Fix enforcement of restricted plugins (#4286)

src/tests/api/test_events.py

@@ -763,6 +763,50 @@ def test_event_update(token_client, organizer, event, item, meta_prop):
     assert cnt == event.all_logentries().count()
 
 
+@pytest.mark.django_db
+def test_event_update_plugins_validation(token_client, organizer, event, item, meta_prop):
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug),
+        {
+            "plugins": ["pretix.plugins.paypal2", "unknown"]
+        },
+        format='json'
+    )
+    assert resp.status_code == 400
+    assert resp.data == {"plugins": ["Unknown plugin: 'unknown'."]}
+
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug),
+        {
+            "plugins": ["pretix.plugins.paypal2", "tests.testdummyhidden"]
+        },
+        format='json'
+    )
+    assert resp.status_code == 400
+    assert resp.data == {"plugins": ["Unknown plugin: 'tests.testdummyhidden'."]}
+
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug),
+        {
+            "plugins": ["pretix.plugins.paypal2", "tests.testdummyrestricted"]
+        },
+        format='json'
+    )
+    assert resp.status_code == 400
+    assert resp.data == {"plugins": ["Restricted plugin: 'tests.testdummyrestricted'."]}
+
+    organizer.settings.allowed_restricted_plugins = ["tests.testdummyrestricted"]
+
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/'.format(organizer.slug, event.slug),
+        {
+            "plugins": ["pretix.plugins.paypal2", "tests.testdummyrestricted"]
+        },
+        format='json'
+    )
+    assert resp.status_code == 200
+
+
 @pytest.mark.django_db
 def test_event_test_mode(token_client, organizer, event):
     resp = token_client.patch(

src/tests/control/test_events.py

@@ -299,6 +299,8 @@ class EventsTest(SoupTest):
         doc = self.get_doc('/control/event/%s/%s/settings/plugins' % (self.orga1.slug, self.event1.slug))
         self.assertIn("Stripe", doc.select(".form-plugins")[0].text)
         self.assertIn("Enable", doc.select("[name=\"plugin:pretix.plugins.stripe\"]")[0].text)
+        assert not doc.select("[name=\"plugin:tests.testdummyrestricted\"]")
+        assert not doc.select("[name=\"plugin:tests.testdummyhidden\"]")
 
         doc = self.post_doc('/control/event/%s/%s/settings/plugins' % (self.orga1.slug, self.event1.slug),
                             {'plugin:pretix.plugins.stripe': 'enable'})
@@ -308,6 +310,23 @@ class EventsTest(SoupTest):
                             {'plugin:pretix.plugins.stripe': 'disable'})
         self.assertIn("Enable", doc.select("[name=\"plugin:pretix.plugins.stripe\"]")[0].text)
 
+        self.post_doc('/control/event/%s/%s/settings/plugins' % (self.orga1.slug, self.event1.slug),
+                      {'plugin:tests.testdummyhidden': 'enable'})
+        self.event1.refresh_from_db()
+        assert "testdummyhidden" not in self.event1.plugins
+
+        self.post_doc('/control/event/%s/%s/settings/plugins' % (self.orga1.slug, self.event1.slug),
+                      {'plugin:tests.testdummyrestricted': 'enable'})
+        self.event1.refresh_from_db()
+        assert "testdummyrestricted" not in self.event1.plugins
+
+        self.orga1.settings.allowed_restricted_plugins = ["tests.testdummyrestricted"]
+
+        self.post_doc('/control/event/%s/%s/settings/plugins' % (self.orga1.slug, self.event1.slug),
+                      {'plugin:tests.testdummyrestricted': 'enable'})
+        self.event1.refresh_from_db()
+        assert "testdummyrestricted" in self.event1.plugins
+
     def test_testmode_enable(self):
         self.event1.testmode = False
         self.event1.save()

src/tests/settings.py

@@ -28,6 +28,8 @@ TEST_DIR = os.path.dirname(__file__)
 TEMPLATES[0]['DIRS'].append(os.path.join(TEST_DIR, 'templates'))  # NOQA
 
 INSTALLED_APPS.append('tests.testdummy')  # NOQA
+INSTALLED_APPS.append('tests.testdummyrestricted')  # NOQA
+INSTALLED_APPS.append('tests.testdummyhidden')  # NOQA
 
 PRETIX_AUTH_BACKENDS = [
     'pretix.base.auth.NativeAuthBackend',

src/tests/testdummyhidden/__init__.py

@@ -0,0 +1,21 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#

src/tests/testdummyhidden/apps.py

@@ -0,0 +1,35 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django.apps import AppConfig
+
+
+class TestDummyHiddenApp(AppConfig):
+    name = 'tests.testdummyhidden'
+    verbose_name = 'testdummyhidden'
+
+    class PretixPluginMeta:
+        name = 'testdummyhidden'
+        version = '1.0.0'
+        restricted = True
+
+    def is_available(self, event):
+        return False

src/tests/testdummyrestricted/__init__.py

@@ -0,0 +1,21 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#

src/tests/testdummyrestricted/apps.py

@@ -0,0 +1,32 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django.apps import AppConfig
+
+
+class TestDummyRestrictedApp(AppConfig):
+    name = 'tests.testdummyrestricted'
+    verbose_name = 'testdummyrestricted'
+
+    class PretixPluginMeta:
+        name = 'testdummyrestricted'
+        version = '1.0.0'
+        restricted = True