PayPal: Event-independent webhooks

src/pretix/plugins/paypal/migrations/0001_initial.py

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.3 on 2017-07-23 10:24
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('pretixbase', '0070_auto_20170719_0910'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ReferencedPayPalObject',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('reference', models.CharField(db_index=True, max_length=190, unique=True)),
+                ('order', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixbase.Order')),
+            ],
+        ),
+    ]

src/pretix/plugins/paypal/models.py

@@ -0,0 +1,6 @@
+from django.db import models
+
+
+class ReferencedPayPalObject(models.Model):
+    reference = models.CharField(max_length=190, db_index=True, unique=True)
+    order = models.ForeignKey('pretixbase.Order')

src/pretix/plugins/paypal/payment.py

@@ -12,7 +12,9 @@ from pretix.base.models import Order, Quota, RequiredAction
 from pretix.base.payment import BasePaymentProvider, PaymentException
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.orders import mark_order_paid, mark_order_refunded
+from pretix.helpers.urls import build_absolute_uri as build_global_uri
 from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.plugins.paypal.models import ReferencedPayPalObject
 
 logger = logging.getLogger('pretix.plugins.paypal')
 
@@ -55,7 +57,7 @@ class Paypal(BasePaymentProvider):
         return "<div class='alert alert-info'>%s<br /><code>%s</code></div>" % (
             _('Please configure a PayPal Webhook to the following endpoint in order to automatically cancel orders '
               'when payments are refunded externally.'),
-            build_absolute_uri(self.event, 'plugins:paypal:webhook')
+            build_global_uri('plugins:paypal:webhook')
         )
 
     def init_api(self):
@@ -154,6 +156,7 @@ class Paypal(BasePaymentProvider):
 
         self.init_api()
         payment = paypalrestsdk.Payment.find(request.session.get('payment_paypal_id'))
+        ReferencedPayPalObject.objects.get_or_create(order=order, reference=payment.id)
         if str(payment.transactions[0].amount.total) != str(order.total) or payment.transactions[0].amount.currency != \
                 self.event.currency:
             logger.error('Value mismatch: Order %s vs payment %s' % (order.id, str(payment)))

src/pretix/plugins/paypal/urls.py

@@ -1,12 +1,12 @@
 from django.conf.urls import include, url
 
-from .views import abort, refund, success, webhook
+from .views import abort, event_webbook, refund, success, webhook
 
 event_patterns = [
     url(r'^paypal/', include([
         url(r'^abort/$', abort, name='abort'),
         url(r'^return/$', success, name='return'),
-        url(r'^webhook/$', webhook, name='webhook'),
+        url(r'^webhook/$', event_webbook, name='webhook'),
     ])),
 ]
 
@@ -14,4 +14,5 @@ event_patterns = [
 urlpatterns = [
     url(r'^control/event/(?P<organizer>[^/]+)/(?P<event>[^/]+)/paypal/refund/(?P<id>\d+)/',
         refund, name='refund'),
+    url(r'^_paypal/webhook/$', webhook, name='webhook'),
 ]

src/pretix/plugins/paypal/views.py

@@ -16,6 +16,7 @@ from pretix.base.services.orders import mark_order_paid, mark_order_refunded
 from pretix.control.permissions import event_permission_required
 from pretix.multidomain.urlreverse import eventreverse
 from pretix.plugins.paypal.payment import Paypal
+from pretix.plugins.stripe.models import ReferencedStripeObject
 from pretix.presale.utils import event_view
 
 logger = logging.getLogger('pretix.plugins.paypal')
@@ -74,28 +75,44 @@ def abort(request, *args, **kwargs):
 
 @csrf_exempt
 @require_POST
-@event_view(require_live=False)
 def webhook(request, *args, **kwargs):
     event_body = request.body.decode('utf-8').strip()
     event_json = json.loads(event_body)
 
-    prov = Paypal(request.event)
-    prov.init_api()
-
     # We do not check the signature, we just use it as a trigger to look the charge up.
     if event_json['resource_type'] not in ('sale', 'refund'):
         return HttpResponse("Not interested in this resource type", status=200)
 
+    if event_json['resource_type'] == 'sale':
+        saleid = event_json['resource']['id']
+    else:
+        saleid = event_json['resource']['sale_id']
+
     try:
-        if event_json['resource_type'] == 'sale':
-            sale = paypalrestsdk.Sale.find(event_json['resource']['id'])
+        refs = [saleid]
+        if event_json['resource'].get('parent_payment'):
+            refs.append(event_json['resource'].get('parent_payment'))
+
+        rso = ReferencedStripeObject.objects.select_related('order', 'order__event').get(
+            reference__in=refs
+        )
+        event = rso.order.event
+    except ReferencedStripeObject.DoesNotExist:
+        if hasattr(request, 'event'):
+            event = request.event
         else:
-            sale = paypalrestsdk.Sale.find(event_json['resource']['sale_id'])
+            return HttpResponse("Unable to detect event", status=200)
+
+    prov = Paypal(event)
+    prov.init_api()
+
+    try:
+        sale = paypalrestsdk.Sale.find(saleid)
     except:
         logger.exception('PayPal error on webhook. Event data: %s' % str(event_json))
         return HttpResponse('Sale not found', status=500)
 
