License header; isort

src/pretix/base/views/applepay.py

@@ -0,0 +1,53 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django.http import Http404, HttpResponse
+
+from pretix.base.settings import GlobalSettingsObject
+
+
+def association(request, *args, **kwargs):
+    # This is a crutch to enable event- or organizer-level overrides for the default
+    # ApplePay MerchantID domain validation/association file.
+    # We do not provide any FormFields for this on purpose!
+    #
+    # Please refer to https://github.com/pretix/pretix/pull/3611 to get updates on
+    # the upcoming and official way to temporarily override the association-file,
+    # which will make sure that there are no conflicting requests at the same time.
+    #
+    # Should you opt to manually inject a different association-file into an organizer
+    # or event settings store, we do recommend to remove the setting once you're
+    # done and the domain has been validated.
+    #
+    # If you do not need Stripe's default domain association credential and would
+    # rather serve a different default credential, you can do so through the
+    # Global Settings editor.
+    if hasattr(request, 'event'):
+        settings = request.event.settings
+    elif hasattr(request, 'organizer'):
+        settings = request.organizer.settings
+    else:
+        settings = GlobalSettingsObject().settings
+
+    if not settings.get('apple_domain_association', None):
+        raise Http404('')
+    else:
+        return HttpResponse(settings.get('apple_domain_association'))

src/pretix/control/forms/global_settings.py

@@ -38,6 +38,7 @@ from django import forms
 from django.utils.translation import gettext_lazy as _
 from i18nfield.forms import I18nFormField, I18nTextarea, I18nTextInput
 
+from pretix import settings
 from pretix.base.forms import SecretKeySettingsField, SettingsForm
 from pretix.base.settings import GlobalSettingsObject
 from pretix.base.signals import register_global_settings
@@ -95,6 +96,13 @@ class GlobalSettingsForm(SettingsForm):
                     sample='© <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a> contributors'
                 )
             )),
+            ('apple_domain_association', forms.CharField(
+                required=False,
+                label=_("ApplePay MerchantID Domain Association"),
+                help_text=_("Will be served at {domain}/.well-known/apple-developer-merchantid-domain-association").format(
+                    domain=settings.SITE_URL
+                )
+            ))
         ])
         responses = register_global_settings.send(self)
         for r, response in sorted(responses, key=lambda r: str(r[0])):

src/pretix/locale/de_Informal/LC_MESSAGES/django.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: 1\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2023-09-08 13:36+0000\n"
-"PO-Revision-Date: 2023-09-24 05:00+0000\n"
-"Last-Translator: Felix Hartnagel <felix@fhcom.de>\n"
+"PO-Revision-Date: 2023-09-08 13:52+0000\n"
+"Last-Translator: Raphael Michel <michel@rami.io>\n"
 "Language-Team: German (informal) <https://translate.pretix.eu/projects/"
 "pretix/pretix/de_Informal/>\n"
 "Language: de_Informal\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.0.2\n"
+"X-Generator: Weblate 4.18.2\n"
 
 #: pretix/_base_settings.py:78
 msgid "English"
@@ -32035,7 +32035,7 @@ msgstr "Kundendaten ändern"
 #: pretix/presale/templates/pretixpresale/organizers/customer_login.html:11
 #, python-format
 msgid "Sign in to your account at %(org)s"
-msgstr "Log-in in dein Kundenkonto bei %(org)s"
+msgstr "Log-in in Ihr Kundenkonto bei %(org)s"
 
 #: pretix/presale/templates/pretixpresale/organizers/customer_login.html:38
 #: pretix/presale/templates/pretixpresale/organizers/customer_registration.html:20

src/pretix/locale/id/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2023-09-08 13:36+0000\n"
-"PO-Revision-Date: 2023-09-21 00:00+0000\n"
+"PO-Revision-Date: 2023-09-20 14:01+0000\n"
 "Last-Translator: Mahdia Aliyy <mahdlyy.k@gmail.com>\n"
 "Language-Team: Indonesian <https://translate.pretix.eu/projects/pretix/"
 "pretix/id/>\n"
@@ -30407,7 +30407,7 @@ msgstr "Lanjutkan dengan pembayaran"
 
 #: pretix/presale/templates/pretixpresale/event/fragment_cart_box.html:43
 msgid "Empty cart"
-msgstr "Kosongkan keranjang"
+msgstr "Keranjang kosong"
 
