forked from CGM_Public/pretix_original
add permission checks in to_representation
This commit is contained in:
Lukas Bockstaller
@@ -31,7 +31,7 @@ from pretix.api.serializers.order import OrderPositionSerializer
|
|||||||
from pretix.api.serializers.organizer import (
|
from pretix.api.serializers.organizer import (
|
||||||
CustomerSerializer, GiftCardSerializer,
|
CustomerSerializer, GiftCardSerializer,
|
||||||
)
|
)
|
||||||
from pretix.base.models import Order, OrderPosition, ReusableMedium
|
from pretix.base.models import Device, Order, OrderPosition, ReusableMedium, TeamAPIToken, User
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
@@ -80,8 +80,7 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
|
|||||||
)
|
)
|
||||||
|
|
||||||
if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
|
if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
|
||||||
# No additional permission check performed, documented limitation of the permission system
|
# Permission Check performed in to_representation
|
||||||
# Would get to complex/unusable otherwise since the permission depends on the event
|
|
||||||
self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
|
self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
|
||||||
else:
|
else:
|
||||||
self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
|
self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
|
||||||
@@ -117,6 +116,40 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
|
|||||||
)
|
)
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
def to_representation(self, instance):
|
||||||
|
request = self.context.get('request')
|
||||||
|
|
||||||
|
# late permission evaluations for checks that depend on the actual linked events
|
||||||
|
if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
|
||||||
|
if instance.linked_orderposition is not None:
|
||||||
|
event = instance.linked_orderposition.order.event
|
||||||
|
if not (
|
||||||
|
request.user if request.user and request.user.is_authenticated else request.auth
|
||||||
|
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
|
||||||
|
pos_serializer = self.fields['linked_orderposition']
|
||||||
|
allowed = {'id'}
|
||||||
|
for field_name in list(pos_serializer.fields.keys()):
|
||||||
|
if field_name not in allowed:
|
||||||
|
pos_serializer.fields.pop(field_name)
|
||||||
|
|
||||||
|
if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
|
||||||
|
gc = instance.linked_giftcard
|
||||||
|
if gc is not None and gc.owner_ticket is not None:
|
||||||
|
event = gc.owner_ticket.order.event
|
||||||
|
if not (
|
||||||
|
request.user if request.user and request.user.is_authenticated else request.auth
|
||||||
|
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
|
||||||
|
ticket_serializer = self.fields['linked_giftcard'].fields['owner_ticket']
|
||||||
|
allowed = {'id'}
|
||||||
|
for field_name in list(ticket_serializer.fields.keys()):
|
||||||
|
if field_name not in allowed:
|
||||||
|
ticket_serializer.fields.pop(field_name)
|
||||||
|
|
||||||
|
|
||||||
|
return super().to_representation(instance)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = ReusableMedium
|
model = ReusableMedium
|
||||||
fields = (
|
fields = (
|
||||||
|
|||||||
@@ -286,6 +286,25 @@ class GiftCardSerializer(I18nAwareModelSerializer):
|
|||||||
)
|
)
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
def to_representation(self, instance):
|
||||||
|
request = self.context.get('request')
|
||||||
|
|
||||||
|
# late permission evaluations for checks that depend on the actual linked events
|
||||||
|
if 'owner_ticket' in self.context['request'].query_params.getlist('expand'):
|
||||||
|
owner_ticket = instance.owner_ticket
|
||||||
|
if owner_ticket:
|
||||||
|
event = owner_ticket.order.event
|
||||||
|
if not (
|
||||||
|
request.user if request.user and request.user.is_authenticated else request.auth
|
||||||
|
).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
|
||||||
|
ticket_serializer = self.fields['owner_ticket'].read
|
||||||
|
allowed = {'id'}
|
||||||
|
for field_name in list(ticket_serializer.fields.keys()):
|
||||||
|
if field_name not in allowed:
|
||||||
|
ticket_serializer.fields.pop(field_name)
|
||||||
|
|
||||||
|
return super().to_representation(instance)
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
model = GiftCard
|
model = GiftCard
|
||||||
fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',
|
fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',
|
||||||
|
|||||||
Reference in New Issue
Block a user