Integrate django-scopes (#1319)

* Install django-scopes

* Fix tests.api

* Update tasks and cronjobs

* Fix remaining tests

* Remove unused import

* Fix tests after rebase

* Disable scopes for get_Events_with_any_permission

* Disable scopes for a management command

src/pretix/control/context.py

@@ -5,6 +5,7 @@ from django.conf import settings
 from django.db.models import Q
 from django.urls import Resolver404, get_script_prefix, resolve
 from django.utils.translation import get_language
+from django_scopes import scope
 
 from pretix.base.models.auth import StaffSession
 from pretix.base.settings import GlobalSettingsObject
@@ -53,10 +54,11 @@ def contextprocessor(request):
         ctx['has_domain'] = request.event.organizer.domains.exists()
 
         if not request.event.testmode:
-            complain_testmode_orders = request.event.cache.get('complain_testmode_orders')
-            if complain_testmode_orders is None:
-                complain_testmode_orders = request.event.orders.filter(testmode=True).exists()
-                request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30)
+            with scope(organizer=request.organizer):
+                complain_testmode_orders = request.event.cache.get('complain_testmode_orders')
+                if complain_testmode_orders is None:
+                    complain_testmode_orders = request.event.orders.filter(testmode=True).exists()
+                    request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30)
             ctx['complain_testmode_orders'] = complain_testmode_orders
         else:
             ctx['complain_testmode_orders'] = False

src/pretix/control/forms/checkin.py

@@ -1,6 +1,9 @@
 from django import forms
 from django.urls import reverse
 from django.utils.translation import pgettext_lazy
+from django_scopes.forms import (
+    SafeModelChoiceField, SafeModelMultipleChoiceField,
+)
 
 from pretix.base.models.checkin import CheckinList
 from pretix.control.forms.widgets import Select2
@@ -44,3 +47,7 @@ class CheckinListForm(forms.ModelForm):
                 'data-inverse-dependency': '<[name$=all_products]'
             }),
         }
+        field_classes = {
+            'limit_products': SafeModelMultipleChoiceField,
+            'subevent': SafeModelChoiceField,
+        }

src/pretix/control/forms/item.py

@@ -6,6 +6,9 @@ from django.urls import reverse
 from django.utils.translation import (
     pgettext_lazy, ugettext as __, ugettext_lazy as _,
 )
+from django_scopes.forms import (
+    SafeModelChoiceField, SafeModelMultipleChoiceField,
+)
 from i18nfield.forms import I18nFormField, I18nTextarea
 
 from pretix.base.channels import get_all_sales_channels
@@ -94,6 +97,10 @@ class QuestionForm(I18nModelForm):
             ),
             'dependency_value': forms.Select,
         }
+        field_classes = {
+            'items': SafeModelMultipleChoiceField,
+            'dependency_question': SafeModelChoiceField,
+        }
 
 
 class QuestionOptionForm(I18nModelForm):
@@ -159,6 +166,9 @@ class QuotaForm(I18nModelForm):
             'size',
             'subevent'
         ]
+        field_classes = {
+            'subevent': SafeModelChoiceField,
+        }
 
     def save(self, *args, **kwargs):
         creating = not self.instance.pk

src/pretix/control/forms/orders.py

@@ -192,7 +192,7 @@ class OrderPositionAddForm(forms.Form):
         label=_('Product')
     )
     addon_to = forms.ModelChoiceField(
-        OrderPosition.objects.none(),
+        OrderPosition.all.none(),
         required=False,
         label=_('Add-on to'),
     )

src/pretix/control/forms/organizer.py

@@ -6,6 +6,7 @@ from django.core.exceptions import ValidationError
 from django.core.validators import RegexValidator
 from django.utils.safestring import mark_safe
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
+from django_scopes.forms import SafeModelMultipleChoiceField
 from i18nfield.forms import I18nFormField, I18nTextarea
 
 from pretix.api.models import WebHook
@@ -149,6 +150,9 @@ class TeamForm(forms.ModelForm):
                 'data-inverse-dependency': '#id_all_events'
             }),
         }
+        field_classes = {
+            'limit_events': SafeModelMultipleChoiceField
+        }
 
     def clean(self):
         data = super().clean()
@@ -177,6 +181,9 @@ class DeviceForm(forms.ModelForm):
                 'data-inverse-dependency': '#id_all_events'
             }),
         }
+        field_classes = {
+            'limit_events': SafeModelMultipleChoiceField
+        }
 
