_events'):
if isinstance(schedule.export_form_data['events'][0], str): if isinstance(schedule.export_form_data['events'][0], str):
events = allowed_events.filter(slug__in=schedule.export_form_data.get('events'), organizer=organizer) event_qs = event_qs.filter(slug__in=schedule.export_form_data.get('events'))
else: else:
events = allowed_events.filter(pk__in=schedule.export_form_data.get('events'), organizer=organizer) event_qs = event_qs.filter(pk__in=schedule.export_form_data.get('events'))
else:
events = allowed_events.filter(organizer=organizer)
responses = register_multievent_data_exporters.send(organizer)
exporter = None
for recv, response in responses:
if not response:
continue
ex = response(events, organizer)
if ex.identifier == schedule.export_identifier:
exporter = ex
break
exporter = init_organizer_exporter(
identifier=schedule.export_identifier,
organizer=organizer,
user=schedule.owner,
event_qs=event_qs,
)
has_permission = schedule.owner.is_active has_permission = schedule.owner.is_active
if isinstance(exporter, OrganizerLevelExportMixin):
if not schedule.owner.has_organizer_permission(organizer, exporter.organizer_required_permission):
has_permission = False
if exporter and not exporter.available_for_user(schedule.owner):
has_permission = False
_run_scheduled_export( _run_scheduled_export(
schedule, schedule,
@@ -336,17 +454,12 @@ def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> Non
def scheduled_event_export(self, event: Event, schedule: int) -> None: def scheduled_event_export(self, event: Event, schedule: int) -> None:
schedule = event.scheduled_exports.get(pk=schedule) schedule = event.scheduled_exports.get(pk=schedule)
responses = register_data_exporters.send(event) exporter = init_event_exporter(
exporter = None identifier=schedule.export_identifier,
for recv, response in responses: event=event,
if not response: user=schedule.owner,
continue )
ex = response(event, event.organizer) has_permission = schedule.owner.is_active
if ex.identifier == schedule.export_identifier:
exporter = ex
break
has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'can_view_orders')
_run_scheduled_export( _run_scheduled_export(
schedule, schedule,

21
src/pretix/base/services/mail.py
View File

@@ -512,16 +512,17 @@ def mail_send_task(self, **kwargs) -> bool:
# Attach calendar files # Attach calendar files
if outgoing_mail.should_attach_ical and outgoing_mail.order: if outgoing_mail.should_attach_ical and outgoing_mail.order:
fname = re.sub('[^a-zA-Z0-9 ]', '-', unidecode(pgettext('attachment_filename', 'Calendar invite'))) with language(outgoing_mail.order.locale, outgoing_mail.event.settings.region):
icals = get_private_icals( fname = re.sub('[^a-zA-Z0-9 ]', '-', unidecode(pgettext('attachment_filename', 'Calendar invite')))
outgoing_mail.event, icals = get_private_icals(
[outgoing_mail.orderposition] if outgoing_mail.orderposition else outgoing_mail.order.positions.all() outgoing_mail.event,
) [outgoing_mail.orderposition] if outgoing_mail.orderposition else outgoing_mail.order.positions.all()
for i, cal in enumerate(icals): )
name = '{}{}.ics'.format(fname, f'-{i + 1}' if i > 0 else '') for i, cal in enumerate(icals):
content = cal.serialize() name = '{}{}.ics'.format(fname, f'-{i + 1}' if i > 0 else '')
mimetype = 'text/calendar' content = cal.serialize()
email.attach(name, content, mimetype) mimetype = 'text/calendar'
email.attach(name, content, mimetype)
invoices_to_mark_transmitted = [] invoices_to_mark_transmitted = []
for inv in outgoing_mail.should_attach_invoices.all(): for inv in outgoing_mail.should_attach_invoices.all():

65
src/pretix/base/settings.py
View File

@@ -345,6 +345,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.tax:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show net prices instead of gross prices in the product list"), label=_("Show net prices instead of gross prices in the product list"),
help_text=_("Independent of your choice, the cart will show gross prices as this is the price that needs to be " help_text=_("Independent of your choice, the cart will show gross prices as this is the price that needs to be "
@@ -492,6 +493,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.ChoiceField, 'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField, 'serializer_class': serializers.ChoiceField,
'write_permission': 'event.settings.tax:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Rounding of taxes"), label=_("Rounding of taxes"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -511,15 +513,17 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Ask for invoice address"), label=_("Ask for invoice address"),
) ),
}, },
'invoice_address_not_asked_free': { 'invoice_address_not_asked_free': {
'default': 'False', 'default': 'False',
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Do not ask for invoice address if an order is free'), label=_('Do not ask for invoice address if an order is free'),
) )
@@ -529,6 +533,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Require customer name"), label=_("Require customer name"),
) )
@@ -538,6 +543,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show attendee names on invoices"), label=_("Show attendee names on invoices"),
) )
@@ -547,6 +553,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show event location on invoices"), label=_("Show event location on invoices"),
help_text=_("The event location will be shown below the list of products if it is the same for all " help_text=_("The event location will be shown below the list of products if it is the same for all "
@@ -558,6 +565,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.ChoiceField, 'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField, 'serializer_class': serializers.ChoiceField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show exchange rates"), label=_("Show exchange rates"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -581,6 +589,7 @@ DEFAULTS = {
'default': 'False', 'default': 'False',
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'type': bool, 'type': bool,
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Require invoice address"), label=_("Require invoice address"),
@@ -591,6 +600,7 @@ DEFAULTS = {
'default': 'False', 'default': 'False',
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'type': bool, 'type': bool,
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Require a business address"), label=_("Require a business address"),
@@ -603,6 +613,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Ask for beneficiary"), label=_("Ask for beneficiary"),
widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}), widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
@@ -613,6 +624,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Custom recipient field label"), label=_("Custom recipient field label"),
widget=I18nTextInput, widget=I18nTextInput,
@@ -628,6 +640,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Custom recipient field help text"), label=_("Custom recipient field help text"),
widget=I18nTextInput, widget=I18nTextInput,
@@ -640,6 +653,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Ask for VAT ID"), label=_("Ask for VAT ID"),
help_text=format_lazy( help_text=format_lazy(
@@ -655,6 +669,7 @@ DEFAULTS = {
'type': list, 'type': list,
'form_class': forms.MultipleChoiceField, 'form_class': forms.MultipleChoiceField,
'serializer_class': serializers.MultipleChoiceField, 'serializer_class': serializers.MultipleChoiceField,
'write_permission': 'event.settings.invoicing:write',
'serializer_kwargs': dict( 'serializer_kwargs': dict(
choices=lazy( choices=lazy(
lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]), lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
@@ -682,6 +697,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Invoice address explanation"), label=_("Invoice address explanation"),
widget=I18nMarkdownTextarea, widget=I18nMarkdownTextarea,
@@ -694,6 +710,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show paid amount on partially paid invoices"), label=_("Show paid amount on partially paid invoices"),
help_text=_("If an invoice has already been paid partially, this option will add the paid and pending " help_text=_("If an invoice has already been paid partially, this option will add the paid and pending "
@@ -705,6 +722,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show free products on invoices"), label=_("Show free products on invoices"),
help_text=_("Note that invoices will never be generated for orders that contain only free " help_text=_("Note that invoices will never be generated for orders that contain only free "
@@ -716,6 +734,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Show expiration date of order"), label=_("Show expiration date of order"),
help_text=_("The expiration date will not be shown if the invoice is generated after the order is paid."), help_text=_("The expiration date will not be shown if the invoice is generated after the order is paid."),
@@ -727,6 +746,7 @@ DEFAULTS = {
'form_class': forms.IntegerField, 'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField, 'serializer_class': serializers.IntegerField,
'serializer_kwargs': dict(), 'serializer_kwargs': dict(),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Minimum length of invoice number after prefix"), label=_("Minimum length of invoice number after prefix"),
help_text=_("The part of your invoice number after your prefix will be filled up with leading zeros up to this length, e.g. INV-001 or INV-00001."), help_text=_("The part of your invoice number after your prefix will be filled up with leading zeros up to this length, e.g. INV-001 or INV-00001."),
@@ -740,6 +760,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Generate invoices with consecutive numbers"), label=_("Generate invoices with consecutive numbers"),
help_text=_("If deactivated, the order code will be used in the invoice number."), help_text=_("If deactivated, the order code will be used in the invoice number."),
@@ -750,6 +771,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Invoice number prefix"), label=_("Invoice number prefix"),
help_text=_("This will be prepended to invoice numbers. If you leave this field empty, your event slug will " help_text=_("This will be prepended to invoice numbers. If you leave this field empty, your event slug will "
@@ -777,6 +799,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Invoice number prefix for cancellations"), label=_("Invoice number prefix for cancellations"),
help_text=_("This will be prepended to invoice numbers of cancellations. If you leave this field empty, " help_text=_("This will be prepended to invoice numbers of cancellations. If you leave this field empty, "
@@ -800,6 +823,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Highlight order code to make it stand out visibly"), label=_("Highlight order code to make it stand out visibly"),
help_text=_("Only respected by some invoice renderers."), help_text=_("Only respected by some invoice renderers."),
@@ -811,6 +835,7 @@ DEFAULTS = {
'form_class': forms.ChoiceField, 'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField, 'serializer_class': serializers.ChoiceField,
'serializer_kwargs': lambda: dict(**invoice_font_kwargs()), 'serializer_kwargs': lambda: dict(**invoice_font_kwargs()),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': lambda: dict( 'form_kwargs': lambda: dict(
label=_('Font'), label=_('Font'),
help_text=_("Only respected by some invoice renderers."), help_text=_("Only respected by some invoice renderers."),
@@ -821,6 +846,7 @@ DEFAULTS = {
'invoice_renderer': { 'invoice_renderer': {
'default': 'classic', # default for new events is 'modern1' 'default': 'classic', # default for new events is 'modern1'
'type': str, 'type': str,
'write_permission': 'event.settings.invoicing:write',
}, },
'ticket_secret_generator': { 'ticket_secret_generator': {
'default': 'random', 'default': 'random',
@@ -897,6 +923,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=I18nMarkdownTextarea, widget=I18nMarkdownTextarea,
widget_kwargs={'attrs': { widget_kwargs={'attrs': {
@@ -918,6 +945,7 @@ DEFAULTS = {
('minutes', _("in minutes")) ('minutes', _("in minutes"))
), ),
), ),
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Set payment term"), label=_("Set payment term"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -935,6 +963,7 @@ DEFAULTS = {
'type': int, 'type': int,
'form_class': forms.IntegerField, 'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField, 'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Payment term in days'), label=_('Payment term in days'),
widget=forms.NumberInput( widget=forms.NumberInput(
@@ -960,6 +989,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Only end payment terms on weekdays'), label=_('Only end payment terms on weekdays'),
help_text=_("If this is activated and the payment term of any order ends on a Saturday or Sunday, it will be " help_text=_("If this is activated and the payment term of any order ends on a Saturday or Sunday, it will be "
@@ -977,6 +1007,7 @@ DEFAULTS = {
'type': int, 'type': int,
'form_class': forms.IntegerField, 'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField, 'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Payment term in minutes'), label=_('Payment term in minutes'),
help_text=_("The number of minutes after placing an order the user has to pay to preserve their reservation. " help_text=_("The number of minutes after placing an order the user has to pay to preserve their reservation. "
@@ -1001,6 +1032,7 @@ DEFAULTS = {
'type': RelativeDateWrapper, 'type': RelativeDateWrapper,
'form_class': RelativeDateField, 'form_class': RelativeDateField,
'serializer_class': SerializerRelativeDateField, 'serializer_class': SerializerRelativeDateField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Last date of payments'), label=_('Last date of payments'),
help_text=_("The last date any payments are accepted. This has precedence over the terms " help_text=_("The last date any payments are accepted. This has precedence over the terms "
@@ -1013,6 +1045,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Automatically expire unpaid orders'), label=_('Automatically expire unpaid orders'),
help_text=_("If checked, all unpaid orders will automatically go from 'pending' to 'expired' " help_text=_("If checked, all unpaid orders will automatically go from 'pending' to 'expired' "
@@ -1025,6 +1058,7 @@ DEFAULTS = {
'type': int, 'type': int,
'form_class': forms.IntegerField, 'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField, 'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Expiration delay'), label=_('Expiration delay'),
help_text=_("The order will only actually expire this many days after the expiration date communicated " help_text=_("The order will only actually expire this many days after the expiration date communicated "
@@ -1047,6 +1081,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Hide "payment pending" state on customer-facing pages'), label=_('Hide "payment pending" state on customer-facing pages'),
help_text=_("The payment instructions panel will still be shown to the primary customer, but no indication " help_text=_("The payment instructions panel will still be shown to the primary customer, but no indication "
@@ -1058,9 +1093,11 @@ DEFAULTS = {
'default': 'True', 'default': 'True',
'type': bool, 'type': bool,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
}, },
'payment_giftcard_public_name': { 'payment_giftcard_public_name': {
'default': LazyI18nString.from_gettext(gettext_noop('Gift card')), 'default': LazyI18nString.from_gettext(gettext_noop('Gift card')),
'write_permission': 'event.settings.payment:write',
'type': LazyI18nString 'type': LazyI18nString
}, },
'payment_giftcard_public_description': { 'payment_giftcard_public_description': {
@@ -1069,10 +1106,12 @@ DEFAULTS = {
'enough credit to pay for the full order, you will be shown this page again and you can either ' 'enough credit to pay for the full order, you will be shown this page again and you can either '
'redeem another gift card or select a different payment method for the difference.' 'redeem another gift card or select a different payment method for the difference.'
)), )),
'write_permission': 'event.settings.payment:write',
'type': LazyI18nString 'type': LazyI18nString
}, },
'payment_resellers__restrict_to_sales_channels': { 'payment_resellers__restrict_to_sales_channels': {
'default': ['resellers'], 'default': ['resellers'],
'write_permission': 'event.settings.payment:write',
'type': list 'type': list
}, },
'payment_term_accept_late': { 'payment_term_accept_late': {
@@ -1080,6 +1119,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_('Accept late payments'), label=_('Accept late payments'),
help_text=_("Accept payments for orders even when they are in 'expired' state as long as enough " help_text=_("Accept payments for orders even when they are in 'expired' state as long as enough "
@@ -1109,6 +1149,7 @@ DEFAULTS = {
('none', _('Charge no taxes')), ('none', _('Charge no taxes')),
), ),
), ),
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Tax handling on payment fees"), label=_("Tax handling on payment fees"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -1155,6 +1196,7 @@ DEFAULTS = {
('paid', _('Automatically on payment or when required by payment method')), ('paid', _('Automatically on payment or when required by payment method')),
), ),
), ),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Generate invoices"), label=_("Generate invoices"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -1183,6 +1225,7 @@ DEFAULTS = {
('invoice_date', _('Invoice date')), ('invoice_date', _('Invoice date')),
), ),
), ),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Date of service"), label=_("Date of service"),
widget=forms.RadioSelect, widget=forms.RadioSelect,
@@ -1203,6 +1246,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Automatically cancel and reissue invoice on address changes"), label=_("Automatically cancel and reissue invoice on address changes"),
help_text=_("If customers change their invoice address on an existing order, the invoice will " help_text=_("If customers change their invoice address on an existing order, the invoice will "
@@ -1215,6 +1259,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Allow to update existing invoices"), label=_("Allow to update existing invoices"),
help_text=_("By default, invoices can never again be changed once they are issued. In most countries, we " help_text=_("By default, invoices can never again be changed once they are issued. In most countries, we "
@@ -1224,6 +1269,7 @@ DEFAULTS = {
}, },
'invoice_generate_sales_channels': { 'invoice_generate_sales_channels': {
'default': json.dumps(['web']), 'default': json.dumps(['web']),
'write_permission': 'event.settings.invoicing:write',
'type': list 'type': list
}, },
'invoice_generate_only_business': { 'invoice_generate_only_business': {
@@ -1240,6 +1286,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Address line"), label=_("Address line"),
widget=forms.Textarea(attrs={ widget=forms.Textarea(attrs={
@@ -1255,6 +1302,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
max_length=190, max_length=190,
label=_("Company name"), label=_("Company name"),
@@ -1265,6 +1313,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=forms.TextInput(attrs={ widget=forms.TextInput(attrs={
'placeholder': '12345' 'placeholder': '12345'
@@ -1278,6 +1327,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=forms.TextInput(attrs={ widget=forms.TextInput(attrs={
'placeholder': _('Random City') 'placeholder': _('Random City')
@@ -1294,6 +1344,7 @@ DEFAULTS = {
'serializer_kwargs': { 'serializer_kwargs': {
'choices': [('', '')], 'choices': [('', '')],
}, },
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': { 'form_kwargs': {
"label": pgettext_lazy('address', 'State'), "label": pgettext_lazy('address', 'State'),
'choices': [('', '')], 'choices': [('', '')],
@@ -1305,6 +1356,7 @@ DEFAULTS = {
'form_class': forms.ChoiceField, 'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField, 'serializer_class': serializers.ChoiceField,
'serializer_kwargs': lambda: dict(**country_choice_kwargs()), 'serializer_kwargs': lambda: dict(**country_choice_kwargs()),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': lambda: dict( 'form_kwargs': lambda: dict(
label=_('Country'), label=_('Country'),
widget=forms.Select(attrs={ widget=forms.Select(attrs={
@@ -1318,6 +1370,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Domestic tax ID"), label=_("Domestic tax ID"),
help_text=_("e.g. tax number in Germany, ABN in Australia, …"), help_text=_("e.g. tax number in Germany, ABN in Australia, …"),
@@ -1329,6 +1382,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("EU VAT ID"), label=_("EU VAT ID"),
max_length=190, max_length=190,
@@ -1339,6 +1393,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=I18nTextarea, widget=I18nTextarea,
widget_kwargs={'attrs': { widget_kwargs={'attrs': {
@@ -1356,6 +1411,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=I18nTextarea, widget=I18nTextarea,
widget_kwargs={'attrs': { widget_kwargs={'attrs': {
@@ -1373,6 +1429,7 @@ DEFAULTS = {
'type': LazyI18nString, 'type': LazyI18nString,
'form_class': I18nFormField, 'form_class': I18nFormField,
'serializer_class': I18nField, 'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
widget=I18nTextarea, widget=I18nTextarea,
widget_kwargs={'attrs': { widget_kwargs={'attrs': {
@@ -1387,6 +1444,7 @@ DEFAULTS = {
}, },
'invoice_language': { 'invoice_language': {
'default': '__user__', 'default': '__user__',
'write_permission': 'event.settings.invoicing:write',
'type': str 'type': str
}, },
'invoice_email_attachment': { 'invoice_email_attachment': {
@@ -1394,6 +1452,7 @@ DEFAULTS = {
'type': bool, 'type': bool,
'form_class': forms.BooleanField, 'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField, 'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Attach invoices to emails"), label=_("Attach invoices to emails"),
help_text=_("If invoices are automatically generated for all orders, they will be attached to the order " help_text=_("If invoices are automatically generated for all orders, they will be attached to the order "
@@ -1407,6 +1466,7 @@ DEFAULTS = {
'type': str, 'type': str,
'form_class': forms.CharField, 'form_class': forms.CharField,
'serializer_class': serializers.CharField, 'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict( 'form_kwargs': dict(
label=_("Email address to receive a copy of each invoice"), label=_("Email address to receive a copy of each invoice"),
help_text=_("Each newly created invoice will be sent to this email address shortly after creation. You can " help_text=_("Each newly created invoice will be sent to this email address shortly after creation. You can "
@@ -3260,7 +3320,8 @@ Your {organizer} team""")) # noqa: W291
'image/png', 'image/jpeg', 'image/gif' 'image/png', 'image/jpeg', 'image/gif'
], ],
max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE, max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
) ),
'write_permission': 'event.settings.invoicing:write',
}, },
'frontpage_text': { 'frontpage_text': {
'default': '', 'default': '',

