CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-03 14:54:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

[SECURITY] Add untrusted_input flag to ticket redemption API

Browse Source
This commit is contained in:
Raphael Michel
2022-07-04 18:10:18 +02:00
parent 3c0ba3c8e8
commit 39f7bfe16f
4 changed files with 61 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
src/tests/api/test_checkin.py
View File

@@ -1199,7 +1199,6 @@ def test_redeem_unknown_legacy_device_bug(device, device_client, organizer, clis
), {
'force': True
}, format='json')
print(resp.data)
assert resp.status_code == 400
assert resp.data["status"] == "error"
assert resp.data["reason"] == "already_redeemed"
@@ -1219,3 +1218,43 @@ def test_redeem_unknown_legacy_device_bug(device, device_client, organizer, clis
assert resp.data["reason"] == "invalid"
with scopes_disabled():
assert not Checkin.objects.last()
@pytest.mark.django_db
def test_redeem_by_id_not_allowed_if_pretixscan(device, device_client, organizer, clist, event, order):
with scopes_disabled():
p = order.positions.first()
device.software_brand = "pretixSCAN"
device.software_version = "1.14.2"
device.save()
resp = device_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/positions/{}/redeem/'.format(
organizer.slug, event.slug, clist.pk, p.pk
), {
'force': True
}, format='json')
print(resp.data)
assert resp.status_code == 404
resp = device_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/positions/{}/redeem/'.format(
organizer.slug, event.slug, clist.pk, p.secret
), {
'force': True
}, format='json')
assert resp.status_code == 201
@pytest.mark.django_db
def test_redeem_by_id_not_allowed_if_untrusted(device, device_client, organizer, clist, event, order):
with scopes_disabled():
p = order.positions.first()
resp = device_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/positions/{}/redeem/?untrusted_input=true'.format(
organizer.slug, event.slug, clist.pk, p.pk
), {
'force': True
}, format='json')
assert resp.status_code == 404
resp = device_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/positions/{}/redeem/?untrusted_input=true'.format(
organizer.slug, event.slug, clist.pk, p.secret
), {
'force': True
}, format='json')
assert resp.status_code == 201