From 7baabcef96a232effe16e4231437e68f53817008 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 4 Apr 2018 12:52:36 +0200
Subject: [PATCH] Require correct permission for refunds in all cases
---
 src/pretix/plugins/paypal/views.py | 2 +-
 src/pretix/plugins/stripe/views.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pretix/plugins/paypal/views.py b/src/pretix/plugins/paypal/views.py
index 8f320fa036..4e2c1a1319 100644
--- a/src/pretix/plugins/paypal/views.py
+++ b/src/pretix/plugins/paypal/views.py
@@ -177,7 +177,7 @@ def webhook(request, *args, **kwargs):
 return HttpResponse(status=200)
-@event_permission_required('can_view_orders')
+@event_permission_required('can_change_orders')
 @require_POST
 def refund(request, **kwargs):
 with transaction.atomic():
diff --git a/src/pretix/plugins/stripe/views.py b/src/pretix/plugins/stripe/views.py
index 46fad3cd00..30ebdc58aa 100644
--- a/src/pretix/plugins/stripe/views.py
+++ b/src/pretix/plugins/stripe/views.py
@@ -276,7 +276,7 @@ def oauth_disconnect(request, **kwargs):
 }))
-@event_permission_required('can_view_orders')
+@event_permission_required('can_change_orders')
 @require_POST
 def refund(request, **kwargs):
 with transaction.atomic():
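Review bot: Nothing in this patch pins the new requirement: the decorator on `refund` in paypal/views.py, and the identical hunk in stripe/views.py, now names `'can_change_orders'`, but the diffstat lists no test file, so a later copy-paste could bring back the view-only permission unnoticed. A regression test that POSTs to each refund endpoint as a user holding only `can_view_orders` and expects the request to be denied would cover both plugins. A short comment above the decorator, e.g. `# Refunds move money and change order state: view-only access must not reach this view`, would also record why the stronger permission is needed. The body of `refund` continues outside both hunks, so whether the order lookup is scoped to the requesting event cannot be checked from here and is worth confirming.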