 
 class OrganizerSettingsForm(SettingsForm):
@@ -307,3 +314,6 @@ class WebHookForm(forms.ModelForm):
                 'data-inverse-dependency': '#id_all_events'
             }),
         }
+        field_classes = {
+            'limit_events': SafeModelMultipleChoiceField
+        }

src/pretix/control/forms/vouchers.py

@@ -3,6 +3,7 @@ from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.db.models.functions import Lower
 from django.urls import reverse
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
+from django_scopes.forms import SafeModelChoiceField
 
 from pretix.base.forms import I18nModelForm
 from pretix.base.models import Item, Voucher
@@ -35,6 +36,7 @@ class VoucherForm(I18nModelForm):
         ]
         field_classes = {
             'valid_until': SplitDateTimeField,
+            'subevent': SafeModelChoiceField,
         }
         widgets = {
             'valid_until': SplitDateTimePickerWidget(),
@@ -199,6 +201,7 @@ class VoucherBulkForm(VoucherForm):
         ]
         field_classes = {
             'valid_until': SplitDateTimeField,
+            'subevent': SafeModelChoiceField,
         }
         widgets = {
             'valid_until': SplitDateTimePickerWidget(),

src/pretix/control/middleware.py

@@ -4,10 +4,11 @@ from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME, logout
 from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect, resolve_url
+from django.template.response import TemplateResponse
 from django.urls import get_script_prefix, resolve, reverse
-from django.utils.deprecation import MiddlewareMixin
 from django.utils.encoding import force_str
 from django.utils.translation import ugettext as _
+from django_scopes import scope
 from hijack.templatetags.hijack_tags import is_hijacked
 
 from pretix.base.models import Event, Organizer
@@ -17,7 +18,7 @@ from pretix.helpers.security import (
 )
 
 
-class PermissionMiddleware(MiddlewareMixin):
+class PermissionMiddleware:
     """
     This middleware enforces all requests to the control app to require login.
     Additionally, it enforces all requests to "control:event." URLs
@@ -34,6 +35,10 @@ class PermissionMiddleware(MiddlewareMixin):
         "user.settings.notifications.off",
     )
 
+    def __init__(self, get_response=None):
+        self.get_response = get_response
+        super().__init__()
+
     def _login_redirect(self, request):
         # Taken from django/contrib/auth/decorators.py
         path = request.build_absolute_uri()
@@ -52,19 +57,19 @@ class PermissionMiddleware(MiddlewareMixin):
         return redirect_to_login(
             path, resolved_login_url, REDIRECT_FIELD_NAME)
 
-    def process_request(self, request):
+    def __call__(self, request):
         url = resolve(request.path_info)
         url_name = url.url_name
 
         if not request.path.startswith(get_script_prefix() + 'control'):
             # This middleware should only touch the /control subpath
-            return
+            return self.get_response(request)
 
         if hasattr(request, 'organizer'):
             # If the user is on a organizer's subdomain, he should be redirected to pretix
             return redirect(urljoin(settings.SITE_URL, request.get_full_path()))
         if url_name in self.EXCEPTIONS:
-            return
+            return self.get_response(request)
         if not request.user.is_authenticated:
             return self._login_redirect(request)
 
@@ -79,10 +84,11 @@ class PermissionMiddleware(MiddlewareMixin):
                 return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
 
         if 'event' in url.kwargs and 'organizer' in url.kwargs:
-            request.event = Event.objects.filter(
-                slug=url.kwargs['event'],
-                organizer__slug=url.kwargs['organizer'],
-            ).select_related('organizer').first()
+            with scope(organizer=None):
+                request.event = Event.objects.filter(
+                    slug=url.kwargs['event'],
+                    organizer__slug=url.kwargs['organizer'],
+                ).select_related('organizer').first()
             if not request.event or not request.user.has_event_permission(request.event.organizer, request.event,
                                                                           request=request):
                 raise Http404(_("The selected event was not found or you "
@@ -104,6 +110,12 @@ class PermissionMiddleware(MiddlewareMixin):
             else:
                 request.orgapermset = request.user.get_organizer_permission_set(request.organizer)
 
+        with scope(organizer=getattr(request, 'organizer', None)):
+            r = self.get_response(request)
+            if isinstance(r, TemplateResponse):
+                r = r.render()
+            return r
+
 
 class AuditLogMiddleware: