CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Pluggable permissions (#5728)

Browse Source 
* Data model draft

* Refactor query and assignment usages of old permissions

* Backend UI

* API serializer

* Big string replace

* Docs, tests and fixes for teams api

* Update docs for device auth

* Eliminate old names

* Make tests pass

* Use new permissions, remove inconsistencies

* Add test for translations

* Show plugin permissions

* Add permission for seating plans

* Fix plugin activation

* Fix failing test

* Refactor to permission groups

* Update doc/api/resources/devices.rst

Co-authored-by: luelista <weller@rami.io>

* Update doc/api/resources/events.rst

Co-authored-by: luelista <weller@rami.io>

* Update src/pretix/api/serializers/organizer.py

Co-authored-by: luelista <weller@rami.io>

* Fix typo

* Fix python version compat

* Replacement after rebase

* Add proper permission handling for exports

* Docs for exporters

* Runtime linting of permission names

* Fix typos

* Show export page even without orders permission

* More legacy compat

* Do not strongly validate before plugins are loaded

* Rebase migration

* Add permission for outgoing mails

* Review notes

* Update doc/api/resources/teams.rst

Co-authored-by: Richard Schreiber <schreiber@pretix.eu>

* Clean up logic around exporters

* Review and failures

* Fix migration leading to forbidden combination

* Handle permissions on event copying

* Remove print-statements

* Make test clearer

* Review feedback

* Add AnyPermissionOf

* migration safety

---------

Co-authored-by: luelista <weller@rami.io>
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
This commit is contained in:
Raphael Michel
2026-03-17 14:43:56 +01:00
committed by GitHub
parent eddde2b6c0
commit df0b580dd6
203 changed files with 5374 additions and 2331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/pretix/base/auth.py
View File

@@ -224,7 +224,7 @@ class HistoryPasswordValidator:
).delete()
def has_event_access_permission(request, permission='can_change_event_settings'):
def has_event_access_permission(request, permission='event.settings.general:write'):
return (
request.user.is_authenticated and
request.user.has_event_permission(request.organizer, request.event, permission, request=request)

28
src/pretix/base/exporter.py
View File

@@ -73,6 +73,9 @@ class BaseExporter:
self.events = Event.objects.filter(pk=event.pk)
self.timezone = event.timezone
if hasattr(self, 'organizer_required_permission'):
raise TypeError("Deprecated attribute organizer_required_permission no longer supported.")
def __str__(self):
return self.identifier
@@ -176,15 +179,30 @@ class BaseExporter:
"""
return True
@classmethod
def get_required_event_permission(cls) -> str:
"""
The permission level required to use this exporter for events. For multi-event-exports, this will be used
to limit the selection of events. Will be ignored if the ``OrganizerLevelExportMixin`` mixin is used.
The default implementation returns ``"event.orders:read"``.
"""
return 'event.orders:read'
class OrganizerLevelExportMixin:
@property
def organizer_required_permission(self) -> str:
@classmethod
def get_required_event_permission(cls):
raise TypeError("required_event_permission may not be called on OrganizerLevelExportMixin")
@classmethod
def get_required_organizer_permission(cls) -> str:
"""
The permission level required to use this exporter. Only useful for organizer-level exports,
not for event-level exports.
The permission level required to use this exporter. Must be set for organizer-level exports. Set to `None` to
allow everyone with any access to the organizer.
``get_required_event_permission`` will be ignored on this class.
"""
return 'can_view_orders'
raise NotImplementedError()
class ListExporter(BaseExporter):

5
src/pretix/base/exporters/customers.py
View File

@@ -47,10 +47,13 @@ from ..signals import register_multievent_data_exporters
class CustomerListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'customerlist'
verbose_name = gettext_lazy('Customer accounts')
organizer_required_permission = 'can_manage_customers'
category = pgettext_lazy('export_category', 'Customer accounts')
description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.')
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.customers:write'
@property
def additional_form_fields(self):
return OrderedDict(

16
src/pretix/base/exporters/orderlist.py
View File

@@ -271,7 +271,7 @@ class OrderListExporter(MultiSheetListExporter):
qs = self._date_filter(qs, form_data, rel='')
if form_data['paid_only']:
if form_data.get('paid_only'):
qs = qs.filter(status=Order.STATUS_PAID)
return qs
@@ -458,7 +458,7 @@ class OrderListExporter(MultiSheetListExporter):
).annotate(
payment_providers=Subquery(p_providers, output_field=CharField()),
).select_related('order', 'order__invoice_address', 'order__customer', 'tax_rule')
if form_data['paid_only']:
if form_data.get('paid_only'):
qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
if form_data.get('items'):
@@ -562,7 +562,7 @@ class OrderListExporter(MultiSheetListExporter):
qs = OrderPosition.all.filter(
order__event__in=self.events,
)
if form_data['paid_only']:
if form_data.get('paid_only'):
qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
if form_data.get('items'):
@@ -1239,11 +1239,14 @@ class QuotaListExporter(ListExporter):
class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'giftcardtransactionlist'
verbose_name = gettext_lazy('Gift card transactions')
organizer_required_permission = 'can_manage_gift_cards'
category = pgettext_lazy('export_category', 'Gift cards')
description = gettext_lazy('Download a spreadsheet of all gift card transactions.')
repeatable_read = False
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.giftcards:read'
@property
def additional_form_fields(self):
d = [
@@ -1346,10 +1349,13 @@ class GiftcardRedemptionListExporter(ListExporter):
class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter):
identifier = 'giftcardlist'
verbose_name = gettext_lazy('Gift cards')
organizer_required_permission = 'can_manage_gift_cards'
category = pgettext_lazy('export_category', 'Gift cards')
description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.')
@classmethod
def get_required_organizer_permission(cls) -> str:
return 'organizer.giftcards:read'
@property
def additional_form_fields(self):
return OrderedDict(

4
src/pretix/base/exporters/reusablemedia.py
View File

@@ -36,6 +36,10 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
description = _('Download a spread sheet with the data of all reusable medias on your account.')
repeatable_read = False
@classmethod
def get_required_organizer_permission(cls) -> str:
return "organizer.reusablemedia:read"
def iterate_list(self, form_data):
media = ReusableMedium.objects.filter(
organizer=self.organizer,

137
src/pretix/base/migrations/0298_pluggable_permissions.py Normal file
View File

@@ -0,0 +1,137 @@
from django.db import migrations, models
from pretix.helpers.permission_migration import (
OLD_TO_NEW_EVENT_MIGRATION, OLD_TO_NEW_ORGANIZER_MIGRATION,
)
def migrate_teams_forward(apps, schema_editor):
Team = apps.get_model("pretixbase", "Team")
for team in Team.objects.iterator():
if all(getattr(team, k) for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
team.all_event_permissions = True
team.limit_event_permissions = {}
else:
team.all_event_permissions = False
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
if getattr(team, k):
team.limit_event_permissions.update({kk: True for kk in v})
# Prevent combinations that were possible previously but no longer make sense
if team.limit_event_permissions.get("event.orders:checkin") and team.limit_event_permissions.get("event.orders:write"):
team.limit_event_permissions.pop("event.orders:checkin")
if team.limit_event_permissions.get("event.orders:write") and not team.limit_event_permissions.get("event.orders:read"):
team.limit_event_permissions.pop("event.orders:write")
if team.limit_event_permissions.get("event.vouchers:write") and not team.limit_event_permissions.get("event.vouchers:read"):
team.limit_event_permissions.pop("event.vouchers:write")
if all(getattr(team, k) for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys()):
team.all_organizer_permissions = True
team.limit_organizer_permissions = {}
else:
team.all_organizer_permissions = False
for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
if getattr(team, k):
team.limit_organizer_permissions.update({kk: True for kk in v})
team.save(update_fields=[
"all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
])
def migrate_teams_backward(apps, schema_editor):
Team = apps.get_model("pretixbase", "Team")
for team in Team.objects.iterator():
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
setattr(team, k, team.all_event_permissions or all(team.limit_event_permissions.get(kk) for kk in v))
for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
setattr(team, k, team.all_organizer_permissions or all(team.limit_organizer_permissions.get(kk) for kk in v))
team.save()
class Migration(migrations.Migration):
dependencies = [
("pretixbase", "0297_outgoingmail"),
]
operations = [
migrations.AddField(
model_name="team",
name="all_event_permissions",
field=models.BooleanField(default=False),
),
migrations.AddField(
model_name="team",
name="all_organizer_permissions",
field=models.BooleanField(default=False),
),
migrations.AddField(
model_name="team",
name="limit_event_permissions",
field=models.JSONField(default=dict),
),
migrations.AddField(
model_name="team",
name="limit_organizer_permissions",
field=models.JSONField(default=dict),
),
migrations.RunPython(
migrate_teams_forward,
migrate_teams_backward,
),
migrations.RemoveField(
model_name="team",
name="can_change_event_settings",
),
migrations.RemoveField(
model_name="team",
name="can_change_items",
),
migrations.RemoveField(
model_name="team",
name="can_change_orders",
),
migrations.RemoveField(
model_name="team",
name="can_change_organizer_settings",
),
migrations.RemoveField(
model_name="team",
name="can_change_teams",
),
migrations.RemoveField(
model_name="team",
name="can_change_vouchers",
),
migrations.RemoveField(
model_name="team",
name="can_checkin_orders",
),
migrations.RemoveField(
model_name="team",
name="can_create_events",
),
migrations.RemoveField(
model_name="team",
name="can_manage_customers",
),
migrations.RemoveField(
model_name="team",
name="can_manage_gift_cards",
),
migrations.RemoveField(
model_name="team",
name="can_manage_reusable_media",
),
migrations.RemoveField(
model_name="team",
name="can_view_orders",
),
migrations.RemoveField(
model_name="team",
name="can_view_vouchers",
),
]

