From 0e900b74d7d95ce4318b62f517080d93c3c8401e Mon Sep 17 00:00:00 2001
From: Richard Schreiber
Date: Sun, 13 Feb 2022 20:24:53 +0100
Subject: [PATCH] Fix #2434 -- Disallow manually setting SecretKeySettingsField to ***** (#2436)
---
 src/pretix/base/forms/__init__.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/pretix/base/forms/__init__.py b/src/pretix/base/forms/__init__.py
index 1723060f91..429c75e381 100644
--- a/src/pretix/base/forms/__init__.py
+++ b/src/pretix/base/forms/__init__.py
@@ -38,6 +38,7 @@ import i18nfield.forms
 from django import forms
 from django.forms.models import ModelFormMetaclass
 from django.utils.crypto import get_random_string
+from django.utils.translation import gettext_lazy as _
 from formtools.wizard.views import SessionWizardView
 from hierarkey.forms import HierarkeyForm
@@ -128,6 +129,12 @@ class SettingsForm(i18nfield.forms.I18nFormMixin, HierarkeyForm):
 # at all, it will be considered a changed value and stored. We do not want that, as it makes it very hard to add
 # languages to an organizer/event later on. So we trick it and make sure nothing gets changed in that situation.
 for name, field in self.fields.items():
+ if isinstance(field, SecretKeySettingsField) and d.get(name) == SECRET_REDACTED and not self.initial.get(name):
+ self.add_error(
+ name,
+ _('Due to technical reasons you cannot set inputs, that need to be masked (e.g. passwords), to %(value)s.') % {'value': SECRET_REDACTED}
+ )
+
 if isinstance(field, i18nfield.forms.I18nFormField):
 value = d.get(name)
 if not value:
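Review bot: The new guard on `SecretKeySettingsField` rejects `SECRET_REDACTED` only when `self.initial.get(name)` is empty, and nothing in the hunk explains why the placeholder is acceptable once a value is stored, so a later cleanup could drop the `initial` condition without noticing what it protects. A comment above the `if` such as `# SECRET_REDACTED is the in-band placeholder shown for a stored secret; with nothing stored, reject it rather than save the mask as the secret` would record the intent. That reading of the placeholder is inferred from the constant's name and the commit subject, so confirm it against the field's own handling. The diffstat lists a single changed file, so the fix ships without a regression test; a form test that submits the placeholder to an empty secret field and asserts the field error would pin the behaviour. The enclosing method and the definition of `d` lie outside the hunk.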