Require correct permission for refunds in all cases

src/pretix/plugins/paypal/views.py

@@ -177,7 +177,7 @@ def webhook(request, *args, **kwargs):
     return HttpResponse(status=200)
 
 
-@event_permission_required('can_view_orders')
+@event_permission_required('can_change_orders')
 @require_POST
 def refund(request, **kwargs):
     with transaction.atomic():

src/pretix/plugins/stripe/views.py

@@ -276,7 +276,7 @@ def oauth_disconnect(request, **kwargs):
     }))
 
 
-@event_permission_required('can_view_orders')
+@event_permission_required('can_change_orders')
 @require_POST
 def refund(request, **kwargs):
     with transaction.atomic():