48
src/pretix/base/models/auth.py
View File

@@ -213,6 +213,28 @@ class SuperuserPermissionSet:
return True
class EventPermissionSet(set):
def __contains__(self, item):
from pretix.base.permissions import assert_valid_event_permission
if super().__contains__(item):
return True
assert_valid_event_permission(item, allow_tuple=False)
return False
class OrganizerPermissionSet(set):
def __contains__(self, item):
from pretix.base.permissions import assert_valid_organizer_permission
if super().__contains__(item):
return True
assert_valid_organizer_permission(item, allow_tuple=False)
return False
class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
"""
This is the user model used by pretix for authentication.
@@ -473,7 +495,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: set
"""
teams = self._get_teams_for_event(organizer, event)
sets = [t.permission_set() for t in teams]
sets = [t.event_permission_set() for t in teams]
if sets:
return set.union(*sets)
else:
@@ -487,7 +509,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: set
"""
teams = self._get_teams_for_organizer(organizer)
sets = [t.permission_set() for t in teams]
sets = [t.organizer_permission_set() for t in teams]
if sets:
return set.union(*sets)
else:
@@ -502,7 +524,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:param organizer: The organizer of the event
:param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``event.orders:read``
:param request: The current request (optional)
:param session_key: The current session key (optional)
:return: bool
@@ -514,8 +536,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
if teams:
self._teamcache['e{}'.format(event.pk)] = teams
if isinstance(perm_name, (tuple, list)):
return any([any(team.has_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_permission(perm_name) for team in teams]):
return any([any(team.has_event_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_event_permission(perm_name) for team in teams]):
return True
return False
@@ -525,7 +547,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
to the organizer ``organizer``.
:param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``organizer.events:create``
:param request: The current request (optional). Required to detect staff sessions properly.
:return: bool
"""
@@ -534,8 +556,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
teams = self._get_teams_for_organizer(organizer)
if teams:
if isinstance(perm_name, (tuple, list)):
return any([any(team.has_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_permission(perm_name) for team in teams]):
return any([any(team.has_organizer_permission(p) for team in teams) for p in perm_name])
if not perm_name or any([team.has_organizer_permission(perm_name) for team in teams]):
return True
return False
@@ -566,14 +588,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: Iterable of Events
"""
from .event import Event
from .organizer import TeamQuerySet
if request and self.has_active_staff_session(request.session.session_key):
return Event.objects.all()
if isinstance(permission, (tuple, list)):
q = reduce(operator.or_, [Q(**{p: True}) for p in permission])
q = reduce(operator.or_, [TeamQuerySet.event_permission_q(p) for p in permission])
else:
q = Q(**{permission: True})
q = TeamQuerySet.event_permission_q(permission)
return Event.objects.filter(
Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True))
@@ -606,14 +629,13 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
:return: Iterable of Organizers
"""
from .event import Organizer
from .organizer import TeamQuerySet
if request and self.has_active_staff_session(request.session.session_key):
return Organizer.objects.all()
kwargs = {permission: True}
return Organizer.objects.filter(
id__in=self.teams.filter(**kwargs).values_list('organizer', flat=True)
id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
)
def has_active_staff_session(self, session_key=None):

42
src/pretix/base/models/devices.py
View File

@@ -29,6 +29,9 @@ from django.utils.translation import gettext_lazy as _
from django_scopes import ScopedManager, scopes_disabled
from pretix.base.models import LoggedModel
from pretix.base.permissions import (
AnyPermissionOf, assert_valid_event_permission,
)
@scopes_disabled()
@@ -189,13 +192,19 @@ class Device(LoggedModel):
kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields'])
super().save(*args, **kwargs)
def permission_set(self) -> set:
def _event_permission_set(self) -> set:
return {
'can_view_orders',
'can_change_orders',
'can_view_vouchers',
'can_manage_gift_cards',
'can_manage_reusable_media',
'event.orders:read',
'event.orders:write',
'event.vouchers:read',
}
def _organizer_permission_set(self) -> set:
return {
'organizer.giftcards:read',
'organizer.giftcards:write',
'organizer.reusablemedia:read',
'organizer.reusablemedia:write',
}
def get_event_permission_set(self, organizer, event) -> set:
@@ -209,7 +218,7 @@ class Device(LoggedModel):
has_event_access = (self.all_events and organizer == self.organizer) or (
event in self.limit_events.all()
)
return self.permission_set() if has_event_access else set()
return self._event_permission_set() if has_event_access else set()
def get_organizer_permission_set(self, organizer) -> set:
"""
@@ -218,7 +227,7 @@ class Device(LoggedModel):
:param organizer: The organizer of the event
:return: set of permissions
"""
return self.permission_set() if self.organizer == organizer else set()
return self._organizer_permission_set() if self.organizer == organizer else set()
def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
"""
@@ -227,7 +236,7 @@ class Device(LoggedModel):
:param organizer: The organizer of the event
:param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``event.orders:read``
:param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool
"""
@@ -235,8 +244,8 @@ class Device(LoggedModel):
event in self.limit_events.all()
)
if isinstance(perm_name, (tuple, list)):
return has_event_access and any(p in self.permission_set() for p in perm_name)
return has_event_access and (not perm_name or perm_name in self.permission_set())
return has_event_access and any(p in self._event_permission_set() for p in perm_name)
return has_event_access and (not perm_name or perm_name in self._event_permission_set())
def has_organizer_permission(self, organizer, perm_name=None, request=None):
"""
@@ -244,13 +253,13 @@ class Device(LoggedModel):
to the organizer ``organizer``.
:param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``organizer.events:create``
:param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool
"""
if isinstance(perm_name, (tuple, list)):
return organizer == self.organizer and any(p in self.permission_set() for p in perm_name)
return organizer == self.organizer and (not perm_name or perm_name in self.permission_set())
return organizer == self.organizer and any(p in self._organizer_permission_set() for p in perm_name)
return organizer == self.organizer and (not perm_name or perm_name in self._organizer_permission_set())
def get_events_with_any_permission(self):
"""
@@ -270,9 +279,10 @@ class Device(LoggedModel):
:param request: Ignored, for compatibility with User model
:return: Iterable of Events
"""
assert_valid_event_permission(permission)
if (
isinstance(permission, (list, tuple)) and any(p in self.permission_set() for p in permission)
) or (isinstance(permission, str) and permission in self.permission_set()):
isinstance(permission, (AnyPermissionOf, list, tuple)) and any(p in self._event_permission_set() for p in permission)
) or (isinstance(permission, str) and permission in self._event_permission_set()):
return self.get_events_with_any_permission()
else:
return self.organizer.events.none()

