CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-05 15:14:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement OAuth2 provider (#927)

Browse Source 
- [x] Application management
  - [x] Link
  - [ ] Tests
- [x] Authorize flow
  - [x] Tests
- [x] Refresh token handling
  - [x] Tests
- [x] Revocation endpoint
  - [x] Tests
  - [x] Mitigate: https://github.com/jazzband/django-oauth-toolkit/issues/585
- [x] API authenticator / permission driver
  - [x] Test
- [x] Enforce organizer restriction
  - [x] Tests
- [x] Enforce scope restriction
  - [x] Tests
- [x] Show current applications to user
  - [x] Revoke
  - [x] Tests
- [x] Log new authorizations
  - [x] notify user
- [x] Ensure other grant types are not available
- [x] Documentation
- [x] check if revoking access toking, then refreshing gets rid of organizer constraint
- [x] Show logentry foo
This commit is contained in:
Raphael Michel
2018-06-05 12:58:04 +02:00
committed by GitHub
parent df031b2222
commit 69d10489b8
53 changed files with 1786 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/pretix/api/__init__.py
View File

@@ -0,0 +1,9 @@
from django.apps import AppConfig
class PretixApiConfig(AppConfig):
name = 'pretix.api'
label = 'pretixapi'
default_app_config = 'pretix.api.PretixApiConfig'

10
src/pretix/api/auth/permission.py
View File

@@ -1,5 +1,6 @@
from rest_framework.permissions import SAFE_METHODS, BasePermission
from pretix.api.models import OAuthAccessToken
from pretix.base.models import Event
from pretix.base.models.organizer import Organizer, TeamAPIToken
from pretix.helpers.security import (
@@ -55,6 +56,15 @@ class EventPermission(BasePermission):
if required_permission and required_permission not in request.orgapermset:
return False
if isinstance(request.auth, OAuthAccessToken):
if not request.auth.allow_scopes(['write']) and request.method not in SAFE_METHODS:
return False
if not request.auth.allow_scopes(['read']) and request.method in SAFE_METHODS:
return False
if isinstance(request.auth, OAuthAccessToken) and hasattr(request, 'organizer'):
if not request.auth.organizers.filter(pk=request.organizer.pk).exists():
return False
return True

128
src/pretix/api/migrations/0001_initial.py Normal file
View File

@@ -0,0 +1,128 @@
# -*- coding: utf-8 -*-
# Generated by Django 1.11.13 on 2018-06-04 11:19
from __future__ import unicode_literals
import django.db.models.deletion
import oauth2_provider.generators
import oauth2_provider.validators
from django.conf import settings
from django.db import migrations, models
class Migration(migrations.Migration):
initial = True
dependencies = [
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
]
operations = [
migrations.CreateModel(
name='OAuthAccessToken',
fields=[
('id', models.BigAutoField(primary_key=True, serialize=False)),
('token', models.CharField(max_length=255, unique=True)),
('expires', models.DateTimeField()),
('scope', models.TextField(blank=True)),
('created', models.DateTimeField(auto_now_add=True)),
('updated', models.DateTimeField(auto_now=True)),
],
options={
'abstract': False,
},
),
migrations.CreateModel(
name='OAuthApplication',
fields=[
('id', models.BigAutoField(primary_key=True, serialize=False)),
('client_type',
models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], max_length=32)),
('authorization_grant_type', models.CharField(
choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'),
('password', 'Resource owner password-based'),
('client-credentials', 'Client credentials')], max_length=32)),
('skip_authorization', models.BooleanField(default=False)),
('created', models.DateTimeField(auto_now_add=True)),
('updated', models.DateTimeField(auto_now=True)),
('name', models.CharField(max_length=255, verbose_name='Application name')),
('redirect_uris', models.TextField(help_text='Allowed URIs list, space separated',
validators=[oauth2_provider.validators.validate_uris],
verbose_name='Redirection URIs')),
('client_id',
models.CharField(db_index=True, default=oauth2_provider.generators.generate_client_id, max_length=100,
unique=True, verbose_name='Client ID')),
('client_secret',
models.CharField(db_index=True, default=oauth2_provider.generators.generate_client_secret,
max_length=255, verbose_name='Client secret')),
('active', models.BooleanField(default=True)),
('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE,
related_name='pretixapi_oauthapplication', to=settings.AUTH_USER_MODEL)),
],
options={
'abstract': False,
},
),
migrations.CreateModel(
name='OAuthGrant',
fields=[
('id', models.BigAutoField(primary_key=True, serialize=False)),
('code', models.CharField(max_length=255, unique=True)),
('expires', models.DateTimeField()),
('redirect_uri', models.CharField(max_length=255)),
('scope', models.TextField(blank=True)),
('created', models.DateTimeField(auto_now_add=True)),
('updated', models.DateTimeField(auto_now=True)),
('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE,
to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
('user',
models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='pretixapi_oauthgrant',
to=settings.AUTH_USER_MODEL)),
],
options={
'abstract': False,
},
),
migrations.CreateModel(
name='OAuthRefreshToken',
fields=[
('id', models.BigAutoField(primary_key=True, serialize=False)),
('token', models.CharField(max_length=255)),
('created', models.DateTimeField(auto_now_add=True)),
('updated', models.DateTimeField(auto_now=True)),
('revoked', models.DateTimeField(null=True)),
('access_token',
models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL,
related_name='refresh_token', to=settings.OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL)),
('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE,
to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE,
related_name='pretixapi_oauthrefreshtoken', to=settings.AUTH_USER_MODEL)),
],
options={
'abstract': False,
},
),
migrations.AddField(
model_name='oauthaccesstoken',
name='application',
field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE,
to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL),
),
migrations.AddField(
model_name='oauthaccesstoken',
name='source_refresh_token',
field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL,
related_name='refreshed_access_token',
to=settings.OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL),
),
migrations.AddField(
model_name='oauthaccesstoken',
name='user',
field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE,
related_name='pretixapi_oauthaccesstoken', to=settings.AUTH_USER_MODEL),
),
migrations.AlterUniqueTogether(
name='oauthrefreshtoken',
unique_together=set([('token', 'revoked')]),
),
]