28
src/pretix/base/signals.py
View File

@@ -305,6 +305,19 @@ class GlobalSignal(django.dispatch.Signal):
response = receiver(signal=self, sender=sender, **named) response = receiver(signal=self, sender=sender, **named)
return response return response
def _live_receivers(self, sender):
# Ensure consistent sorting of receivers
orig_list = super()._live_receivers(sender)
sorted_list = sorted(
orig_list,
key=lambda receiver: (
0 if any(receiver.__module__.startswith(m) for m in settings.CORE_MODULES) else 1,
receiver.__module__,
receiver.__name__,
)
)
return sorted_list
class DeprecatedSignal(GlobalSignal): class DeprecatedSignal(GlobalSignal):
@@ -561,6 +574,18 @@ however for this signal, the ``sender`` **may also be None** to allow creating t
notification settings! notification settings!
""" """
register_event_permission_groups = GlobalSignal()
"""
This signal is sent out to get all known permissions. Receivers should return an
instance of pretix.base.permissions.PermissionGroup or a list of such instances.
"""
register_organizer_permission_groups = GlobalSignal()
"""
This signal is sent out to get all known permissions. Receivers should return an
instance of pretix.base.permissions.PermissionGroup or a list of such instances.
"""
notification = EventPluginSignal() notification = EventPluginSignal()
""" """
Arguments: ``logentry_id``, ``notification_type`` Arguments: ``logentry_id``, ``notification_type``
@@ -1106,6 +1131,9 @@ api_event_settings_fields = EventPluginSignal()
This signal is sent out to collect serializable settings fields for the API. You are expected to This signal is sent out to collect serializable settings fields for the API. You are expected to
return a dictionary mapping names of attributes in the settings store to DRF serializer field instances. return a dictionary mapping names of attributes in the settings store to DRF serializer field instances.
These are readable for all users with access to the events, therefore secrets stored in the settings store
should not be included!
As with all event-plugin signals, the ``sender`` keyword argument will contain the event. As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
""" """

83
src/pretix/base/timeline.py
View File

@@ -32,7 +32,11 @@ from pretix.base.models import ItemVariation
from pretix.base.reldate import RelativeDateWrapper from pretix.base.reldate import RelativeDateWrapper
from pretix.base.signals import timeline_events from pretix.base.signals import timeline_events
TimelineEvent = namedtuple('TimelineEvent', ('event', 'subevent', 'datetime', 'description', 'edit_url')) TimelineEvent = namedtuple(
'TimelineEvent',
('event', 'subevent', 'datetime', 'description', 'edit_url', 'edit_permission'),
defaults=(None, None, None, None, None, 'event.settings.general:write')
)
def timeline_for_event(event, subevent=None): def timeline_for_event(event, subevent=None):
@@ -46,6 +50,7 @@ def timeline_for_event(event, subevent=None):
'subevent': subevent.pk 'subevent': subevent.pk
} }
) )
ev_edit_permission = 'event.subevents:write'
else: else:
ev_edit_url = reverse( ev_edit_url = reverse(
'control:event.settings', kwargs={ 'control:event.settings', kwargs={
@@ -53,12 +58,14 @@ def timeline_for_event(event, subevent=None):
'organizer': event.organizer.slug 'organizer': event.organizer.slug
} }
) )
ev_edit_permission = 'event.settings.general:write'
tl.append(TimelineEvent( tl.append(TimelineEvent(
event=event, subevent=subevent, event=event, subevent=subevent,
datetime=ev.date_from, datetime=ev.date_from,
description=pgettext_lazy('timeline', 'Your event starts'), description=pgettext_lazy('timeline', 'Your event starts'),
edit_url=ev_edit_url + '#id_date_from_0' edit_url=ev_edit_url + '#id_date_from_0',
edit_permission=ev_edit_permission,
)) ))
if ev.date_to: if ev.date_to:
@@ -66,7 +73,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent, event=event, subevent=subevent,
datetime=ev.date_to, datetime=ev.date_to,
description=pgettext_lazy('timeline', 'Your event ends'), description=pgettext_lazy('timeline', 'Your event ends'),
edit_url=ev_edit_url + '#id_date_to_0' edit_url=ev_edit_url + '#id_date_to_0',
edit_permission=ev_edit_permission,
)) ))
if ev.date_admission: if ev.date_admission:
@@ -74,7 +82,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent, event=event, subevent=subevent,
datetime=ev.date_admission, datetime=ev.date_admission,
description=pgettext_lazy('timeline', 'Admissions for your event start'), description=pgettext_lazy('timeline', 'Admissions for your event start'),
edit_url=ev_edit_url + '#id_date_admission_0' edit_url=ev_edit_url + '#id_date_admission_0',
edit_permission=ev_edit_permission,
)) ))
if ev.presale_start: if ev.presale_start:
@@ -82,7 +91,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent, event=event, subevent=subevent,
datetime=ev.presale_start, datetime=ev.presale_start,
description=pgettext_lazy('timeline', 'Start of ticket sales'), description=pgettext_lazy('timeline', 'Start of ticket sales'),
edit_url=ev_edit_url + '#id_presale_start_0' edit_url=ev_edit_url + '#id_presale_start_0',
edit_permission=ev_edit_permission,
)) ))
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -97,7 +107,8 @@ def timeline_for_event(event, subevent=None):
) if not ev.presale_end else ( ) if not ev.presale_end else (
pgettext_lazy('timeline', 'End of ticket sales') pgettext_lazy('timeline', 'End of ticket sales')
), ),
edit_url=ev_edit_url + '#id_presale_end_0' edit_url=ev_edit_url + '#id_presale_end_0',
edit_permission=ev_edit_permission,
)) ))
rd = event.settings.get('last_order_modification_date', as_type=RelativeDateWrapper) rd = event.settings.get('last_order_modification_date', as_type=RelativeDateWrapper)
@@ -106,7 +117,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent, event=event, subevent=subevent,
datetime=rd.datetime(ev), datetime=rd.datetime(ev),
description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'), description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0' edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0',
edit_permission='event.settings.general:write',
)) ))
rd = event.settings.get('payment_term_last', as_type=RelativeDateWrapper) rd = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
@@ -122,7 +134,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.payment', kwargs={ edit_url=reverse('control:event.settings.payment', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.payment:write',
)) ))
rd = event.settings.get('ticket_download_date', as_type=RelativeDateWrapper) rd = event.settings.get('ticket_download_date', as_type=RelativeDateWrapper)
@@ -134,7 +147,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.tickets', kwargs={ edit_url=reverse('control:event.settings.tickets', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.general:write',
)) ))
rd = event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper) rd = event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper)
@@ -146,7 +160,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={ edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.general:write',
)) ))
rd = event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper) rd = event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper)
@@ -158,7 +173,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={ edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.general:write',
)) ))
rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper) rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
@@ -170,7 +186,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={ edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.general:write',
)) ))
rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper) rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
@@ -182,7 +199,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings', kwargs={ edit_url=reverse('control:event.settings', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) + '#waiting-list-open' }) + '#waiting-list-open',
edit_permission='event.settings.general:write',
)) ))
if not event.has_subevents: if not event.has_subevents:
@@ -196,7 +214,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.mail', kwargs={ edit_url=reverse('control:event.settings.mail', kwargs={
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug 'organizer': event.organizer.slug
}) }),
edit_permission='event.settings.general:write',
)) ))
if subevent: if subevent:
@@ -210,7 +229,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'subevent': subevent.pk, 'subevent': subevent.pk,
}) }),
edit_permission='event.subevents:write',
)) ))
if sei.available_until: if sei.available_until:
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -221,7 +241,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'subevent': subevent.pk, 'subevent': subevent.pk,
}) }),
edit_permission='event.subevents:write',
)) ))
for sei in subevent.var_overrides.values(): for sei in subevent.var_overrides.values():
if sei.available_from: if sei.available_from:
@@ -234,7 +255,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'subevent': subevent.pk, 'subevent': subevent.pk,
}) }),
edit_permission='event.subevents:write',
)) ))
if sei.available_until: if sei.available_until:
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -246,7 +268,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'subevent': subevent.pk, 'subevent': subevent.pk,
}) }),
edit_permission='event.subevents:write',
)) ))
for d in event.discounts.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)): for d in event.discounts.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -259,7 +282,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'discount': d.pk, 'discount': d.pk,
}) }),
edit_permission='event.items:write',
)) ))
if d.available_until: if d.available_until:
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -270,7 +294,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'discount': d.pk, 'discount': d.pk,
}) }),
edit_permission='event.items:write',
)) ))
for p in event.items.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)): for p in event.items.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -283,7 +308,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'item': p.pk, 'item': p.pk,
}) + '#id_available_from_0' }) + '#id_available_from_0',
edit_permission='event.items:write',
)) ))
if p.available_until: if p.available_until:
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -294,7 +320,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'item': p.pk, 'item': p.pk,
}) + '#id_available_until_0' }) + '#id_available_until_0',
edit_permission='event.items:write',
)) ))
for v in ItemVariation.objects.filter( for v in ItemVariation.objects.filter(
@@ -313,7 +340,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'item': v.item.pk, 'item': v.item.pk,
}) + '#tab-0-3-open' }) + '#tab-0-3-open',
edit_permission='event.items:write',
)) ))
if v.available_until: if v.available_until:
tl.append(TimelineEvent( tl.append(TimelineEvent(
@@ -327,7 +355,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'item': v.item.pk, 'item': v.item.pk,
}) + '#tab-0-3-open' }) + '#tab-0-3-open',
edit_permission='event.items:write',
)) ))
pprovs = event.get_payment_providers() pprovs = event.get_payment_providers()
@@ -357,7 +386,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'provider': pprov.identifier, 'provider': pprov.identifier,
}) }),
edit_permission='event.settings.payment:write',
)) ))
availability_date = pprov.settings.get('_availability_date', as_type=RelativeDateWrapper) availability_date = pprov.settings.get('_availability_date', as_type=RelativeDateWrapper)
if availability_date: if availability_date:
@@ -375,7 +405,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug, 'event': event.slug,
'organizer': event.organizer.slug, 'organizer': event.organizer.slug,
'provider': pprov.identifier, 'provider': pprov.identifier,
}) }),
edit_permission='event.settings.payment:write',
)) ))
for recv, resp in timeline_events.send(sender=event, subevent=subevent): for recv, resp in timeline_events.send(sender=event, subevent=subevent):

2
src/pretix/control/context.py
View File

@@ -102,7 +102,7 @@ def _default_context(request):
complain_testmode_orders = request.event.orders.filter(testmode=True).exists() complain_testmode_orders = request.event.orders.filter(testmode=True).exists()
request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30) request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30)
ctx['complain_testmode_orders'] = complain_testmode_orders and request.user.has_event_permission( ctx['complain_testmode_orders'] = complain_testmode_orders and request.user.has_event_permission(
request.organizer, request.event, 'can_view_orders', request=request request.organizer, request.event, 'event.orders:read', request=request
) )
else: else:
ctx['complain_testmode_orders'] = False ctx['complain_testmode_orders'] = False