34
src/pretix/base/models/event.py
View File

@@ -843,6 +843,33 @@ class Event(EventMixin, LoggedModel):
time(hour=23, minute=59, second=59)
), tz)
def allow_copy_data(self, new_organizer, auth) -> bool:
"""
Returns whether it is allowed to copy the event to the target organizer. Auth can be TeamAPIToken or User.
"""
from ..permissions import get_all_event_permissions
from .auth import User
if self.organizer == new_organizer:
# Copying in the same organizer is always okay with any read access, we just need to ensure it does not
# grant more permissions than I had before, but that is handled by the view logic
return auth.has_event_permission(self.organizer, self, None)
if isinstance(auth, User):
# Cross-organizer copying requires almost full permission of source to prevent settings extraction
required_permissions = get_all_event_permissions() - {
# We do not require these, as this data is not copied
"event.orders:read", "event.orders:write", "event.vouchers:read", "event.vouchers:write",
"event.subevents:write",
}
given_permission = auth.get_event_permission_set(self.organizer, self)
return all(p in given_permission for p in required_permissions if ":" in p)
else:
# Tokens or devices can never copy between organizers, as they are organizer-bound. Kept for future
# compatibility and easier calling
return False
def copy_data_from(self, other, skip_meta_data=False):
from ..signals import event_copy_data
from . import (
@@ -1386,14 +1413,13 @@ class Event(EventMixin, LoggedModel):
from .auth import User
if permission:
kwargs = {permission: True}
qs = Team.objects.with_event_permission(permission)
else:
kwargs = {}
qs = Team.objects.all()
team_with_perm = Team.objects.filter(
team_with_perm = qs.filter(
members__pk=OuterRef('pk'),
organizer=self.organizer,
**kwargs
).filter(
Q(all_events=True) | Q(limit_events__pk=self.pk)
)

244
src/pretix/base/models/organizer.py
View File

@@ -31,9 +31,10 @@
# Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations under the License.
import operator
import string
from datetime import date, datetime, time
from functools import reduce
import pytz_deprecation_shim
from django.conf import settings
@@ -53,6 +54,10 @@ from i18nfield.strings import LazyI18nString
from pretix.base.models.base import LoggedModel
from pretix.base.validators import OrganizerSlugBanlistValidator
from ...helpers.permission_migration import (
OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_ORGANIZER_COMPAT,
LegacyPermissionProperty,
)
from ..settings import settings_hierarkey
from .auth import User
@@ -309,6 +314,38 @@ def generate_api_token():
return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
class TeamQuerySet(models.QuerySet):
@classmethod
def event_permission_q(cls, perm_name):
from ..permissions import assert_valid_event_permission
if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT: # legacy
return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
assert_valid_event_permission(perm_name, allow_legacy=False)
return (
Q(all_event_permissions=True) |
Q(**{f'limit_event_permissions__{perm_name}': True})
)
@classmethod
def organizer_permission_q(cls, perm_name):
from ..permissions import assert_valid_organizer_permission
if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT: # legacy
return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
assert_valid_organizer_permission(perm_name, allow_legacy=False)
return (
Q(all_organizer_permissions=True) |
Q(**{f'limit_organizer_permissions__{perm_name}': True})
)
def with_event_permission(self, perm_name):
return self.filter(self.event_permission_q(perm_name))
def with_organizer_permission(self, perm_name):
return self.filter(self.organizer_permission_q(perm_name))
class Team(LoggedModel):
"""
A team is a collection of people given certain access rights to one or more events of an organizer.
@@ -321,36 +358,10 @@ class Team(LoggedModel):
:param all_events: Whether this team has access to all events of this organizer
:type all_events: bool
:param limit_events: A set of events this team has access to. Irrelevant if ``all_events`` is ``True``.
:param can_create_events: Whether or not the members can create new events with this organizer account.
:type can_create_events: bool
:param can_change_teams: If ``True``, the members can change the teams of this organizer account.
:type can_change_teams: bool
:param can_manage_customers: If ``True``, the members can view and change organizer-level customer accounts.
:type can_manage_customers: bool
:param can_manage_reusable_media: If ``True``, the members can view and change organizer-level reusable media.
:type can_manage_reusable_media: bool
:param can_change_organizer_settings: If ``True``, the members can change the settings of this organizer account.
:type can_change_organizer_settings: bool
:param can_change_event_settings: If ``True``, the members can change the settings of the associated events.
:type can_change_event_settings: bool
:param can_change_items: If ``True``, the members can change and add items and related objects for the associated events.
:type can_change_items: bool
:param can_view_orders: If ``True``, the members can inspect details of all orders of the associated events.
:type can_view_orders: bool
:param can_change_orders: If ``True``, the members can change details of orders of the associated events.
:type can_change_orders: bool
:param can_checkin_orders: If ``True``, the members can perform check-in related actions.
:type can_checkin_orders: bool
:param can_view_vouchers: If ``True``, the members can inspect details of all vouchers of the associated events.
:type can_view_vouchers: bool
:param can_change_vouchers: If ``True``, the members can change and create vouchers for the associated events.
:type can_change_vouchers: bool
"""
organizer = models.ForeignKey(Organizer, related_name="teams", on_delete=models.CASCADE)
name = models.CharField(max_length=190, verbose_name=_("Team name"))
members = models.ManyToManyField(User, related_name="teams", verbose_name=_("Team members"))
all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
require_2fa = models.BooleanField(
default=False, verbose_name=_("Require all members of this team to use two-factor authentication"),
help_text=_("If you turn this on, all members of the team will be required to either set up two-factor "
@@ -358,62 +369,33 @@ class Team(LoggedModel):
"all users.")
)
can_create_events = models.BooleanField(
default=False,
verbose_name=_("Can create events"),
)
can_change_teams = models.BooleanField(
default=False,
verbose_name=_("Can change teams and permissions"),
)
can_change_organizer_settings = models.BooleanField(
default=False,
verbose_name=_("Can change organizer settings"),
help_text=_('Someone with this setting can get access to most data of all of your events, i.e. via privacy '
'reports, so be careful who you add to this team!')
)
can_manage_customers = models.BooleanField(
default=False,
verbose_name=_("Can manage customer accounts")
)
can_manage_reusable_media = models.BooleanField(
default=False,
verbose_name=_("Can manage reusable media")
)
can_manage_gift_cards = models.BooleanField(
default=False,
verbose_name=_("Can manage gift cards")
)
can_change_event_settings = models.BooleanField(
default=False,
verbose_name=_("Can change event settings")
)
can_change_items = models.BooleanField(
default=False,
verbose_name=_("Can change product settings")
)
can_view_orders = models.BooleanField(
default=False,
verbose_name=_("Can view orders")
)
can_change_orders = models.BooleanField(
default=False,
verbose_name=_("Can change orders")
)
can_checkin_orders = models.BooleanField(
default=False,
verbose_name=_("Can perform check-ins"),
help_text=_('This includes searching for attendees, which can be used to obtain personal information about '
'attendees. Users with "can change orders" can also perform check-ins.')
