From df41caacf7004b17109ed5f864398c63996a18d1 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 8 Feb 2023 13:33:31 +0100
Subject: [PATCH] API: Clear permission errors from idempotency storage when chaning permissions

---
 src/pretix/control/views/organizer.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/pretix/control/views/organizer.py b/src/pretix/control/views/organizer.py
index a9be06d84..a1f7c954c 100644
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -36,6 +36,7 @@ import json
 import re
 from datetime import time, timedelta
 from decimal import Decimal
+from hashlib import sha1
 
 import bleach
 from django import forms
@@ -63,7 +64,7 @@ from django.views.generic import (
 UpdateView,
 )
 
-from pretix.api.models import WebHook
+from pretix.api.models import WebHook, ApiCall
 from pretix.api.webhooks import manually_retry_all_calls
 from pretix.base.auth import get_auth_backends
 from pretix.base.channels import get_all_sales_channels
@@ -1003,6 +1004,15 @@ class DeviceUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 k: getattr(self.object, k) if k != 'limit_events' else [e.id for e in getattr(self.object, k).all()]
 for k in form.changed_data
 })
+
+ # If the permission of the device have changed, let's clear "permission denied" errors from the idempotency store
+ auth_hash_parts = f'Device {self.object.api_token}:'
+ auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
+ ApiCall.objects.filter(
+ auth_hash=auth_hash,
+ response_code=403,
+ ).delete()
+
 messages.success(self.request, _('Your changes have been saved.'))
 return super().form_valid(form)
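Review bot: The added block in `DeviceUpdateView.form_valid` rebuilds the idempotency key by hand (`auth_hash_parts = f'Device {self.object.api_token}:'`, then `sha1`), so it only works while it matches, byte for byte, whatever code writes `ApiCall.auth_hash`, and that code is not part of this patch. If the two drift, `filter(...).delete()` matches no rows and raises nothing, leaving the stale 403 responses in place; a helper shared with the writer, or at least a comment such as `# must stay in sync with the auth_hash computed where ApiCall rows are stored`, would make the coupling visible. The added lines also do not look at `form.changed_data`, so the cleanup is not limited to permission fields as the comment suggests, and if `api_token` can be empty for a device the hash is taken over the literal `'Device None:'`; a guard like `if self.object.api_token:` would state the intent. `form_valid` begins outside the hunk and the indentation is lost in this rendering, so whether the block sits inside the branch that records the changed fields cannot be confirmed here.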