CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-10 16:04:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Docs, tests and fixes for teams api

Browse Source
This commit is contained in:
Raphael Michel
2026-01-09 14:34:28 +01:00
parent a2a4c8a955
commit 18328d305d
5 changed files with 265 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
doc/api/resources/teams.rst
View File

@@ -24,21 +24,58 @@ all_events boolean Whether this te
limit_events list List of event slugs this team has access to limit_events list List of event slugs this team has access to
require_2fa boolean Whether members of this team are required to use require_2fa boolean Whether members of this team are required to use
two-factor authentication two-factor authentication
can_create_events boolean all_event_permissions bool Whether members of this team are granted all event-level
can_change_teams boolean permissions, including future additions
can_change_organizer_settings boolean limit_event_permissions list of strings The event-level permissions team members are granted
can_manage_customers boolean all_organizer_permissions bool Whether members of this team are granted all organizer-level
can_manage_reusable_media boolean permissions, including future additions
can_manage_gift_cards boolean all_organizer_permissions list of strings The organizer-level permissions team members are granted
can_change_event_settings boolean can_create_events boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_items boolean can_change_teams boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_view_orders boolean can_change_organizer_settings boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_orders boolean can_manage_customers boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_view_vouchers boolean can_manage_reusable_media boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_change_vouchers boolean can_manage_gift_cards boolean **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
can_checkin_orders boolean can_change_event_settings boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_items boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_view_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_view_vouchers boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_change_vouchers boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
can_checkin_orders boolean **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
===================================== ========================== ======================================================= ===================================== ========================== =======================================================
Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
organizer.events:create
organizer.settings.general:write
organizer.teams:write
organizer.giftcards:read
organizer.giftcards:write
organizer.customers:read
organizer.customers:write
organizer.reusablemedia:read
organizer.reusablemedia:write
organizer.devices:read
organizer.devices:write
Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
event.settings.general:write
event.settings.payment:write
event.settings.plugins:write
event.settings.email.sender:write
event.settings.tax:write
event.settings.invoicing:write
event.subevents:write
event.items:write
event.orders:read
event.orders:write
event.orders:checkin
event.vouchers:read
event.vouchers:write
event:cancel
Team member resource Team member resource
-------------------- --------------------
@@ -121,6 +158,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -159,6 +200,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -187,7 +232,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"can_create_events": true, "all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
... ...
} }
@@ -205,6 +253,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": true,
"limit_organizer_permissions": [],
"can_create_events": true, "can_create_events": true,
... ...
} }
@@ -232,7 +284,8 @@ Team endpoints
Content-Length: 94 Content-Length: 94
{ {
"can_create_events": true "all_organizer_permissions": false,
"limit_organizer_permissions": ["organizer.events:create"]
} }
**Example response**: **Example response**:
@@ -249,6 +302,10 @@ Team endpoints
"all_events": true, "all_events": true,
"limit_events": [], "limit_events": [],
"require_2fa": true, "require_2fa": true,
"all_event_permissions": true,
"limit_event_permissions": [],
"all_organizer_permissions": false,
"limit_organizer_permissions": ["organizer.events:create"],
"can_create_events": true, "can_create_events": true,
... ...
} }

