From 9dc5c1b266cefd0c140bc9e0c8bc57c8bab502de Mon Sep 17 00:00:00 2001
From: Mira
Date: Wed, 8 May 2024 09:33:23 +0200
Subject: [PATCH] Prevent transferring files from priv/ to pub/ on event clone (#3956)

* Prevent transferring files from priv/ to pub/ on event clone
* Also detect file names with node prefix
* Only transfer files in explicitly declared file fields
* Update django-hierarkey
* Add note to documentation about the new behaviour
---
 doc/development/implementation/settings.rst | 11 ++++++++++-
 pyproject.toml | 2 +-
 src/pretix/base/models/event.py | 3 ++-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/development/implementation/settings.rst b/doc/development/implementation/settings.rst
index 1d590ee43..526016b3b 100644
--- a/doc/development/implementation/settings.rst
+++ b/doc/development/implementation/settings.rst
@@ -15,7 +15,7 @@ includes serializers for serializing the following types:
 * Built-in types: ``int``, ``float``, ``decimal.Decimal``, ``dict``, ``list``, ``bool``
 * ``datetime.date``, ``datetime.datetime``, ``datetime.time``
 * ``LazyI18nString``
-* References to Django ``File`` objects that are already stored in a storage backend
+* References to Django ``File`` objects that are already stored in a storage backend [#f1]_
 * References to model instances
 
 In code, we recommend to always use the ``.get()`` method on the settings object to access a value, but for
@@ -55,6 +55,9 @@ You can simply use it like this:
 "preserve his reservation."),
 )
 
+
+.. _settings-defaults-in-plugins:
+
 Defaults in plugins
 -------------------
 
@@ -70,3 +73,9 @@ Make sure that you include this code in a module that is imported at app loading
 
 .. _django-hierarkey: https://github.com/raphaelm/django-hierarkey
 .. _documentation: https://django-hierarkey.readthedocs.io/en/latest/
+
+.. rubric:: Footnotes
+
+.. [#f1] If you store ``File`` instances in per-event settings, make sure to always register them with ``add_default``
+ as described above in :ref:`settings-defaults-in-plugins`. Otherwise, the file won't get copied properly if the
+ user copies the settings of an existing event to a new one.
diff --git a/pyproject.toml b/pyproject.toml
index ee8147158..632979d47 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -43,7 +43,7 @@ dependencies = [
 "django-filter==24.2",
 "django-formset-js-improved==0.5.0.3",
 "django-formtools==2.5.1",
- "django-hierarkey==1.1.*",
+ "django-hierarkey==1.2.*",
 "django-hijack==3.4.*",
 "django-i18nfield==1.9.*,>=1.9.4",
 "django-libsass==0.9",
diff --git a/src/pretix/base/models/event.py b/src/pretix/base/models/event.py
index 15daa9627..81f3ba2cc 100644
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -45,6 +45,7 @@ from zoneinfo import ZoneInfo
 import pytz_deprecation_shim
 from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.files import File
 from django.core.files.storage import default_storage
 from django.core.mail import get_connection
 from django.core.validators import (
@@ -1025,7 +1026,7 @@ class Event(EventMixin, LoggedModel):
 s.object = self
 s.pk = None
 
- if s.value.startswith('file://'):
+ if s.value.startswith('file://') and settings_hierarkey.get_declared_type(s.key) == File:
 fi = default_storage.open(s.value[len('file://'):], 'rb')
 nonce = get_random_string(length=8)
 fname_base = clean_filename(os.path.basename(s.value))
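Review bot: The rewritten `if` in the event.py hunk trusts the declared type alone, so a key that is declared as `File` but whose stored value already points into `priv/` (the case the commit title names) would still be opened on the next line and, presumably, re-saved under the public prefix further down the method; if the storage layout separates the two prefixes as the title implies, an explicit source-path guard such as `and not s.value[len('file://'):].startswith('priv/')` would make the intent defensive instead of relying on every declared File setting having been written through the upload form. `settings_hierarkey` is not added by the import hunk, so it is inferred to be in scope already, and `get_declared_type` presumably arrives with the django-hierarkey 1.2.* bump in pyproject.toml; whether it raises for a key no plugin ever declared is not visible here and matters because this loop visits every stored setting of the source event. A one-line comment above the condition would help the next reader, e.g. `# Only re-save storage-backed files for keys explicitly declared as File; a bare 'file://' string in any other key is copied verbatim and must never trigger a file copy.` Minor: `get_declared_type(s.key) is File` reads more naturally than `== File` for a type comparison. The enclosing method starts and ends outside the hunk.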