Fix enforcement of restricted plugins (#4286)

2024-07-03 17:14:03 +02:00
parent 4513e31f0d
commit 73038b0d97
9 changed files with 180 additions and 2 deletions
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -281,13 +281,17 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
        from pretix.base.plugins import get_all_plugins

        plugins_available = {
-            p.module for p in get_all_plugins(self.instance)
+            p.module: p for p in get_all_plugins(self.instance)
            if not p.name.startswith('.') and getattr(p, 'visible', True)
        }
+        settings_holder = self.instance if self.instance and self.instance.pk else self.context['organizer']

        for plugin in value.get('plugins'):
            if plugin not in plugins_available:
                raise ValidationError(_('Unknown plugin: \'{name}\'.').format(name=plugin))
+            if getattr(plugins_available[plugin], 'restricted', False):
+                if plugin not in settings_holder.settings.allowed_restricted_plugins:
+                    raise ValidationError(_('Restricted plugin: \'{name}\'.').format(name=plugin))

        return value

--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -400,7 +400,7 @@ class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, Templat
                if key.startswith("plugin:"):
                    module = key.split(":")[1]
                    if value == "enable" and module in plugins_available:
-                        if getattr(plugins_available[module].app, 'restricted', False):
+                        if getattr(plugins_available[module], 'restricted', False):
                            if module not in request.event.settings.allowed_restricted_plugins:
                                continue