53
src/pretix/api/serializers/organizer.py
View File

@@ -316,7 +316,7 @@ class EventSlugField(serializers.SlugRelatedField):
class PermissionMultipleChoiceField(serializers.MultipleChoiceField): class PermissionMultipleChoiceField(serializers.MultipleChoiceField):
def to_internal_value(self, data): def to_internal_value(self, data):
return { return {
p: True for p in data p: True for p in super().to_internal_value(data)
} }
def to_representation(self, value): def to_representation(self, value):
@@ -328,11 +328,29 @@ class TeamSerializer(serializers.ModelSerializer):
limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True) limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True) limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
# Legacy fields, handled in to_representation and validate
can_change_event_settings = serializers.BooleanField(required=False, write_only=True)
can_change_items = serializers.BooleanField(required=False, write_only=True)
can_view_orders = serializers.BooleanField(required=False, write_only=True)
can_change_orders = serializers.BooleanField(required=False, write_only=True)
can_checkin_orders = serializers.BooleanField(required=False, write_only=True)
can_view_vouchers = serializers.BooleanField(required=False, write_only=True)
can_change_vouchers = serializers.BooleanField(required=False, write_only=True)
can_create_events = serializers.BooleanField(required=False, write_only=True)
can_change_organizer_settings = serializers.BooleanField(required=False, write_only=True)
can_change_teams = serializers.BooleanField(required=False, write_only=True)
can_manage_gift_cards = serializers.BooleanField(required=False, write_only=True)
can_manage_customers = serializers.BooleanField(required=False, write_only=True)
can_manage_reusable_media = serializers.BooleanField(required=False, write_only=True)
class Meta: class Meta:
model = Team model = Team
fields = ( fields = (
'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions', 'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions',
'all_organizer_permissions', 'limit_organizer_permissions', 'all_organizer_permissions', 'limit_organizer_permissions', 'can_change_event_settings',
'can_change_items', 'can_view_orders', 'can_change_orders', 'can_checkin_orders', 'can_view_vouchers',
'can_change_vouchers', 'can_create_events', 'can_change_organizer_settings', 'can_change_teams',
'can_manage_gift_cards', 'can_manage_customers', 'can_manage_reusable_media'
) )
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
@@ -356,35 +374,36 @@ class TeamSerializer(serializers.ModelSerializer):
if old_data_set and new_data_set: if old_data_set and new_data_set:
raise ValidationError("You cannot set deprecated and current permission attributes at the same time.") raise ValidationError("You cannot set deprecated and current permission attributes at the same time.")
full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
full_data.update(data)
if new_data_set: if new_data_set:
if data.get('limit_event_permissions') and data.get('all_event_permissions'): if full_data.get('limit_event_permissions') and full_data.get('all_event_permissions'):
raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.') raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.')
if data.get('limit_organizer_permissions') and data.get('all_organizer_permissions'): if full_data.get('limit_organizer_permissions') and full_data.get('all_organizer_permissions'):
raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.') raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.')
if old_data_set: if old_data_set:
# Migrate with same logic as in migration 0297_plugable_permissions # Migrate with same logic as in migration 0297_plugable_permissions
if all(data.get("k") is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"): if all(full_data.get(k) is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
data["all_event_permissions"] = True data["all_event_permissions"] = True
data["limit_event_permissions"] = [] data["limit_event_permissions"] = {}
else: else:
data["all_event_permissions"] = False data["all_event_permissions"] = False
data["limit_event_permissions"] = [] data["limit_event_permissions"] = {}
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items(): for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
if data.get(k) is True: if full_data.get(k) is True:
data["limit_event_permissions"].extend(v) data["limit_event_permissions"].update({kk: True for kk in v})
if all(data.get("k") is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"): if all(full_data.get(k) is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"):
data["all_organizer_permissions"] = True data["all_organizer_permissions"] = True
data["limit_organizer_permissions"] = [] data["limit_organizer_permissions"] = {}
else: else:
data["all_organizer_permissions"] = False data["all_organizer_permissions"] = False
data["limit_organizer_permissions"] = [] data["limit_organizer_permissions"] = {}
for k, v in OLD_TO_NEW_EVENT_MIGRATION.items(): for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
if data.get(k) is True: if full_data.get(k) is True:
data["limit_organizer_permissions"].extend(v) data["limit_organizer_permissions"].update({kk: True for kk in v})
full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
full_data.update(data)
if full_data.get('limit_events') and full_data.get('all_events'): if full_data.get('limit_events') and full_data.get('all_events'):
raise ValidationError('Do not set both limit_events and all_events.') raise ValidationError('Do not set both limit_events and all_events.')
return data return data

2
src/pretix/helpers/permission_migration.py
View File

@@ -30,7 +30,7 @@ OLD_TO_NEW_EVENT_MIGRATION = {
"event.settings.payment:write", "event.settings.payment:write",
"event.settings.plugins:write", "event.settings.plugins:write",
"event.settings.email.sender:write", "event.settings.email.sender:write",
"event.settings.tax:write" "event.settings.tax:write",
"event.settings.invoicing:write", "event.settings.invoicing:write",
"event.subevents:write", "event.subevents:write",
], ],

