API: Validate input locales (Z#23182219) (#4833)

src/pretix/api/serializers/order.py

@@ -1102,6 +1102,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         queryset=SalesChannel.objects.none(),
         required=False,
     )
+    locale = serializers.ChoiceField(choices=[])
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -1109,6 +1110,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         self.fields['customer'].queryset = self.context['event'].organizer.customers.all()
         self.fields['expires'].required = False
         self.fields["sales_channel"].queryset = self.context["event"].organizer.sales_channels.all()
+        self.fields["locale"].choices = self.context['event'].settings.locales
 
     class Meta:
         model = Order

src/pretix/api/serializers/organizer.py

@@ -22,6 +22,7 @@
 import logging
 from decimal import Decimal
 
+from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
 from django.db.models import Q
 from django.utils.crypto import get_random_string
@@ -77,6 +78,7 @@ class CustomerSerializer(I18nAwareModelSerializer):
     last_login = serializers.DateTimeField(read_only=True)
     date_joined = serializers.DateTimeField(read_only=True)
     last_modified = serializers.DateTimeField(read_only=True)
+    locale = serializers.ChoiceField(choices=settings.LANGUAGES, default='en')
 
     class Meta:
         model = Customer

src/pretix/api/serializers/waitinglist.py

@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
@@ -26,12 +27,17 @@ from pretix.base.models import WaitingListEntry
 
 
 class WaitingListSerializer(I18nAwareModelSerializer):
+    locale = serializers.ChoiceField(choices=[])
 
     class Meta:
         model = WaitingListEntry
         fields = ('id', 'created', 'name', 'name_parts', 'email', 'phone', 'voucher', 'item', 'variation', 'locale', 'subevent', 'priority')
         read_only_fields = ('id', 'created', 'voucher')
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["locale"].choices = self.context['event'].settings.locales
+
     def validate(self, data):
         data = super().validate(data)
         event = self.context['event']

src/pretix/base/shredder.py

@@ -370,7 +370,7 @@ class WaitingListShredder(BaseDataShredder):
 
     def generate_files(self) -> List[Tuple[str, str, str]]:
         yield 'waiting-list.json', 'application/json', json.dumps([
-            WaitingListSerializer(wle).data
+            WaitingListSerializer(wle, context={"event": self.event}).data
             for wle in self.event.waitinglistentries.all()
         ], indent=4)
 

src/tests/api/test_order_create.py

@@ -622,6 +622,21 @@ def test_order_create_sales_channel_invalid(token_client, organizer, event, item
     assert resp.data == {'sales_channel': ['Object with identifier=foo does not exist.']}
 
 
+@pytest.mark.django_db
+def test_order_create_locale_invalid(token_client, organizer, event, item, quota, question):
+    res = copy.deepcopy(ORDER_CREATE_PAYLOAD)
+    res['positions'][0]['item'] = item.pk
+    res['positions'][0]['answers'][0]['question'] = question.pk
+    res['locale'] = 'klingon'
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/'.format(
+            organizer.slug, event.slug
+        ), format='json', data=res
+    )
+    assert resp.status_code == 400
+    assert resp.data == {'locale': ['"klingon" is not a valid choice.']}
+
+
 @pytest.mark.django_db
 def test_order_create_in_test_mode(token_client, organizer, event, item, quota, question):
     res = copy.deepcopy(ORDER_CREATE_PAYLOAD)