Fix #1521 -- External authenticated users cannot delete events (#1523)

* Remove check password for event deletion, instead require recent login. * Reauthenticate for backends using authentication_url. * Require recent login for data shredder and prompt slug instead of password. * Fix tests for recent login required on event delete and data shred. * Pull request remarks for recent login required for event delete and data shred. * Remove unused imported check_password.
2026-05-04 15:04:03 +00:00 · 2019-12-16 10:45:01 +01:00
parent 28242e52aa
commit 82feca6e38
10 changed files with 45 additions and 41 deletions
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -1,3 +1,4 @@
+import time
 from datetime import timedelta

 import pytest
@@ -357,6 +358,9 @@ def test_correct_event_permission_all_events(perf_patch, client, env, perm, url,
    t.save()
    t.members.add(env[1])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    session = client.session
+    session['pretix_auth_login_time'] = int(time.time())
+    session.save()
    response = client.get('/control/event/dummy/dummy/' + url)
    assert response.status_code == code

@@ -370,6 +374,9 @@ def test_correct_event_permission_limited(perf_patch, client, env, perm, url, co
    t.members.add(env[1])
    t.limit_events.add(env[0])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    session = client.session
+    session['pretix_auth_login_time'] = int(time.time())
+    session.save()
    response = client.get('/control/event/dummy/dummy/' + url)
    assert response.status_code == code

@@ -422,5 +429,7 @@ def test_correct_organizer_permission(perf_patch, client, env, perm, url, code):
    t.save()
    t.members.add(env[1])
    client.login(email='dummy@dummy.dummy', password='dummy')
+    client.session['pretix_auth_login_time'] = int(time.time())
+    client.session.save()
    response = client.get('/control/' + url)
    assert response.status_code == code