)
can_view_vouchers = models.BooleanField(
default=False,
verbose_name=_("Can view vouchers")
)
can_change_vouchers = models.BooleanField(
default=False,
verbose_name=_("Can change vouchers")
)
# Scope
all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
# Permissions
# We store them as {key: True} instead of [key] because otherwise not all lookups we need are supported on SQLite
all_event_permissions = models.BooleanField(default=False, verbose_name=_("All event permissions"))
limit_event_permissions = models.JSONField(default=dict, verbose_name=_("Event permissions"))
all_organizer_permissions = models.BooleanField(default=False, verbose_name=_("All organizer permissions"))
limit_organizer_permissions = models.JSONField(default=dict, verbose_name=_("Organizer permissions"))
# Legacy lookups for plugin compatibility
can_change_event_settings = LegacyPermissionProperty()
can_change_items = LegacyPermissionProperty()
can_view_orders = LegacyPermissionProperty()
can_change_orders = LegacyPermissionProperty()
can_checkin_orders = LegacyPermissionProperty()
can_view_vouchers = LegacyPermissionProperty()
can_change_vouchers = LegacyPermissionProperty()
can_create_events = LegacyPermissionProperty()
can_change_organizer_settings = LegacyPermissionProperty()
can_change_teams = LegacyPermissionProperty()
can_manage_gift_cards = LegacyPermissionProperty()
can_manage_customers = LegacyPermissionProperty()
can_manage_reusable_media = LegacyPermissionProperty()
objects = TeamQuerySet.as_manager()
def __str__(self) -> str:
return _("%(name)s on %(object)s") % {
@@ -421,21 +403,62 @@ class Team(LoggedModel):
'object': str(self.organizer),
}
def permission_set(self) -> set:
attribs = dir(self)
return {
a for a in attribs if a.startswith('can_') and self.has_permission(a)
}
def event_permission_set(self, include_legacy=True) -> set:
from ..permissions import get_all_event_permission_groups
result = set()
for pg in get_all_event_permission_groups().values():
for action in pg.actions:
if self.all_event_permissions or self.limit_event_permissions.get(f"{pg.name}:{action}"):
result.add(f"{pg.name}:{action}")
if include_legacy:
# Add legacy permissions as well for plugin compatibility
for k, v in OLD_TO_NEW_EVENT_COMPAT.items():
if self.all_event_permissions or all(self.limit_event_permissions.get(kk) for kk in v):
result.add(k)
if "can_change_event_settings" in result:
result.add("can_change_settings")
return result
def organizer_permission_set(self, include_legacy=True) -> set:
from ..permissions import get_all_organizer_permission_groups
result = set()
for pg in get_all_organizer_permission_groups().values():
for action in pg.actions:
if self.all_organizer_permissions or self.limit_organizer_permissions.get(f"{pg.name}:{action}"):
result.add(f"{pg.name}:{action}")
if include_legacy:
# Add legacy permissions as well for plugin compatibility
for k, v in OLD_TO_NEW_ORGANIZER_COMPAT.items():
if self.all_organizer_permissions or all(self.limit_organizer_permissions.get(kk) for kk in v):
result.add(k)
return result
@property
def can_change_settings(self): # Legacy compatiblilty
def can_change_settings(self): # Legacy compatibility
return self.can_change_event_settings
def has_permission(self, perm_name):
try:
def has_event_permission(self, perm_name):
from ..permissions import assert_valid_event_permission
if perm_name.startswith('can_') and hasattr(self, perm_name): # legacy
return getattr(self, perm_name)
except AttributeError:
raise ValueError('Invalid required permission: %s' % perm_name)
assert_valid_event_permission(perm_name, allow_legacy=False)
return self.all_event_permissions or self.limit_event_permissions.get(perm_name, False)
def has_organizer_permission(self, perm_name):
from ..permissions import assert_valid_organizer_permission
if perm_name.startswith('can_') and hasattr(self, perm_name): # legacy
return getattr(self, perm_name)
assert_valid_organizer_permission(perm_name, allow_legacy=False)
return self.all_organizer_permissions or self.limit_organizer_permissions.get(perm_name, False)
def permission_for_event(self, event):
if self.all_events:
@@ -447,6 +470,19 @@ class Team(LoggedModel):
def active_tokens(self):
return self.tokens.filter(active=True)
def save(self, **kwargs):
if not isinstance(self.limit_event_permissions, dict):
raise TypeError("Permissions must be a dictionary")
if not isinstance(self.limit_organizer_permissions, dict):
raise TypeError("Permissions must be a dictionary")
for k in self.limit_event_permissions.values():
if k is not True:
raise TypeError("Permissions must only contain True values")
for k in self.limit_organizer_permissions.values():
if k is not True:
raise TypeError("Permissions must only contain True values")
return super().save(**kwargs)
class Meta:
verbose_name = _("Team")
verbose_name_plural = _("Teams")
@@ -503,7 +539,7 @@ class TeamAPIToken(models.Model):
has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
event in self.team.limit_events.all()
)
return self.team.permission_set() if has_event_access else set()
return self.team.event_permission_set() if has_event_access else set()
def get_organizer_permission_set(self, organizer) -> set:
"""
@@ -512,7 +548,7 @@ class TeamAPIToken(models.Model):
:param organizer: The organizer of the event
:return: set of permissions
"""
return self.team.permission_set() if self.team.organizer == organizer else set()
return self.team.organizer_permission_set() if self.team.organizer == organizer else set()
def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
"""
@@ -521,7 +557,7 @@ class TeamAPIToken(models.Model):
:param organizer: The organizer of the event
:param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``event.orders:read``
:param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool
"""
@@ -529,8 +565,8 @@ class TeamAPIToken(models.Model):
event in self.team.limit_events.all()
)
if isinstance(perm_name, (tuple, list)):
return has_event_access and any(self.team.has_permission(p) for p in perm_name)
return has_event_access and (not perm_name or self.team.has_permission(perm_name))
return has_event_access and any(self.team.has_event_permission(p) for p in perm_name)
return has_event_access and (not perm_name or self.team.has_event_permission(perm_name))
def has_organizer_permission(self, organizer, perm_name=None, request=None):
"""
@@ -538,13 +574,13 @@ class TeamAPIToken(models.Model):
to the organizer ``organizer``.
:param organizer: The organizer to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param perm_name: The permission, e.g. ``organizer.events:create``
:param request: This parameter is ignored and only defined for compatibility reasons.
:return: bool
"""
if isinstance(perm_name, (tuple, list)):
return organizer == self.team.organizer and any(self.team.has_permission(p) for p in perm_name)
return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
return organizer == self.team.organizer and any(self.team.has_organizer_permission(p) for p in perm_name)
return organizer == self.team.organizer and (not perm_name or self.team.has_organizer_permission(perm_name))
def get_events_with_any_permission(self):
"""
@@ -564,9 +600,11 @@ class TeamAPIToken(models.Model):
:param request: Ignored, for compatibility with User model
:return: Iterable of Events
"""
from pretix.base.permissions import AnyPermissionOf
if (
isinstance(permission, (list, tuple)) and any(getattr(self.team, p, False) for p in permission)
) or (isinstance(permission, str) and getattr(self.team, permission, False)):
isinstance(permission, (AnyPermissionOf, list, tuple)) and any(self.team.has_event_permission(p) for p in permission)
) or (isinstance(permission, str) and self.team.has_event_permission(permission)):
return self.get_events_with_any_permission()
else:
return self.team.organizer.events.none()