26
src/pretix/api/migrations/0002_auto_20180604_1120.py Normal file
View File

@@ -0,0 +1,26 @@
# -*- coding: utf-8 -*-
# Generated by Django 1.11.13 on 2018-06-04 11:20
from __future__ import unicode_literals
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('pretixbase', '0001_initial'),
('pretixapi', '0001_initial'),
]
operations = [
migrations.AddField(
model_name='oauthaccesstoken',
name='organizers',
field=models.ManyToManyField(to='pretixbase.Organizer'),
),
migrations.AddField(
model_name='oauthgrant',
name='organizers',
field=models.ManyToManyField(to='pretixbase.Organizer'),
),
]

0
src/pretix/api/migrations/__init__.py Normal file
View File

70
src/pretix/api/models.py Normal file
View File

@@ -0,0 +1,70 @@
from datetime import timedelta
from django.db import models
from django.urls import reverse
from django.utils.timezone import now
from django.utils.translation import ugettext_lazy as _
from oauth2_provider.generators import (
generate_client_id, generate_client_secret,
)
from oauth2_provider.models import (
AbstractAccessToken, AbstractApplication, AbstractGrant,
AbstractRefreshToken,
)
from oauth2_provider.validators import validate_uris
class OAuthApplication(AbstractApplication):
name = models.CharField(verbose_name=_("Application name"), max_length=255, blank=False)
redirect_uris = models.TextField(
blank=False, validators=[validate_uris],
verbose_name=_("Redirection URIs"),
help_text=_("Allowed URIs list, space separated")
)
client_id = models.CharField(
verbose_name=_("Client ID"),
max_length=100, unique=True, default=generate_client_id, db_index=True
)
client_secret = models.CharField(
verbose_name=_("Client secret"),
max_length=255, blank=False, default=generate_client_secret, db_index=True
)
active = models.BooleanField(default=True)
def get_absolute_url(self):
return reverse("control:user.settings.oauth.app", kwargs={'pk': self.id})
def is_usable(self, request):
return self.active and super().is_usable(request)
class OAuthGrant(AbstractGrant):
application = models.ForeignKey(
OAuthApplication, on_delete=models.CASCADE
)
organizers = models.ManyToManyField('pretixbase.Organizer')
class OAuthAccessToken(AbstractAccessToken):
source_refresh_token = models.OneToOneField(
# unique=True implied by the OneToOneField
'OAuthRefreshToken', on_delete=models.SET_NULL, blank=True, null=True,
related_name="refreshed_access_token"
)
application = models.ForeignKey(
OAuthApplication, on_delete=models.CASCADE, blank=True, null=True,
)
organizers = models.ManyToManyField('pretixbase.Organizer')
def revoke(self):
self.expires = now() - timedelta(hours=1)
self.save(update_fields=['expires'])
class OAuthRefreshToken(AbstractRefreshToken):
application = models.ForeignKey(
OAuthApplication, on_delete=models.CASCADE)
access_token = models.OneToOneField(
OAuthAccessToken, on_delete=models.SET_NULL, blank=True, null=True,
related_name="refresh_token"
)