62
src/pretix/control/forms/event.py
View File

@@ -62,6 +62,7 @@ from pretix.base.forms import (
) )
from pretix.base.models import Event, Organizer, TaxRule, Team from pretix.base.models import Event, Organizer, TaxRule, Team
from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent
from pretix.base.models.organizer import TeamQuerySet
from pretix.base.models.tax import TAX_CODE_LISTS from pretix.base.models.tax import TAX_CODE_LISTS
from pretix.base.reldate import RelativeDateField, RelativeDateTimeField from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
from pretix.base.services.placeholders import FormPlaceholderMixin from pretix.base.services.placeholders import FormPlaceholderMixin
@@ -100,11 +101,12 @@ class EventWizardFoundationForm(forms.Form):
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user') self.user = kwargs.pop('user')
self.session = kwargs.pop('session') self.session = kwargs.pop('session')
self.clone_from = kwargs.pop('clone_from')
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
qs = Organizer.objects.all() qs = Organizer.objects.all()
if not self.user.has_active_staff_session(self.session.session_key): if not self.user.has_active_staff_session(self.session.session_key):
qs = qs.filter( qs = qs.filter(
id__in=self.user.teams.filter(can_create_events=True).values_list('organizer', flat=True) id__in=self.user.teams.filter(TeamQuerySet.organizer_permission_q("organizer.events:create")).values_list('organizer', flat=True)
) )
self.fields['organizer'] = forms.ModelChoiceField( self.fields['organizer'] = forms.ModelChoiceField(
label=_("Organizer"), label=_("Organizer"),
@@ -125,6 +127,16 @@ class EventWizardFoundationForm(forms.Form):
self.fields['organizer'].initial = organizer self.fields['organizer'].initial = organizer
self.fields['locales'].initial = organizer.settings.locales self.fields['locales'].initial = organizer.settings.locales
def clean(self):
d = super().clean()
if d.get('organizer') and self.clone_from and not self.user.has_active_staff_session(self.session.session_key):
if not self.clone_from.allow_copy_data(d['organizer'], self.user):
raise ValidationError({
"organizer": _("You do not have a sufficient level of access on the event you selected "
"to copy it to the desired organizer.")
})
return d
class EventWizardBasicsForm(I18nModelForm): class EventWizardBasicsForm(I18nModelForm):
error_messages = { error_messages = {
@@ -198,6 +210,7 @@ class EventWizardBasicsForm(I18nModelForm):
self.has_subevents = kwargs.pop('has_subevents') self.has_subevents = kwargs.pop('has_subevents')
self.user = kwargs.pop('user') self.user = kwargs.pop('user')
self.session = kwargs.pop('session') self.session = kwargs.pop('session')
self.clone_from = kwargs.pop('clone_from')
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
if 'timezone' not in self.initial: if 'timezone' not in self.initial:
self.initial['timezone'] = get_current_timezone_name() self.initial['timezone'] = get_current_timezone_name()
@@ -238,6 +251,16 @@ class EventWizardBasicsForm(I18nModelForm):
'check "{field}" above.').format(field=self.fields["no_taxes"].label) 'check "{field}" above.').format(field=self.fields["no_taxes"].label)
}) })
if self.clone_from and not self.user.has_active_staff_session(self.session.session_key):
if data.get("team"):
source_event_perms = self.user.get_event_permission_set(self.organizer, self.clone_from)
team_perms = data["team"].event_permission_set(include_legacy=False)
if any(t not in source_event_perms for t in team_perms):
raise ValidationError({
"team": _("You cannot choose a team that would give you more access than you have on "
"the event you are copying.")
})
# change timezone # change timezone
zone = ZoneInfo(data.get('timezone')) zone = ZoneInfo(data.get('timezone'))
data['date_from'] = self.reset_timezone(zone, data.get('date_from')) data['date_from'] = self.reset_timezone(zone, data.get('date_from'))
@@ -261,9 +284,12 @@ class EventWizardBasicsForm(I18nModelForm):
@staticmethod @staticmethod
def has_control_rights(user, organizer, session): def has_control_rights(user, organizer, session):
# It's mostly pointless to let a user create an event where they can't event change the name or create products,
# so we detect if the user has sufficient access for that on a new event.
return user.teams.filter( return user.teams.filter(
organizer=organizer, all_events=True, can_change_event_settings=True, can_change_items=True, TeamQuerySet.event_permission_q("event.settings.general:write"),
can_change_orders=True, can_change_vouchers=True organizer=organizer,
all_events=True,
).exists() or user.has_active_staff_session(session.session_key) ).exists() or user.has_active_staff_session(session.session_key)
@@ -293,18 +319,24 @@ class EventWizardCopyForm(forms.Form):
if user.has_active_staff_session(session.session_key): if user.has_active_staff_session(session.session_key):
return Event.objects.all() return Event.objects.all()
return Event.objects.filter( return Event.objects.filter(
# It is generally pointless to let users copy events when they would not even be able to change the
# date of the event they have just created. Therefore, even if it looks wrong, we're checking a write
# permission for read access.
Q(organizer_id__in=user.teams.filter( Q(organizer_id__in=user.teams.filter(
all_events=True, can_change_event_settings=True, can_change_items=True TeamQuerySet.event_permission_q("event.settings.general:write"),
all_events=True,
).values_list('organizer', flat=True)) | Q(id__in=user.teams.filter( ).values_list('organizer', flat=True)) | Q(id__in=user.teams.filter(
can_change_event_settings=True, can_change_items=True TeamQuerySet.event_permission_q("event.settings.general:write"),
).values_list('limit_events__id', flat=True)) ).values_list('limit_events__id', flat=True))
) )
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
kwargs.pop('organizer') self.organizer = kwargs.pop('organizer')
kwargs.pop('locales') kwargs.pop('locales')
self.session = kwargs.pop('session') self.session = kwargs.pop('session')
self.team = kwargs.pop('team')
kwargs.pop('has_subevents') kwargs.pop('has_subevents')
kwargs.pop('clone_from')
self.user = kwargs.pop('user') self.user = kwargs.pop('user')
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
@@ -323,6 +355,24 @@ class EventWizardCopyForm(forms.Form):
) )
self.fields['copy_from_event'].widget.choices = self.fields['copy_from_event'].choices self.fields['copy_from_event'].widget.choices = self.fields['copy_from_event'].choices
def clean(self):
d = super().clean()
if d.get('copy_from_event') and not self.user.has_active_staff_session(self.session.session_key):
if not d['copy_from_event'].allow_copy_data(self.organizer, self.user):
raise ValidationError({
"copy_from_event": _("You do not have a sufficient level of access on the event you selected "
"to copy it to the desired organizer.")
})
if self.team:
source_event_perms = self.user.get_event_permission_set(self.organizer, d['copy_from_event'])
team_perms = self.team.event_permission_set(include_legacy=False)
if any(t not in source_event_perms for t in team_perms):
raise ValidationError({
"copy_from_event": _("You cannot choose an event on which you have less access than the "
"team you selected in the previous step.")
})
return d
class EventMetaValueForm(forms.ModelForm): class EventMetaValueForm(forms.ModelForm):

2
src/pretix/control/forms/filter.py
View File

@@ -1111,7 +1111,7 @@ class OrderPaymentSearchFilterForm(forms.Form):
self.fields['organizer'].queryset = Organizer.objects.filter( self.fields['organizer'].queryset = Organizer.objects.filter(
pk__in=self.request.user.teams.values_list('organizer', flat=True) pk__in=self.request.user.teams.values_list('organizer', flat=True)
) )
self.fields['event'].queryset = self.request.user.get_events_with_permission('can_view_orders') self.fields['event'].queryset = self.request.user.get_events_with_permission('event.orders:read')
self.fields['provider'].choices += get_all_payment_providers() self.fields['provider'].choices += get_all_payment_providers()

138
src/pretix/control/forms/organizer.py
View File

@@ -75,7 +75,10 @@ from pretix.base.models import (
ReusableMedium, SalesChannel, Team, ReusableMedium, SalesChannel, Team,
) )
from pretix.base.models.customers import CustomerSSOClient, CustomerSSOProvider from pretix.base.models.customers import CustomerSSOClient, CustomerSSOProvider
from pretix.base.models.organizer import OrganizerFooterLink from pretix.base.models.organizer import OrganizerFooterLink, TeamQuerySet
from pretix.base.permissions import (
get_all_event_permission_groups, get_all_organizer_permission_groups,
)
from pretix.base.settings import ( from pretix.base.settings import (
PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS, validate_organizer_settings, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS, validate_organizer_settings,
) )
@@ -297,7 +300,34 @@ class MembershipTypeForm(I18nModelForm):
fields = ['name', 'transferable', 'allow_parallel_usage', 'max_usages'] fields = ['name', 'transferable', 'allow_parallel_usage', 'max_usages']
class PermissionMultipleChoiceField(forms.MultipleChoiceField):
def to_python(self, value):
return {
k: True for k in super().to_python(value) if k
}
def prepare_value(self, value):
if isinstance(value, dict):
return [k for k, v in value.items() if v is True]
return super().prepare_value(value)
class TeamForm(forms.ModelForm): class TeamForm(forms.ModelForm):
def _make_label(self, p):
source = '{}'
params = [p.label]
if p.plugin_name:
source = '<span class="fa fa-puzzle-piece text-muted" data-toggle="tooltip" title="{}"></span> ' + source
params.insert(0, _("Provided by a plugin"))
if p.help_text:
source += ' <span class="fa fa-info-circle text-muted" data-toggle="tooltip" title="{}"></span>'
params.append(p.help_text)
source += ' (<code>{}</code>)'
params.append(p.name)
return format_html(source, *params)
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
organizer = kwargs.pop('organizer') organizer = kwargs.pop('organizer')
@@ -305,16 +335,62 @@ class TeamForm(forms.ModelForm):
self.fields['limit_events'].queryset = organizer.events.all().order_by( self.fields['limit_events'].queryset = organizer.events.all().order_by(
'-has_subevents', '-date_from' '-has_subevents', '-date_from'
) )
self.event_field_names = []
for pg in get_all_event_permission_groups().values():
initial = ",".join(sorted(
a for a in pg.actions if self.instance and self.instance.limit_event_permissions.get(f"{pg.name}:{a}")
)) or "EMPTY"
self.fields[f'event_{pg.name}'] = forms.ChoiceField(
choices=[
(
",".join(sorted(opt.actions)) or "EMPTY",
format_html(
'{label} '
'<span class="fa fa-question-circle fa-fw text-muted" data-toggle="tooltip"'
' data-placement="right" title="{help_text}"></span>',
label=opt.label,
help_text=opt.help_text,
) if opt.help_text else opt.label,
)
for opt in pg.options
],
label=pg.label,
help_text=pg.help_text,
initial=initial,
widget=forms.RadioSelect,
)
self.event_field_names.append(f'event_{pg.name}')
self.organizer_field_names = []
for pg in get_all_organizer_permission_groups().values():
initial = ",".join(sorted(
a for a in pg.actions if self.instance and self.instance.limit_organizer_permissions.get(f"{pg.name}:{a}")
)) or "EMPTY"
self.fields[f'organizer_{pg.name}'] = forms.ChoiceField(
choices=[
(
",".join(sorted(opt.actions)) or "EMPTY",
format_html(
'{label} '
'<span class="fa fa-question-circle fa-fw text-muted" data-toggle="tooltip"'
' data-placement="right" title="{help_text}"></span>',
label=opt.label,
help_text=opt.help_text,
) if opt.help_text else opt.label,
)
for opt in pg.options
],
label=pg.label,
help_text=pg.help_text,
initial=initial,
widget=forms.RadioSelect,
)
self.organizer_field_names.append(f'organizer_{pg.name}')
class Meta: class Meta:
model = Team model = Team
fields = ['name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', fields = ['name', 'require_2fa', 'all_events', 'limit_events',
'can_change_teams', 'can_change_organizer_settings', 'all_event_permissions',
'can_manage_gift_cards', 'can_manage_customers', 'all_organizer_permissions',]
'can_manage_reusable_media',
'can_change_event_settings', 'can_change_items',
'can_view_orders', 'can_change_orders', 'can_checkin_orders',
'can_view_vouchers', 'can_change_vouchers']
widgets = { widgets = {
'limit_events': forms.CheckboxSelectMultiple(attrs={ 'limit_events': forms.CheckboxSelectMultiple(attrs={
'data-inverse-dependency': '#id_all_events', 'data-inverse-dependency': '#id_all_events',
@@ -327,15 +403,57 @@ class TeamForm(forms.ModelForm):
def clean(self): def clean(self):
data = super().clean() data = super().clean()
if self.instance.pk and not data['can_change_teams']:
data['limit_event_permissions'] = {}
if not data['all_event_permissions']:
for pg in get_all_event_permission_groups().values():
selected = data.get(f'event_{pg.name}', 'EMPTY')
if selected == "EMPTY":
selected_actions = []
else:
selected_actions = selected.split(',')
for action in pg.actions:
if action in selected_actions:
data['limit_event_permissions'][f"{pg.name}:{action}"] = True
self.instance.limit_event_permissions = data['limit_event_permissions']
data['limit_organizer_permissions'] = {}
if not data['all_organizer_permissions']:
for pg in get_all_organizer_permission_groups().values():
selected = data.get(f'organizer_{pg.name}', 'EMPTY')
if selected == "EMPTY":
selected_actions = []
else:
selected_actions = selected.split(',')
for action in pg.actions:
if action in selected_actions:
data['limit_organizer_permissions'][f"{pg.name}:{action}"] = True
self.instance.limit_organizer_permissions = data['limit_organizer_permissions']
if self.instance.pk and not data['all_organizer_permissions'] and 'organizer.teams:write' not in data.get('limit_organizer_permissions', []):
if not self.instance.organizer.teams.exclude(pk=self.instance.pk).filter( if not self.instance.organizer.teams.exclude(pk=self.instance.pk).filter(
can_change_teams=True, members__isnull=False TeamQuerySet.organizer_permission_q("organizer.teams:write"),
members__isnull=False
).exists(): ).exists():
raise ValidationError(_('The changes could not be saved because there would be no remaining team with ' raise ValidationError(_('The changes could not be saved because there would be no remaining team with '
'the permission to change teams and permissions.')) 'the permission to change teams and permissions.'))
return data return data
@property
def changed_data_for_log(self):
r = {}
for k in self.changed_data:
if k == "limit_events":
r[k] = [e.id for e in getattr(self.instance, k).all()]
elif k.startswith("event_"):
r["limit_event_permissions"] = self.instance.limit_event_permissions
elif k.startswith("organizer_"):
r["limit_organizer_permissions"] = self.instance.limit_organizer_permissions
else:
r[k] = getattr(self.instance, k)
return r
class GateForm(forms.ModelForm): class GateForm(forms.ModelForm):

1
src/pretix/control/logdisplay.py
View File

@@ -641,6 +641,7 @@ class TeamMembershipLogEntryType(LogEntryType):
'pretix.team.member.added': _('{user} has been added to the team.'), 'pretix.team.member.added': _('{user} has been added to the team.'),
'pretix.team.member.removed': _('{user} has been removed from the team.'), 'pretix.team.member.removed': _('{user} has been removed from the team.'),
'pretix.team.invite.created': _('{user} has been invited to the team.'), 'pretix.team.invite.created': _('{user} has been invited to the team.'),
'pretix.team.invite.deleted': _('Invite for {user} has been deleted.'),
'pretix.team.invite.resent': _('Invite for {user} has been resent.'), 'pretix.team.invite.resent': _('Invite for {user} has been resent.'),
}) })
class CoreTeamMembershipLogEntryType(TeamMembershipLogEntryType): class CoreTeamMembershipLogEntryType(TeamMembershipLogEntryType):

8
src/pretix/control/middleware.py
View File

@@ -45,7 +45,9 @@ from django.utils.translation import gettext as _
from django_scopes import scope from django_scopes import scope
from pretix.base.models import Event, Organizer from pretix.base.models import Event, Organizer
from pretix.base.models.auth import SuperuserPermissionSet, User from pretix.base.models.auth import (
EventPermissionSet, OrganizerPermissionSet, SuperuserPermissionSet, User,
)
from pretix.helpers.http import redirect_to_url from pretix.helpers.http import redirect_to_url
from pretix.helpers.security import ( from pretix.helpers.security import (
Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired, Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired,
@@ -170,7 +172,7 @@ class PermissionMiddleware:
if request.user.has_active_staff_session(request.session.session_key): if request.user.has_active_staff_session(request.session.session_key):
request.eventpermset = SuperuserPermissionSet() request.eventpermset = SuperuserPermissionSet()
else: else:
request.eventpermset = request.user.get_event_permission_set(request.organizer, request.event) request.eventpermset = EventPermissionSet(request.user.get_event_permission_set(request.organizer, request.event))
elif 'organizer' in url.kwargs: elif 'organizer' in url.kwargs:
if url.kwargs['organizer'] == '-': if url.kwargs['organizer'] == '-':
# This is a hack that just takes the user to ANY organizer. It's useful to link to features in support # This is a hack that just takes the user to ANY organizer. It's useful to link to features in support
@@ -192,7 +194,7 @@ class PermissionMiddleware:
if request.user.has_active_staff_session(request.session.session_key): if request.user.has_active_staff_session(request.session.session_key):
request.orgapermset = SuperuserPermissionSet() request.orgapermset = SuperuserPermissionSet()
else: else:
request.orgapermset = request.user.get_organizer_permission_set(request.organizer) request.orgapermset = OrganizerPermissionSet(request.user.get_organizer_permission_set(request.organizer))
with scope(organizer=getattr(request, 'organizer', None)): with scope(organizer=getattr(request, 'organizer', None)):
r = self.get_response(request) r = self.get_response(request)

