Fix #1521 -- External authenticated users cannot delete events (#1523)

* Remove check password for event deletion, instead require recent login. * Reauthenticate for backends using authentication_url. * Require recent login for data shredder and prompt slug instead of password. * Fix tests for recent login required on event delete and data shred. * Pull request remarks for recent login required for event delete and data shred. * Remove unused imported check_password.
2026-05-04 15:04:03 +00:00 · 2019-12-16 10:45:01 +01:00
parent 28242e52aa
commit 82feca6e38
10 changed files with 45 additions and 41 deletions
--- a/src/tests/control/test_events.py
+++ b/src/tests/control/test_events.py
@@ -1,4 +1,5 @@
 import datetime
+import time
 from decimal import Decimal

 import pytz
@@ -1553,8 +1554,10 @@ class EventDeletionTest(SoupTest):
        self.client.login(email='dummy@dummy.dummy', password='dummy')

    def test_delete_allowed(self):
+        session = self.client.session
+        session['pretix_auth_login_time'] = int(time.time())
+        session.save()
        self.client.post('/control/event/ccc/30c3/delete/', {
-            'user_pw': 'dummy',
            'slug': '30c3'
        })

--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -1,3 +1,4 @@
+import time
 from datetime import timedelta

 import pytest
@@ -357,6 +358,9 @@ def test_correct_event_permission_all_events(perf_patch, client, env, perm, url,
    t.save()
    t.members.add(env[1])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    session = client.session
+    session['pretix_auth_login_time'] = int(time.time())
+    session.save()
    response = client.get('/control/event/dummy/dummy/' + url)
    assert response.status_code == code

@@ -370,6 +374,9 @@ def test_correct_event_permission_limited(perf_patch, client, env, perm, url, co
    t.members.add(env[1])
    t.limit_events.add(env[0])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    session = client.session
+    session['pretix_auth_login_time'] = int(time.time())
+    session.save()
    response = client.get('/control/event/dummy/dummy/' + url)
    assert response.status_code == code

@@ -422,5 +429,7 @@ def test_correct_organizer_permission(perf_patch, client, env, perm, url, code):
    t.save()
    t.members.add(env[1])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    client.session['pretix_auth_login_time'] = int(time.time())
+    client.session.save()
    response = client.get('/control/' + url)
    assert response.status_code == code
--- a/src/tests/control/test_shredders.py
+++ b/src/tests/control/test_shredders.py
@@ -1,5 +1,6 @@
 import datetime
 import json
+import time
 from io import BytesIO
 from zipfile import ZipFile

@@ -35,6 +36,9 @@ class EventShredderTest(SoupTest):
        )

        self.client.login(email='dummy@dummy.dummy', password='dummy')
+        session = self.client.session
+        session['pretix_auth_login_time'] = int(time.time()) * 2
+        session.save()

    def test_shred_simple(self):
        doc = self.get_doc('/control/event/%s/%s/shredder/' % (self.orga1.slug, self.event1.slug))
@@ -60,7 +64,7 @@ class EventShredderTest(SoupTest):
        doc = self.post_doc('/control/event/%s/%s/shredder/shred' % (self.orga1.slug, self.event1.slug), {
            'confirm_code': indexdata['confirm_code'],
            'file': doc.select("input[name=file]")[0].attrs['value'],
-            'password': 'dummy'
+            'slug': self.event1.slug
        })
        assert doc.select('.alert-success')
        self.order.refresh_from_db()