Implement OAuth2 provider (#927)

- [x] Application management - [x] Link - [ ] Tests - [x] Authorize flow - [x] Tests - [x] Refresh token handling - [x] Tests - [x] Revocation endpoint - [x] Tests - [x] Mitigate: https://github.com/jazzband/django-oauth-toolkit/issues/585 - [x] API authenticator / permission driver - [x] Test - [x] Enforce organizer restriction - [x] Tests - [x] Enforce scope restriction - [x] Tests - [x] Show current applications to user - [x] Revoke - [x] Tests - [x] Log new authorizations - [x] notify user - [x] Ensure other grant types are not available - [x] Documentation - [x] check if revoking access toking, then refreshing gets rid of organizer constraint - [x] Show logentry foo
2026-05-05 15:14:04 +00:00 · 2018-06-05 12:58:04 +02:00
parent df031b2222
commit 69d10489b8
53 changed files with 1786 additions and 116 deletions
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -17,12 +17,14 @@ from rest_framework.filters import OrderingFilter
 from rest_framework.mixins import CreateModelMixin
 from rest_framework.response import Response

+from pretix.api.models import OAuthAccessToken
 from pretix.api.serializers.order import (
    InvoiceSerializer, OrderCreateSerializer, OrderPositionSerializer,
    OrderSerializer,
 )
-from pretix.base.models import Invoice, Order, OrderPosition, Quota
-from pretix.base.models.organizer import TeamAPIToken
+from pretix.base.models import (
+    Invoice, Order, OrderPosition, Quota, TeamAPIToken,
+)
 from pretix.base.services.invoices import (
    generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
    regenerate_invoice,
@@ -124,7 +126,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                mark_order_paid(
                    order, manual=True,
                    user=request.user if request.user.is_authenticated else None,
-                    api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+                    auth=request.auth,
                )
            except Quota.QuotaExceededException as e:
                return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
@@ -151,7 +153,8 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        cancel_order(
            order,
            user=request.user if request.user.is_authenticated else None,
-            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
+            oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
            send_mail=send_mail
        )
        return self.retrieve(request, [], **kwargs)
@@ -172,7 +175,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        order.log_action(
            'pretix.event.order.unpaid',
            user=request.user if request.user.is_authenticated else None,
-            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            auth=request.auth,
        )
        return self.retrieve(request, [], **kwargs)

@@ -189,7 +192,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        mark_order_expired(
            order,
            user=request.user if request.user.is_authenticated else None,
-            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            auth=request.auth,
        )
        return self.retrieve(request, [], **kwargs)

@@ -243,7 +246,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                new_date=new_date,
                force=force,
                user=request.user if request.user.is_authenticated else None,
-                api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+                auth=request.auth,
            )
            return self.retrieve(request, [], **kwargs)
        except OrderError as e:
@@ -263,7 +266,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            order.log_action(
                'pretix.event.order.placed',
                user=request.user if request.user.is_authenticated else None,
-                api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+                auth=request.auth,
            )
        order_placed.send(self.request.event, order=order)

@@ -437,7 +440,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
                    'invoice': inv.pk
                },
                user=self.request.user,
-                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                auth=self.request.auth,
            )
            return Response(status=204)

@@ -460,6 +463,6 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
                    'invoice': inv.pk
                },
                user=self.request.user,
-                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                auth=self.request.auth,
            )
            return Response(status=204)