335
src/pretix/control/navigation.py
View File

@@ -43,24 +43,29 @@ def get_event_navigation(request: HttpRequest):
'icon': 'dashboard', 'icon': 'dashboard',
} }
] ]
if 'can_change_event_settings' in request.eventpermset: event_settings = []
event_settings = [ if "event.settings.general:write" in request.eventpermset:
{ event_settings.append({
'label': _('General'), 'label': _('General'),
'url': reverse('control:event.settings', kwargs={ 'url': reverse('control:event.settings', kwargs={
'event': request.event.slug, 'event': request.event.slug,
'organizer': request.event.organizer.slug, 'organizer': request.event.organizer.slug,
}), }),
'active': url.url_name == 'event.settings', 'active': url.url_name == 'event.settings',
}, })
{
'label': _('Payment'), if "event.settings.payment:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
'url': reverse('control:event.settings.payment', kwargs={ event_settings.append({
'event': request.event.slug, 'label': _('Payment'),
'organizer': request.event.organizer.slug, 'url': reverse('control:event.settings.payment', kwargs={
}), 'event': request.event.slug,
'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'), 'organizer': request.event.organizer.slug,
}, }),
'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'),
})
if "event.settings.general:write" in request.eventpermset:
event_settings += [
{ {
'label': _('Plugins'), 'label': _('Plugins'),
'url': reverse('control:event.settings.plugins', kwargs={ 'url': reverse('control:event.settings.plugins', kwargs={
@@ -84,23 +89,31 @@ def get_event_navigation(request: HttpRequest):
'organizer': request.event.organizer.slug, 'organizer': request.event.organizer.slug,
}), }),
'active': url.url_name == 'event.settings.mail', 'active': url.url_name == 'event.settings.mail',
}, }
{ ]
'label': _('Taxes'),
'url': reverse('control:event.settings.tax', kwargs={ if "event.settings.tax:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
'event': request.event.slug, event_settings.append({
'organizer': request.event.organizer.slug, 'label': _('Taxes'),
}), 'url': reverse('control:event.settings.tax', kwargs={
'active': url.url_name.startswith('event.settings.tax'), 'event': request.event.slug,
}, 'organizer': request.event.organizer.slug,
{ }),
'label': _('Invoicing'), 'active': url.url_name.startswith('event.settings.tax'),
'url': reverse('control:event.settings.invoice', kwargs={ })
'event': request.event.slug,
'organizer': request.event.organizer.slug, if "event.settings.invoicing:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
}), event_settings.append({
'active': url.url_name == 'event.settings.invoice', 'label': _('Invoicing'),
}, 'url': reverse('control:event.settings.invoice', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': url.url_name == 'event.settings.invoice',
})
if "event.settings.general:write" in request.eventpermset:
event_settings += [
{ {
'label': pgettext_lazy('action', 'Cancellation'), 'label': pgettext_lazy('action', 'Cancellation'),
'url': reverse('control:event.settings.cancel', kwargs={ 'url': reverse('control:event.settings.cancel', kwargs={
@@ -118,88 +131,87 @@ def get_event_navigation(request: HttpRequest):
'active': url.url_name == 'event.settings.widget', 'active': url.url_name == 'event.settings.widget',
}, },
] ]
# It would be better to allow plugins to handle the permission themselves, but for backwards compatibility
# we need to have it in the "if" statement
event_settings += sorted( event_settings += sorted(
sum((list(a[1]) for a in nav_event_settings.send(request.event, request=request)), []), sum((list(a[1]) for a in nav_event_settings.send(request.event, request=request)), []),
key=lambda r: r['label'] key=lambda r: r['label']
) )
if event_settings:
nav.append({ nav.append({
'label': _('Settings'), 'label': _('Settings'),
'url': reverse('control:event.settings', kwargs={ 'url': event_settings[0]["url"],
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': False, 'active': False,
'icon': 'wrench', 'icon': 'wrench',
'children': event_settings 'children': event_settings
}) })
if 'can_change_items' in request.eventpermset: nav.append({
nav.append({ 'label': _('Products'),
'label': _('Products'), 'url': reverse('control:event.items', kwargs={
'url': reverse('control:event.items', kwargs={ 'event': request.event.slug,
'event': request.event.slug, 'organizer': request.event.organizer.slug,
'organizer': request.event.organizer.slug, }),
}), 'active': False,
'active': False, 'icon': 'ticket',
'icon': 'ticket', 'children': [
'children': [ {
{ 'label': _('Products'),
'label': _('Products'), 'url': reverse('control:event.items', kwargs={
'url': reverse('control:event.items', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': url.url_name in (
'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
},
{
'label': _('Quotas'),
'url': reverse('control:event.items.quotas', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.quota' in url.url_name,
},
{
'label': _('Categories'),
'url': reverse('control:event.items.categories', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.categories' in url.url_name,
},
{
'label': _('Questions'),
'url': reverse('control:event.items.questions', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.questions' in url.url_name,
},
{
'label': _('Discounts'),
'url': reverse('control:event.items.discounts', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.discounts' in url.url_name,
},
]
})
if 'can_change_event_settings' in request.eventpermset:
if request.event.has_subevents:
nav.append({
'label': pgettext_lazy('subevent', 'Dates'),
'url': reverse('control:event.subevents', kwargs={
'event': request.event.slug, 'event': request.event.slug,
'organizer': request.event.organizer.slug, 'organizer': request.event.organizer.slug,
}), }),
'active': ('event.subevent' in url.url_name), 'active': url.url_name in (
'icon': 'calendar', 'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
}) },
{
'label': _('Quotas'),
'url': reverse('control:event.items.quotas', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.quota' in url.url_name,
},
{
'label': _('Categories'),
'url': reverse('control:event.items.categories', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.categories' in url.url_name,
},
{
'label': _('Questions'),
'url': reverse('control:event.items.questions', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.questions' in url.url_name,
},
{
'label': _('Discounts'),
'url': reverse('control:event.items.discounts', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.items.discounts' in url.url_name,
},
]
})
if 'can_view_orders' in request.eventpermset: if request.event.has_subevents:
nav.append({
'label': pgettext_lazy('subevent', 'Dates'),
'url': reverse('control:event.subevents', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': ('event.subevent' in url.url_name),
'icon': 'calendar',
})
if 'event.orders:read' in request.eventpermset:
children = [ children = [
{ {
'label': _('All orders'), 'label': _('All orders'),
@@ -242,7 +254,7 @@ def get_event_navigation(request: HttpRequest):
'active': 'event.orders.waitinglist' in url.url_name, 'active': 'event.orders.waitinglist' in url.url_name,
}, },
] ]
if 'can_change_orders' in request.eventpermset: if 'event.orders:write' in request.eventpermset:
children.append({ children.append({
'label': _('Import'), 'label': _('Import'),
'url': reverse('control:event.orders.import', kwargs={ 'url': reverse('control:event.orders.import', kwargs={
@@ -261,8 +273,18 @@ def get_event_navigation(request: HttpRequest):
'icon': 'shopping-cart', 'icon': 'shopping-cart',
'children': children 'children': children
}) })
else:
nav.append({
'label': _('Export'),
'url': reverse('control:event.orders.export', kwargs={
'event': request.event.slug,
'organizer': request.event.organizer.slug,
}),
'active': 'event.orders.export' in url.url_name,
'icon': 'download',
})
if 'can_view_vouchers' in request.eventpermset: if 'event.vouchers:read' in request.eventpermset:
nav.append({ nav.append({
'label': _('Vouchers'), 'label': _('Vouchers'),
'url': reverse('control:event.vouchers', kwargs={ 'url': reverse('control:event.vouchers', kwargs={
@@ -291,7 +313,7 @@ def get_event_navigation(request: HttpRequest):
] ]
}) })
if 'can_view_orders' in request.eventpermset: if 'event.orders:read' in request.eventpermset or 'event.settings.general:write' in request.eventpermset:
nav.append({ nav.append({
'label': pgettext_lazy('navigation', 'Check-in'), 'label': pgettext_lazy('navigation', 'Check-in'),
'url': reverse('control:event.orders.checkinlists', kwargs={ 'url': reverse('control:event.orders.checkinlists', kwargs={
@@ -340,38 +362,43 @@ def get_global_navigation(request):
'active': (url.url_name == 'index'), 'active': (url.url_name == 'index'),
'icon': 'dashboard', 'icon': 'dashboard',
}, },
{ ]
'label': _('Events'), if request.user.is_in_any_teams:
'url': reverse('control:events'), nav += [
'active': 'events' in url.url_name, {
'icon': 'calendar', 'label': _('Events'),
}, 'url': reverse('control:events'),
{ 'active': 'events' in url.url_name,
'label': _('Organizers'), 'icon': 'calendar',
'url': reverse('control:organizers'), },
'active': 'organizers' in url.url_name, {
'icon': 'group', 'label': _('Organizers'),
}, 'url': reverse('control:organizers'),
{ 'active': 'organizers' in url.url_name,
'label': _('Search'), 'icon': 'group',
'url': reverse('control:search.orders'), },
'active': False, {
'icon': 'search', 'label': _('Search'),
'children': [ 'url': reverse('control:search.orders'),
{ 'active': False,
'label': _('Orders'), 'icon': 'search',
'url': reverse('control:search.orders'), 'children': [
'active': 'search.orders' in url.url_name, {
'icon': 'search', 'label': _('Orders'),
}, 'url': reverse('control:search.orders'),
{ 'active': 'search.orders' in url.url_name,
'label': _('Payments'), 'icon': 'search',
'url': reverse('control:search.payments'), },
'active': 'search.payments' in url.url_name, {
'icon': 'search', 'label': _('Payments'),
}, 'url': reverse('control:search.payments'),
] 'active': 'search.payments' in url.url_name,
}, 'icon': 'search',
},
]
},
]
nav += [
{ {
'label': _('User settings'), 'label': _('User settings'),
'url': reverse('control:user.settings'), 'url': reverse('control:user.settings'),
@@ -480,7 +507,7 @@ def get_organizer_navigation(request):
'icon': 'calendar', 'icon': 'calendar',
}, },
] ]
if 'can_change_organizer_settings' in request.orgapermset: if 'organizer.settings.general:write' in request.orgapermset:
nav.append({ nav.append({
'label': _('Settings'), 'label': _('Settings'),
'url': reverse('control:organizer.edit', kwargs={ 'url': reverse('control:organizer.edit', kwargs={
@@ -534,7 +561,7 @@ def get_organizer_navigation(request):
] ]
}) })
if 'can_change_teams' in request.orgapermset: if 'organizer.teams:write' in request.orgapermset:
nav.append({ nav.append({
'label': _('Teams'), 'label': _('Teams'),
'url': reverse('control:organizer.teams', kwargs={ 'url': reverse('control:organizer.teams', kwargs={
@@ -544,7 +571,7 @@ def get_organizer_navigation(request):
'icon': 'group', 'icon': 'group',
}) })
if 'can_manage_gift_cards' in request.orgapermset: if 'organizer.giftcards:read' in request.orgapermset or 'organizer.giftcards:write' in request.orgapermset:
children = [] children = []
children.append({ children.append({
'label': _('Gift cards'), 'label': _('Gift cards'),
@@ -554,7 +581,7 @@ def get_organizer_navigation(request):
'active': 'organizer.giftcard' in url.url_name and 'acceptance' not in url.url_name, 'active': 'organizer.giftcard' in url.url_name and 'acceptance' not in url.url_name,
'children': children, 'children': children,
}) })
if 'can_change_organizer_settings' in request.orgapermset: if 'organizer.settings.general:write' in request.orgapermset:
children.append( children.append(
{ {
'label': _('Acceptance'), 'label': _('Acceptance'),
@@ -575,7 +602,7 @@ def get_organizer_navigation(request):
if request.organizer.settings.customer_accounts: if request.organizer.settings.customer_accounts:
children = [] children = []
if 'can_manage_customers' in request.orgapermset: if 'organizer.customers:read' in request.orgapermset or 'organizer.customers:write' in request.orgapermset:
children.append( children.append(
{ {
'label': _('Customers'), 'label': _('Customers'),
@@ -585,7 +612,7 @@ def get_organizer_navigation(request):
'active': 'organizer.customer' in url.url_name, 'active': 'organizer.customer' in url.url_name,
} }
) )
if 'can_change_organizer_settings' in request.orgapermset: if 'organizer.settings.general:write' in request.orgapermset:
children.append( children.append(
{ {
'label': _('Membership types'), 'label': _('Membership types'),
@@ -624,16 +651,17 @@ def get_organizer_navigation(request):
}) })
if request.organizer.settings.reusable_media_active: if request.organizer.settings.reusable_media_active:
nav.append({ if 'organizer.reusablemedia:read' in request.orgapermset or 'organizer.reusablemedia:write' in request.orgapermset:
'label': _('Reusable media'), nav.append({
'url': reverse('control:organizer.reusable_media', kwargs={ 'label': _('Reusable media'),
'organizer': request.organizer.slug 'url': reverse('control:organizer.reusable_media', kwargs={
}), 'organizer': request.organizer.slug
'icon': 'key', }),
'active': 'organizer.reusable_medi' in url.url_name, 'icon': 'key',
}) 'active': 'organizer.reusable_medi' in url.url_name,
})
if 'can_change_organizer_settings' in request.orgapermset: if 'organizer.devices:read' in request.orgapermset or 'organizer.devices:write' in request.orgapermset:
nav.append({ nav.append({
'label': _('Devices'), 'label': _('Devices'),
'url': reverse('control:organizer.devices', kwargs={ 'url': reverse('control:organizer.devices', kwargs={
@@ -667,7 +695,7 @@ def get_organizer_navigation(request):
'icon': 'download', 'icon': 'download',
}) })
if 'can_change_organizer_settings' in request.orgapermset: if 'organizer.settings.general:write' in request.orgapermset:
merge_in(nav, [{ merge_in(nav, [{
'parent': reverse('control:organizer.export', kwargs={ 'parent': reverse('control:organizer.export', kwargs={
'organizer': request.organizer.slug, 'organizer': request.organizer.slug,
@@ -679,6 +707,7 @@ def get_organizer_navigation(request):
'active': (url.url_name == 'organizer.datasync.failedjobs'), 'active': (url.url_name == 'organizer.datasync.failedjobs'),
}]) }])
if 'organizer.outgoingmails:read' in request.orgapermset:
nav.append({ nav.append({
'label': _('Outgoing emails'), 'label': _('Outgoing emails'),
'url': reverse('control:organizer.outgoingmails', kwargs={ 'url': reverse('control:organizer.outgoingmails', kwargs={

17
src/pretix/control/permissions.py
View File

@@ -38,6 +38,9 @@ from django.core.exceptions import PermissionDenied
from django.urls import reverse from django.urls import reverse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from pretix.base.permissions import (
assert_valid_event_permission, assert_valid_organizer_permission,
)
from pretix.helpers.http import redirect_to_url from pretix.helpers.http import redirect_to_url
@@ -55,7 +58,9 @@ def event_permission_required(permission):
""" """
if permission == 'can_change_settings': if permission == 'can_change_settings':
# Legacy support # Legacy support
permission = 'can_change_event_settings' permission = 'event.settings.general:write'
assert_valid_event_permission(permission)
def decorator(function): def decorator(function):
def wrapper(request, *args, **kw): def wrapper(request, *args, **kw):
@@ -79,7 +84,7 @@ class EventPermissionRequiredMixin:
This mixin is equivalent to the event_permission_required view decorator but This mixin is equivalent to the event_permission_required view decorator but
is in a form suitable for class-based views. is in a form suitable for class-based views.
""" """
permission = '' permission = None # None means "any permission"
@classmethod @classmethod
def as_view(cls, **initkwargs): def as_view(cls, **initkwargs):
@@ -92,9 +97,11 @@ def organizer_permission_required(permission):
This view decorator rejects all requests with a 403 response which are not from This view decorator rejects all requests with a 403 response which are not from
users having the given permission for the event the request is associated with. users having the given permission for the event the request is associated with.
""" """
if permission == 'can_change_settings': if permission in ('event.settings.general:write', 'can_change_settings', 'can_change_event_settings'):
# Legacy support # Legacy support
permission = 'can_change_organizer_settings' permission = 'organizer.settings.general:write'
assert_valid_organizer_permission(permission)
def decorator(function): def decorator(function):
def wrapper(request, *args, **kw): def wrapper(request, *args, **kw):
@@ -116,7 +123,7 @@ class OrganizerPermissionRequiredMixin:
This mixin is equivalent to the organizer_permission_required view decorator but This mixin is equivalent to the organizer_permission_required view decorator but
is in a form suitable for class-based views. is in a form suitable for class-based views.
""" """
permission = '' permission = None # None means "any permission"
@classmethod @classmethod
def as_view(cls, **initkwargs): def as_view(cls, **initkwargs):

10
src/pretix/control/templates/pretixcontrol/checkin/index.html
View File

@@ -9,7 +9,7 @@
{% block content %} {% block content %}
<h1> <h1>
{% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %} {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
{% if 'can_change_event_settings' in request.eventpermset %} {% if 'event.settings.general:write' in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}" <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
class="btn btn-default"> class="btn btn-default">
<span class="fa fa-wrench"></span> <span class="fa fa-wrench"></span>
@@ -87,7 +87,7 @@
<thead> <thead>
<tr> <tr>
<th> <th>
{% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
<label aria-label="{% trans "select all rows for batch-operation" %}" <label aria-label="{% trans "select all rows for batch-operation" %}"
class="batch-select-label"><input type="checkbox" data-toggle-table/></label> class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
{% endif %} {% endif %}
@@ -132,7 +132,7 @@
{% for e in entries %} {% for e in entries %}
<tr> <tr>
<td> <td>
{% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
<input type="checkbox" name="checkin" id="id_checkin" class="" value="{{ e.pk }}"/> <input type="checkbox" name="checkin" id="id_checkin" class="" value="{{ e.pk }}"/>
{% endif %} {% endif %}
</td> </td>
@@ -207,7 +207,7 @@
</table> </table>
</div> </div>
<div class="batch-select-actions"> <div class="batch-select-actions">
{% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
<button type="submit" class="btn btn-primary btn-save"> <button type="submit" class="btn btn-primary btn-save">
<span class="fa fa-sign-in" aria-hidden="true"></span> <span class="fa fa-sign-in" aria-hidden="true"></span>
{% trans "Check-In selected attendees" %} {% trans "Check-In selected attendees" %}
@@ -217,7 +217,7 @@
{% trans "Check-Out selected attendees" %} {% trans "Check-Out selected attendees" %}
</button> </button>
{% endif %} {% endif %}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<button type="submit" class="btn btn-danger btn-save" name="revert" <button type="submit" class="btn btn-danger btn-save" name="revert"
formaction="{% url "control:event.orders.checkinlists.bulk_revert" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}" formaction="{% url "control:event.orders.checkinlists.bulk_revert" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
data-no-asynctask data-no-asynctask

