CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

include review

Browse Source
This commit is contained in:
Lukas Bockstaller
2026-04-15 15:20:51 +02:00
parent 5bb6a09549
commit 55f3bb3c1d
2 changed files with 11 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/pretix/api/serializers/media.py
View File

@@ -31,7 +31,9 @@ from pretix.api.serializers.order import OrderPositionSerializer
from pretix.api.serializers.organizer import ( from pretix.api.serializers.organizer import (
CustomerSerializer, GiftCardSerializer, CustomerSerializer, GiftCardSerializer,
) )
from pretix.base.models import Order, OrderPosition, ReusableMedium from pretix.base.models import (
Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
)
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@@ -120,21 +122,19 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
r = super().to_representation(instance) r = super().to_representation(instance)
request = self.context.get('request') request = self.context.get('request')
# late permission evaluations for checks that depend on the actual linked events # late permission evaluations for checks that depend on the actual linked events
if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'): expand_nested = self.context['request'].query_params.getlist('expand')
perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
if 'linked_orderposition' in expand_nested:
if instance.linked_orderposition is not None: if instance.linked_orderposition is not None:
event = instance.linked_orderposition.order.event event = instance.linked_orderposition.order.event
if not ( if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
request.user if request.user and request.user.is_authenticated else request.auth
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
r['linked_orderposition'] = {'id': instance.linked_orderposition.id} r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'): if 'linked_giftcard.owner_ticket' in expand_nested:
gc = instance.linked_giftcard gc = instance.linked_giftcard
if gc is not None and gc.owner_ticket is not None: if gc is not None and gc.owner_ticket is not None:
event = gc.owner_ticket.order.event event = gc.owner_ticket.order.event
if not ( if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
request.user if request.user and request.user.is_authenticated else request.auth
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id} r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
return r return r

5
src/pretix/api/serializers/organizer.py
View File

@@ -294,9 +294,8 @@ class GiftCardSerializer(I18nAwareModelSerializer):
owner_ticket = instance.owner_ticket owner_ticket = instance.owner_ticket
if owner_ticket: if owner_ticket:
event = owner_ticket.order.event event = owner_ticket.order.event
if not ( perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
request.user if request.user and request.user.is_authenticated else request.auth if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
r['owner_ticket'] = {'id': instance.owner_ticket.id} r['owner_ticket'] = {'id': instance.owner_ticket.id}
return r return r