2
src/pretix/base/notifications.py
View File

@@ -151,7 +151,7 @@ def get_all_notification_types(event=None):
class ParametrizedOrderNotificationType(NotificationType):
required_permission = "can_view_orders"
required_permission = "event.orders:read"
def __init__(self, event, action_type, verbose_name, title):
self._action_type = action_type

334
src/pretix/base/permissions.py Normal file
View File

@@ -0,0 +1,334 @@
#
# This file is part of pretix (Community Edition).
#
# Copyright (C) 2014-2020 Raphael Michel and contributors
# Copyright (C) 2020-today pretix GmbH and contributors
#
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation in version 3 of the License.
#
# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
# this file, see <https://pretix.eu/about/en/license>.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import functools
import logging
import warnings
from collections import OrderedDict
from typing import Callable, Dict, List, NamedTuple, Set, Tuple
from django.apps import apps
from django.dispatch import receiver
from django.utils.functional import Promise
from django.utils.translation import gettext_lazy as _, pgettext_lazy
from pretix.base.signals import (
register_event_permission_groups, register_organizer_permission_groups,
)
logger = logging.getLogger(__name__)
def cache_until_change(input_value: Callable):
def decorator(func):
old_input_value = None
cached_result = None
@functools.wraps(func)
def wrapper():
nonlocal cached_result, old_input_value
if cached_result is None or old_input_value != input_value():
cached_result = func()
old_input_value = input_value()
return cached_result
return wrapper
return decorator
class PermissionOption(NamedTuple):
actions: Tuple[str, ...]
label: str | Promise
help_text: str | Promise = None
class PermissionGroup(NamedTuple):
name: str
label: str | Promise
actions: List[str]
options: List[PermissionOption]
help_text: str | Promise = None
@cache_until_change(input_value=lambda: apps.ready)
def get_all_event_permission_groups() -> Dict[str, PermissionGroup]:
types = OrderedDict()
for recv, ret in register_event_permission_groups.send(None):
if isinstance(ret, (list, tuple)):
for r in ret:
types[r.name] = r
else:
types[ret.name] = ret
return types
@cache_until_change(input_value=lambda: apps.ready)
def get_all_organizer_permission_groups() -> Dict[str, PermissionGroup]:
types = OrderedDict()
for recv, ret in register_organizer_permission_groups.send(None):
if isinstance(ret, (list, tuple)):
for r in ret:
types[r.name] = r
else:
types[ret.name] = ret
return types
@cache_until_change(input_value=lambda: apps.ready)
def get_all_event_permissions() -> Set[str]:
from pretix.helpers.permission_migration import OLD_TO_NEW_EVENT_COMPAT
res = set(OLD_TO_NEW_EVENT_COMPAT.keys())
for pg in get_all_event_permission_groups().values():
for a in pg.actions:
res.add(f"{pg.name}:{a}")
return res
@cache_until_change(input_value=lambda: apps.ready)
def get_all_organizer_permissions() -> Set[str]:
from pretix.helpers.permission_migration import OLD_TO_NEW_ORGANIZER_COMPAT
res = set(OLD_TO_NEW_ORGANIZER_COMPAT.keys())
for pg in get_all_organizer_permission_groups().values():
for a in pg.actions:
res.add(f"{pg.name}:{a}")
return res
def assert_valid_event_permission(permission, allow_legacy=True, allow_tuple=True):
if not apps.ready:
# can't really check yet
return
if allow_legacy and permission == "can_change_settings":
permission = "can_change_event_settings"
if permission is None:
return
if isinstance(permission, (AnyPermissionOf, list, tuple)) and allow_tuple:
for p in permission:
assert_valid_event_permission(p)
return
if not allow_legacy and ':' not in permission:
raise ValueError(f"Not allowed to use legacy permission '{permission}'")
all_permissions = get_all_event_permissions()
if permission not in all_permissions:
# Warning *and* exception because warning is silently caught when used in if statements in Django templates
warnings.warn(f"Use of undefined permission '{permission}'")
raise Exception(f"Undefined permission '{permission}'")
def assert_valid_organizer_permission(permission, allow_legacy=True, allow_tuple=True):
if not apps.ready:
# can't really check yet
return
if permission is None:
return
if isinstance(permission, (AnyPermissionOf, list, tuple)) and allow_tuple:
for p in permission:
assert_valid_organizer_permission(p)
return
if not allow_legacy and ':' not in permission:
raise ValueError(f"Not allowed to use legacy permission '{permission}'")
all_permissions = get_all_organizer_permissions()
if permission not in all_permissions:
# Warning *and* exception because warning is silently caught when used in if statements in Django templates
warnings.warn(f"Use of undefined permission '{permission}'")
raise Exception(f"Undefined permission '{permission}'")
class AnyPermissionOf(list):
def __init__(self, *items):
super().__init__(items)
OPTS_ALL_READ = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_ALL_READ_SETTINGS_API = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
help_text=_("API only")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_ALL_READ_SETTINGS_PARENT = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
help_text=_("Menu item will only show up if the user has permission for general settings.")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
]
OPTS_READ_WRITE = [
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change")),
]
@receiver(register_event_permission_groups, dispatch_uid="base_register_default_event_permissions")
def register_default_event_permissions(sender, **kwargs):
return [
PermissionGroup(
name="event.settings.general",
label=_("General settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_API,
help_text=_(
"This includes access to all settings not listed explicitly below, including plugin settings."
),
),
PermissionGroup(
name="event.settings.payment",
label=_("Payment settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.settings.tax",
label=_("Tax settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.settings.invoicing",
label=_("Invoicing settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_PARENT,
),
PermissionGroup(
name="event.subevents",
label=_("Event series dates"),
actions=["write"],
options=OPTS_ALL_READ,
),
PermissionGroup(
name="event.items",
label=_("Products, quotas and questions"),
actions=["write"],
options=OPTS_ALL_READ,
help_text=_("Also includes related objects like categories or discounts."),
),
PermissionGroup(
name="event.orders",
label=_("Orders"),
actions=["read", "write", "checkin"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("checkin",), label=pgettext_lazy("permission_level", "Only check-in")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View all")),
PermissionOption(actions=("read", "checkin"), label=pgettext_lazy("permission_level", "View all and check-in")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View all and change"),
help_text=_("Includes the ability to cancel and refund individual orders.")),
],
help_text=_("Also includes related objects like the waiting list."),
),
PermissionGroup(
name="event.vouchers",
label=_("Vouchers"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="event",
label=_("Full event or date cancellation"),
actions=["cancel"],
options=[
# If we ever add more actions, we need a new UI idea here
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Not allowed")),
PermissionOption(actions=("cancel",), label=pgettext_lazy("permission_level", "Allowed")),
],
help_text="",
),
]
@receiver(register_organizer_permission_groups, dispatch_uid="base_register_default_organizer_permissions")
def register_default_organizer_permissions(sender, **kwargs):
return [
PermissionGroup(
name="organizer.events",
label=_("Events"),
actions=["create"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Access existing events")),
PermissionOption(actions=("create",), label=pgettext_lazy("permission_level", "Access existing and create new events")),
],
help_text=_("The level of access to events is determined in detail by the settings below."),
),
PermissionGroup(
name="organizer.settings.general",
label=_("Settings"),
actions=["write"],
options=OPTS_ALL_READ_SETTINGS_API,
help_text=_("This includes access to all organizer-level functionality not listed explicitly below, including plugin settings."),
),
PermissionGroup(
name="organizer.teams",
label=_("Teams"),
actions=["write"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change"),
help_text=_("Includes the ability to give someone (including oneself) additional permissions.")),
],
),
PermissionGroup(
name="organizer.giftcards",
label=_("Gift cards"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.customers",
label=_("Customers"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.reusablemedia",
label=_("Reusable media"),
actions=["read", "write"],
options=OPTS_READ_WRITE,
),
PermissionGroup(
name="organizer.devices",
label=_("Devices"),
actions=["read", "write"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change"),
help_text=_("Includes the ability to give access to events and data oneself does not have access to.")),
],
),
PermissionGroup(
name="organizer.seatingplans",
label=_("Seating plans"),
actions=["write"],
options=OPTS_ALL_READ,
),
PermissionGroup(
name="organizer.outgoingmails",
label=_("Outgoing emails"),
actions=["read"],
options=[
PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
],
),
]