50
src/pretix/control/templates/pretixcontrol/checkin/lists.html
View File

@@ -63,27 +63,27 @@
{% endif %} {% endif %}
</p> </p>
{% if "can_change_event_settings" in request.eventpermset %} {% if "event.settings.general:write" in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %} class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}
</a> </a>
{% endif %} {% endif %}
{% if can_change_organizer_settings %} {% if link_device_settings %}
<a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}" <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
class="btn btn-default btn-lg"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a> class="btn btn-default btn-lg"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
{% endif %} {% endif %}
</div> </div>
{% else %} {% else %}
<p> <p>
{% if "can_change_event_settings" in request.eventpermset %} {% if "event.settings.general:write" in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}</a> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}</a>
{% endif %} {% endif %}
{% if can_change_organizer_settings %} {% if link_device_settings %}
<a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}" <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
class="btn btn-default"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a> class="btn btn-default"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
{% endif %} {% endif %}
{% if "can_change_orders" in request.eventpermset %} {% if "event.settings.general:write" in request.eventpermset and "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.reset" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.orders.checkinlists.reset" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-default"> class="btn btn-default">
<span class="fa fa-repeat"></span> <span class="fa fa-repeat"></span>
@@ -100,7 +100,9 @@
<a href="?{% url_replace request 'ordering' '-name' %}"><i class="fa fa-caret-down"></i></a> <a href="?{% url_replace request 'ordering' '-name' %}"><i class="fa fa-caret-down"></i></a>
<a href="?{% url_replace request 'ordering' 'name' %}"><i class="fa fa-caret-up"></i></a> <a href="?{% url_replace request 'ordering' 'name' %}"><i class="fa fa-caret-up"></i></a>
</th> </th>
<th>{% trans "Checked in" %}</th> {% if "event.orders:read" in request.eventpermset %}
<th>{% trans "Checked in" %}</th>
{% endif %}
{% if request.event.has_subevents %} {% if request.event.has_subevents %}
<th> <th>
{% trans "Date" context "subevent" %} {% trans "Date" context "subevent" %}
@@ -119,18 +121,20 @@
<strong><a <strong><a
href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}">{{ cl.name }}</a></strong> href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}">{{ cl.name }}</a></strong>
</td> </td>
<td> {% if "event.orders:read" in request.eventpermset %}
<div class="quotabox availability"> <td>
<div class="progress"> <div class="quotabox availability">
<div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}"> <div class="progress">
<div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}">
</div>
</div>
<div class="numbers">
{{ cl.checkin_count|default_if_none:"0" }} /
{{ cl.position_count|default_if_none:"0" }}
</div> </div>
</div> </div>
<div class="numbers"> </td>
{{ cl.checkin_count|default_if_none:"0" }} / {% endif %}
{{ cl.position_count|default_if_none:"0" }}
</div>
</div>
</td>
{% if request.event.has_subevents %} {% if request.event.has_subevents %}
{% if cl.subevent %} {% if cl.subevent %}
<td> <td>
@@ -156,16 +160,18 @@
{% endif %} {% endif %}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}" {% if "event.orders:read" in request.eventpermset %}
class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a> <a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
{% if "can_change_event_settings" in request.eventpermset %} class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a>
<a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
{% endif %}
{% if "event.settings.general:write" in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ cl.id }}" <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ cl.id }}"
class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip"> class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
<span class="fa fa-copy"></span> <span class="fa fa-copy"></span>
</a> </a>
<a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
<a href="{% url "control:event.orders.checkinlists.edit" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}" <a href="{% url "control:event.orders.checkinlists.edit" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a> class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
<a href="{% url "control:event.orders.checkinlists.delete" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}" <a href="{% url "control:event.orders.checkinlists.delete" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"

2
src/pretix/control/templates/pretixcontrol/checkin/simulator.html
View File

@@ -10,7 +10,7 @@
{% block inside %} {% block inside %}
<h1> <h1>
{% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %} {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
{% if 'can_change_event_settings' in request.eventpermset %} {% if 'event.settings.general:write' in request.eventpermset %}
<a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}" <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
class="btn btn-default"> class="btn btn-default">
<span class="fa fa-wrench"></span> <span class="fa fa-wrench"></span>

42
src/pretix/control/templates/pretixcontrol/dashboard.html
View File

@@ -12,27 +12,29 @@
class="event-dropdown dropdown-menu"> class="event-dropdown dropdown-menu">
</ul> </ul>
</div> </div>
<h2>{% trans "Your upcoming events" %}</h2> {% if upcoming or can_create_event %}
<div class="dashboard"> <h2>{% trans "Your upcoming events" %}</h2>
{% if can_create_event %} <div class="dashboard">
<div class="widget-small widget-container"> {% if can_create_event %}
<a href="{% url "control:events.add" %}" class="widget"> <div class="widget-small widget-container">
<div class="newevent"><span class="fa fa-plus-circle"></span>{% trans "Create a new event" %}</div> <a href="{% url "control:events.add" %}" class="widget">
</a> <div class="newevent"><span class="fa fa-plus-circle"></span>{% trans "Create a new event" %}</div>
</div> </a>
{% endif %}
{% for w in upcoming %}
<div class="widget-{{ w.display_size|default:"small" }} {{ w.container_class|default:"widget-container" }} {% if w.lazy %}widget-lazy-loading{% endif %}" data-lazy-id="{{ w.lazy }}">
<div class="widget">
{% if w.lazy %}
<span class="fa fa-cog fa-4x"></span>
{% else %}
{{ w.content|safe }}
{% endif %}
</div> </div>
</div> {% endif %}
{% endfor %} {% for w in upcoming %}
</div> <div class="widget-{{ w.display_size|default:"small" }} {{ w.container_class|default:"widget-container" }} {% if w.lazy %}widget-lazy-loading{% endif %}" data-lazy-id="{{ w.lazy }}">
<div class="widget">
{% if w.lazy %}
<span class="fa fa-cog fa-4x"></span>
{% else %}
{{ w.content|safe }}
{% endif %}
</div>
</div>
{% endfor %}
</div>
{% endif %}
{% if upcoming %} {% if upcoming %}
<p class=""> <p class="">
<a href="{% url "control:events" %}?ordering=date_from&status=date_future" class=""> <a href="{% url "control:events" %}?ordering=date_from&status=date_future" class="">

24
src/pretix/control/templates/pretixcontrol/datasync/control_order_info.html
View File

@@ -11,18 +11,20 @@
<ul class="list-group"> <ul class="list-group">
{% for identifier, display_name, pending, objects in providers %} {% for identifier, display_name, pending, objects in providers %}
<li class="list-group-item"> <li class="list-group-item">
<form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right"> {% if "event.orders:write" in request.eventpermset %}
{% csrf_token %} <form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right">
{% if pending %} {% csrf_token %}
{% if pending.not_before > now or pending.need_manual_retry %} {% if pending %}
<button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button> {% if pending.not_before > now or pending.need_manual_retry %}
<button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button>
{% endif %}
<button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button>
{% else %}
<button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
<input type="hidden" name="queue_sync" value="true">
{% endif %} {% endif %}
<button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button> </form>
{% else %} {% endif %}
<button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
<input type="hidden" name="queue_sync" value="true">
{% endif %}
</form>
<p><b>{{ display_name }}</b></p> <p><b>{{ display_name }}</b></p>
{% if pending %} {% if pending %}
<p> <p>

16
src/pretix/control/templates/pretixcontrol/event/dangerzone.html
View File

@@ -40,12 +40,16 @@
this option. this option.
{% endblocktrans %} {% endblocktrans %}
</div> </div>
<div class="col-sm-12 col-md-3"> <div class="col-sm-12 col-md-3 text-center">
<a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}" {% if "event:cancel" in request.eventpermset %}
class="btn btn-danger btn-block btn-lg"> <a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}"
<span class="fa fa-ban"></span> class="btn btn-danger btn-block btn-lg">
{% trans "Cancel event" %} <span class="fa fa-ban"></span>
</a> {% trans "Cancel event" %}
</a>
{% else %}
{% trans "No permission" %}
{% endif %}
</div> </div>
</div> </div>
</div> </div>

2
src/pretix/control/templates/pretixcontrol/event/fragment_timeline.html
View File

@@ -19,7 +19,7 @@
<span class="{% if e.time < nearly_now %}text-muted{% endif %}"> <span class="{% if e.time < nearly_now %}text-muted{% endif %}">
{{ e.entry.description }} {{ e.entry.description }}
</span> </span>
{% if e.entry.edit_url %} {% if e.entry.edit_url and e.entry.edit_permission in request.eventpermset %}
&nbsp; &nbsp;
<a href="{{ e.entry.edit_url }}" class="text-muted"> <a href="{{ e.entry.edit_url }}" class="text-muted">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>

32
src/pretix/control/templates/pretixcontrol/event/index.html
View File

@@ -155,22 +155,24 @@
</form> </form>
</div> </div>
</div> </div>
<div class="panel panel-default"> {% if "event.orders:read" in request.eventpermset or "event.orders:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset or "event.items:write" in request.eventpermset %}
<div class="panel-heading"> <div class="panel panel-default">
<h3 class="panel-title"> <div class="panel-heading">
{% trans "Event logs" %} <h3 class="panel-title">
</h3> {% trans "Event logs" %}
</div> </h3>
<ul class="list-group" id="logs_target"> </div>
<div class="logs-lazy-loading"> <ul class="list-group" id="logs_target">
<span class="fa fa-cog fa-4x"></span> <div class="logs-lazy-loading">
<span class="fa fa-cog fa-4x"></span>
</div>
</ul>
<div class="panel-footer">
<a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
{% trans "Show more logs" %}
</a>
</div> </div>
</ul>
<div class="panel-footer">
<a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
{% trans "Show more logs" %}
</a>
</div> </div>
</div> {% endif %}
{% endblock %} {% endblock %}

18
src/pretix/control/templates/pretixcontrol/event/invoicing.html
View File

@@ -165,13 +165,15 @@
</p> </p>
</fieldset> </fieldset>
</div> </div>
<div class="form-group submit-group"> {% if "event.settings.invoicing:write" in request.eventpermset %}
<button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank"> <div class="form-group submit-group">
{% trans "Save and show preview" %} <button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank">
</button> {% trans "Save and show preview" %}
<button type="submit" class="btn btn-primary btn-save"> </button>
{% trans "Save" %} <button type="submit" class="btn btn-primary btn-save">
</button> {% trans "Save" %}
</div> </button>
</div>
{% endif %}
</form> </form>
{% endblock %} {% endblock %}

26
src/pretix/control/templates/pretixcontrol/event/payment.html
View File

@@ -41,14 +41,17 @@
{% endfor %} {% endfor %}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}" {% if "event.settings.payment:write" in request.eventpermset %}
class="btn btn-default"> <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
<span class="fa fa-cog"></span> class="btn btn-default">
{% trans "Settings" %} <span class="fa fa-cog"></span>
</a> {% trans "Settings" %}
</a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
{% if "event.settings.general:write" in request.eventpermset %}
<tr> <tr>
<td colspan="4"> <td colspan="4">
<br> <br>
@@ -58,6 +61,7 @@
</a> </a>
</td> </td>
</tr> </tr>
{% endif %}
</tbody> </tbody>
</table> </table>
@@ -83,10 +87,12 @@
{% bootstrap_field form.payment_explanation layout="control" %} {% bootstrap_field form.payment_explanation layout="control" %}
</fieldset> </fieldset>
</div> </div>
<div class="form-group submit-group"> {% if "event.settings.payment:write" in request.eventpermset %}
<button type="submit" class="btn btn-primary btn-save"> <div class="form-group submit-group">
{% trans "Save" %} <button type="submit" class="btn btn-primary btn-save">
</button> {% trans "Save" %}
</div> </button>
</div>
{% endif %}
</form> </form>
{% endblock %} {% endblock %}

50
src/pretix/control/templates/pretixcontrol/event/tax.html
View File

@@ -23,8 +23,10 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if "event.settings.tax:write" in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a> <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<div class="table-responsive"> <div class="table-responsive">
@@ -42,10 +44,14 @@
{% for tr in taxrules %} {% for tr in taxrules %}
<tr> <tr>
<td> <td>
<strong><a {% if "event.settings.tax:write" in request.eventpermset %}
href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"> <strong><a
{{ tr.internal_name|default:tr.name }} href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
</a></strong> {{ tr.internal_name|default:tr.name }}
</a></strong>
{% else %}
<strong>{{ tr.internal_name|default:tr.name }}</strong>
{% endif %}
</td> </td>
<td> <td>
{% if tr.default %} {% if tr.default %}
@@ -53,7 +59,7 @@
<span class="fa fa-check"></span> <span class="fa fa-check"></span>
{% trans "Default" %} {% trans "Default" %}
</span> </span>
{% else %} {% elif "event.settings.tax:write" in request.eventpermset %}
<form class="form-inline" method="post" <form class="form-inline" method="post"
action="{% url "control:event.settings.tax.default" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"> action="{% url "control:event.settings.tax.default" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
{% csrf_token %} {% csrf_token %}
@@ -83,10 +89,12 @@
{% endif %} {% endif %}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}" {% if "event.settings.tax:write" in request.eventpermset %}
class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> <a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
<a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> <a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
@@ -94,9 +102,11 @@
<tfoot> <tfoot>
<tr> <tr>
<td colspan="5"> <td colspan="5">
<a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if "event.settings.tax:write" in request.eventpermset %}
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %} <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
</a> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}
</a>
{% endif %}
</td> </td>
</tr> </tr>
</tfoot> </tfoot>
@@ -111,10 +121,12 @@
{% bootstrap_field form.tax_rounding layout="control" %} {% bootstrap_field form.tax_rounding layout="control" %}
{% bootstrap_field form.display_net_prices layout="control" %} {% bootstrap_field form.display_net_prices layout="control" %}
</fieldset> </fieldset>
<div class="form-group submit-group"> {% if "event.settings.tax:write" in request.eventpermset %}
<button type="submit" class="btn btn-primary btn-save"> <div class="form-group submit-group">
{% trans "Save" %} <button type="submit" class="btn btn-primary btn-save">
</button> {% trans "Save" %}
</div> </button>
</div>
{% endif %}
</form> </form>
{% endblock %} {% endblock %}

30
src/pretix/control/templates/pretixcontrol/giftcards/payment.html
View File

@@ -3,16 +3,26 @@
<dl class="dl-horizontal"> <dl class="dl-horizontal">
<dt>{% trans "Gift card code" %}</dt> <dt>{% trans "Gift card code" %}</dt>
<dd> <dd>
<a href="{% url "control:organizer.giftcard" organizer=gc.issuer.slug giftcard=gc.pk %}"> {% if gc %}
{{ gc.secret }} <a href="{% url "control:organizer.giftcard" organizer=gc.issuer.slug giftcard=gc.pk %}">
</a> {{ gc.secret }}
{% if gc.issuer != request.organizer %} </a>
<span class="text-muted"> {% if gc.issuer.slug != request.organizer %}
<br> <span class="text-muted">
<span class="fa fa-group"></span> {{ gc.issuer }} <br>
</span> <span class="fa fa-group"></span> {{ gc.issuer }}
</span>
{% endif %}
{% elif gift_card_secret %}
{{ gift_card_secret }}
{% endif %} {% endif %}
</dd> </dd>
<dt>{% trans "Issuer" %}</dt> {% if gc %}
<dd>{{ gc.issuer }}</dd> <dt>{% trans "Issuer" %}</dt>
<dd>{{ gc.issuer }}</dd>
{% endif %}
{% if error %}
<dt>{% trans "Error" %}</dt>
<dd>{{ error }}</dd>
{% endif %}
</dl> </dl>

42
src/pretix/control/templates/pretixcontrol/items/categories.html
View File

@@ -16,14 +16,18 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a> <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<p> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %} <p>
</a> <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %}
</p> </a>
</p>
{% endif %}
<form method="post"> <form method="post">
{% csrf_token %} {% csrf_token %}
<div class="table-responsive"> <div class="table-responsive">
@@ -39,7 +43,11 @@
{% for c in categories %} {% for c in categories %}
<tr data-dnd-id="{{ c.id }}"> <tr data-dnd-id="{{ c.id }}">
<td> <td>
<strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong> {% if 'event.items:write' in request.eventpermset %}
<strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
{% else %}
<strong>{{ c.internal_name|default:c.name }}</strong>
{% endif %}
<br> <br>
<small class="text-muted"> <small class="text-muted">
#{{ c.pk }} #{{ c.pk }}
@@ -49,15 +57,17 @@
{{ c.get_category_type_display }} {{ c.get_category_type_display }}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button> {% if 'event.items:write' in request.eventpermset %}
<button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button> <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
<span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span> <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
<a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
<a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}" <a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip"> <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}"
<span class="fa fa-copy"></span> class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
</a> <span class="fa fa-copy"></span>
<a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> </a>
<a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

60
src/pretix/control/templates/pretixcontrol/items/discounts.html
View File

@@ -39,15 +39,19 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a> <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<p> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %} <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
</a> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}
</p> </a>
</p>
{% endif %}
<form method="post"> <form method="post">
{% csrf_token %} {% csrf_token %}
<div class="table-responsive"> <div class="table-responsive">
@@ -70,8 +74,12 @@
{% else %} {% else %}
<del> <del>
{% endif %} {% endif %}
<a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}">
{{ d.internal_name }}</a> {{ d.internal_name }}</a>
{% else %}
{{ d.internal_name }}
{% endif %}
{% if d.active %} {% if d.active %}
</strong> </strong>
{% else %} {% else %}
@@ -134,23 +142,25 @@
</td> </td>
{% endif %} {% endif %}
<td class="text-right flip"> <td class="text-right flip">
<button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}" <button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
{% if forloop.counter0 == 0 and not page_obj.has_previous %} class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}"
disabled{% endif %}><i class="fa fa-arrow-up"></i></button> {% if forloop.counter0 == 0 and not page_obj.has_previous %}
<button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}" disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}" <button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}> class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}"
<i class="fa fa-arrow-down"></i></button> {% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}>
<span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span> <i class="fa fa-arrow-down"></i></button>
<a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}" <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
<a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip"> <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}"
<span class="fa fa-copy"></span> class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
</a> <span class="fa fa-copy"></span>
<a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}" </a>
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> <a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