2
src/tests/api/conftest.py
View File

@@ -131,6 +131,7 @@ def user():
@pytest.fixture @pytest.fixture
@scopes_disabled() @scopes_disabled()
def user_client(client, team, user): def user_client(client, team, user):
if not team.all_event_permissions:
team.limit_event_permissions["event.orders:read"] = True team.limit_event_permissions["event.orders:read"] = True
team.limit_event_permissions["event.vouchers:read"] = True team.limit_event_permissions["event.vouchers:read"] = True
team.all_events = True team.all_events = True
@@ -143,6 +144,7 @@ def user_client(client, team, user):
@pytest.fixture @pytest.fixture
@scopes_disabled() @scopes_disabled()
def token_client(client, team): def token_client(client, team):
if not team.all_event_permissions:
team.limit_event_permissions["event.orders:read"] = True team.limit_event_permissions["event.orders:read"] = True
team.limit_event_permissions["event.vouchers:read"] = True team.limit_event_permissions["event.vouchers:read"] = True
team.all_events = True team.all_events = True

155
src/tests/api/test_teams.py
View File

@@ -31,6 +31,7 @@ def second_team(organizer, event):
t = organizer.teams.create( t = organizer.teams.create(
name='User team', name='User team',
all_events=False, all_events=False,
limit_event_permissions={"event.orders:read": True},
) )
t.limit_events.add(event) t.limit_events.add(event)
return t return t
@@ -41,8 +42,10 @@ TEST_TEAM_RES = {
'can_change_teams': True, 'can_change_organizer_settings': True, 'can_manage_gift_cards': True, 'can_change_teams': True, 'can_change_organizer_settings': True, 'can_manage_gift_cards': True,
'can_manage_customers': True, 'can_manage_reusable_media': True, 'can_manage_customers': True, 'can_manage_reusable_media': True,
'can_change_event_settings': True, 'can_change_items': True, 'can_view_orders': True, 'can_change_orders': True, 'can_change_event_settings': True, 'can_change_items': True, 'can_view_orders': True, 'can_change_orders': True,
'can_view_vouchers': True, 'can_change_vouchers': True, 'can_checkin_orders': False, 'can_view_vouchers': True, 'can_change_vouchers': True, 'can_checkin_orders': True,
'require_2fa': False, 'require_2fa': False,
'all_event_permissions': True, 'limit_event_permissions': [],
'all_organizer_permissions': True, 'limit_organizer_permissions': [],
} }
SECOND_TEAM_RES = { SECOND_TEAM_RES = {
@@ -50,9 +53,11 @@ SECOND_TEAM_RES = {
'can_create_events': False, 'can_create_events': False,
'can_manage_customers': False, 'can_manage_reusable_media': False, 'can_manage_customers': False, 'can_manage_reusable_media': False,
'can_change_teams': False, 'can_change_organizer_settings': False, 'can_manage_gift_cards': False, 'can_change_teams': False, 'can_change_organizer_settings': False, 'can_manage_gift_cards': False,
'can_change_event_settings': False, 'can_change_items': False, 'can_view_orders': False, 'can_change_orders': False, 'can_change_event_settings': False, 'can_change_items': False, 'can_view_orders': True, 'can_change_orders': False,
'can_view_vouchers': False, 'can_change_vouchers': False, 'can_checkin_orders': False, 'can_view_vouchers': False, 'can_change_vouchers': False, 'can_checkin_orders': False,
'require_2fa': False, 'require_2fa': False,
'all_event_permissions': False, 'limit_event_permissions': ["event.orders:read"],
'all_organizer_permissions': False, 'limit_organizer_permissions': [],
} }
@@ -95,8 +100,68 @@ def test_team_create(token_client, organizer, event):
@pytest.mark.django_db @pytest.mark.django_db
def test_team_update(token_client, organizer, event, second_team): def test_team_update(token_client, organizer, event, team, second_team):
assert not second_team.can_change_event_settings resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'all_event_permission': False,
'limit_event_permissions': ["event.settings.general:write"],
},
format='json'
)
assert resp.status_code == 200
second_team.refresh_from_db()
assert second_team.limit_event_permissions == {
'event.settings.general:write': True,
}
assert not second_team.all_event_permissions
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'all_event_permission': False,
