From 0236911a8891980185e1a2d8130acae2aaa0d044 Mon Sep 17 00:00:00 2001 From: Raphael Michel Date: Tue, 18 Mar 2025 09:01:13 +0100 Subject: [PATCH] Order search: Proper input validation with error feedback for advanced search (#4920) --- .../pretixcontrol/orders/search.html | 3 ++- src/pretix/control/views/orders.py | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/pretix/control/templates/pretixcontrol/orders/search.html b/src/pretix/control/templates/pretixcontrol/orders/search.html index 2905bfef04..047c835d78 100644 --- a/src/pretix/control/templates/pretixcontrol/orders/search.html +++ b/src/pretix/control/templates/pretixcontrol/orders/search.html @@ -7,7 +7,8 @@ {% block title %}{% trans "Order search" %}{% endblock %} {% block content %}

{% trans "Order search" %}

-
+ + {% csrf_token %} {% for f in forms %} {% bootstrap_form_errors f layout='control' %} {% for field in f %} diff --git a/src/pretix/control/views/orders.py b/src/pretix/control/views/orders.py index 6b97bbc1ed..71a0c998cd 100644 --- a/src/pretix/control/views/orders.py +++ b/src/pretix/control/views/orders.py @@ -172,6 +172,26 @@ class OrderSearch(OrderSearchMixin, EventPermissionRequiredMixin, TemplateView): ctx['forms'] = self.get_forms() return ctx + def post(self, request, *args, **kwargs): + all_valid = True + for f in self.get_forms(): + if not f.is_valid(): + all_valid = False + + if all_valid: + data = request.POST.copy() + data.pop('csrfmiddlewaretoken', None) + return redirect(reverse( + "control:event.orders", + kwargs={ + "event": request.event.slug, + "organizer": request.event.organizer.slug, + } + ) + '?' + data.urlencode()) + else: + messages.error(request, _("We could not process your input. See below for details.")) + return self.get(request, *args, **kwargs) + class BaseOrderBulkActionView(OrderSearchMixin, EventPermissionRequiredMixin, AsyncFormView): template_name = 'pretixcontrol/orders/bulk_action.html'
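Review bot: The failed-validation branch of the new `post()` re-renders through `self.get()`, whose `get_context_data` (the `ctx['forms'] = self.get_forms()` context line) builds a fresh set of form instances, so the instances whose `is_valid()` was checked in `post()` are discarded and each form is validated twice; the errors will only appear on the page if `get_forms()` also binds the fresh instances to `request.POST`, which is defined outside this hunk. Keeping one set is simpler: call `forms = self.get_forms()` once, use `all_valid = all([f.is_valid() for f in forms])` (a list rather than a generator, so every form is validated and its errors populated), and keep them as `self.forms` for `get_context_data` to reuse. The `data.pop('csrfmiddlewaretoken', None)` line deserves a why-comment, e.g. `# never forward the CSRF token into the redirect URL (it would end up in logs, history and Referer headers)`. Note also that every remaining POST key is forwarded into the query string, not only the forms' declared fields; the path is fixed by `reverse()` so this is not an open redirect, but forwarding only each form's cleaned fields would be tighter. The enclosing class `OrderSearch` continues outside the hunk.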