From 4cc249e20eb849140c1dc65d2d733df29dd1ca9d Mon Sep 17 00:00:00 2001
From: Raphael Michel <michel@rami.io>
Date: Thu, 21 Jul 2022 09:11:33 +0200
Subject: [PATCH] Fix pdf_data selection

---
 src/pretix/api/serializers/order.py |  4 +--
 src/tests/api/test_checkin.py       |  1 +
 src/tests/api/test_order_create.py  | 18 ++++++++++
 src/tests/api/test_orders.py        | 53 +++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 2 deletions(-)

diff --git a/src/pretix/api/serializers/order.py b/src/pretix/api/serializers/order.py
index 48c5e8097..2b96a198e 100644
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -422,14 +422,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         request = self.context.get('request')
-        pdf_data_allowed = (
+        pdf_data_forbidden = (
             # We check this based on permission if we are on /events/…/orders/ or /events/…/orderpositions/ or
             # /events/…/checkinlists/…/positions/
             # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
             # layer to not set pdf_data=true in the first place.
             request and hasattr(request, 'event') and 'can_view_orders' not in request.eventpermset
         )
-        if not self.context.get('pdf_data') or pdf_data_allowed:
+        if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
             self.fields.pop('pdf_data', None)
 
     def validate(self, data):
diff --git a/src/tests/api/test_checkin.py b/src/tests/api/test_checkin.py
index 0c33d8d2d..6ef20442e 100644
--- a/src/tests/api/test_checkin.py
+++ b/src/tests/api/test_checkin.py
@@ -1303,6 +1303,7 @@ def test_search(token_client, organizer, event, clist, clist_all, item, other_it
         ))
     assert resp.status_code == 200
     assert [p1] == resp.data['results']
+    assert not resp.data['results'][0].get('pdf_data')
 
 
 @pytest.mark.django_db
diff --git a/src/tests/api/test_order_create.py b/src/tests/api/test_order_create.py
index 1bb7e0f0c..24b99b60b 100644
--- a/src/tests/api/test_order_create.py
+++ b/src/tests/api/test_order_create.py
@@ -211,6 +211,7 @@ def test_order_create(token_client, organizer, event, item, quota, question):
         ), format='json', data=res
     )
     assert resp.status_code == 201
+    assert not resp.data['positions'][0].get('pdf_data')
     with scopes_disabled():
         o = Order.objects.get(code=resp.data['code'])
     assert o.customer == customer
@@ -2549,3 +2550,20 @@ def test_order_create_voucher_block_quota(token_client, organizer, event, item,
         ), format='json', data=res
     )
     assert resp.status_code == 201
+
+
+@pytest.mark.django_db
+def test_order_create_pdf_data(token_client, organizer, event, item, quota, question):
+    res = copy.deepcopy(ORDER_CREATE_PAYLOAD)
+    res['positions'][0]['item'] = item.pk
+    res['positions'][0]['answers'][0]['question'] = question.pk
+    with scopes_disabled():
+        customer = organizer.customers.create()
+    res['customer'] = customer.identifier
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/?pdf_data=true'.format(
+            organizer.slug, event.slug
+        ), format='json', data=res
+    )
+    assert resp.status_code == 201
+    assert 'secret' in resp.data['positions'][0]['pdf_data']
diff --git a/src/tests/api/test_orders.py b/src/tests/api/test_orders.py
index 7062d3632..67845d9f2 100644
--- a/src/tests/api/test_orders.py
+++ b/src/tests/api/test_orders.py
@@ -1654,3 +1654,56 @@ def test_revoked_secret_list(token_client, organizer, event):
     ))
     assert resp.status_code == 200
     assert [res] == resp.data['results']
+
+
+@pytest.mark.django_db
+def test_pdf_data(token_client, organizer, event, order):
+    # order detail
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/{}/?pdf_data=true'.format(
+        organizer.slug, event.slug, order.code
+    ))
+    assert resp.status_code == 200
+    assert resp.data['positions'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/{}/'.format(
+        organizer.slug, event.slug, order.code
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['positions'][0].get('pdf_data')
+
+    # order list
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/?pdf_data=true'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert resp.data['results'][0]['positions'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['results'][0]['positions'][0].get('pdf_data')
+
+    # position list
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/?pdf_data=true'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert resp.data['results'][0].get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/'.format(
+        organizer.slug, event.slug
+    ))
+    assert resp.status_code == 200
+    assert not resp.data['results'][0].get('pdf_data')
+
+    posid = resp.data['results'][0]['id']
+
+    # position detail
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/{}/?pdf_data=true'.format(
+        organizer.slug, event.slug, posid
+    ))
+    assert resp.status_code == 200
+    assert resp.data.get('pdf_data')
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/{}/'.format(
+        organizer.slug, event.slug, posid
+    ))
+    assert resp.status_code == 200
+    assert not resp.data.get('pdf_data')