40
src/pretix/control/templates/pretixcontrol/items/index.html
View File

@@ -21,14 +21,18 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a> <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<p> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a> <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
</p> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
</p>
{% endif %}
<form method="post"> <form method="post">
{% csrf_token %} {% csrf_token %}
<div class="table-responsive"> <div class="table-responsive">
@@ -51,7 +55,9 @@
<tbody> <tbody>
<tr class="sortable-disabled"><th colspan="9" scope="colgroup" class="text-muted"> <tr class="sortable-disabled"><th colspan="9" scope="colgroup" class="text-muted">
{{ c.internal_name|default:c.name }}{% if c.category_type != "normal" %} <span class="font-normal">({{ c.get_category_type_display }})</span>{% endif %} {{ c.internal_name|default:c.name }}{% if c.category_type != "normal" %} <span class="font-normal">({{ c.get_category_type_display }})</span>{% endif %}
<a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a>
{% endif %}
</th></tr> </th></tr>
</tbody> </tbody>
{% endif %} {% endif %}
@@ -62,7 +68,11 @@
<tr data-dnd-id="{{ i.id }}" {% if not i.active %}class="row-muted"{% endif %}> <tr data-dnd-id="{{ i.id }}" {% if not i.active %}class="row-muted"{% endif %}>
<td><strong> <td><strong>
{% if not i.active %}<strike>{% endif %} {% if not i.active %}<strike>{% endif %}
<a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a>
{% else %}
{{ i }}
{% endif %}
{% if not i.active %}</strike>{% endif %} {% if not i.active %}</strike>{% endif %}
</strong> </strong>
<br> <br>
@@ -158,12 +168,14 @@
{% endif %} {% endif %}
</td> </td>
<td class="text-right flip col-actions"> <td class="text-right flip col-actions">
<button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button> {% if 'event.items:write' in request.eventpermset %}
<button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button> <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
<span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span> <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
<a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a> <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
<a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a> <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a>
<a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a> <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a>
<a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

80
src/pretix/control/templates/pretixcontrol/items/question.html
View File

@@ -7,45 +7,57 @@
{% block inside %} {% block inside %}
<h1> <h1>
{% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %} {% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %}
<a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-default"> <a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}"
<span class="fa fa-edit"></span> class="btn btn-default">
{% trans "Edit question" %} <span class="fa fa-edit"></span>
</a> {% trans "Edit question" %}
</a>
{% endif %}
</h1> </h1>
<div class="panel panel-default"> {% if 'event.orders:read' in request.eventpermset %}
<div class="panel-heading"> <div class="panel panel-default">
<h3 class="panel-title">{% trans "Filter" %}</h3> <div class="panel-heading">
<h3 class="panel-title">{% trans "Filter" %}</h3>
</div>
<form class="panel-body filter-form" action="" method="get">
<div class="row">
<div class="col-md-2 col-xs-6">
{% bootstrap_field form.status %}
</div>
<div class="col-md-3 col-xs-6">
{% bootstrap_field form.item %}
</div>
{% if has_subevents %}
<div class="col-md-3 col-xs-6">
{% bootstrap_field form.subevent %}
</div>
<div class="col-md-4 col-xs-6">
{% bootstrap_field form.date_range %}
</div>
{% endif %}
</div>
<div class="text-right">
<button class="btn btn-primary btn-lg" type="submit">
<span class="fa fa-filter"></span>
{% trans "Filter" %}
</button>
</div>
</form>
</div> </div>
<form class="panel-body filter-form" action="" method="get"> {% endif %}
<div class="row">
<div class="col-md-2 col-xs-6">
{% bootstrap_field form.status %}
</div>
<div class="col-md-3 col-xs-6">
{% bootstrap_field form.item %}
</div>
{% if has_subevents %}
<div class="col-md-3 col-xs-6">
{% bootstrap_field form.subevent %}
</div>
<div class="col-md-4 col-xs-6">
{% bootstrap_field form.date_range %}
</div>
{% endif %}
</div>
<div class="text-right">
<button class="btn btn-primary btn-lg" type="submit">
<span class="fa fa-filter"></span>
{% trans "Filter" %}
</button>
</div>
</form>
</div>
<div class="row"> <div class="row">
{% if not stats %} {% if 'event.orders:read' not in request.eventpermset %}
<div class="empty-collection col-md-10 col-xs-12">
<p>
{% blocktrans trimmed %}
No permission to view answers.
{% endblocktrans %}
</p>
</div>
{% elif not stats %}
<div class="empty-collection col-md-10 col-xs-12"> <div class="empty-collection col-md-10 col-xs-12">
<p> <p>
{% blocktrans trimmed %} {% blocktrans trimmed %}

32
src/pretix/control/templates/pretixcontrol/items/questions.html
View File

@@ -10,10 +10,12 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
{% csrf_token %} {% csrf_token %}
<p> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %} <p>
</a> <a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %}
</p> </a>
</p>
{% endif %}
<div class="table-responsive"> <div class="table-responsive">
<table class="table table-hover table-quotas"> <table class="table table-hover table-quotas">
<thead> <thead>
@@ -24,7 +26,9 @@
<th class="iconcol"></th> <th class="iconcol"></th>
<th class="iconcol"></th> <th class="iconcol"></th>
<th>{% trans "Products" %}</th> <th>{% trans "Products" %}</th>
<th class="action-col-2"></th> {% if 'event.items:write' in request.eventpermset %}
<th class="action-col-2"></th>
{% endif %}
<th class="action-col-2"></th> <th class="action-col-2"></th>
</tr> </tr>
</thead> </thead>
@@ -79,16 +83,22 @@
<small>{% trans "All personalized products" %}</small> <small>{% trans "All personalized products" %}</small>
{% endif %} {% endif %}
</td> </td>
<td class="dnd-container"> {% if 'event.items:write' in request.eventpermset %}
</td> <td class="dnd-container">
</td>
{% endif %}
<td class="text-right flip"> <td class="text-right flip">
{% if q.pk %} {% if q.pk %}
<a href="{% url "control:event.items.questions.show" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-bar-chart"></i></a> <a href="{% url "control:event.items.questions.show" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-bar-chart"></i></a>
<a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> <a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
<a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
{% else %} {% else %}
<a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open" {% if 'event.settings.general:write' in request.eventpermset %}
class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a> <a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open"
class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
{% endif %}
{% endif %} {% endif %}
</td> </td>
</tr> </tr>

2
src/pretix/control/templates/pretixcontrol/items/quota.html
View File

@@ -7,7 +7,7 @@
{% block inside %} {% block inside %}
<h1> <h1>
{% blocktrans with name=quota.name %}Quota: {{ name }}{% endblocktrans %} {% blocktrans with name=quota.name %}Quota: {{ name }}{% endblocktrans %}
{% if 'can_change_items' in request.eventpermset %} {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.quotas.edit" event=request.event.slug organizer=request.event.organizer.slug quota=quota.pk %}" <a href="{% url "control:event.items.quotas.edit" event=request.event.slug organizer=request.event.organizer.slug quota=quota.pk %}"
class="btn btn-default"> class="btn btn-default">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>

30
src/pretix/control/templates/pretixcontrol/items/quotas.html
View File

@@ -30,14 +30,18 @@
{% endif %} {% endif %}
</p> </p>
<a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if 'event.items:write' in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a> <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<p> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %} <p>
</a> <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
</p> </a>
</p>
{% endif %}
<div class="table-responsive"> <div class="table-responsive">
<table class="table table-hover table-quotas"> <table class="table table-hover table-quotas">
<thead> <thead>
@@ -91,12 +95,14 @@
<td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td> <td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td>
<td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td> <td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> {% if 'event.items:write' in request.eventpermset %}
<a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}" <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip"> <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
<span class="fa fa-copy"></span> class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
</a> <span class="fa fa-copy"></span>
<a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> </a>
<a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

28
src/pretix/control/templates/pretixcontrol/order/index.html
View File

@@ -26,7 +26,7 @@
{% endif %} {% endif %}
{% include "pretixcontrol/orders/fragment_order_status.html" with order=order class="pull-right flip" %} {% include "pretixcontrol/orders/fragment_order_status.html" with order=order class="pull-right flip" %}
</h1> </h1>
{% if 'can_change_orders' in request.eventpermset %} {% if 'event.orders:write' in request.eventpermset %}
<form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" <form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"
method="post"> method="post">
{% csrf_token %} {% csrf_token %}
@@ -193,7 +193,7 @@
<dt>{% trans "Order locale" %}</dt> <dt>{% trans "Order locale" %}</dt>
<dd> <dd>
{{ display_locale }} {{ display_locale }}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.locale" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs"> <a href="{% url "control:event.order.locale" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
</a> </a>
@@ -220,7 +220,7 @@
{{ order.customer.identifier }} {{ order.customer.email }} {{ order.customer.identifier }} {{ order.customer.email }}
</a> </a>
{% endif %} {% endif %}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs"> <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
</a> </a>
@@ -233,7 +233,7 @@
{% if order.email and order.email_known_to_work %} {% if order.email and order.email_known_to_work %}
<span class="fa fa-check-circle text-success" data-toggle="tooltip" title="{% trans "We know that this email address works because the user clicked a link we sent them." %}"></span> <span class="fa fa-check-circle text-success" data-toggle="tooltip" title="{% trans "We know that this email address works because the user clicked a link we sent them." %}"></span>
{% endif %} {% endif %}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs"> <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
</a> </a>
@@ -257,7 +257,7 @@
<dt>{% trans "Phone number" %}</dt> <dt>{% trans "Phone number" %}</dt>
<dd> <dd>
{{ order.phone|default_if_none:""|phone_format }} {{ order.phone|default_if_none:""|phone_format }}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs"> <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
</a> </a>
@@ -319,7 +319,7 @@
<span class="fa fa-check text-success fa-stack-1x fa-stack-shifted"></span> <span class="fa fa-check text-success fa-stack-1x fa-stack-shifted"></span>
</span> </span>
{% endif %} {% endif %}
{% if i.transmission_status != "inflight" %} {% if i.transmission_status != "inflight" and "event.orders:write" in request.eventpermset %}
<form class="form-inline helper-display-inline" method="post" <form class="form-inline helper-display-inline" method="post"
action="{% url "control:event.order.retransmitinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}"> action="{% url "control:event.order.retransmitinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
{% csrf_token %} {% csrf_token %}
@@ -334,7 +334,7 @@
</form> </form>
{% endif %} {% endif %}
{% if not i.canceled %} {% if not i.canceled %}
{% if i.regenerate_allowed %} {% if i.regenerate_allowed and "event.orders:write" in request.eventpermset %}
<form class="form-inline helper-display-inline" method="post" <form class="form-inline helper-display-inline" method="post"
action="{% url "control:event.order.regeninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}"> action="{% url "control:event.order.regeninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
{% csrf_token %} {% csrf_token %}
@@ -344,7 +344,7 @@
</button> </button>
</form> </form>
{% endif %} {% endif %}
{% if not i.is_cancellation %} {% if not i.is_cancellation and "event.orders:write" in request.eventpermset %}
<form class="form-inline helper-display-inline" method="post" <form class="form-inline helper-display-inline" method="post"
action="{% url "control:event.order.reissueinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}"> action="{% url "control:event.order.reissueinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
{% csrf_token %} {% csrf_token %}
@@ -371,7 +371,7 @@
<br/> <br/>
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if can_generate_invoice and 'can_change_orders' in request.eventpermset %} {% if can_generate_invoice and 'event.orders:write' in request.eventpermset %}
<br/> <br/>
<form class="form-inline helper-display-inline" method="post" <form class="form-inline helper-display-inline" method="post"
action="{% url "control:event.order.geninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"> action="{% url "control:event.order.geninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
@@ -382,7 +382,7 @@
</form> </form>
{% endif %} {% endif %}
</dd> </dd>
{% elif can_generate_invoice and 'can_change_orders' in request.eventpermset %} {% elif can_generate_invoice and 'event.orders:write' in request.eventpermset %}
<dt>{% trans "Invoices" %}</dt> <dt>{% trans "Invoices" %}</dt>
<dd> <dd>
<form class="form-inline helper-display-inline" method="post" <form class="form-inline helper-display-inline" method="post"
@@ -400,7 +400,7 @@
<div class="panel panel-default items"> <div class="panel panel-default items">
<div class="panel-heading"> <div class="panel-heading">
<div class="pull-right flip"> <div class="pull-right flip">
{% if 'can_change_orders' in request.eventpermset %} {% if 'event.orders:write' in request.eventpermset %}
<a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"> <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
{% trans "Change answers" %} {% trans "Change answers" %}
@@ -893,7 +893,7 @@
{% endfor %} {% endfor %}
</tbody> </tbody>
</table> </table>
{% if order.payment_refund_sum > 0 and "can_change_orders" in request.eventpermset %} {% if order.payment_refund_sum > 0 and "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.refunds.start" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default"> <a href="{% url "control:event.order.refunds.start" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default">
{% trans "Create a refund" %} {% trans "Create a refund" %}
</a> </a>
@@ -1012,7 +1012,7 @@
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading"> <div class="panel-heading">
<div class="pull-right flip"> <div class="pull-right flip">
{% if 'can_change_orders' in request.eventpermset %} {% if 'event.orders:write' in request.eventpermset %}
<a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"> <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
<span class="fa fa-edit"></span> <span class="fa fa-edit"></span>
{% trans "Change" %} {% trans "Change" %}
@@ -1088,7 +1088,7 @@
{% bootstrap_field comment_form.custom_followup_at %} {% bootstrap_field comment_form.custom_followup_at %}
{% bootstrap_field comment_form.checkin_attention show_help=True show_label=False %} {% bootstrap_field comment_form.checkin_attention show_help=True show_label=False %}
{% bootstrap_field comment_form.checkin_text show_help=True show_label=False %} {% bootstrap_field comment_form.checkin_text show_help=True show_label=False %}
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<button class="btn btn-default"> <button class="btn btn-default">
{% trans "Update comment" %} {% trans "Update comment" %}
</button> </button>

6
src/pretix/control/templates/pretixcontrol/orders/export.html
View File

@@ -34,7 +34,7 @@
{% if s.export_verbose_name == "?" %} {% if s.export_verbose_name == "?" %}
<strong class="text-danger"> <strong class="text-danger">
<span class="fa fa-warning fa-fw"></span> <span class="fa fa-warning fa-fw"></span>
{% trans "Exporter not found" %} {% trans "Exporter not found or no permission" %}
</strong> </strong>
{% elif s.error_counter >= 5 %} {% elif s.error_counter >= 5 %}
<strong class="text-danger"> <strong class="text-danger">
@@ -115,5 +115,9 @@
</a> </a>
{% endfor %} {% endfor %}
</div> </div>
{% empty %}
<p class="empty-collection">
{% trans "There are no exporters available for you." %}
</p>
{% endfor %} {% endfor %}
{% endblock %} {% endblock %}

22
src/pretix/control/templates/pretixcontrol/orders/export_form.html
View File

@@ -39,16 +39,18 @@
</fieldset> </fieldset>
{% if schedule_form %} {% if schedule_form %}
{% include "pretixcontrol/orders/fragment_export_schedule_form.html" %} {% include "pretixcontrol/orders/fragment_export_schedule_form.html" %}
<div class="form-group submit-group"> {% if not no_save %}
<button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit" <div class="form-group submit-group">
class="btn btn-primary btn-save" data-no-asynctask> <button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit"
{% if scheduled_copy_from %} class="btn btn-primary btn-save" data-no-asynctask>
{% trans "Save copy" %} {% if scheduled_copy_from %}
{% else %} {% trans "Save copy" %}
{% trans "Save" %} {% else %}
{% endif %} {% trans "Save" %}
</button> {% endif %}
</div> </button>
</div>
{% endif %}
{% else %} {% else %}
<div class="form-group submit-group"> <div class="form-group submit-group">
<button type="submit" class="btn btn-primary btn-save"> <button type="submit" class="btn btn-primary btn-save">

8
src/pretix/control/templates/pretixcontrol/orders/index.html
View File

@@ -122,7 +122,7 @@
<table class="table table-condensed table-hover table-orders"> <table class="table table-condensed table-hover table-orders">
<thead> <thead>
<tr> <tr>
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<th> <th>
<label aria-label="{% trans "select all rows for batch-operation" %}" <label aria-label="{% trans "select all rows for batch-operation" %}"
class="batch-select-label"><input type="checkbox" data-toggle-table/></label> class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
@@ -154,7 +154,7 @@
<a href="?{% url_replace request 'ordering' 'status' %}"><i class="fa fa-caret-up"></i></a> <a href="?{% url_replace request 'ordering' 'status' %}"><i class="fa fa-caret-up"></i></a>
</th> </th>
</tr> </tr>
{% if page_obj.paginator.num_pages > 1 and "can_change_orders" in request.eventpermset %} {% if page_obj.paginator.num_pages > 1 and "event.orders:write" in request.eventpermset %}
<tr class="table-select-all warning hidden"> <tr class="table-select-all warning hidden">
<td> <td>
<input type="checkbox" name="__ALL" id="__all" <input type="checkbox" name="__ALL" id="__all"
@@ -171,7 +171,7 @@
<tbody> <tbody>
{% for o in orders %} {% for o in orders %}
<tr> <tr>
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<td> <td>
<label aria-label="{% trans "select row for batch-operation" %}" <label aria-label="{% trans "select row for batch-operation" %}"
class="batch-select-label"><input type="checkbox" name="order" class="batch-select-label"><input type="checkbox" name="order"
@@ -281,7 +281,7 @@
{% endif %} {% endif %}
</table> </table>
</div> </div>
{% if "can_change_orders" in request.eventpermset %} {% if "event.orders:write" in request.eventpermset %}
<div class="batch-select-actions"> <div class="batch-select-actions">
<div class="btn-group dropup"> <div class="btn-group dropup">
<button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"

44
src/pretix/control/templates/pretixcontrol/orders/refunds.html
View File

@@ -100,28 +100,30 @@
{{ r.amount|money:request.event.currency }} {{ r.amount|money:request.event.currency }}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
{% if r.state == "transit" or r.state == "created" %} {% if "event.orders:write" in request.eventpermset %}
<a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}" {% if r.state == "transit" or r.state == "created" %}
class="btn btn-danger btn-xs" data-toggle="tooltip"> <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
<span class="fa fa-times"></span> class="btn btn-danger btn-xs" data-toggle="tooltip">
{% trans "Cancel" %} <span class="fa fa-times"></span>
</a> {% trans "Cancel" %}
<a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}" </a>
class="btn btn-primary btn-xs" data-toggle="tooltip"> <a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
<span class="fa fa-check"></span> class="btn btn-primary btn-xs" data-toggle="tooltip">
{% trans "Confirm as done" %} <span class="fa fa-check"></span>
</a> {% trans "Confirm as done" %}
</a>
{% elif r.state == "external" %} {% elif r.state == "external" %}
<a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}" <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
class="btn btn-default btn-xs" data-toggle="tooltip"> class="btn btn-default btn-xs" data-toggle="tooltip">
<span class="fa fa-times"></span> <span class="fa fa-times"></span>
{% trans "Ignore" %} {% trans "Ignore" %}
</a> </a>
<a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}" <a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
class="btn btn-primary btn-xs" data-toggle="tooltip"> class="btn btn-primary btn-xs" data-toggle="tooltip">
<span class="fa fa-check"></span> <span class="fa fa-check"></span>
{% trans "Process refund" %} {% trans "Process refund" %}
</a> </a>
{% endif %}
{% endif %} {% endif %}
</td> </td>
</tr> </tr>

100
src/pretix/control/templates/pretixcontrol/organizers/customer.html
View File

@@ -93,16 +93,18 @@
{% endif %} {% endif %}
</dl> </dl>
</form> </form>
<div class="text-right"> {% if "organizer.customers:write" in request.orgapermset %}
<a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}" <div class="text-right">
class="btn btn-default"> <a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}"
<i class="fa fa-edit"></i> {% trans "Edit" %} class="btn btn-default">
</a> <i class="fa fa-edit"></i> {% trans "Edit" %}
<a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}" </a>
class="btn btn-danger"> <a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}"
<i class="fa fa-trash"></i> {% trans "Anonymize" %} class="btn btn-danger">
</a> <i class="fa fa-trash"></i> {% trans "Anonymize" %}
</div> </a>
</div>
{% endif %}
</div> </div>
</div> </div>
<div class="panel panel-default items"> <div class="panel panel-default items">
@@ -162,35 +164,39 @@
</div> </div>
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}" {% if "organizer.customers:write" in request.orgapermset %}
data-toggle="tooltip" <a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
title="{% trans "Edit" %}"
class="btn btn-default">
<i class="fa fa-edit"></i>
</a>
{% if m.testmode %}
<a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
data-toggle="tooltip" data-toggle="tooltip"
title="{% trans "Delete" %}" title="{% trans "Edit" %}"
class="btn btn-danger"> class="btn btn-default">
<i class="fa fa-trash"></i> <i class="fa fa-edit"></i>
</a> </a>
{% if m.testmode %}
<a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
data-toggle="tooltip"
title="{% trans "Delete" %}"
class="btn btn-danger">
<i class="fa fa-trash"></i>
</a>
{% endif %}
{% endif %} {% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
<tfoot> {% if "organizer.customers:write" in request.orgapermset %}
<tr> <tfoot>
<td colspan="7"> <tr>
<a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}" <td colspan="7">
class="btn btn-default"> <a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}"
<i class="fa fa-plus"></i> class="btn btn-default">
{% trans "Add membership" %} <i class="fa fa-plus"></i>
</a> {% trans "Add membership" %}
</td> </a>
</tr> </td>
</tfoot> </tr>
</tfoot>
{% endif %}
</table> </table>
</div> </div>
<div class="panel panel-default items"> <div class="panel panel-default items">
@@ -300,14 +306,18 @@
{% for gc in gift_cards %} {% for gc in gift_cards %}
<tr> <tr>
<td> <td>
<a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"> {% if "organizer.giftcards:read" in request.orgapermset %}
<strong>{{ gc.secret }}</strong></a> <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}">
{% if gc.testmode %} <strong>{{ gc.secret }}</strong></a>
<span class="label label-warning">{% trans "TEST MODE" %}</span> {% else %}
{% endif %} <strong>{{ gc.secret|slice:":3" }}…</strong>
{% if gc.expired %} {% endif %}
<span class="label label-danger">{% trans "Expired" %}</span> {% if gc.testmode %}
{% endif %} <span class="label label-warning">{% trans "TEST MODE" %}</span>
{% endif %}
{% if gc.expired %}
<span class="label label-danger">{% trans "Expired" %}</span>
{% endif %}
</td> </td>
<td>{{ gc.issuance|date:"SHORT_DATETIME_FORMAT" }}</td> <td>{{ gc.issuance|date:"SHORT_DATETIME_FORMAT" }}</td>
<td>{% if gc.expires %}{{ gc.expires|date:"SHORT_DATETIME_FORMAT" }}{% endif %}</td> <td>{% if gc.expires %}{{ gc.expires|date:"SHORT_DATETIME_FORMAT" }}{% endif %}</td>
@@ -316,10 +326,12 @@
<p class="text-right">{{ gc.value|money:gc.currency }}</p> <p class="text-right">{{ gc.value|money:gc.currency }}</p>
</td> </td>
<td class="text-right"> <td class="text-right">
<a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}" {% if "organizer.giftcards:read" in request.orgapermset %}
class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}"> <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"
<i class="fa fa-eye"></i> class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}">
</a> <i class="fa fa-eye"></i>
</a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

16
src/pretix/control/templates/pretixcontrol/organizers/customers.html
View File

@@ -15,8 +15,10 @@
No customer accounts have been created yet. No customer accounts have been created yet.
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}" {% if "organizer.customers:write" in request.orgapermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a> <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<div class="panel panel-default"> <div class="panel panel-default">
@@ -43,10 +45,12 @@
</div> </div>
</form> </form>
</div> </div>
<p> {% if "organizer.customers:write" in request.orgapermset %}
<a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a> <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
</p> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
</p>
{% endif %}
<div class="table-responsive"> <div class="table-responsive">
<table class="table table-condensed table-hover"> <table class="table table-condensed table-hover">
<thead> <thead>

6
src/pretix/control/templates/pretixcontrol/organizers/detail.html
View File

@@ -7,7 +7,7 @@
{% blocktrans with name=request.organizer.name %}Organizer: {{ name }}{% endblocktrans %} {% blocktrans with name=request.organizer.name %}Organizer: {{ name }}{% endblocktrans %}
</h1> </h1>
{% if events|length == 0 and not filter_form.filtered %} {% if events|length == 0 and not filter_form.filtered %}
{% if "can_create_events" in request.orgapermset %} {% if "organizer.events:create" in request.orgapermset %}
<p> <p>
<a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary"> <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
<span class="fa fa-plus"></span> <span class="fa fa-plus"></span>
@@ -51,7 +51,7 @@
</div> </div>
</form> </form>
</div> </div>
{% if "can_create_events" in request.orgapermset %} {% if "organizer.events:create" in request.orgapermset %}
<p> <p>
<a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary"> <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
<span class="fa fa-plus"></span> <span class="fa fa-plus"></span>
@@ -147,7 +147,7 @@
data-toggle="tooltip"> data-toggle="tooltip">
<span class="fa fa-eye"></span> <span class="fa fa-eye"></span>
</a> </a>
{% if "can_create_events" in request.orgapermset %} {% if "organizer.events:create" in request.orgapermset %}
<a href="{% url "control:events.add" %}?clone={{ e.pk }}" class="btn btn-sm btn-default" <a href="{% url "control:events.add" %}?clone={{ e.pk }}" class="btn btn-sm btn-default"
title="{% trans "Clone event" %}" data-toggle="tooltip"> title="{% trans "Clone event" %}" data-toggle="tooltip">
<span class="fa fa-copy"></span> <span class="fa fa-copy"></span>

72
src/pretix/control/templates/pretixcontrol/organizers/devices.html
View File

@@ -51,10 +51,12 @@
</div> </div>
</form> </form>
</div> </div>
<p> {% if "organizer.devices:write" in request.orgapermset %}
<a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a> <a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}"
</p> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a>
</p>
{% endif %}
<form action="{% url "control:organizer.device.bulk_edit" organizer=request.organizer.slug %}" method="post"> <form action="{% url "control:organizer.device.bulk_edit" organizer=request.organizer.slug %}" method="post">
{% csrf_token %} {% csrf_token %}
{% for field in filter_form %} {% for field in filter_form %}
@@ -64,10 +66,12 @@
<table class="table table-condensed table-hover table-quotas"> <table class="table table-condensed table-hover table-quotas">
<thead> <thead>
<tr> <tr>
<th> {% if "organizer.devices:write" in request.orgapermset %}
<label aria-label="{% trans "select all rows for batch-operation" %}" <th>
class="batch-select-label"><input type="checkbox" data-toggle-table/></label> <label aria-label="{% trans "select all rows for batch-operation" %}"
</th> class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
</th>
{% endif %}
<th>{% trans "Device ID" %} <th>{% trans "Device ID" %}
<a href="?{% url_replace request 'ordering' '-device_id' %}"><i <a href="?{% url_replace request 'ordering' '-device_id' %}"><i
class="fa fa-caret-down"></i></a> class="fa fa-caret-down"></i></a>
@@ -105,12 +109,14 @@
<tbody> <tbody>
{% for d in devices %} {% for d in devices %}
<tr {% if d.revoked %}class="text-muted"{% endif %}> <tr {% if d.revoked %}class="text-muted"{% endif %}>
<td> {% if "organizer.devices:write" in request.orgapermset %}
<label aria-label="{% trans "select row for batch-operation" %}" <td>
class="batch-select-label"><input type="checkbox" name="device" <label aria-label="{% trans "select row for batch-operation" %}"
class="batch-select-checkbox" class="batch-select-label"><input type="checkbox" name="device"
value="{{ d.pk }}"/></label> class="batch-select-checkbox"
</td> value="{{ d.pk }}"/></label>
</td>
{% endif %}
<td> <td>
{{ d.device_id }} {{ d.device_id }}
</td> </td>
@@ -158,15 +164,17 @@
{% endif %} {% endif %}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
{% if not d.initialized %} {% if "organizer.devices:write" in request.orgapermset %}
<a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}" {% if not d.initialized %}
class="btn btn-primary btn-sm"><i class="fa fa-link"></i> <a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}"
{% trans "Connect" %}</a> class="btn btn-primary btn-sm"><i class="fa fa-link"></i>
{% endif %} {% trans "Connect" %}</a>
{% if not d.initialized or d.api_token %} {% endif %}
<a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}" {% if not d.initialized or d.api_token %}
class="btn btn-default btn-sm"> <a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}"
{% trans "Revoke access" %}</a> class="btn btn-default btn-sm">
{% trans "Revoke access" %}</a>
{% endif %}
{% endif %} {% endif %}
{% if d.initialized %} {% if d.initialized %}
<a href="{% url "control:organizer.device.logs" organizer=request.organizer.slug device=d.id %}" <a href="{% url "control:organizer.device.logs" organizer=request.organizer.slug device=d.id %}"
@@ -175,19 +183,23 @@
{% trans "Logs" %} {% trans "Logs" %}
</a> </a>
{% endif %} {% endif %}
<a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}" {% if "organizer.devices:write" in request.orgapermset %}
class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> <a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}"
class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
</table> </table>
</div> </div>
<div class="batch-select-actions"> {% if "organizer.devices:write" in request.orgapermset %}
<button type="submit" class="btn btn-primary btn-save" name="action" value="edit"> <div class="batch-select-actions">
<i class="fa fa-edit"></i>{% trans "Edit selected" %} <button type="submit" class="btn btn-primary btn-save" name="action" value="edit">
</button> <i class="fa fa-edit"></i>{% trans "Edit selected" %}
</div> </button>
</div>
{% endif %}
</form> </form>
{% include "pretixcontrol/pagination.html" %} {% include "pretixcontrol/pagination.html" %}
{% endif %} {% endif %}

6
src/pretix/control/templates/pretixcontrol/organizers/export.html
View File

@@ -34,7 +34,7 @@
{% if s.export_verbose_name == "?" %} {% if s.export_verbose_name == "?" %}
<strong class="text-danger"> <strong class="text-danger">
<span class="fa fa-warning fa-fw"></span> <span class="fa fa-warning fa-fw"></span>
{% trans "Exporter not found" %} {% trans "Exporter not found or no permission" %}
</strong> </strong>
{% elif s.error_counter >= 5 %} {% elif s.error_counter >= 5 %}
<strong class="text-danger"> <strong class="text-danger">
@@ -115,5 +115,9 @@
</a> </a>
{% endfor %} {% endfor %}
</div> </div>
{% empty %}
<p class="empty-collection">
{% trans "There are no exporters available for you." %}
</p>
{% endfor %} {% endfor %}
{% endblock %} {% endblock %}

22
src/pretix/control/templates/pretixcontrol/organizers/export_form.html
View File

@@ -40,16 +40,18 @@
</fieldset> </fieldset>
{% if schedule_form %} {% if schedule_form %}
{% include "pretixcontrol/orders/fragment_export_schedule_form.html" %} {% include "pretixcontrol/orders/fragment_export_schedule_form.html" %}
<div class="form-group submit-group"> {% if not no_save %}
<button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit" <div class="form-group submit-group">
class="btn btn-primary btn-save" data-no-asynctask> <button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit"
{% if scheduled_copy_from %} class="btn btn-primary btn-save" data-no-asynctask>
{% trans "Save copy" %} {% if scheduled_copy_from %}
{% else %} {% trans "Save copy" %}
{% trans "Save" %} {% else %}
{% endif %} {% trans "Save" %}
</button> {% endif %}
</div> </button>
</div>
{% endif %}
{% else %} {% else %}
<div class="form-group submit-group"> <div class="form-group submit-group">
<button type="submit" class="btn btn-primary btn-save"> <button type="submit" class="btn btn-primary btn-save">

28
src/pretix/control/templates/pretixcontrol/organizers/gates.html
View File

@@ -6,10 +6,12 @@
<p> <p>
{% trans "The list below shows gates that you can use to group check-in devices." %} {% trans "The list below shows gates that you can use to group check-in devices." %}
</p> </p>
<a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default"> {% if "organizer.devices:write" in request.orgapermset %}
<span class="fa fa-plus"></span> <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
{% trans "Create a new gate" %} <span class="fa fa-plus"></span>
</a> {% trans "Create a new gate" %}
</a>
{% endif %}
<table class="table table-condensed table-hover"> <table class="table table-condensed table-hover">
<thead> <thead>
<tr> <tr>
@@ -21,15 +23,21 @@
{% for g in gates %} {% for g in gates %}
<tr> <tr>
<td><strong> <td><strong>
<a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"> {% if "organizer.devices:write" in request.orgapermset %}
<a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
{{ g.name }}
</a>
{% else %}
{{ g.name }} {{ g.name }}
</a> {% endif %}
</strong></td> </strong></td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}" {% if "organizer.devices:write" in request.orgapermset %}
class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
<a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}

