API: Add RPC-style check-in endpoints to support multi-event scan (#2719)

src/pretix/api/serializers/checkin.py

@@ -26,7 +26,7 @@ from rest_framework.exceptions import ValidationError
 from pretix.api.serializers.event import SubEventSerializer
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
-from pretix.base.models import CheckinList
+from pretix.base.models import Checkin, CheckinList
 
 
 class CheckinListSerializer(I18nAwareModelSerializer):
@@ -78,3 +78,31 @@ class CheckinListSerializer(I18nAwareModelSerializer):
         CheckinList.validate_rules(data.get('rules'))
 
         return data
+
+
+class CheckinRPCRedeemInputSerializer(serializers.Serializer):
+    lists = serializers.PrimaryKeyRelatedField(required=True, many=True, queryset=CheckinList.objects.none())
+    secret = serializers.CharField(required=True, allow_null=False)
+    force = serializers.BooleanField(default=False, required=False)
+    type = serializers.ChoiceField(choices=Checkin.CHECKIN_TYPES, default=Checkin.TYPE_ENTRY)
+    ignore_unpaid = serializers.BooleanField(default=False, required=False)
+    questions_supported = serializers.BooleanField(default=True, required=False)
+    nonce = serializers.CharField(required=False, allow_null=True)
+    datetime = serializers.DateTimeField(required=False, allow_null=True)
+    answers = serializers.JSONField(required=False, allow_null=True)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['lists'].child_relation.queryset = CheckinList.objects.filter(event__in=self.context['events']).select_related('event')
+
+
+class MiniCheckinListSerializer(I18nAwareModelSerializer):
+    event = serializers.SlugRelatedField(slug_field='slug', read_only=True)
+    subevent = serializers.PrimaryKeyRelatedField(read_only=True)
+
+    class Meta:
+        model = CheckinList
+        fields = ('id', 'name', 'event', 'subevent', 'include_pending')
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)

src/pretix/api/serializers/item.py

@@ -184,8 +184,9 @@ class ItemSerializer(I18nAwareModelSerializer):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.fields['require_membership_types'].queryset = self.context['event'].organizer.membership_types.all()
-        self.fields['grant_membership_type'].queryset = self.context['event'].organizer.membership_types.all()
+        if not self.read_only:
+            self.fields['require_membership_types'].queryset = self.context['event'].organizer.membership_types.all()
+            self.fields['grant_membership_type'].queryset = self.context['event'].organizer.membership_types.all()
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/order.py

@@ -341,10 +341,10 @@ class PdfDataSerializer(serializers.Field):
             # we serialize a list.
 
             if 'vars' not in self.context:
-                self.context['vars'] = get_variables(self.context['request'].event)
+                self.context['vars'] = get_variables(self.context['event'])
 
             if 'vars_images' not in self.context:
-                self.context['vars_images'] = get_images(self.context['request'].event)
+                self.context['vars_images'] = get_images(self.context['event'])
 
             for k, f in self.context['vars'].items():
                 try:
@@ -422,7 +422,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         request = self.context.get('request')
-        if request and (not request.query_params.get('pdf_data', 'false') == 'true' or 'can_view_orders' not in request.eventpermset):
+        pdf_data_allowed = (
+            # We check this based on permission if we are on /events/…/orders/ or /events/…/orderpositions/ or
+            # /events/…/checkinlists/…/positions/
+            # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
+            # layer to not set pdf_data=true in the first place.
+            request and hasattr(request, 'event') and 'can_view_orders' not in request.eventpermset
+        )
+        if not self.context.get('pdf_data') or pdf_data_allowed:
             self.fields.pop('pdf_data', None)
 
     def validate(self, data):
@@ -481,13 +488,13 @@ class CheckinListOrderPositionSerializer(OrderPositionSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        if 'subevent' in self.context['request'].query_params.getlist('expand'):
+        if 'subevent' in self.context['expand']:
             self.fields['subevent'] = SubEventSerializer(read_only=True)
 
-        if 'item' in self.context['request'].query_params.getlist('expand'):
+        if 'item' in self.context['expand']:
             self.fields['item'] = ItemSerializer(read_only=True, context=self.context)
 
-        if 'variation' in self.context['request'].query_params.getlist('expand'):
+        if 'variation' in self.context['expand']:
             self.fields['variation'] = InlineItemVariationSerializer(read_only=True)
 
 
@@ -590,10 +597,10 @@ class OrderSerializer(I18nAwareModelSerializer):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
+        if not self.context['pdf_data']:
             self.fields['positions'].child.fields.pop('pdf_data', None)
 
-        for exclude_field in self.context['request'].query_params.getlist('exclude'):
+        for exclude_field in self.context['exclude']:
             p = exclude_field.split('.')
             if p[0] in self.fields:
                 if len(p) == 1: