From 55f3bb3c1db05224e9b51a2446a81dfb7a4fec9f Mon Sep 17 00:00:00 2001
From: Lukas Bockstaller
Date: Wed, 15 Apr 2026 15:20:51 +0200
Subject: [PATCH] include review
---
 src/pretix/api/serializers/media.py | 18 +++++++++---------
 src/pretix/api/serializers/organizer.py | 5 ++---
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/pretix/api/serializers/media.py b/src/pretix/api/serializers/media.py
index 82cb6b43c4..d759f14684 100644
--- a/src/pretix/api/serializers/media.py
+++ b/src/pretix/api/serializers/media.py
@@ -31,7 +31,9 @@ from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.serializers.organizer import (
 CustomerSerializer, GiftCardSerializer,
 )
-from pretix.base.models import Order, OrderPosition, ReusableMedium
+from pretix.base.models import (
+ Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
+)
 logger = logging.getLogger(__name__)
@@ -120,21 +122,19 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
 r = super().to_representation(instance)
 request = self.context.get('request')
 # late permission evaluations for checks that depend on the actual linked events
- if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
+ expand_nested = self.context['request'].query_params.getlist('expand')
+ perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+ if 'linked_orderposition' in expand_nested:
 if instance.linked_orderposition is not None:
 event = instance.linked_orderposition.order.event
- if not (
- request.user if request.user and request.user.is_authenticated else request.auth
- ).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
+ if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
 r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
- if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
+ if 'linked_giftcard.owner_ticket' in expand_nested:
 gc = instance.linked_giftcard
 if gc is not None and gc.owner_ticket is not None:
 event = gc.owner_ticket.order.event
- if not (
- request.user if request.user and request.user.is_authenticated else request.auth
- ).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
+ if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
 r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
 return r
diff --git a/src/pretix/api/serializers/organizer.py b/src/pretix/api/serializers/organizer.py
index 068cfa9ea1..47c141aeef 100644
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
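Review bot: Keep the keyword arguments on the two `perm_holder.has_event_permission(...)` calls in media.py's `to_representation`, and on the matching call in the organizer.py hunk. `perm_holder` can be a `Device`, a `TeamAPIToken` or the request user, so a positional call authorizes correctly only if all three implementations declare `organizer`, `event`, `perm_name` and `request` in the same order, which this diff does not show. Writing `perm_holder.has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request)` turns a signature mismatch into an error rather than a check against the wrong argument. Separately, `expand_nested` reads `self.context['request']` although `request` is bound one line above; `expand_nested = request.query_params.getlist('expand')` would be consistent. The method's signature lies above the hunk.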
@@ -294,9 +294,8 @@ class GiftCardSerializer(I18nAwareModelSerializer):
 owner_ticket = instance.owner_ticket
 if owner_ticket:
 event = owner_ticket.order.event
- if not (
- request.user if request.user and request.user.is_authenticated else request.auth
- ).has_event_permission(organizer=event.organizer, event=event, perm_name='event.orders:read', request=request):
+ perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+ if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
 r['owner_ticket'] = {'id': instance.owner_ticket.id}
 return r
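Review bot: `Device` and `TeamAPIToken` are referenced on the new `perm_holder` line, but this is the only hunk for organizer.py, so the commit adds no import for them here. If the module does not already import both names, the `if owner_ticket:` branch raises `NameError` the first time it runs; please confirm against the file's import block. The same principal-selection expression is also written out in `ReusableMediaSerializer.to_representation` in media.py, so a single shared helper would keep the choice of who authorizes `event.orders:read` in one place. The enclosing method starts above the hunk.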