From 5d449ea3134b8856d28b82cf34b5cab8d3b7073b Mon Sep 17 00:00:00 2001
From: Richard Schreiber
Date: Tue, 9 Jun 2026 13:20:48 +0200
Subject: [PATCH] [SECURITY] Reusable media export: Respect giftcard permissions (CVE-2026-11764) (#6261)
---
 src/pretix/base/exporters/reusablemedia.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/pretix/base/exporters/reusablemedia.py b/src/pretix/base/exporters/reusablemedia.py
index fbc600590..e880f1716 100644
--- a/src/pretix/base/exporters/reusablemedia.py
+++ b/src/pretix/base/exporters/reusablemedia.py
@@ -61,18 +61,23 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
 yield headers
 yield self.ProgressSetTotal(total=media.count())
+ can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
+
 for medium in media.iterator(chunk_size=1000):
- row = [
+ giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
+ if giftcard_secret and not can_read_giftcards:
+ giftcard_secret = giftcard_secret[:3] + "…"
+ yield [
 medium.type,
 medium.identifier,
 _('Yes') if medium.active else _('No'),
 date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
 medium.customer.identifier if medium.customer_id else '',
 f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '',
- medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
+ giftcard_secret,
 medium.notes,
 ]
- yield row
 def get_filename(self):
 return f'{self.organizer.slug}_media'
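Review bot: The masked value written for users without `organizer.giftcards:read` is still derived from the real secret: `giftcard_secret[:3] + "…"` exposes the first three characters, and for a secret of three characters or fewer it exposes the whole secret. If the prefix is kept for correlation, guard it by length, e.g. `giftcard_secret = (giftcard_secret[:3] if len(giftcard_secret) > 8 else "") + "…"` (the threshold 8 is illustrative), or write a fixed `"…"` placeholder instead. The commit changes only the exporter, so a regression test that runs this export without the gift card permission and asserts the full secret is absent from every row would pin the fix. The enclosing generator method starts above the hunk, so how `media` is queried and whether `permission_holder` can be unset for this exporter are not visible here.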