 #: pretix/presale/templates/pretixpresale/event/fragment_cart_box.html:48
 #: pretix/presale/templates/pretixpresale/event/index.html:236

src/pretix/plugins/stripe/urls.py

@@ -25,8 +25,7 @@ from pretix.multidomain import event_url
 
 from .views import (
     OrganizerSettingsFormView, ReturnView, ScaReturnView, ScaView,
-    applepay_association, oauth_disconnect, oauth_return, redirect_view,
-    webhook,
+    oauth_disconnect, oauth_return, redirect_view, webhook,
 )
 
 event_patterns = [
@@ -38,13 +37,6 @@ event_patterns = [
         re_path(r'^sca/(?P<order>[^/]+)/(?P<hash>[^/]+)/(?P<payment>[0-9]+)/return/$',
                 ScaReturnView.as_view(), name='sca.return'),
     ])),
-    re_path(r'^.well-known/apple-developer-merchantid-domain-association$',
-            applepay_association, name='applepay.association'),
-]
-
-organizer_patterns = [
-    re_path(r'^.well-known/apple-developer-merchantid-domain-association$',
-            applepay_association, name='applepay.association'),
 ]
 
 urlpatterns = [
@@ -54,6 +46,4 @@ urlpatterns = [
             OrganizerSettingsFormView.as_view(), name='settings.connect'),
     re_path(r'^_stripe/webhook/$', webhook, name='webhook'),
     re_path(r'^_stripe/oauth_return/$', oauth_return, name='oauth.return'),
-    re_path(r'^.well-known/apple-developer-merchantid-domain-association$',
-            applepay_association, name='applepay.association'),
 ]

src/pretix/plugins/stripe/views.py

@@ -476,13 +476,6 @@ def oauth_disconnect(request, **kwargs):
     }))
 
 
-@xframe_options_exempt
-def applepay_association(request, *args, **kwargs):
-    r = render(request, 'pretixplugins/stripe/apple-developer-merchantid-domain-association')
-    r._csp_ignore = True
-    return r
-
-
 class StripeOrderView:
     def dispatch(self, request, *args, **kwargs):
         try:

src/pretix/urls.py

@@ -38,7 +38,7 @@ from django.views.generic import RedirectView
 
 import pretix.control.urls
 import pretix.presale.urls
-from pretix.base.views import js_helpers
+from pretix.base.views import applepay, js_helpers
 
 from .base.views import (
     cachedfiles, csp, health, js_catalog, metrics, redirect, source,
@@ -57,7 +57,9 @@ base_patterns = [
     re_path(r'^agpl_source$', source.get_source, name='source'),
     re_path(r'^js_helpers/states/$', js_helpers.states, name='js_helpers.states'),
     re_path(r'^api/v1/', include(('pretix.api.urls', 'pretixapi'), namespace='api-v1')),
-    re_path(r'^api/$', RedirectView.as_view(url='/api/v1/'), name='redirect-api-version')
+    re_path(r'^api/$', RedirectView.as_view(url='/api/v1/'), name='redirect-api-version'),
+    re_path(r'^.well-known/apple-developer-merchantid-domain-association$',
+            applepay.association, name='applepay.association'),
 ]
 