299
src/pretix/base/services/export.py
View File

@@ -34,7 +34,7 @@ from django_scopes import scopes_disabled
from i18nfield.strings import LazyI18nString
from pretix.base.email import get_email_context
from pretix.base.exporter import OrganizerLevelExportMixin
from pretix.base.exporter import BaseExporter, OrganizerLevelExportMixin
from pretix.base.i18n import LazyLocaleException, language
from pretix.base.models import (
CachedFile, Device, Event, Organizer, ScheduledEventExport, TeamAPIToken,
@@ -64,7 +64,15 @@ class ExportEmptyError(ExportError):
@app.task(base=ProfiledEventTask, throws=(ExportError, ExportEmptyError), bind=True)
def export(self, event: Event, fileid: str, provider: str, form_data: Dict[str, Any]) -> None:
def export(self, event: Event, user: User, device: int, token: int, fileid: str, provider: str,
form_data: Dict[str, Any], staff_session=False) -> None:
if user:
user = User.objects.get(pk=user)
if device:
device = Device.objects.get(pk=device)
if token:
device = TeamAPIToken.objects.get(pk=token)
def set_progress(val):
if not self.request.called_directly:
self.update_state(
@@ -72,30 +80,38 @@ def export(self, event: Event, fileid: str, provider: str, form_data: Dict[str,
meta={'value': val}
)
ex = init_event_exporter(
identifier=provider,
event=event,
user=user,
token=token,
device=device,
staff_session=staff_session,
progress_callback=set_progress,
)
if not ex:
raise ExportError(
gettext('Export not found or you do not have sufficient permission to perform this export.')
)
file = CachedFile.objects.get(id=fileid)
with language(event.settings.locale, event.settings.region), override(event.settings.timezone):
responses = register_data_exporters.send(event)
for recv, response in responses:
if not response:
continue
ex = response(event, event.organizer, set_progress)
if ex.identifier == provider:
if ex.repeatable_read:
with repeatable_reads_transaction():
d = ex.render(form_data)
else:
d = ex.render(form_data)
if ex.repeatable_read:
with repeatable_reads_transaction():
d = ex.render(form_data)
else:
d = ex.render(form_data)
if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
close_old_connections() # This task can run very long, we might need a new DB connection
close_old_connections() # This task can run very long, we might need a new DB connection
f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f)
f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f)
return str(file.pk)
@@ -105,10 +121,7 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
if device:
device = Device.objects.get(pk=device)
if token:
device = TeamAPIToken.objects.get(pk=token)
allowed_events = (device or token or user).get_events_with_permission('can_view_orders')
if user and staff_session:
allowed_events = organizer.events.all()
token = TeamAPIToken.objects.get(pk=token)
def set_progress(val):
if not self.request.called_directly:
@@ -118,12 +131,35 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
)
file = CachedFile.objects.get(id=fileid)
event_qs = organizer.events.all()
if form_data.get('events') is not None and not form_data.get('all_events'):
if form_data['events'] and isinstance(form_data['events'][0], str): # legacy API-created schedules
event_qs = event_qs.filter(slug__in=form_data.get('events'))
else:
event_qs = event_qs.filter(pk__in=form_data.get('events'))
ex = init_organizer_exporter(
identifier=provider,
organizer=organizer,
user=user,
token=token,
device=device,
staff_session=staff_session,
progress_callback=set_progress,
event_qs=event_qs,
)
if not ex:
raise ExportError(
gettext('Export not found or you do not have sufficient permission to perform this export.')
)
if user:
locale = user.locale
timezone = user.timezone
region = None # todo: add to user?
else:
e = allowed_events.first()
e = ex.events.first()
if e:
locale = e.settings.locale
timezone = e.settings.timezone
@@ -133,47 +169,140 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
timezone = organizer.settings.timezone or settings.TIME_ZONE
region = organizer.settings.region
with language(locale, region), override(timezone):
if form_data.get('events') is not None and not form_data.get('all_events'):
if isinstance(form_data['events'][0], str):
events = allowed_events.filter(slug__in=form_data.get('events'), organizer=organizer)
else:
events = allowed_events.filter(pk__in=form_data.get('events'), organizer=organizer)
if ex.repeatable_read:
with repeatable_reads_transaction():
d = ex.render(form_data)
else:
events = allowed_events.filter(organizer=organizer)
responses = register_multievent_data_exporters.send(organizer)
d = ex.render(form_data)
if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
for recv, response in responses:
if not response:
continue
ex = response(events, organizer, set_progress)
if ex.identifier == provider:
if (
isinstance(ex, OrganizerLevelExportMixin) and
not staff_session and
not (device or token or user).has_organizer_permission(organizer, ex.organizer_required_permission)
):
raise ExportError(
gettext('You do not have sufficient permission to perform this export.')
)
close_old_connections() # This task can run very long, we might need a new DB connection
if ex.repeatable_read:
with repeatable_reads_transaction():
d = ex.render(form_data)
else:
d = ex.render(form_data)
if d is None:
raise ExportError(
gettext('Your export did not contain any data.')
)
file.filename, file.type, data = d
close_old_connections() # This task can run very long, we might need a new DB connection
f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f)
f = ContentFile(data)
file.file.save(cachedfile_name(file, file.filename), f)
return str(file.pk)
def init_event_exporter(identifier, **kwargs):
for ex in init_event_exporters(**kwargs):
if ex.identifier == identifier:
return ex
return None
def init_event_exporters(event, user=None, token=None, device=None, request=None, staff_session=False, **kwargs):
if not user and not token and not device:
raise ValueError("No auth source given.")
perm_holder = device or token or user
responses = register_data_exporters.send(event)
for r, response in responses:
if not response:
continue
if issubclass(response, OrganizerLevelExportMixin):
raise TypeError("Cannot user organizer-level exporter on event level")
permission_name = response.get_required_event_permission()
if not perm_holder.has_event_permission(event.organizer, event, permission_name, request) and not staff_session:
continue
exporter: BaseExporter = response(event=event, organizer=event.organizer, **kwargs)
if not exporter.available_for_user(user if user and user.is_authenticated else None):
continue
yield exporter
def init_organizer_exporter(identifier, **kwargs):
for ex in init_organizer_exporters(**kwargs):
if ex.identifier == identifier:
return ex
return None
def init_organizer_exporters(
organizer, user=None, token=None, device=None, request=None, staff_session=False, event_qs=None, **kwargs
):
if not user and not token and not device:
raise ValueError("No auth source given.")
perm_holder = device or token or user
_event_list_cache = {}
_has_permission_on_any_team_cache = {}
_team_cache = None
responses = register_multievent_data_exporters.send(organizer)
for r, response in responses:
if not response:
continue
if issubclass(response, OrganizerLevelExportMixin):
exporter: BaseExporter = response(event=Event.objects.none(), organizer=organizer, **kwargs)
try:
if not perm_holder.has_organizer_permission(organizer, response.get_required_organizer_permission(), request) and not staff_session:
continue
except NotImplementedError:
logger.error(f"Not showing export {response} because get_required_organizer_permission() is not implemented.")
continue
else:
permission_name = response.get_required_event_permission()
if permission_name not in _event_list_cache:
if staff_session:
events = event_qs.all()
elif event_qs is not None:
events = event_qs.filter(
pk__in=perm_holder.get_events_with_permission(
permission_name, request=request
).filter(
organizer=organizer
).values("id")
)
else:
events = perm_holder.get_events_with_permission(
permission_name, request=request
).filter(
organizer=organizer
)
_event_list_cache[permission_name] = events
if permission_name not in _has_permission_on_any_team_cache:
# Check if the user has this event permission on any teams they are part of to decide whether to show
# the export at all.
# This is different from _event_list_cache[permission_name].exists() for the case of an organizer with
# zero events in total, or a team with zero events. In these cases, we still want people to be able
# to see waht exports they'll get once they have events.
if user:
if _team_cache is None:
_team_cache = list(user.teams.filter(organizer=organizer))
_has_permission_on_any_team_cache[permission_name] = staff_session or any(
t.has_event_permission(permission_name) for t in _team_cache
)
elif token:
_has_permission_on_any_team_cache[permission_name] = token.team.has_event_permission(permission_name)
elif device:
_has_permission_on_any_team_cache[permission_name] = device.has_event_permission(permission_name)
if not _has_permission_on_any_team_cache[permission_name]:
continue
exporter: BaseExporter = response(event=_event_list_cache[permission_name], organizer=organizer, **kwargs)
if not exporter.available_for_user(user if user and user.is_authenticated else None):
continue
yield exporter
def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter, config_url, retry_func, has_permission):
with language(schedule.locale, context.settings.region), override(schedule.tz):
file = CachedFile(web_download=False)
@@ -217,7 +346,7 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
try:
if not exporter:
raise ExportError("Export type not found.")
raise ExportError("Export type not found or permission denied.")
if exporter.repeatable_read:
with repeatable_reads_transaction():
d = exporter.render(schedule.export_form_data)
@@ -291,31 +420,20 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> None:
schedule = organizer.scheduled_exports.get(pk=schedule)
allowed_events = schedule.owner.get_events_with_permission('can_view_orders')
event_qs = organizer.events.all()
if schedule.export_form_data.get('events') is not None and not schedule.export_form_data.get('all_events'):
if isinstance(schedule.export_form_data['events'][0], str):
events = allowed_events.filter(slug__in=schedule.export_form_data.get('events'), organizer=organizer)
event_qs = event_qs.filter(slug__in=schedule.export_form_data.get('events'))
else:
events = allowed_events.filter(pk__in=schedule.export_form_data.get('events'), organizer=organizer)
else:
events = allowed_events.filter(organizer=organizer)
responses = register_multievent_data_exporters.send(organizer)
exporter = None
for recv, response in responses:
if not response:
continue
ex = response(events, organizer)
if ex.identifier == schedule.export_identifier:
exporter = ex
break
event_qs = event_qs.filter(pk__in=schedule.export_form_data.get('events'))
exporter = init_organizer_exporter(
identifier=schedule.export_identifier,
organizer=organizer,
user=schedule.owner,
event_qs=event_qs,
)
has_permission = schedule.owner.is_active
if isinstance(exporter, OrganizerLevelExportMixin):
if not schedule.owner.has_organizer_permission(organizer, exporter.organizer_required_permission):
has_permission = False
if exporter and not exporter.available_for_user(schedule.owner):
has_permission = False
_run_scheduled_export(
schedule,
@@ -336,17 +454,12 @@ def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> Non
def scheduled_event_export(self, event: Event, schedule: int) -> None:
schedule = event.scheduled_exports.get(pk=schedule)
responses = register_data_exporters.send(event)
exporter = None
for recv, response in responses:
if not response:
continue
ex = response(event, event.organizer)
if ex.identifier == schedule.export_identifier:
exporter = ex
break
has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'can_view_orders')
exporter = init_event_exporter(
identifier=schedule.export_identifier,
event=event,
user=schedule.owner,
)
has_permission = schedule.owner.is_active
_run_scheduled_export(
schedule,

