From 9a807df158f86c05c7451aa3773fbce8a6e76404 Mon Sep 17 00:00:00 2001 From: Mira Date: Tue, 21 May 2024 13:26:12 +0200 Subject: [PATCH] Fix pretix_event_access (custom domain) sessions for staff users (#4158) --- src/pretix/base/models/auth.py | 10 +++++++--- src/pretix/presale/utils.py | 6 ++++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/src/pretix/base/models/auth.py b/src/pretix/base/models/auth.py index 6b80c5a7f..3903db3b0 100644 --- a/src/pretix/base/models/auth.py +++ b/src/pretix/base/models/auth.py @@ -418,18 +418,22 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin): else: return set() - def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool: + def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool: """ Checks if this user is part of any team that grants access of type ``perm_name`` to the event ``event``. + Either ``request`` or ``session_key`` are required to detect staff sessions properly. + :param organizer: The organizer of the event :param event: The event to check :param perm_name: The permission, e.g. ``can_change_teams`` - :param request: The current request (optional). Required to detect staff sessions properly. + :param request: The current request (optional) + :param session_key: The current session key (optional) :return: bool """ - if request and self.has_active_staff_session(request.session.session_key): + assert not (session_key and request) + if (session_key or request) and self.has_active_staff_session(session_key or request.session.session_key): return True teams = self._get_teams_for_event(organizer, event) if teams: diff --git a/src/pretix/presale/utils.py b/src/pretix/presale/utils.py index 65aabbdc9..dcf92f5ea 100644 --- a/src/pretix/presale/utils.py +++ b/src/pretix/presale/utils.py 
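Review bot: The new `assert not (session_key and request)` in `has_event_permission` enforces the argument contract of a permission check, but assert statements are stripped when Python runs with `-O`. In that mode a caller passing both arguments would silently have the staff-session lookup use `session_key`. An explicit raise holds in every mode: `if session_key and request: raise ValueError("pass either request or session_key, not both")`. The added docstring sentence "Either ... are required" also reads as mandatory, although both parameters default to `None` and the team lookup still runs without them; "pass at most one of ``request`` or ``session_key``" would match the code. The body of `has_event_permission` continues past the end of the hunk.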
@@ -327,14 +327,16 @@ def _detect_event(request, require_live=True, require_plugin=None):
 )
 )
 if not can_access and 'pretix_event_access_{}'.format(request.event.pk) in request.session:
- sparent = SessionStore(request.session.get('pretix_event_access_{}'.format(request.event.pk)))
+ parent_session_key = request.session.get('pretix_event_access_{}'.format(request.event.pk))
+ sparent = SessionStore(parent_session_key)
 try:
 parentdata = sparent.load()
 except:
 pass
 else:
 user = _get_user_from_session_data(parentdata)
- if user and user.is_authenticated and user.has_event_permission(request.organizer, request.event, request=request):
+ if user and user.is_authenticated and user.has_event_permission(
+ request.organizer, request.event, session_key=parent_session_key):
 can_access = True
 request.event_access_user = user
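Review bot: The call to `has_event_permission` now passes `session_key=parent_session_key` instead of `request=request`, but nothing at the call site says why the staff-session check is made against the parent session rather than the current one. A comment above the `if user and user.is_authenticated ...` line would keep a later refactor from switching it back, for example `# staff sessions are looked up by the parent session's key, not this request's session`. The diffstat lists only the two source files, so a regression test for a staff user reaching an event through the `pretix_event_access_{}` session key appears to be missing; it would be worth adding because this branch sets `can_access`. `_detect_event` starts and ends outside the hunk.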