diff --git a/src/pretix/control/templates/pretixcontrol/orders/index.html b/src/pretix/control/templates/pretixcontrol/orders/index.html index 9beaffc171..d42a710f3f 100644 --- a/src/pretix/control/templates/pretixcontrol/orders/index.html +++ b/src/pretix/control/templates/pretixcontrol/orders/index.html @@ -122,10 +122,12 @@ - + {% if "can_change_orders" in request.eventpermset %} + + {% endif %} - {% if page_obj.paginator.num_pages > 1 %} + {% if page_obj.paginator.num_pages > 1 and "can_change_orders" in request.eventpermset %} - + {% if "can_change_orders" in request.eventpermset %} + + {% endif %}
- - + + {% trans "Order code" %} @@ -152,7 +154,7 @@
- - + + -
-
- - +
- + {% endif %} {% include "pretixcontrol/pagination.html" %} {% endif %} diff --git a/src/pretix/control/templates/pretixcontrol/vouchers/detail.html b/src/pretix/control/templates/pretixcontrol/vouchers/detail.html index 7e3542fab1..626a834d8b 100644 --- a/src/pretix/control/templates/pretixcontrol/vouchers/detail.html +++ b/src/pretix/control/templates/pretixcontrol/vouchers/detail.html @@ -114,10 +114,12 @@ -
- -
+ {% if "can_change_vouchers" in request.eventpermset %} +
+ +
+ {% endif %} {% endblock %} diff --git a/src/pretix/control/templates/pretixcontrol/vouchers/index.html b/src/pretix/control/templates/pretixcontrol/vouchers/index.html index 8a852a6fd4..028fd1672e 100644 --- a/src/pretix/control/templates/pretixcontrol/vouchers/index.html +++ b/src/pretix/control/templates/pretixcontrol/vouchers/index.html @@ -72,18 +72,22 @@ {% endif %}

-
{% trans "Create a new voucher" %} - {% trans "Create multiple new vouchers" %} + {% if "can_change_vouchers" in request.eventpermset %} + {% trans "Create a new voucher" %} + {% trans "Create multiple new vouchers" %} + {% endif %} {% else %}

- {% trans "Create a new voucher" %} - - {% trans "Create multiple new vouchers" %} + {% if "can_change_vouchers" in request.eventpermset %} + {% trans "Create a new voucher" %} + + {% trans "Create multiple new vouchers" %} + {% endif %} {% trans "Download list" %}
@@ -94,13 +98,13 @@ - + + {% endif %} {% for v in vouchers %} - + + {% endif %} {% endif %} {% endfor %}
diff --git a/src/pretix/control/views/vouchers.py b/src/pretix/control/views/vouchers.py
index 0dd3c0e7c9..640dfbe1b3 100644
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -40,7 +40,7 @@ import bleach
from defusedcsv import csv
from django.conf import settings
from django.contrib import messages
-from django.core.exceptions import ValidationError
+from django.core.exceptions import PermissionDenied, ValidationError
from django.db import connection, transaction
from django.db.models import Exists, OuterRef, Sum
from django.http import (
@@ -269,7 +269,7 @@ class VoucherDelete(EventPermissionRequiredMixin, CompatDeleteView):
class VoucherUpdate(EventPermissionRequiredMixin, UpdateView):
model = Voucher
template_name = 'pretixcontrol/vouchers/detail.html'
- permission = 'can_change_vouchers'
+ permission = ('can_change_vouchers', 'can_view_vouchers')
context_object_name = 'voucher'
def form_invalid(self, form):
@@ -283,6 +283,14 @@ class VoucherUpdate(EventPermissionRequiredMixin, UpdateView):
form_class = response
return form_class
+ def get_form(self, form_class=None):
+ form = super().get_form(form_class)
+ if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_change_vouchers',
+ request=self.request):
+ for f in form.fields.values():
+ f.disabled = True
+ return form
+
def get_object(self, queryset=None) -> VoucherForm:
url = resolve(self.request.path_info)
try:
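Review bot: `permission = ('can_change_vouchers', 'can_view_vouchers')` reads like an all-of requirement, but judging by the new `can_view_vouchers` GET row in test_permissions.py the mixin treats the tuple as any-of, which widens who can open this page; a comment would stop the next reader from "tightening" it by mistake: `# Either permission opens the detail page (read-only for viewers); writes are refused in post().` Whether the mixin really means any-of is inferred from the test, not visible here, so confirm against EventPermissionRequiredMixin. The enclosing class continues past this hunk.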
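Review bot: The `can_change_vouchers` check added in `get_form` is the same call repeated verbatim in `post` in this commit, and since `UpdateView.post` builds its form through `get_form`, a POST evaluates it twice; a small helper keeps the two gates from drifting apart when the arguments change. Disabling the fields is only a presentational guard for viewers — the refusal that matters is the `PermissionDenied` in `post` — and the loop should say so, otherwise a later reader may treat the disabled fields as the security control. `get_object` starts at the end of this hunk and continues outside it.
```python
    def _may_change_vouchers(self) -> bool:
        """True when the requesting user holds can_change_vouchers for this event."""
        return self.request.user.has_event_permission(
            self.request.organizer, self.request.event, 'can_change_vouchers', request=self.request
        )

    def get_form(self, form_class=None):
        form = super().get_form(form_class)
        if not self._may_change_vouchers():
            # Read-only rendering for view-only users; the authoritative refusal is the
            # PermissionDenied raised in post(), which should call the same helper.
            for f in form.fields.values():
                f.disabled = True
        return form

    # … unchanged: get_object …
```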
@@ -304,6 +312,9 @@ class VoucherUpdate(EventPermissionRequiredMixin, UpdateView):
@transaction.atomic
def post(self, request, *args, **kwargs):
+ if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers',
+ request=request):
+ raise PermissionDenied()
return super().post(request, *args, **kwargs)
def get_success_url(self) -> str:
diff --git a/src/tests/control/test_permissions.py b/src/tests/control/test_permissions.py
index 710c71ff33..9e6a6f0fb6 100644
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -384,7 +384,8 @@ event_permission_urls = [
("can_change_vouchers", "vouchers/bulk_add", 200, HTTP_GET),
("can_view_vouchers", "vouchers/", 200, HTTP_GET),
("can_view_vouchers", "vouchers/tags/", 200, HTTP_GET),
- ("can_change_vouchers", "vouchers/1234/", 404, HTTP_GET),
+ ("can_view_vouchers", "vouchers/1234/", 404, HTTP_GET),
+ ("can_change_vouchers", "vouchers/1234/", 404, HTTP_POST),
("can_change_vouchers", "vouchers/1234/delete", 404, HTTP_GET),
("can_view_orders", "waitinglist/", 200, HTTP_GET),
("can_change_orders", "waitinglist/auto_assign", 405, HTTP_GET),
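Review bot: The guard added at the top of `post` runs before `super().post` reaches `get_object`, so a view-only user who POSTs to a voucher id that does not exist gets 403 rather than 404; that is the right ordering, because it does not reveal whether the voucher exists to someone who may not change it, and the intent deserves a docstring: `"""Refuse writes from users who only hold can_view_vouchers; the permission tuple lets them GET the page read-only."""`. Placing the check in `post` rather than `dispatch` is fine only as long as no other mutating method (`put`, `patch`, `delete`) is routed to this view, which I cannot see from the hunk — worth confirming. The `@transaction.atomic` decorator wraps the check too, so a refused request opens and rolls back a transaction for nothing; harmless, but a `dispatch`-level check would avoid it. `get_success_url` begins at the end of the hunk and continues outside it.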
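Review bot: Both new rows target voucher 1234, which the 404 expectation says does not exist, so the `HTTP_POST` row only shows that the permission gate fires before the object lookup; nothing in this hunk exercises the behaviour the commit is really about — a `can_view_vouchers`-only user submitting an edit to a real voucher being refused with the voucher left unchanged, or that same user seeing every field disabled on GET. A dedicated test that creates a voucher, POSTs a changed value as a view-only user, asserts a 403 and re-reads the voucher would pin that; the fixtures this table-driven test relies on are outside the hunk, so I have not drafted it here. `event_permission_urls` starts before this hunk and continues after it.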
- {% if "can_change_vouchers" in request.eventpermset %} + {% if "can_change_vouchers" in request.eventpermset %} + - {% endif %} - {% trans "Voucher code" %} @@ -139,13 +143,13 @@
- {% if "can_change_vouchers" in request.eventpermset %} + {% if "can_change_vouchers" in request.eventpermset %} + - {% endif %} - {% if not v.is_active %}{% endif %} {{ v.code }} @@ -186,11 +190,13 @@ - - - - + {% if "can_change_vouchers" in request.eventpermset %} + + + + + {% endif %}