65
src/pretix/base/settings.py
View File

@@ -345,6 +345,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.tax:write',
'form_kwargs': dict(
label=_("Show net prices instead of gross prices in the product list"),
help_text=_("Independent of your choice, the cart will show gross prices as this is the price that needs to be "
@@ -492,6 +493,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField,
'write_permission': 'event.settings.tax:write',
'form_kwargs': dict(
label=_("Rounding of taxes"),
widget=forms.RadioSelect,
@@ -511,15 +513,17 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Ask for invoice address"),
)
),
},
'invoice_address_not_asked_free': {
'default': 'False',
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_('Do not ask for invoice address if an order is free'),
)
@@ -529,6 +533,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Require customer name"),
)
@@ -538,6 +543,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show attendee names on invoices"),
)
@@ -547,6 +553,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show event location on invoices"),
help_text=_("The event location will be shown below the list of products if it is the same for all "
@@ -558,6 +565,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show exchange rates"),
widget=forms.RadioSelect,
@@ -581,6 +589,7 @@ DEFAULTS = {
'default': 'False',
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'type': bool,
'form_kwargs': dict(
label=_("Require invoice address"),
@@ -591,6 +600,7 @@ DEFAULTS = {
'default': 'False',
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'type': bool,
'form_kwargs': dict(
label=_("Require a business address"),
@@ -603,6 +613,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Ask for beneficiary"),
widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
@@ -613,6 +624,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Custom recipient field label"),
widget=I18nTextInput,
@@ -628,6 +640,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Custom recipient field help text"),
widget=I18nTextInput,
@@ -640,6 +653,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Ask for VAT ID"),
help_text=format_lazy(
@@ -655,6 +669,7 @@ DEFAULTS = {
'type': list,
'form_class': forms.MultipleChoiceField,
'serializer_class': serializers.MultipleChoiceField,
'write_permission': 'event.settings.invoicing:write',
'serializer_kwargs': dict(
choices=lazy(
lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
@@ -682,6 +697,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Invoice address explanation"),
widget=I18nMarkdownTextarea,
@@ -694,6 +710,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show paid amount on partially paid invoices"),
help_text=_("If an invoice has already been paid partially, this option will add the paid and pending "
@@ -705,6 +722,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show free products on invoices"),
help_text=_("Note that invoices will never be generated for orders that contain only free "
@@ -716,6 +734,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Show expiration date of order"),
help_text=_("The expiration date will not be shown if the invoice is generated after the order is paid."),
@@ -727,6 +746,7 @@ DEFAULTS = {
'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField,
'serializer_kwargs': dict(),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Minimum length of invoice number after prefix"),
help_text=_("The part of your invoice number after your prefix will be filled up with leading zeros up to this length, e.g. INV-001 or INV-00001."),
@@ -740,6 +760,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Generate invoices with consecutive numbers"),
help_text=_("If deactivated, the order code will be used in the invoice number."),
@@ -750,6 +771,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Invoice number prefix"),
help_text=_("This will be prepended to invoice numbers. If you leave this field empty, your event slug will "
@@ -777,6 +799,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Invoice number prefix for cancellations"),
help_text=_("This will be prepended to invoice numbers of cancellations. If you leave this field empty, "
@@ -800,6 +823,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Highlight order code to make it stand out visibly"),
help_text=_("Only respected by some invoice renderers."),
@@ -811,6 +835,7 @@ DEFAULTS = {
'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField,
'serializer_kwargs': lambda: dict(**invoice_font_kwargs()),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': lambda: dict(
label=_('Font'),
help_text=_("Only respected by some invoice renderers."),
@@ -821,6 +846,7 @@ DEFAULTS = {
'invoice_renderer': {
'default': 'classic', # default for new events is 'modern1'
'type': str,
'write_permission': 'event.settings.invoicing:write',
},
'ticket_secret_generator': {
'default': 'random',
@@ -897,6 +923,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
widget=I18nMarkdownTextarea,
widget_kwargs={'attrs': {
@@ -918,6 +945,7 @@ DEFAULTS = {
('minutes', _("in minutes"))
),
),
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_("Set payment term"),
widget=forms.RadioSelect,
@@ -935,6 +963,7 @@ DEFAULTS = {
'type': int,
'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Payment term in days'),
widget=forms.NumberInput(
@@ -960,6 +989,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Only end payment terms on weekdays'),
help_text=_("If this is activated and the payment term of any order ends on a Saturday or Sunday, it will be "
@@ -977,6 +1007,7 @@ DEFAULTS = {
'type': int,
'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Payment term in minutes'),
help_text=_("The number of minutes after placing an order the user has to pay to preserve their reservation. "
@@ -1001,6 +1032,7 @@ DEFAULTS = {
'type': RelativeDateWrapper,
'form_class': RelativeDateField,
'serializer_class': SerializerRelativeDateField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Last date of payments'),
help_text=_("The last date any payments are accepted. This has precedence over the terms "
@@ -1013,6 +1045,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Automatically expire unpaid orders'),
help_text=_("If checked, all unpaid orders will automatically go from 'pending' to 'expired' "
@@ -1025,6 +1058,7 @@ DEFAULTS = {
'type': int,
'form_class': forms.IntegerField,
'serializer_class': serializers.IntegerField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Expiration delay'),
help_text=_("The order will only actually expire this many days after the expiration date communicated "
@@ -1047,6 +1081,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Hide "payment pending" state on customer-facing pages'),
help_text=_("The payment instructions panel will still be shown to the primary customer, but no indication "
@@ -1058,9 +1093,11 @@ DEFAULTS = {
'default': 'True',
'type': bool,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
},
'payment_giftcard_public_name': {
'default': LazyI18nString.from_gettext(gettext_noop('Gift card')),
'write_permission': 'event.settings.payment:write',
'type': LazyI18nString
},
'payment_giftcard_public_description': {
@@ -1069,10 +1106,12 @@ DEFAULTS = {
'enough credit to pay for the full order, you will be shown this page again and you can either '
'redeem another gift card or select a different payment method for the difference.'
)),
'write_permission': 'event.settings.payment:write',
'type': LazyI18nString
},
'payment_resellers__restrict_to_sales_channels': {
'default': ['resellers'],
'write_permission': 'event.settings.payment:write',
'type': list
},
'payment_term_accept_late': {
@@ -1080,6 +1119,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_('Accept late payments'),
help_text=_("Accept payments for orders even when they are in 'expired' state as long as enough "
@@ -1109,6 +1149,7 @@ DEFAULTS = {
('none', _('Charge no taxes')),
),
),
'write_permission': 'event.settings.payment:write',
'form_kwargs': dict(
label=_("Tax handling on payment fees"),
widget=forms.RadioSelect,
@@ -1155,6 +1196,7 @@ DEFAULTS = {
('paid', _('Automatically on payment or when required by payment method')),
),
),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Generate invoices"),
widget=forms.RadioSelect,
@@ -1183,6 +1225,7 @@ DEFAULTS = {
('invoice_date', _('Invoice date')),
),
),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Date of service"),
widget=forms.RadioSelect,
@@ -1203,6 +1246,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Automatically cancel and reissue invoice on address changes"),
help_text=_("If customers change their invoice address on an existing order, the invoice will "
@@ -1215,6 +1259,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Allow to update existing invoices"),
help_text=_("By default, invoices can never again be changed once they are issued. In most countries, we "
@@ -1224,6 +1269,7 @@ DEFAULTS = {
},
'invoice_generate_sales_channels': {
'default': json.dumps(['web']),
'write_permission': 'event.settings.invoicing:write',
'type': list
},
'invoice_generate_only_business': {
@@ -1240,6 +1286,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Address line"),
widget=forms.Textarea(attrs={
@@ -1255,6 +1302,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
max_length=190,
label=_("Company name"),
@@ -1265,6 +1313,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
widget=forms.TextInput(attrs={
'placeholder': '12345'
@@ -1278,6 +1327,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
widget=forms.TextInput(attrs={
'placeholder': _('Random City')
@@ -1294,6 +1344,7 @@ DEFAULTS = {
'serializer_kwargs': {
'choices': [('', '')],
},
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': {
"label": pgettext_lazy('address', 'State'),
'choices': [('', '')],
@@ -1305,6 +1356,7 @@ DEFAULTS = {
'form_class': forms.ChoiceField,
'serializer_class': serializers.ChoiceField,
'serializer_kwargs': lambda: dict(**country_choice_kwargs()),
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': lambda: dict(
label=_('Country'),
widget=forms.Select(attrs={
@@ -1318,6 +1370,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Domestic tax ID"),
help_text=_("e.g. tax number in Germany, ABN in Australia, …"),
@@ -1329,6 +1382,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("EU VAT ID"),
max_length=190,
@@ -1339,6 +1393,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
widget=I18nTextarea,
widget_kwargs={'attrs': {
@@ -1356,6 +1411,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
widget=I18nTextarea,
widget_kwargs={'attrs': {
@@ -1373,6 +1429,7 @@ DEFAULTS = {
'type': LazyI18nString,
'form_class': I18nFormField,
'serializer_class': I18nField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
widget=I18nTextarea,
widget_kwargs={'attrs': {
@@ -1387,6 +1444,7 @@ DEFAULTS = {
},
'invoice_language': {
'default': '__user__',
'write_permission': 'event.settings.invoicing:write',
'type': str
},
'invoice_email_attachment': {
@@ -1394,6 +1452,7 @@ DEFAULTS = {
'type': bool,
'form_class': forms.BooleanField,
'serializer_class': serializers.BooleanField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Attach invoices to emails"),
help_text=_("If invoices are automatically generated for all orders, they will be attached to the order "
@@ -1407,6 +1466,7 @@ DEFAULTS = {
'type': str,
'form_class': forms.CharField,
'serializer_class': serializers.CharField,
'write_permission': 'event.settings.invoicing:write',
'form_kwargs': dict(
label=_("Email address to receive a copy of each invoice"),
help_text=_("Each newly created invoice will be sent to this email address shortly after creation. You can "
@@ -3260,7 +3320,8 @@ Your {organizer} team""")) # noqa: W291
'image/png', 'image/jpeg', 'image/gif'
],
max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
)
),
'write_permission': 'event.settings.invoicing:write',
},
'frontpage_text': {
'default': '',