'limit_event_permissions': ["INVALID"],
},
format='json'
)
assert resp.status_code == 400
assert "invalid" in str(resp.data)
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, team.pk),
{
'limit_event_permissions': ["event.settings.general:write"],
},
format='json'
)
assert resp.status_code == 400
assert "Do not set both" in str(resp.data)
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'all_organizer_permissions': True,
'limit_organizer_permissions': ["organizer.events:create"],
},
format='json'
)
assert resp.status_code == 400
assert "Do not set both" in str(resp.data)
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'all_events': True,
},
format='json'
)
assert resp.status_code == 400
assert "Do not set both" in str(resp.data)
@pytest.mark.django_db
@pytest.mark.filterwarnings("ignore")
def test_team_update_legacy_add_perm(token_client, organizer, event, second_team):
resp = token_client.patch( resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk), '/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{ {
@@ -107,15 +172,95 @@ def test_team_update(token_client, organizer, event, second_team):
assert resp.status_code == 200 assert resp.status_code == 200
second_team.refresh_from_db() second_team.refresh_from_db()
assert second_team.can_change_event_settings assert second_team.can_change_event_settings
assert second_team.limit_event_permissions == {
"event.settings.general:write": True,
"event.settings.payment:write": True,
"event.settings.plugins:write": True,
"event.settings.email.sender:write": True,
"event.settings.tax:write": True,
"event.settings.invoicing:write": True,
"event.subevents:write": True,
"event.orders:read": True,
}
@pytest.mark.django_db
@pytest.mark.filterwarnings("ignore")
def test_team_update_legacy_add_all_perms(token_client, organizer, event, second_team):
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'can_change_event_settings': True,
'can_change_items': True,
# can_view_orders omitted because already set
'can_change_orders': True,
'can_checkin_orders': True,
'can_view_vouchers': True,
'can_change_vouchers': True,
},
format='json'
)
assert resp.status_code == 200
second_team.refresh_from_db()
assert second_team.all_event_permissions
assert second_team.limit_event_permissions == {}
resp = token_client.patch( resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk), '/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{ {
'all_events': True, 'can_create_events': True,
'can_change_organizer_settings': True,
'can_change_teams': True,
'can_manage_gift_cards': True,
'can_manage_customers': True,
'can_manage_reusable_media': True,
},
format='json'
)
assert resp.status_code == 200
second_team.refresh_from_db()
assert second_team.all_organizer_permissions
assert second_team.limit_organizer_permissions == {}
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'can_change_teams': False,
},
format='json'
)
assert resp.status_code == 200
second_team.refresh_from_db()
assert not second_team.all_organizer_permissions
assert second_team.limit_organizer_permissions == {
'organizer.settings.general:write': True,
'organizer.giftcards:read': True,
'organizer.giftcards:write': True,
'organizer.events:create': True,
'organizer.customers:read': True,
'organizer.customers:write': True,
'organizer.reusablemedia:read': True,
'organizer.reusablemedia:write': True,
'organizer.devices:read': True,
'organizer.devices:write': True,
}
assert resp.data["can_manage_customers"] is True
assert resp.data["can_change_teams"] is False
@pytest.mark.django_db
@pytest.mark.filterwarnings("ignore")
def test_team_update_legacy_and_new(token_client, organizer, event, second_team):
resp = token_client.patch(
'/api/v1/organizers/{}/teams/{}/'.format(organizer.slug, second_team.pk),
{
'can_change_event_settings': True,
'all_organizer_permissions': True,
}, },
format='json' format='json'
) )
assert resp.status_code == 400 assert resp.status_code == 400
assert "You cannot set deprecated and current permission attributes" in str(resp.data)
@pytest.mark.django_db @pytest.mark.django_db