Fix #1521 -- External authenticated users cannot delete events (#1523)

* Remove check password for event deletion, instead require recent login. * Reauthenticate for backends using authentication_url. * Require recent login for data shredder and prompt slug instead of password. * Fix tests for recent login required on event delete and data shred. * Pull request remarks for recent login required for event delete and data shred. * Remove unused imported check_password.
2026-05-07 15:34:02 +00:00 · 2019-12-16 10:45:01 +01:00
parent 28242e52aa
commit 82feca6e38
10 changed files with 45 additions and 41 deletions
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -44,6 +44,7 @@ from pretix.control.forms.event import (
    TicketSettingsForm, WidgetCodeForm,
 )
 from pretix.control.permissions import EventPermissionRequiredMixin
+from pretix.control.views.user import RecentAuthenticationRequiredMixin
 from pretix.helpers.database import rolledback_transaction
 from pretix.multidomain.urlreverse import get_domain
 from pretix.plugins.stripe.payment import StripeSettingsHolder
@@ -824,7 +825,7 @@ class EventLive(EventPermissionRequiredMixin, TemplateView):
        })


-class EventDelete(EventPermissionRequiredMixin, FormView):
+class EventDelete(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, FormView):
    permission = 'can_change_event_settings'
    template_name = 'pretixcontrol/event/delete.html'
    form_class = EventDeleteForm
@@ -837,7 +838,6 @@ class EventDelete(EventPermissionRequiredMixin, FormView):

    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
-        kwargs['user'] = self.request.user
        kwargs['event'] = self.request.event
        return kwargs

--- a/src/pretix/control/views/shredder.py
+++ b/src/pretix/control/views/shredder.py
@@ -13,6 +13,7 @@ from pretix.base.services.shredder import export, shred
 from pretix.base.shredder import ShredError, shred_constraints
 from pretix.base.views.tasks import AsyncAction
 from pretix.control.permissions import EventPermissionRequiredMixin
+from pretix.control.views.user import RecentAuthenticationRequiredMixin

 logger = logging.getLogger(__name__)

@@ -26,7 +27,7 @@ class ShredderMixin:
        )


-class StartShredView(EventPermissionRequiredMixin, ShredderMixin, TemplateView):
+class StartShredView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, TemplateView):
    permission = 'can_change_orders'
    template_name = 'pretixcontrol/shredder/index.html'

@@ -37,7 +38,7 @@ class StartShredView(EventPermissionRequiredMixin, ShredderMixin, TemplateView):
        return ctx


-class ShredDownloadView(EventPermissionRequiredMixin, ShredderMixin, TemplateView):
+class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, TemplateView):
    permission = 'can_change_orders'
    template_name = 'pretixcontrol/shredder/download.html'

@@ -48,7 +49,7 @@ class ShredDownloadView(EventPermissionRequiredMixin, ShredderMixin, TemplateVie
        return ctx


-class ShredExportView(EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
+class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
    permission = 'can_change_orders'
    task = export
    known_errortypes = ['ShredError']
@@ -77,7 +78,7 @@ class ShredExportView(EventPermissionRequiredMixin, ShredderMixin, AsyncAction,
        return self.do(self.request.event.id, request.POST.getlist("shredder"))


-class ShredDoView(EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
+class ShredDoView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
    permission = 'can_change_orders'
    task = shred
    known_errortypes = ['ShredError']
@@ -103,7 +104,7 @@ class ShredDoView(EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View
        if constr:
            return self.error(ShredError(self.get_error_url()))

-        if not self.request.user.check_password(request.POST.get("password")):
-            return self.error(ShredError(_("The current password you entered was not correct.")))
+        if request.event.slug != request.POST.get("slug"):
+            return self.error(ShredError(_("The slug you entered was not correct.")))

        return self.do(self.request.event.id, request.POST.get("file"), request.POST.get("confirm_code"))