15
src/pretix/base/signals.py
View File

@@ -561,6 +561,18 @@ however for this signal, the ``sender`` **may also be None** to allow creating t
notification settings!
"""
register_event_permission_groups = GlobalSignal()
"""
This signal is sent out to get all known permissions. Receivers should return an
instance of pretix.base.permissions.PermissionGroup or a list of such instances.
"""
register_organizer_permission_groups = GlobalSignal()
"""
This signal is sent out to get all known permissions. Receivers should return an
instance of pretix.base.permissions.PermissionGroup or a list of such instances.
"""
notification = EventPluginSignal()
"""
Arguments: ``logentry_id``, ``notification_type``
@@ -1106,6 +1118,9 @@ api_event_settings_fields = EventPluginSignal()
This signal is sent out to collect serializable settings fields for the API. You are expected to
return a dictionary mapping names of attributes in the settings store to DRF serializer field instances.
These are readable for all users with access to the events, therefore secrets stored in the settings store
should not be included!
As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
"""

83
src/pretix/base/timeline.py
View File

@@ -32,7 +32,11 @@ from pretix.base.models import ItemVariation
from pretix.base.reldate import RelativeDateWrapper
from pretix.base.signals import timeline_events
TimelineEvent = namedtuple('TimelineEvent', ('event', 'subevent', 'datetime', 'description', 'edit_url'))
TimelineEvent = namedtuple(
'TimelineEvent',
('event', 'subevent', 'datetime', 'description', 'edit_url', 'edit_permission'),
defaults=(None, None, None, None, None, 'event.settings.general:write')
)
def timeline_for_event(event, subevent=None):
@@ -46,6 +50,7 @@ def timeline_for_event(event, subevent=None):
'subevent': subevent.pk
}
)
ev_edit_permission = 'event.subevents:write'
else:
ev_edit_url = reverse(
'control:event.settings', kwargs={
@@ -53,12 +58,14 @@ def timeline_for_event(event, subevent=None):
'organizer': event.organizer.slug
}
)
ev_edit_permission = 'event.settings.general:write'
tl.append(TimelineEvent(
event=event, subevent=subevent,
datetime=ev.date_from,
description=pgettext_lazy('timeline', 'Your event starts'),
edit_url=ev_edit_url + '#id_date_from_0'
edit_url=ev_edit_url + '#id_date_from_0',
edit_permission=ev_edit_permission,
))
if ev.date_to:
@@ -66,7 +73,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent,
datetime=ev.date_to,
description=pgettext_lazy('timeline', 'Your event ends'),
edit_url=ev_edit_url + '#id_date_to_0'
edit_url=ev_edit_url + '#id_date_to_0',
edit_permission=ev_edit_permission,
))
if ev.date_admission:
@@ -74,7 +82,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent,
datetime=ev.date_admission,
description=pgettext_lazy('timeline', 'Admissions for your event start'),
edit_url=ev_edit_url + '#id_date_admission_0'
edit_url=ev_edit_url + '#id_date_admission_0',
edit_permission=ev_edit_permission,
))
if ev.presale_start:
@@ -82,7 +91,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent,
datetime=ev.presale_start,
description=pgettext_lazy('timeline', 'Start of ticket sales'),
edit_url=ev_edit_url + '#id_presale_start_0'
edit_url=ev_edit_url + '#id_presale_start_0',
edit_permission=ev_edit_permission,
))
tl.append(TimelineEvent(
@@ -97,7 +107,8 @@ def timeline_for_event(event, subevent=None):
) if not ev.presale_end else (
pgettext_lazy('timeline', 'End of ticket sales')
),
edit_url=ev_edit_url + '#id_presale_end_0'
edit_url=ev_edit_url + '#id_presale_end_0',
edit_permission=ev_edit_permission,
))
rd = event.settings.get('last_order_modification_date', as_type=RelativeDateWrapper)
@@ -106,7 +117,8 @@ def timeline_for_event(event, subevent=None):
event=event, subevent=subevent,
datetime=rd.datetime(ev),
description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0'
edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0',
edit_permission='event.settings.general:write',
))
rd = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
@@ -122,7 +134,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.payment', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.payment:write',
))
rd = event.settings.get('ticket_download_date', as_type=RelativeDateWrapper)
@@ -134,7 +147,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.tickets', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.general:write',
))
rd = event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper)
@@ -146,7 +160,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.general:write',
))
rd = event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper)
@@ -158,7 +173,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.general:write',
))
rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
@@ -170,7 +186,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.cancel', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.general:write',
))
rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
@@ -182,7 +199,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
}) + '#waiting-list-open'
}) + '#waiting-list-open',
edit_permission='event.settings.general:write',
))
if not event.has_subevents:
@@ -196,7 +214,8 @@ def timeline_for_event(event, subevent=None):
edit_url=reverse('control:event.settings.mail', kwargs={
'event': event.slug,
'organizer': event.organizer.slug
})
}),
edit_permission='event.settings.general:write',
))
if subevent:
@@ -210,7 +229,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'subevent': subevent.pk,
})
}),
edit_permission='event.subevents:write',
))
if sei.available_until:
tl.append(TimelineEvent(
@@ -221,7 +241,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'subevent': subevent.pk,
})
}),
edit_permission='event.subevents:write',
))
for sei in subevent.var_overrides.values():
if sei.available_from:
@@ -234,7 +255,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'subevent': subevent.pk,
})
}),
edit_permission='event.subevents:write',
))
if sei.available_until:
tl.append(TimelineEvent(
@@ -246,7 +268,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'subevent': subevent.pk,
})
}),
edit_permission='event.subevents:write',
))
for d in event.discounts.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -259,7 +282,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'discount': d.pk,
})
}),
edit_permission='event.items:write',
))
if d.available_until:
tl.append(TimelineEvent(
@@ -270,7 +294,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'discount': d.pk,
})
}),
edit_permission='event.items:write',
))
for p in event.items.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -283,7 +308,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'item': p.pk,
}) + '#id_available_from_0'
}) + '#id_available_from_0',
edit_permission='event.items:write',
))
if p.available_until:
tl.append(TimelineEvent(
@@ -294,7 +320,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'item': p.pk,
}) + '#id_available_until_0'
}) + '#id_available_until_0',
edit_permission='event.items:write',
))
for v in ItemVariation.objects.filter(
@@ -313,7 +340,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'item': v.item.pk,
}) + '#tab-0-3-open'
}) + '#tab-0-3-open',
edit_permission='event.items:write',
))
if v.available_until:
tl.append(TimelineEvent(
@@ -327,7 +355,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'item': v.item.pk,
}) + '#tab-0-3-open'
}) + '#tab-0-3-open',
edit_permission='event.items:write',
))
pprovs = event.get_payment_providers()
@@ -357,7 +386,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'provider': pprov.identifier,
})
}),
edit_permission='event.settings.payment:write',
))
availability_date = pprov.settings.get('_availability_date', as_type=RelativeDateWrapper)
if availability_date:
@@ -375,7 +405,8 @@ def timeline_for_event(event, subevent=None):
'event': event.slug,
'organizer': event.organizer.slug,
'provider': pprov.identifier,
})
}),
edit_permission='event.settings.payment:write',
))
for recv, resp in timeline_events.send(sender=event, subevent=subevent):