Pin sessions to the user agent in use

src/pretix/api/auth/permission.py

@@ -1,12 +1,11 @@
-import time
-
-from django.conf import settings
-from django.contrib.auth import logout
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.base.models import Event
 from pretix.base.models.organizer import Organizer, TeamAPIToken
+from pretix.helpers.security import (
+    SessionInvalid, SessionReauthRequired, assert_session_valid,
+)
 
 
 class EventPermission(BasePermission):
@@ -24,16 +23,13 @@ class EventPermission(BasePermission):
             required_permission = None
 
         if request.user.is_authenticated:
-            # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
-            if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
-                last_used = request.session.get('pretix_auth_last_used', time.time())
-                if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
-                    logout(request)
-                    request.session['pretix_auth_login_time'] = 0
-                    return False
-                if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
-                    return False
-                request.session['pretix_auth_last_used'] = int(time.time())
+            try:
+                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+                assert_session_valid(request)
+            except SessionInvalid:
+                return False
+            except SessionReauthRequired:
+                return False
 
         perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
                        else request.user)