Fix #4982 -- API: Do not parse decimal input to float (#5012)

src/pretix/api/views/order.py

@@ -452,10 +452,9 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
         comment = request.data.get('comment', None)
         cancellation_fee = request.data.get('cancellation_fee', None)
         if cancellation_fee:
-            try:
-                cancellation_fee = float(Decimal(cancellation_fee))
-            except:
-                cancellation_fee = None
+            cancellation_fee = serializers.DecimalField(max_digits=13, decimal_places=2).to_internal_value(
+                cancellation_fee,
+            )
 
         order = self.get_object()
         if not order.cancel_allowed():

src/tests/api/test_orders.py

@@ -1348,6 +1348,26 @@ def test_order_mark_canceled_pending(token_client, organizer, event, order):
         assert order.transactions.count() == 4
 
 
+@pytest.mark.django_db
+def test_order_mark_canceled_pending_fee_with_tax(token_client, organizer, event, order, taxrule):
+    djmail.outbox = []
+    event.settings.tax_rate_default = taxrule
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/{}/mark_canceled/'.format(
+            organizer.slug, event.slug, order.code
+        ), data={
+            'cancellation_fee': '7.00'
+        }
+    )
+    assert resp.status_code == 200
+    assert resp.data['status'] == Order.STATUS_PENDING
+    assert len(djmail.outbox) == 1
+    with scopes_disabled():
+        of = order.fees.get()
+    assert of.value == Decimal("7.00")
+    assert of.tax_rate == taxrule.rate
+
+
 @pytest.mark.django_db
 def test_order_mark_canceled_pending_fee_not_allowed(token_client, organizer, event, order):
     djmail.outbox = []