-    orders = Order.objects.filter(event=request.event, payment_provider='paypal',
+    orders = Order.objects.filter(event=event, payment_provider='paypal',
                                   payment_info__icontains=sale['id'])
     order = None
     for o in orders:
@@ -113,7 +130,7 @@ def webhook(request, *args, **kwargs):
 
     if order.status == Order.STATUS_PAID and sale['state'] in ('partially_refunded', 'refunded'):
         RequiredAction.objects.create(
-            event=request.event, action_type='pretix.plugins.paypal.refund', data=json.dumps({
+            event=event, action_type='pretix.plugins.paypal.refund', data=json.dumps({
                 'order': order.code,
                 'sale': sale['id']
             })
@@ -122,10 +139,10 @@ def webhook(request, *args, **kwargs):
         try:
             mark_order_paid(order, user=None)
         except Quota.QuotaExceededException:
-            if not RequiredAction.objects.filter(event=request.event, action_type='pretix.plugins.paypal.overpaid',
+            if not RequiredAction.objects.filter(event=event, action_type='pretix.plugins.paypal.overpaid',
                                                  data__icontains=order.code).exists():
                 RequiredAction.objects.create(
-                    event=request.event, action_type='pretix.plugins.paypal.overpaid', data=json.dumps({
+                    event=event, action_type='pretix.plugins.paypal.overpaid', data=json.dumps({
                         'order': order.code,
                         'payment': sale['parent_payment']
                     })
@@ -134,6 +151,9 @@ def webhook(request, *args, **kwargs):
     return HttpResponse(status=200)
 
 
+event_webbook = csrf_exempt(event_view(require_live=False)(webhook))
+
+
 @event_permission_required('can_view_orders')
 @require_POST
 def refund(request, **kwargs):

src/tests/plugins/paypal/test_webhook.py

@@ -8,6 +8,7 @@ from django.utils.timezone import now
 from pretix.base.models import (
     Event, Order, Organizer, RequiredAction, Team, User,
 )
+from pretix.plugins.stripe.models import ReferencedStripeObject
 
 
 @pytest.fixture
@@ -185,6 +186,46 @@ def test_webhook_all_good(env, client, monkeypatch):
     assert order.status == Order.STATUS_PAID
 
 
+@pytest.mark.django_db
+def test_webhook_global(env, client, monkeypatch):
+    order = env[1]
+    order.status = Order.STATUS_PENDING
+    order.save()
+
+    charge = get_test_charge(env[1])
+    monkeypatch.setattr("paypalrestsdk.Sale.find", lambda *args: charge)
+    monkeypatch.setattr("pretix.plugins.paypal.payment.Paypal.init_api", lambda *args: None)
+    ReferencedStripeObject.objects.create(order=order, reference="PAY-5YK922393D847794YKER7MUI")
+
+    client.post('/_paypal/webhook/', json.dumps(
+        {
+            "id": "WH-2WR32451HC0233532-67976317FL4543714",
+            "create_time": "2014-10-23T17:23:52Z",
+            "resource_type": "sale",
+            "event_type": "PAYMENT.SALE.COMPLETED",
+            "summary": "A successful sale payment was made for $ 0.48 USD",
+            "resource": {
+                "amount": {
+                    "total": "-0.01",
+                    "currency": "USD"
+                },
+                "id": "36C38912MN9658832",
+                "parent_payment": "PAY-5YK922393D847794YKER7MUI",
+                "update_time": "2014-10-31T15:41:51Z",
+                "state": "completed",
+                "create_time": "2014-10-31T15:41:51Z",
+                "links": [],
+                "sale_id": "9T0916710M1105906"
+            },
+            "links": [],
+            "event_version": "1.0"
+        }
+    ), content_type='application_json')
+
+    order.refresh_from_db()
+    assert order.status == Order.STATUS_PAID
+
+
 @pytest.mark.django_db
 def test_webhook_mark_paid(env, client, monkeypatch):
     order = env[1]

src/tests/plugins/stripe/test_webhook.py

@@ -219,7 +219,7 @@ def test_webhook_partial_refund(env, client, monkeypatch):
 
 
 @pytest.mark.django_db
-def test_webhook_organizer_level(env, client, monkeypatch):
+def test_webhook_global(env, client, monkeypatch):
     order = env[1]
     order.status = Order.STATUS_PENDING
     order.save()