45
src/pretix/api/oauth.py Normal file
View File

@@ -0,0 +1,45 @@
from datetime import timedelta
from django.utils import timezone
from oauth2_provider.exceptions import FatalClientError
from oauth2_provider.oauth2_validators import Grant, OAuth2Validator
from oauth2_provider.settings import oauth2_settings
class Validator(OAuth2Validator):
def save_authorization_code(self, client_id, code, request, *args, **kwargs):
if not getattr(request, 'organizers', None):
raise FatalClientError('No organizers selected.')
expires = timezone.now() + timedelta(
seconds=oauth2_settings.AUTHORIZATION_CODE_EXPIRE_SECONDS)
g = Grant(application=request.client, user=request.user, code=code["code"],
expires=expires, redirect_uri=request.redirect_uri,
scope=" ".join(request.scopes))
g.save()
g.organizers.add(*request.organizers.all())
def validate_code(self, client_id, code, client, request, *args, **kwargs):
try:
grant = Grant.objects.get(code=code, application=client)
if not grant.is_expired():
request.scopes = grant.scope.split(" ")
request.user = grant.user
request.organizers = grant.organizers.all()
return True
return False
except Grant.DoesNotExist:
return False
def _create_access_token(self, expires, request, token, source_refresh_token=None):
if not getattr(request, 'organizers', None) and not getattr(source_refresh_token, 'access_token'):
raise FatalClientError('No organizers selected.')
if hasattr(request, 'organizers'):
orgs = list(request.organizers.all())
else:
orgs = list(source_refresh_token.access_token.organizers.all())
access_token = super()._create_access_token(expires, request, token, source_refresh_token=None)
access_token.organizers.add(*orgs)
return access_token

7
src/pretix/api/urls.py
View File

@@ -4,7 +4,9 @@ from django.apps import apps
from django.conf.urls import include, url
from rest_framework import routers
from .views import checkin, event, item, order, organizer, voucher, waitinglist
from .views import (
checkin, event, item, oauth, order, organizer, voucher, waitinglist,
)
router = routers.DefaultRouter()
router.register(r'organizers', organizer.OrganizerViewSet)
@@ -52,4 +54,7 @@ urlpatterns = [
include(question_router.urls)),
url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/checkinlists/(?P<list>[^/]+)/',
include(checkinlist_router.urls)),
url(r"^oauth/authorize$", oauth.AuthorizationView.as_view(), name="authorize"),
url(r"^oauth/token$", oauth.TokenView.as_view(), name="token"),
url(r"^oauth/revoke_token$", oauth.RevokeTokenView.as_view(), name="revoke-token"),
]

7
src/pretix/api/views/checkin.py
View File

@@ -16,7 +16,6 @@ from pretix.api.serializers.order import OrderPositionSerializer
from pretix.api.views import RichOrderingFilter
from pretix.api.views.order import OrderPositionFilter
from pretix.base.models import Checkin, CheckinList, Order, OrderPosition
from pretix.base.models.organizer import TeamAPIToken
from pretix.base.services.checkin import (
CheckInError, RequiredQuestionsError, perform_checkin,
)
@@ -49,7 +48,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.checkinlist.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -63,7 +62,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.checkinlist.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -71,7 +70,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
instance.log_action(
'pretix.event.checkinlist.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)

17
src/pretix/api/views/event.py
View File

@@ -12,7 +12,6 @@ from pretix.api.serializers.event import (
from pretix.api.views import ConditionalListView
from pretix.base.models import Event, ItemCategory, TaxRule
from pretix.base.models.event import SubEvent
from pretix.base.models.organizer import TeamAPIToken
from pretix.helpers.dicts import merge_dicts
@@ -39,7 +38,7 @@ class EventViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
log_action,
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -52,7 +51,7 @@ class EventViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.plugins.' + action,
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data={'plugin': module}
)
@@ -61,7 +60,7 @@ class EventViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -70,7 +69,7 @@ class EventViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -115,7 +114,7 @@ class CloneEventViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -151,7 +150,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.taxrule.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -160,7 +159,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.taxrule.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -171,6 +170,6 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
instance.log_action(
'pretix.event.taxrule.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)

