Regenerate OrderPosition.web_secret when chaning other secrets

2025-01-03 15:21:45 +01:00
parent 5a5a551c21
commit 595c042624
6 changed files with 16 additions and 3 deletions
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -647,6 +647,8 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
        order = self.get_object()
        order.secret = generate_secret()
        for op in order.all_positions.all():
+            op.web_secret = generate_secret()
+            op.save(update_fields=["web_secret"])
            assign_ticket_secret(
                request.event, op, force_invalidate=True, save=True
            )
--- a/src/pretix/base/services/orders.py
+++ b/src/pretix/base/services/orders.py
@@ -2425,6 +2425,8 @@ class OrderChangeManager:
            elif isinstance(op, self.SplitOperation):
                split_positions.append(op.position)
            elif isinstance(op, self.RegenerateSecretOperation):
+                op.web_secret = generate_secret()
+                op.save(update_fields=["web_secret"])
                assign_ticket_secret(
                    event=self.event, position=op.position, force_invalidate=True, save=True
                )
@@ -2531,6 +2533,7 @@ class OrderChangeManager:
                'new_order': split_order.code,
            })
            op.order = split_order
+            op.web_secret = generate_secret()
            assign_ticket_secret(
                self.event, position=op, force_invalidate=True,
            )
--- a/src/pretix/control/forms/orders.py
+++ b/src/pretix/control/forms/orders.py
@@ -490,7 +490,9 @@ class OrderPositionChangeForm(forms.Form):
    )
    operation_secret = forms.BooleanField(
        required=False,
-        label=_('Generate a new secret')
+        label=_('Generate a new secret'),
+        help_text=_('This affects both the ticket secret (often used as a QR code) as well as the link used to '
+                    'individually access the ticket.')
    )
    operation_cancel = forms.BooleanField(
        required=False,
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -2241,6 +2241,8 @@ class OrderContactChange(OrderView):
                changed = True
                self.order.secret = generate_secret()
                for op in self.order.all_positions.all():
+                    op.web_secret = generate_secret()
+                    op.save(update_fields=["web_secret"])
                    assign_ticket_secret(
                        self.request.event, position=op, force_invalidate=True, save=True
                    )
--- a/src/tests/api/test_order_change.py
+++ b/src/tests/api/test_order_change.py
@@ -526,6 +526,7 @@ def test_order_regenerate_secrets(token_client, organizer, event, order):
    s = order.secret
    with scopes_disabled():
        ps = order.positions.first().secret
+        psw = order.positions.first().web_secret
    resp = token_client.post(
        '/api/v1/organizers/{}/events/{}/orders/{}/regenerate_secrets/'.format(
            organizer.slug, event.slug, order.code
@@ -536,6 +537,7 @@ def test_order_regenerate_secrets(token_client, organizer, event, order):
    assert s != order.secret
    with scopes_disabled():
        assert ps != order.positions.first().secret
+        assert psw != order.positions.first().web_secret


@pytest.mark.django_db
@@ -543,6 +545,7 @@ def test_position_regenerate_secrets(token_client, organizer, event, order):
    with scopes_disabled():
        p = order.positions.first()
        ps = p.secret
+        psw = p.web_secret
    resp = token_client.post(
        '/api/v1/organizers/{}/events/{}/orderpositions/{}/regenerate_secrets/'.format(
            organizer.slug, event.slug, p.pk,
@@ -552,6 +555,7 @@ def test_position_regenerate_secrets(token_client, organizer, event, order):
    p.refresh_from_db()
    with scopes_disabled():
        assert ps != p.secret
+        assert psw != p.web_secret


@pytest.mark.django_db