From d8cf3552ba2da8b8c5607f4a98bfb3f13eeb3337 Mon Sep 17 00:00:00 2001
From: Raphael Michel <michel@rami.io>
Date: Thu, 10 Mar 2022 17:02:11 +0100
Subject: [PATCH] Do not allow self-service cancel of pending orders if they
 have any payments

---
 src/pretix/base/models/orders.py |  7 ++++---
 src/tests/presale/test_orders.py | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/pretix/base/models/orders.py b/src/pretix/base/models/orders.py
index 6af6f739a..ec7ff5393 100644
--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -638,12 +638,13 @@ class Order(LockModel, LoggedModel):
                 return False
         if self.user_cancel_deadline and now() > self.user_cancel_deadline:
             return False
-        if self.status == Order.STATUS_PENDING:
-            return self.event.settings.cancel_allow_user
-        elif self.status == Order.STATUS_PAID:
+
+        if self.status == Order.STATUS_PAID or self.payment_refund_sum > Decimal('0.00'):
             if self.total == Decimal('0.00'):
                 return self.event.settings.cancel_allow_user
             return self.event.settings.cancel_allow_user_paid
+        elif self.status == Order.STATUS_PENDING:
+            return self.event.settings.cancel_allow_user
         return False
 
     def propose_auto_refunds(self, amount: Decimal, payments: list=None):
diff --git a/src/tests/presale/test_orders.py b/src/tests/presale/test_orders.py
index d0b1d15ef..0e04d6c13 100644
--- a/src/tests/presale/test_orders.py
+++ b/src/tests/presale/test_orders.py
@@ -710,6 +710,21 @@ class OrdersTest(BaseOrdersTest):
         with scopes_disabled():
             assert self.order.refunds.count() == 0
 
+    def test_orders_cancel_forbidden_if_any_payment_made(self):
+        self.event.settings.set('cancel_allow_user', True)
+        self.event.settings.set('cancel_allow_user_paid', False)
+        with scopes_disabled():
+            self.order.payments.create(
+                state=OrderPayment.PAYMENT_STATE_CONFIRMED,
+                amount=12,
+                provider='manual',
+            )
+        self.client.post(
+            '/%s/%s/order/%s/%s/cancel/do' % (self.orga.slug, self.event.slug, self.order.code, self.order.secret), {
+            }, follow=True)
+        self.order.refresh_from_db()
+        assert self.order.status == Order.STATUS_PENDING
+
     def test_orders_cancel_forbidden(self):
         self.event.settings.set('cancel_allow_user', False)
         self.client.post(