42
src/pretix/control/templates/pretixcontrol/organizers/giftcard.html
View File

@@ -10,10 +10,12 @@
{% if card.testmode %} {% if card.testmode %}
<span class="label label-warning">{% trans "TEST MODE" %}</span> <span class="label label-warning">{% trans "TEST MODE" %}</span>
{% endif %} {% endif %}
<a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}" {% if "organizer.giftcards:write" in request.orgapermset %}
class="btn btn-default"> <a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}"
<i class="fa fa-edit"></i> {% trans "Edit" %} class="btn btn-default">
</a> <i class="fa fa-edit"></i> {% trans "Edit" %}
</a>
{% endif %}
</h1> </h1>
<div class="row"> <div class="row">
<div class="col-md-10 col-xs-12"> <div class="col-md-10 col-xs-12">
@@ -112,22 +114,24 @@
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
<tfoot> {% if "organizer.giftcards:write" in request.orgapermset %}
<tr> <tfoot>
<td></td> <tr>
<td> <td></td>
<input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}" <td>
name="text"> <input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}"
</td> name="text">
<td class="text-right form-inline"> </td>
<input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value"> <td class="text-right form-inline">
<button type="submit" class="btn btn-primary"> <input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value">
<span class="fa fa-plus"></span> <button type="submit" class="btn btn-primary">
</button> <span class="fa fa-plus"></span>
</td> </button>
</td>
</tr> </tr>
</tfoot> </tfoot>
{% endif %}
</table> </table>
</form> </form>
</div> </div>

19
src/pretix/control/templates/pretixcontrol/organizers/giftcards.html
View File

@@ -15,10 +15,11 @@
or you can manually issue gift cards. or you can manually issue gift cards.
{% endblocktrans %} {% endblocktrans %}
</p> </p>
{% if "organizer.giftcards:write" in request.orgapermset %}
<a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}" <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %} class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}
</a> </a>
{% endif %}
</div> </div>
{% else %} {% else %}
<div class="panel panel-default"> <div class="panel panel-default">
@@ -45,10 +46,12 @@
</div> </div>
</form> </form>
</div> </div>
<p> {% if "organizer.giftcards:write" in request.orgapermset %}
<a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a> <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
</p> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a>
</p>
{% endif %}
<div class="table-responsive"> <div class="table-responsive">
<table class="table table-condensed table-hover"> <table class="table table-condensed table-hover">
<thead> <thead>

32
src/pretix/control/templates/pretixcontrol/organizers/reusable_media.html
View File

@@ -15,8 +15,10 @@
No media have been created yet. No media have been created yet.
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}" {% if "organizer.reusablemedia:write" in request.orgapermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a> <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<div class="panel panel-default"> <div class="panel panel-default">
@@ -40,10 +42,12 @@
</div> </div>
</form> </form>
</div> </div>
<p> {% if "organizer.reusablemedia:write" in request.orgapermset %}
<a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}" <p>
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a> <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
</p> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
</p>
{% endif %}
<div class="table-responsive"> <div class="table-responsive">
<table class="table table-condensed table-hover"> <table class="table table-condensed table-hover">
<thead> <thead>
@@ -77,9 +81,13 @@
{% if m.customer %} {% if m.customer %}
<span class="helper-display-block"> <span class="helper-display-block">
<span class="fa fa-user fa-fw"></span> <span class="fa fa-user fa-fw"></span>
<a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}"> {% if "organizer.customers:read" in request.orgapermset %}
<a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}">
{{ m.customer }}
</a>
{% else %}
{{ m.customer }} {{ m.customer }}
</a> {% endif %}
</span> </span>
{% endif %} {% endif %}
{% if m.linked_orderposition %} {% if m.linked_orderposition %}
@@ -92,8 +100,12 @@
{% if m.linked_giftcard %} {% if m.linked_giftcard %}
<span class="helper-display-block"> <span class="helper-display-block">
<span class="fa fa-credit-card fa-fw"></span> <span class="fa fa-credit-card fa-fw"></span>
<a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}"> {% if "organizer.giftcards:read" in request.orgapermset %}
{{ m.linked_giftcard.secret }}</a> <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}">
{{ m.linked_giftcard.secret }}</a>
{% else %}
{{ m.linked_giftcard.secret|slice:":3" }}…
{% endif %}
</span> </span>
{% endif %} {% endif %}
</td> </td>

106
src/pretix/control/templates/pretixcontrol/organizers/reusable_medium.html
View File

@@ -22,60 +22,68 @@
</h3> </h3>
</div> </div>
<div class="panel-body"> <div class="panel-body">
<form action="" method="post"> <dl class="dl-horizontal">
{% csrf_token %} <dt>{% trans "Media type" context "reusable_media" %}</dt>
<dl class="dl-horizontal"> <dd>{{ medium.get_type_display }}</dd>
<dt>{% trans "Media type" context "reusable_media" %}</dt> <dt>{% trans "Identifier" context "reusable_media" %}</dt>
<dd>{{ medium.get_type_display }}</dd> <dd><code>{{ medium.identifier }}</code></dd>
<dt>{% trans "Identifier" context "reusable_media" %}</dt> <dt>{% trans "Status" %}</dt>
<dd><code>{{ medium.identifier }}</code></dd> <dd>
<dt>{% trans "Status" %}</dt> {% if not medium.active %}
<dd> {% trans "disabled" %}
{% if not medium.active %} {% elif medium.is_expired %}
{% trans "disabled" %} {% trans "expired" %}
{% elif medium.is_expired %} {% else %}
{% trans "expired" %} {% trans "active" %}
{% else %} {% endif %}
{% trans "active" %} </dd>
{% endif %} <dt>{% trans "Connections" context "reusable_media" %}</dt>
</dd> <dd>
<dt>{% trans "Connections" context "reusable_media" %}</dt> {% if medium.customer %}
<dd> <span class="helper-display-block">
{% if medium.customer %} <span class="fa fa-user fa-fw"></span>
<span class="helper-display-block"> {% if "organizer.customers:read" in request.orgapermset %}
<span class="fa fa-user fa-fw"></span>
<a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=medium.customer.identifier %}"> <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=medium.customer.identifier %}">
{{ medium.customer }} {{ medium.customer }}
</a> </a>
</span> {% else %}
{{ medium.customer }}
{% endif %} {% endif %}
{% if medium.linked_orderposition %} </span>
<span class="helper-display-block">
<span class="fa fa-ticket fa-fw"></span>
<a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
{{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
</span>
{% endif %}
{% if medium.linked_giftcard %}
<span class="helper-display-block">
<span class="fa fa-credit-card fa-fw"></span>
<a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
{{ medium.linked_giftcard.secret }}</a>
</span>
{% endif %}
</dd>
{% if medium.notes %}
<dt>{% trans "Notes" %}</dt>
<dd>{{ medium.notes }}</dd>
{% endif %} {% endif %}
</dl> {% if medium.linked_orderposition %}
</form> <span class="helper-display-block">
<div class="text-right"> <span class="fa fa-ticket fa-fw"></span>
<a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}" <a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
class="btn btn-default"> {{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
<i class="fa fa-edit"></i> {% trans "Edit" %} </span>
</a> {% endif %}
</div> {% if medium.linked_giftcard %}
<span class="helper-display-block">
<span class="fa fa-credit-card fa-fw"></span>
{% if "organizer.giftcards:read" in request.orgapermset %}
<a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
{{ medium.linked_giftcard.secret }}
</a>
{% else %}
{{ medium.linked_giftcard.secret|slice:":3" }}…
{% endif %}
</span>
{% endif %}
</dd>
{% if medium.notes %}
<dt>{% trans "Notes" %}</dt>
<dd>{{ medium.notes }}</dd>
{% endif %}
</dl>
{% if "organizer.reusablemedia:write" in request.orgapermset %}
<div class="text-right">
<a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}"
class="btn btn-default">
<i class="fa fa-edit"></i> {% trans "Edit" %}
</a>
</div>
{% endif %}
</div> </div>
</div> </div>
</div> </div>

26
src/pretix/control/templates/pretixcontrol/organizers/team_edit.html
View File

@@ -1,6 +1,7 @@
{% extends "pretixcontrol/organizers/base.html" %} {% extends "pretixcontrol/organizers/base.html" %}
{% load i18n %} {% load i18n %}
{% load bootstrap3 %} {% load bootstrap3 %}
{% load getitem %}
{% block inner %} {% block inner %}
{% if team %} {% if team %}
<h1>{% trans "Team:" %} {{ team.name }}</h1> <h1>{% trans "Team:" %} {{ team.name }}</h1>
@@ -22,25 +23,24 @@
</fieldset> </fieldset>
<fieldset> <fieldset>
<legend>{% trans "Organizer permissions" %}</legend> <legend>{% trans "Organizer permissions" %}</legend>
{% bootstrap_field form.can_create_events layout="control" %} {% bootstrap_field form.all_organizer_permissions layout="control" %}
{% bootstrap_field form.can_manage_gift_cards layout="control" %} <div class="team-permission-groups col-md-9 col-md-offset-3" data-display-dependency="#id_all_organizer_permissions" data-inverse>
{% bootstrap_field form.can_manage_customers layout="control" %} {% for f in form.organizer_field_names %}
{% bootstrap_field form.can_manage_reusable_media layout="control" %} {% bootstrap_field form|getitem:f layout="control" %}
{% bootstrap_field form.can_change_teams layout="control" %} {% endfor %}
{% bootstrap_field form.can_change_organizer_settings layout="control" %} </div>
</fieldset> </fieldset>
<fieldset> <fieldset>
<legend>{% trans "Event permissions" %}</legend> <legend>{% trans "Event permissions" %}</legend>
{% bootstrap_field form.all_events layout="control" %} {% bootstrap_field form.all_events layout="control" %}
{% bootstrap_field form.limit_events layout="control" %} {% bootstrap_field form.limit_events layout="control" %}
{% bootstrap_field form.can_change_event_settings layout="control" %} {% bootstrap_field form.all_event_permissions layout="control" %}
{% bootstrap_field form.can_change_items layout="control" %} <div class="team-permission-groups col-md-9 col-md-offset-3" data-display-dependency="#id_all_event_permissions" data-inverse>
{% bootstrap_field form.can_view_orders layout="control" %} {% for f in form.event_field_names %}
{% bootstrap_field form.can_change_orders layout="control" %} {% bootstrap_field form|getitem:f layout="control" %}
{% bootstrap_field form.can_checkin_orders layout="control" %} {% endfor %}
{% bootstrap_field form.can_view_vouchers layout="control" %} </div>
{% bootstrap_field form.can_change_vouchers layout="control" %}
</fieldset> </fieldset>
<div class="form-group submit-group"> <div class="form-group submit-group">
<button type="submit" class="btn btn-primary btn-save"> <button type="submit" class="btn btn-primary btn-save">

86
src/pretix/control/templates/pretixcontrol/subevents/index.html
View File

@@ -13,12 +13,14 @@
{% endblocktrans %} {% endblocktrans %}
</p> </p>
<a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}" {% if "event.subevents:write" in request.eventpermset %}
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
{% trans "Create a new date" context "subevent" %}</a> class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
<a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}" {% trans "Create a new date" context "subevent" %}</a>
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
{% trans "Create many new dates" context "subevent" %}</a> class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
{% trans "Create many new dates" context "subevent" %}</a>
{% endif %}
</div> </div>
{% else %} {% else %}
<div class="panel panel-default"> <div class="panel panel-default">
@@ -65,7 +67,7 @@
</div> </div>
</form> </form>
</div> </div>
{% if "can_change_event_settings" in request.eventpermset %} {% if "event.subevents:write" in request.eventpermset %}
<p> <p>
<a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-default"><i class="fa fa-plus"></i> class="btn btn-default"><i class="fa fa-plus"></i>
@@ -84,11 +86,13 @@
<table class="table table-hover table-quotas"> <table class="table table-hover table-quotas">
<thead> <thead>
<tr> <tr>
<th> {% if "event.subevents:write" in request.eventpermset %}
{% if "can_change_event_settings" in request.eventpermset %} <th>
<label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label> {% if "event.subevents:write" in request.eventpermset %}
{% endif %} <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
</th> {% endif %}
</th>
{% endif %}
<th> <th>
{% trans "Name" %} {% trans "Name" %}
</th> </th>
@@ -107,7 +111,7 @@
</th> </th>
<th></th> <th></th>
</tr> </tr>
{% if "can_change_event_settings" in request.eventpermset and page_obj.paginator.num_pages > 1 %} {% if "event.subevents:write" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
<tr class="table-select-all warning hidden"> <tr class="table-select-all warning hidden">
<td> <td>
<input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}"> <input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}">
@@ -123,11 +127,11 @@
<tbody> <tbody>
{% for s in subevents %} {% for s in subevents %}
<tr> <tr>
<td> {% if "event.subevents:write" in request.eventpermset %}
{% if "can_change_event_settings" in request.eventpermset %} <td>
<label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="subevent" class="batch-select-checkbox" value="{{ s.pk }}"/></label> <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="subevent" class="batch-select-checkbox" value="{{ s.pk }}"/></label>
{% endif %} </td>
</td> {% endif %}
<td> <td>
<strong><a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}"> <strong><a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}">
{{ s.name }}</a></strong><br> {{ s.name }}</a></strong><br>
@@ -173,35 +177,39 @@
{% endif %} {% endif %}
</td> </td>
<td class="text-right flip"> <td class="text-right flip">
<a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a> {% if "event.orders:read" in request.eventpermset %}
<a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a>
{% endif %}
<a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a> {% if "event.subevents:write" in request.eventpermset %}
<div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}"> <a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
<button type="button" class="btn btn-default btn-sm dropdown-toggle" <div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}">
data-toggle="dropdown"> <button type="button" class="btn btn-default btn-sm dropdown-toggle"
<span class="fa fa-copy"></span> data-toggle="dropdown">
</button> <span class="fa fa-copy"></span>
<ul class="dropdown-menu dropdown-menu-right"> </button>
<li> <ul class="dropdown-menu dropdown-menu-right">
<a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}"> <li>
{% trans "Use as a template for a new date" context "subevent" %} <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
</a> {% trans "Use as a template for a new date" context "subevent" %}
</li> </a>
<li> </li>
<a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}"> <li>
{% trans "Use as a template for many new dates" context "subevent" %} <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
</a> {% trans "Use as a template for many new dates" context "subevent" %}
</li> </a>
</ul> </li>
</div> </ul>
<a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a> </div>
<a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
{% endif %}
</td> </td>
</tr> </tr>
{% endfor %} {% endfor %}
</tbody> </tbody>
</table> </table>
</div> </div>
{% if "can_change_event_settings" in request.eventpermset %} {% if "event.subevents:write" in request.eventpermset %}
<div class="batch-select-actions"> <div class="batch-select-actions">
<button type="submit" class="btn btn-danger btn-save" name="action" value="delete"> <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
<i class="fa fa-trash"></i>{% trans "Delete selected" %} <i class="fa fa-trash"></i>{% trans "Delete selected" %}

2
src/pretix/control/templates/pretixcontrol/vouchers/detail.html
View File

@@ -120,7 +120,7 @@
</div> </div>
</div> </div>
</div> </div>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<div class="form-group submit-group"> <div class="form-group submit-group">
<button type="submit" class="btn btn-primary btn-save"> <button type="submit" class="btn btn-primary btn-save">
{% trans "Save" %} {% trans "Save" %}

12
src/pretix/control/templates/pretixcontrol/vouchers/index.html
View File

@@ -72,7 +72,7 @@
{% endif %} {% endif %}
</p> </p>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a> class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a>
<a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
@@ -83,7 +83,7 @@
</div> </div>
{% else %} {% else %}
<p> <p>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}"
class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a> class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a>
<a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}" <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
@@ -103,7 +103,7 @@
<table class="table table-hover table-quotas"> <table class="table table-hover table-quotas">
<thead> <thead>
<tr> <tr>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<th> <th>
<label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"> <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label">
<input type="checkbox" data-toggle-table /> <input type="checkbox" data-toggle-table />
@@ -148,7 +148,7 @@
<tbody> <tbody>
{% for v in vouchers %} {% for v in vouchers %}
<tr> <tr>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<td> <td>
<label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"> <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label">
<input type="checkbox" name="voucher" class="batch-select-checkbox" value="{{ v.pk }}"/> <input type="checkbox" name="voucher" class="batch-select-checkbox" value="{{ v.pk }}"/>
@@ -192,7 +192,7 @@
</td> </td>
{% endif %} {% endif %}
<td class="text-right flip"> <td class="text-right flip">
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ v.id }}" <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ v.id }}"
class="btn btn-sm btn-default" title="{% trans "Use as a template for new vouchers" %}" data-toggle="tooltip"> class="btn btn-sm btn-default" title="{% trans "Use as a template for new vouchers" %}" data-toggle="tooltip">
<span class="fa fa-copy"></span> <span class="fa fa-copy"></span>
@@ -205,7 +205,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
{% if "can_change_vouchers" in request.eventpermset %} {% if "event.vouchers:write" in request.eventpermset %}
<div class="batch-select-actions"> <div class="batch-select-actions">
<button type="submit" class="btn btn-danger" name="action" value="delete"> <button type="submit" class="btn btn-danger" name="action" value="delete">
<i class="fa fa-trash" aria-hidden="true"></i> <i class="fa fa-trash" aria-hidden="true"></i>

Some files were not shown because too many files have changed in this diff Show More