* Add option to restrict anonymous access to order URLs
By default, users who place orders while logged in can still access
their order URLs without authentication. This raises potential
security risks, particularly if order confirmation emails are
forwarded.

This commit introduces an organiser-level setting to disable anonymous
access for such orders. When enabled, unauthenticated attempts to access
URLs starting with `/order/`, which are intended for the customer, are
redirected to the login page. Upon successful authentication, the user
is redirected back to the original order URL.

It is important to note that this change does not impact routes intended
for attendees (e.g., `/ticket/*`), which remain accessible without
authentication.
* Change name of setting for future clarity
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Update message wording
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Eliminate database query
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Rename feature flag to fix breaking tests
* Refactor order access verification code into `OrderDetailsMixin`
* Add test for logged-in customer accessing another customer's order
* Refactor order access conditions to remove nesting
* Handle case where customer is not yet verified
* Add additional information to help message
* Fix multidomain issue
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Merge order/position variants into single tests
* Add docstring explaining return type of `order` property
* Apply suggestion from @raphaelm
* Fix indentation
---------
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
Co-authored-by: Raphael Michel <michel@rami.io>
* Webhooks: Add vouchers (Z#23203072)
This also requires more consistent usage of webhook types to avoid
vouchers not being known to the external system.
* Update src/pretix/api/webhooks.py
Co-authored-by: luelista <weller@rami.io>
* Fix shredder test
---------
Co-authored-by: luelista <weller@rami.io>
* Allow to add declaration of accessibility
* add fallback for empty accessibility_title
* unify label format (not "Title for")
* move title to top and set helptext before text
---------
Co-authored-by: Richard Schreiber <schreiber@rami.io>
* Allow to use custom domains for some but not all events
* Update src/pretix/multidomain/urlreverse.py
* Apply suggestions from code review
Co-authored-by: Mira <weller@rami.io>
* Logging for domain config changes
---------
Co-authored-by: Mira <weller@rami.io>
* Make API security profiles pluggable
* Update src/pretix/api/signals.py
Co-authored-by: robbi5 <richt@rami.io>
* Remove dead class
---------
Co-authored-by: robbi5 <richt@rami.io>
* Add public filters based on meta data
* Fix licenseheaders
* ignore empty values
* Fix tests
* Full non-widget implementation
* Widget support
* Add a few tests
* Allow to reorder properties
* Fix isort
* Allow to opt-out for specific events
* Fix name clash between new and old field to make migration feasible
* feat(config): Add config options for max file upload sizes
Closes #2198
* Apply suggestions from code review
Fix docs and comment in settings.py
Co-authored-by: Richard Schreiber <wiffbi@gmail.com>
* Fix import order using isort
Co-authored-by: Richard Schreiber <wiffbi@gmail.com>