API: Allow organizer-level access of orders and invoices (#3547)

2026-05-04 15:04:03 +00:00 · 2023-08-28 16:54:42 +02:00
parent 5b819b76f0
commit 8d2224e725
9 changed files with 319 additions and 32 deletions
--- a/src/tests/api/test_orders.py
+++ b/src/tests/api/test_orders.py
@@ -139,6 +139,37 @@ def order(event, item, taxrule, question):
        return o


+@pytest.fixture
+def order2(event2, item2):
+    testtime = datetime.datetime(2017, 12, 1, 10, 0, 0, tzinfo=datetime.timezone.utc)
+
+    with mock.patch('django.utils.timezone.now') as mock_now:
+        mock_now.return_value = testtime
+        o = Order.objects.create(
+            code='BAR', event=event2, email='dummy@dummy.test',
+            status=Order.STATUS_PENDING, secret="asd436cvbfd1",
+            datetime=datetime.datetime(2017, 12, 1, 10, 0, 0, tzinfo=datetime.timezone.utc),
+            expires=datetime.datetime(2017, 12, 10, 10, 0, 0, tzinfo=datetime.timezone.utc),
+            total=23, locale='en'
+        )
+        o.payments.create(
+            provider='banktransfer',
+            state='pending',
+            amount=Decimal('23.00'),
+        )
+        OrderPosition.objects.create(
+            order=o,
+            item=item2,
+            variation=None,
+            price=Decimal("23"),
+            attendee_name_parts={"full_name": "Peter", "_scheme": "full"},
+            secret="asdlfksdgdfgxcbfgdhfg",
+            pseudonymization_id="AC892345",
+            positionid=1,
+        )
+        return o
+
+
@pytest.fixture
 def clist_autocheckin(event):
    c = event.checkin_lists.create(name="Default", all_products=True, auto_checkin_sales_channels=['web'])
@@ -228,6 +259,7 @@ TEST_REFUNDS_RES = [
 ]
 TEST_ORDER_RES = {
    "code": "FOO",
+    "event": "dummy",
    "status": "n",
    "testmode": False,
    "secret": "k24fiuwvu8kxz3y1",
@@ -460,6 +492,34 @@ def test_order_detail(token_client, organizer, event, order, item, taxrule, ques
    assert len(resp.data['fees']) == 2


+@pytest.mark.django_db
+def test_organizer_level(token_client, organizer, team, event, event2, order, order2):
+    resp = token_client.get('/api/v1/organizers/{}/orders/'.format(organizer.slug))
+    assert resp.status_code == 200
+    assert len(resp.data['results']) == 2
+
+    resp = token_client.get('/api/v1/organizers/{}/orders/FOO/'.format(organizer.slug))
+    assert resp.status_code == 200
+
+    resp = token_client.get('/api/v1/organizers/{}/orders/BAR/'.format(organizer.slug))
+    assert resp.status_code == 200
+
+    with scopes_disabled():
+        team.all_events = False
+        team.save()
+        team.limit_events.set([event2])
+
+    resp = token_client.get('/api/v1/organizers/{}/orders/'.format(organizer.slug))
+    assert resp.status_code == 200
+    assert len(resp.data['results']) == 1
+
+    resp = token_client.get('/api/v1/organizers/{}/orders/FOO/'.format(organizer.slug))
+    assert resp.status_code == 404
+
+    resp = token_client.get('/api/v1/organizers/{}/orders/BAR/'.format(organizer.slug))
+    assert resp.status_code == 200
+
+
@pytest.mark.django_db
 def test_include_exclude_fields(token_client, organizer, event, order, item, taxrule, question):
    resp = token_client.get('/api/v1/organizers/{}/events/{}/orders/{}/?exclude=positions.secret'.format(