Fix pdf_data selection

2022-07-21 09:11:33 +02:00
parent 0d1ebf4e58
commit 4cc249e20e
4 changed files with 74 additions and 2 deletions
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -422,14 +422,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        request = self.context.get('request')
-        pdf_data_allowed = (
+        pdf_data_forbidden = (
            # We check this based on permission if we are on /events/…/orders/ or /events/…/orderpositions/ or
            # /events/…/checkinlists/…/positions/
            # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
            # layer to not set pdf_data=true in the first place.
            request and hasattr(request, 'event') and 'can_view_orders' not in request.eventpermset
        )
-        if not self.context.get('pdf_data') or pdf_data_allowed:
+        if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
            self.fields.pop('pdf_data', None)

    def validate(self, data):
--- a/src/tests/api/test_checkin.py
+++ b/src/tests/api/test_checkin.py
@@ -1303,6 +1303,7 @@ def test_search(token_client, organizer, event, clist, clist_all, item, other_it
        ))
    assert resp.status_code == 200
    assert [p1] == resp.data['results']
+    assert not resp.data['results'][0].get('pdf_data')


@pytest.mark.django_db
--- a/src/tests/api/test_order_create.py
+++ b/src/tests/api/test_order_create.py
@@ -211,6 +211,7 @@ def test_order_create(token_client, organizer, event, item, quota, question):
        ), format='json', data=res
    )
    assert resp.status_code == 201
+    assert not resp.data['positions'][0].get('pdf_data')
    with scopes_disabled():
        o = Order.objects.get(code=resp.data['code'])
    assert o.customer == customer
@@ -2549,3 +2550,20 @@ def test_order_create_voucher_block_quota(token_client, organizer, event, item,
        ), format='json', data=res
    )
    assert resp.status_code == 201
+
+
+@pytest.mark.django_db
+def test_order_create_pdf_data(token_client, organizer, event, item, quota, question):
+    res = copy.deepcopy(ORDER_CREATE_PAYLOAD)
+    res['positions'][0]['item'] = item.pk
+    res['positions'][0]['answers'][0]['question'] = question.pk
+    with scopes_disabled():
+        customer = organizer.customers.create()
+    res['customer'] = customer.identifier
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/?pdf_data=true'.format(
+            organizer.slug, event.slug
+        ), format='json', data=res
+    )
+    assert resp.status_code == 201
+    assert 'secret' in resp.data['positions'][0]['pdf_data']
--- a/src/tests/api/test_orders.py
+++ b/src/tests/api/test_orders.py
@@ -1654,3 +1654,56 @@ def test_revoked_secret_list(token_client, organizer, event):
    ))
    assert resp.status_code == 200
    assert [res] == resp.data['results']
+
+
+@pytest.mark.django_db
+def test_pdf_data(token_client, organizer, event, order):
+    # order detail
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/{}/?pdf_data=true'.format(
+        organizer.slug, event.slug, order.code
+    ))
+    assert resp.status_code == 200
+    assert resp.data['positions'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/{}/'.format(
+        organizer.slug, event.slug, order.code
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['positions'][0].get('pdf_data')
+
+    # order list
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/?pdf_data=true'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert resp.data['results'][0]['positions'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['results'][0]['positions'][0].get('pdf_data')
+
+    # position list
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/?pdf_data=true'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert resp.data['results'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['results'][0].get('pdf_data')
+
+    posid = resp.data['results'][0]['id']
+
+    # position detail
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/{}/?pdf_data=true'.format(
+        organizer.slug, event.slug, posid
+    ))
+    assert resp.status_code == 200
+    assert resp.data.get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/{}/'.format(
+        organizer.slug, event.slug, posid
+    ))
+    assert resp.status_code == 200
+    assert not resp.data.get('pdf_data')