Merge branch 'security-20230306'

src/pretix/api/views/oauth.py

@@ -34,6 +34,7 @@ from oauth2_provider.views import (
 
 from pretix.api.models import OAuthApplication
 from pretix.base.models import Organizer
+from pretix.control.views.user import RecentAuthenticationRequiredMixin
 
 logger = logging.getLogger(__name__)
 
@@ -54,7 +55,7 @@ class OAuthAllowForm(AllowForm):
             del self.fields['organizers']
 
 
-class AuthorizationView(BaseAuthorizationView):
+class AuthorizationView(RecentAuthenticationRequiredMixin, BaseAuthorizationView):
     template_name = "pretixcontrol/auth/oauth_authorization.html"
     form_class = OAuthAllowForm
 

src/pretix/control/middleware.py

@@ -112,7 +112,7 @@ class PermissionMiddleware:
         url = resolve(request.path_info)
         url_name = url.url_name
 
-        if not request.path.startswith(get_script_prefix() + 'control'):
+        if not request.path.startswith(get_script_prefix() + 'control') and not (url.namespace.startswith("api-") and url_name == "authorize"):
             # This middleware should only touch the /control subpath
             return self.get_response(request)