From b43523ea6539094c76d9647779498842555244e3 Mon Sep 17 00:00:00 2001 From: Raphael Michel Date: Wed, 6 Sep 2023 09:38:31 +0200 Subject: [PATCH] API: Fix order and invoice viewset with staff permissions --- src/pretix/api/views/order.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pretix/api/views/order.py b/src/pretix/api/views/order.py index a4774133a..bf9ffa3a5 100644 --- a/src/pretix/api/views/order.py +++ b/src/pretix/api/views/order.py @@ -298,12 +298,12 @@ class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet): if isinstance(self.request.auth, (TeamAPIToken, Device)): return Order.objects.filter( event__organizer=self.request.organizer, - event__in=self.request.auth.get_events_with_permission(perm) + event__in=self.request.auth.get_events_with_permission(perm, request=self.request) ) elif self.request.user.is_authenticated: return Order.objects.filter( event__organizer=self.request.organizer, - event__in=self.request.user.get_events_with_permission(perm) + event__in=self.request.user.get_events_with_permission(perm, request=self.request) ) else: raise PermissionDenied() @@ -1829,12 +1829,12 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet): elif isinstance(self.request.auth, (TeamAPIToken, Device)): qs = Invoice.objects.filter( event__organizer=self.request.organizer, - event__in=self.request.auth.get_events_with_permission(perm) + event__in=self.request.auth.get_events_with_permission(perm, request=self.request) ) elif self.request.user.is_authenticated: qs = Invoice.objects.filter( event__organizer=self.request.organizer, - event__in=self.request.user.get_events_with_permission(perm) + event__in=self.request.user.get_events_with_permission(perm, request=self.request) ) return qs.prefetch_related('lines').select_related('order', 'refers').annotate( nr=Concat('prefix', 'invoice_no')