 control_patterns = [

src/tests/concurrency_tests/test_api_order_creation_locking.py

@@ -1,189 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020 Raphael Michel and contributors
-# Copyright (C) 2020-2021 rami.io GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-import asyncio
-from datetime import timedelta
-from importlib import import_module
-
-import pytest
-from asgiref.sync import sync_to_async
-from django.conf import settings
-from django.utils.timezone import now
-from django_scopes import scopes_disabled
-from tests.concurrency_tests.utils import post
-
-from pretix.base.models import CartPosition, OrderPosition
-
-SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
-
-
-@pytest.fixture
-@scopes_disabled()
-def cart1_expired(event, organizer, item, customer):
-    cp = CartPosition.objects.create(
-        event=event,
-        item=item,
-        datetime=now(),
-        expires=now() - timedelta(days=1),
-        price=item.default_price,
-        cart_id="cart1"
-    )
-    session = SessionStore("cart1")
-    session['current_cart_event_{}'.format(event.pk)] = "cart1"
-    session['carts'] = {
-        'cart1': {
-            'payment': 'banktransfer',
-            'email': 'admin@localhost',
-            'customer': customer.pk,
-        }
-    }
-    session[f'customer_auth_id:{event.organizer.pk}'] = customer.pk
-    session[f'customer_auth_hash:{event.organizer.pk}'] = customer.get_session_auth_hash()
-    session.save()
-    return cp, session
-
-
-@pytest.fixture
-@scopes_disabled()
-def cart2_expired(event, organizer, item, customer):
-    cp = CartPosition.objects.create(
-        event=event,
-        item=item,
-        datetime=now(),
-        expires=now() - timedelta(days=1),
-        price=item.default_price,
-        cart_id="cart2"
-    )
-    session = SessionStore("cart2")
-    session['current_cart_event_{}'.format(event.pk)] = "cart2"
-    session['carts'] = {
-        'cart2': {
-            'payment': 'banktransfer',
-            'email': 'admin@localhost',
-            'customer': customer.pk,
-        }
-    }
-    session[f'customer_auth_id:{event.organizer.pk}'] = customer.pk
-    session[f'customer_auth_hash:{event.organizer.pk}'] = customer.get_session_auth_hash()
-    session.save()
-    return cp, session
-
-
-@pytest.mark.asyncio
-async def test_quota_race_condition_happens_if_we_disable_locks(live_server, session, event, item, quota,
-                                                                cart1_expired, cart2_expired):
-    # This test exists to ensure that our test setup makes sense. If it fails, all tests down below
-    # might be useless.
-    quota.size = 1
-    await sync_to_async(quota.save)()
-
-    url = f"/{event.organizer.slug}/{event.slug}/checkout/confirm/?_debug_flag=skip-csrf&_debug_flag=skip-locking&_debug_flag=sleep-after-quota-check"
-    payload = {}
-
-    r1, r2 = await asyncio.gather(
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart1_expired[1].session_key}),
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart2_expired[1].session_key}),
-    )
-    assert ['thank-you' in r1, 'thank-you' in r2].count(True) == 2
-    with scopes_disabled():
-        assert await sync_to_async(CartPosition.objects.filter(item=item).count)() == 0
-        assert await sync_to_async(OrderPosition.objects.filter(item=item).count)() == 2
-
-
-@pytest.mark.asyncio
-async def test_quota_race_condition_prevented_by_locks(live_server, session, event, item, quota, cart1_expired, cart2_expired):
-    quota.size = 1
-    await sync_to_async(quota.save)()
-
-    url = f"/{event.organizer.slug}/{event.slug}/checkout/confirm/?_debug_flag=skip-csrf&_debug_flag=sleep-after-quota-check"
-    payload = {}
-
-    r1, r2 = await asyncio.gather(
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart1_expired[1].session_key}),
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart2_expired[1].session_key}),
-    )
-    assert ['thank-you' in r1, 'thank-you' in r2].count(True) == 1
-    with scopes_disabled():
-        assert await sync_to_async(OrderPosition.objects.filter(item=item).count)() == 1
-        assert await sync_to_async(CartPosition.objects.filter(item=item).count)() == 0
-
-
-@pytest.mark.asyncio
-async def test_voucher_race_condition_prevented_by_locks(live_server, session, event, item, quota, cart1_expired, cart2_expired, voucher):
-    cart1_expired[0].voucher = voucher
-    await sync_to_async(cart1_expired[0].save)()
-    cart2_expired[0].voucher = voucher
-    await sync_to_async(cart2_expired[0].save)()
-
-    url = f"/{event.organizer.slug}/{event.slug}/checkout/confirm/?_debug_flag=skip-csrf&_debug_flag=sleep-after-quota-check"
-    payload = {}
-
-    r1, r2 = await asyncio.gather(
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart1_expired[1].session_key}),
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart2_expired[1].session_key}),
-    )
-    assert ['thank-you' in r1, 'thank-you' in r2].count(True) == 1
-    with scopes_disabled():
-        assert await sync_to_async(OrderPosition.objects.filter(item=item, voucher=voucher).count)() == 1
-        assert await sync_to_async(CartPosition.objects.filter(item=item, voucher=voucher).count)() == 0
-
-
-@pytest.mark.asyncio
-async def test_seat_race_condition_prevented_by_locks(live_server, session, event, item, quota, cart1_expired, cart2_expired, seat):
-    cart1_expired[0].seat = seat
-    await sync_to_async(cart1_expired[0].save)()
-    cart2_expired[0].seat = seat
-    await sync_to_async(cart2_expired[0].save)()
-
-    url = f"/{event.organizer.slug}/{event.slug}/checkout/confirm/?_debug_flag=skip-csrf&_debug_flag=sleep-after-quota-check"
-    payload = {}
-
-    r1, r2 = await asyncio.gather(
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart1_expired[1].session_key}),
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart2_expired[1].session_key}),
-    )
-    assert ['thank-you' in r1, 'thank-you' in r2].count(True) == 1
-    with scopes_disabled():
-        assert await sync_to_async(OrderPosition.objects.filter(item=item, seat=seat).count)() == 1
-        assert await sync_to_async(CartPosition.objects.filter(item=item, seat=seat).count)() == 0
-
-
-@pytest.mark.asyncio
-async def test_membership_race_condition_prevented_by_locks(live_server, session, event, item, quota, cart1_expired, cart2_expired, membership):
-    cart1_expired[0].used_membership = membership
-    await sync_to_async(cart1_expired[0].save)()
-    cart2_expired[0].used_membership = membership
-    await sync_to_async(cart2_expired[0].save)()
-    item.require_membership = True
-    await sync_to_async(item.save)()
-    await sync_to_async(item.require_membership_types.set)([membership.membership_type])
-
-    url = f"/{event.organizer.slug}/{event.slug}/checkout/confirm/?_debug_flag=skip-csrf&_debug_flag=sleep-after-quota-check"
-    payload = {}
-
-    r1, r2 = await asyncio.gather(
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart1_expired[1].session_key}),
-        post(session, f"{live_server}{url}", data=payload, cookies={settings.SESSION_COOKIE_NAME: cart2_expired[1].session_key}),
-    )
-    assert ['thank-you' in r1, 'thank-you' in r2].count(True) == 1
-    with scopes_disabled():
-        assert await sync_to_async(OrderPosition.objects.filter(item=item).count)() == 1
-        assert await sync_to_async(CartPosition.objects.filter(item=item).count)() == 1