53
src/pretix/api/views/item.py
View File

@@ -18,7 +18,6 @@ from pretix.base.models import (
Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
Quota,
)
from pretix.base.models.organizer import TeamAPIToken
from pretix.helpers.dicts import merge_dicts
@@ -54,7 +53,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.item.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -69,7 +68,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.item.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -82,7 +81,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
instance.log_action(
'pretix.event.item.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)
@@ -114,7 +113,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
item.log_action(
'pretix.event.item.variation.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk},
{'value': serializer.instance.value})
)
@@ -124,7 +123,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
serializer.instance.item.log_action(
'pretix.event.item.variation.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk},
{'value': serializer.instance.value})
)
@@ -141,7 +140,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
instance.item.log_action(
'pretix.event.item.variation.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data={
'value': instance.value,
'id': self.kwargs['pk']
@@ -175,7 +174,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
item.log_action(
'pretix.event.item.addons.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
)
@@ -184,7 +183,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
serializer.instance.base_item.log_action(
'pretix.event.item.addons.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
)
@@ -193,7 +192,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
instance.base_item.log_action(
'pretix.event.item.addons.removed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data={'category': instance.addon_category.pk}
)
@@ -222,7 +221,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.category.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -236,7 +235,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.category.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -247,7 +246,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
instance.log_action(
'pretix.event.category.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)
@@ -275,7 +274,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.question.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -289,7 +288,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.question.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -297,7 +296,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
instance.log_action(
'pretix.event.question.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)
@@ -327,7 +326,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
q.log_action(
'pretix.event.question.option.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
)
@@ -336,7 +335,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
serializer.instance.question.log_action(
'pretix.event.question.option.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
)
@@ -344,7 +343,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
instance.question.log_action(
'pretix.event.question.option.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data={'id': instance.pk}
)
super().perform_destroy(instance)
@@ -374,14 +373,14 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.quota.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
if serializer.instance.subevent:
serializer.instance.subevent.log_action(
'pretix.subevent.quota.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -397,7 +396,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.quota.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
if current_subevent == request_subevent:
@@ -405,7 +404,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
current_subevent.log_action(
'pretix.subevent.quota.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
else:
@@ -413,14 +412,14 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
request_subevent.log_action(
'pretix.subevent.quota.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
if current_subevent is not None:
current_subevent.log_action(
'pretix.subevent.quota.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
serializer.instance.rebuild_cache()
@@ -428,13 +427,13 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
instance.log_action(
'pretix.event.quota.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
if instance.subevent:
instance.subevent.log_action(
'pretix.subevent.quota.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)

92
src/pretix/api/views/oauth.py Normal file
View File

@@ -0,0 +1,92 @@
import logging
from django import forms
from django.conf import settings
from django.utils.translation import ugettext as _
from oauth2_provider.exceptions import OAuthToolkitError
from oauth2_provider.forms import AllowForm
from oauth2_provider.views import (
AuthorizationView as BaseAuthorizationView,
RevokeTokenView as BaseRevokeTokenView, TokenView as BaseTokenView,
)
from pretix.api.models import OAuthApplication
from pretix.base.models import Organizer
logger = logging.getLogger(__name__)
class OAuthAllowForm(AllowForm):
organizers = forms.ModelMultipleChoiceField(
queryset=Organizer.objects.none(),
widget=forms.CheckboxSelectMultiple
)
def __init__(self, *args, **kwargs):
user = kwargs.pop('user')
super().__init__(*args, **kwargs)
self.fields['organizers'].queryset = Organizer.objects.filter(
pk__in=user.teams.values_list('organizer', flat=True))
class AuthorizationView(BaseAuthorizationView):
template_name = "pretixcontrol/auth/oauth_authorization.html"
form_class = OAuthAllowForm
def get_form_kwargs(self):
kwargs = super().get_form_kwargs()
kwargs['user'] = self.request.user
return kwargs
def get_context_data(self, **kwargs):
ctx = super().get_context_data(**kwargs)
ctx['settings'] = settings
return ctx
def create_authorization_response(self, request, scopes, credentials, allow, organizers):
credentials["organizers"] = organizers
return super().create_authorization_response(request, scopes, credentials, allow)
def form_valid(self, form):
client_id = form.cleaned_data["client_id"]
application = OAuthApplication.objects.get(client_id=client_id)
credentials = {
"client_id": form.cleaned_data.get("client_id"),
"redirect_uri": form.cleaned_data.get("redirect_uri"),
"response_type": form.cleaned_data.get("response_type", None),
"state": form.cleaned_data.get("state", None),
}
scopes = form.cleaned_data.get("scope")
allow = form.cleaned_data.get("allow")
try:
uri, headers, body, status = self.create_authorization_response(
request=self.request, scopes=scopes, credentials=credentials, allow=allow,
organizers=form.cleaned_data.get("organizers")
)
except OAuthToolkitError as error:
return self.error_response(error, application)
self.success_url = uri
logger.debug("Success url for the request: {0}".format(self.success_url))
msgs = [
_('The application "{application_name}" has been authorized to access your account.').format(
application_name=application.name
)
]
self.request.user.send_security_notice(msgs)
self.request.user.log_action('pretix.user.oauth.authorized', user=self.request.user, data={
'application_id': application.pk,
'application_name': application.name,
})
return self.redirect(self.success_url, application)
class TokenView(BaseTokenView):
pass
class RevokeTokenView(BaseRevokeTokenView):
pass

23
src/pretix/api/views/order.py
View File

@@ -17,12 +17,14 @@ from rest_framework.filters import OrderingFilter
from rest_framework.mixins import CreateModelMixin
from rest_framework.response import Response
from pretix.api.models import OAuthAccessToken
from pretix.api.serializers.order import (
InvoiceSerializer, OrderCreateSerializer, OrderPositionSerializer,
OrderSerializer,
)
from pretix.base.models import Invoice, Order, OrderPosition, Quota
from pretix.base.models.organizer import TeamAPIToken
from pretix.base.models import (
Invoice, Order, OrderPosition, Quota, TeamAPIToken,
)
from pretix.base.services.invoices import (
generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
regenerate_invoice,
@@ -124,7 +126,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
mark_order_paid(
order, manual=True,
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
auth=request.auth,
)
except Quota.QuotaExceededException as e:
return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
@@ -151,7 +153,8 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
cancel_order(
order,
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
send_mail=send_mail
)
return self.retrieve(request, [], **kwargs)
@@ -172,7 +175,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
order.log_action(
'pretix.event.order.unpaid',
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
auth=request.auth,
)
return self.retrieve(request, [], **kwargs)
@@ -189,7 +192,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
mark_order_expired(
order,
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
auth=request.auth,
)
return self.retrieve(request, [], **kwargs)
@@ -243,7 +246,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
new_date=new_date,
force=force,
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
auth=request.auth,
)
return self.retrieve(request, [], **kwargs)
except OrderError as e:
@@ -263,7 +266,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
order.log_action(
'pretix.event.order.placed',
user=request.user if request.user.is_authenticated else None,
api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
auth=request.auth,
)
order_placed.send(self.request.event, order=order)
@@ -437,7 +440,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
'invoice': inv.pk
},
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
return Response(status=204)
@@ -460,6 +463,6 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
'invoice': inv.pk
},
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
return Response(status=204)

7
src/pretix/api/views/organizer.py
View File

@@ -1,5 +1,6 @@
from rest_framework import viewsets
from pretix.api.models import OAuthAccessToken
from pretix.api.serializers.organizer import OrganizerSerializer
from pretix.base.models import Organizer
@@ -14,6 +15,12 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
if self.request.user.is_authenticated():
if self.request.user.has_active_staff_session(self.request.session.session_key):
return Organizer.objects.all()
elif isinstance(self.request.auth, OAuthAccessToken):
return Organizer.objects.filter(
pk__in=self.request.user.teams.values_list('organizer', flat=True)
).filter(
pk__in=self.request.auth.organizers.values_list('pk', flat=True)
)
else:
return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
else:

7
src/pretix/api/views/voucher.py
View File

@@ -9,7 +9,6 @@ from rest_framework.filters import OrderingFilter
from pretix.api.serializers.voucher import VoucherSerializer
from pretix.base.models import Voucher
from pretix.base.models.organizer import TeamAPIToken
class VoucherFilter(FilterSet):
@@ -51,7 +50,7 @@ class VoucherViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.voucher.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -69,7 +68,7 @@ class VoucherViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.voucher.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
data=self.request.data
)
@@ -80,6 +79,6 @@ class VoucherViewSet(viewsets.ModelViewSet):
instance.log_action(
'pretix.voucher.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)

10
src/pretix/api/views/waitinglist.py
View File

@@ -7,7 +7,7 @@ from rest_framework.filters import OrderingFilter
from rest_framework.response import Response
from pretix.api.serializers.waitinglist import WaitingListSerializer
from pretix.base.models import TeamAPIToken, WaitingListEntry
from pretix.base.models import WaitingListEntry
from pretix.base.models.waitinglist import WaitingListException
@@ -45,7 +45,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.orders.waitinglist.added',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
def perform_update(self, serializer):
@@ -55,7 +55,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
serializer.instance.log_action(
'pretix.event.orders.waitinglist.changed',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
def perform_destroy(self, instance):
@@ -65,7 +65,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
instance.log_action(
'pretix.event.orders.waitinglist.deleted',
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
super().perform_destroy(instance)
@@ -74,7 +74,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
try:
self.get_object().send_voucher(
user=self.request.user,
api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
auth=self.request.auth,
)
except WaitingListException as e:
raise ValidationError(str(e))