Fix #277 -- Embeddable shop (#622)

* Vendor vue.js

* Refactor item_group_by_category to support vouchers

* Widget: Show product list

* Widget: free prices

* Widget: pictures and loading indicator

* Widget: First iframe steps

* Widget: Do not rerender iframe

* Widget: Error handling

* Improve widget

* Widget: localization tech

* Fix invoice style

* Voucher attribute and waiting list

* Add some iframe chrome

* First step to namespaced carts

* More isolation steps

* More cart isolation things

* More cart isolation things

* Mobile stuff

* Show cart on checkout pages

* PayPal and Stripe support

* Enable downloads

* Locale handling

* change text "save URL to this exact page"

* Widget: voucher redemption

* Widget: CSS

* CSS: Responsive

* Widget: CSS improvements

* Widget: Add embedding code generator

* Widget: Error messages and SSL check

* First tests

* Widget: tests

* Don't use IDs in widgets

* Widget: static files caching

src/pretix/plugins/paypal/views.py

@@ -3,11 +3,13 @@ import logging
 
 import paypalrestsdk
 from django.contrib import messages
+from django.core import signing
 from django.db import transaction
-from django.http import HttpResponse
-from django.shortcuts import get_object_or_404, redirect
+from django.http import HttpResponse, HttpResponseBadRequest
+from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.translation import ugettext_lazy as _
+from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
 
@@ -17,12 +19,25 @@ from pretix.control.permissions import event_permission_required
 from pretix.multidomain.urlreverse import eventreverse
 from pretix.plugins.paypal.payment import Paypal
 from pretix.plugins.stripe.models import ReferencedStripeObject
-from pretix.presale.utils import event_view
 
 logger = logging.getLogger('pretix.plugins.paypal')
 
 
-@event_view(require_live=False)
+@xframe_options_exempt
+def redirect_view(request, *args, **kwargs):
+    signer = signing.Signer(salt='safe-redirect')
+    try:
+        url = signer.unsign(request.GET.get('url', ''))
+    except signing.BadSignature:
+        return HttpResponseBadRequest('Invalid parameter')
+
+    r = render(request, 'pretixplugins/paypal/redirect.html', {
+        'url': url,
+    })
+    r._csp_ignore = True
+    return r
+
+
 def success(request, *args, **kwargs):
     pid = request.GET.get('paymentId')
     token = request.GET.get('token')
@@ -30,6 +45,10 @@ def success(request, *args, **kwargs):
     request.session['payment_paypal_token'] = token
     request.session['payment_paypal_payer'] = payer
 
+    urlkwargs = {}
+    if 'cart_namespace' in kwargs:
+        urlkwargs['cart_namespace'] = kwargs['cart_namespace']
+
     if request.session.get('payment_paypal_order'):
         order = Order.objects.get(pk=request.session.get('payment_paypal_order'))
     else:
@@ -44,7 +63,8 @@ def success(request, *args, **kwargs):
     else:
         messages.error(request, _('Invalid response from PayPal received.'))
         logger.error('Session did not contain payment_paypal_id')
-        return redirect(eventreverse(request.event, 'presale:event.checkout', kwargs={'step': 'payment'}))
+        urlkwargs['step'] = 'payment'
+        return redirect(eventreverse(request.event, 'presale:event.checkout', kwargs=urlkwargs))
 
     if order:
         return redirect(eventreverse(request.event, 'presale:event.order', kwargs={
@@ -52,7 +72,8 @@ def success(request, *args, **kwargs):
             'secret': order.secret
         }) + ('?paid=yes' if order.status == Order.STATUS_PAID else ''))
     else:
-        return redirect(eventreverse(request.event, 'presale:event.checkout', kwargs={'step': 'confirm'}))
+        urlkwargs['step'] = 'confirm'
+        return redirect(eventreverse(request.event, 'presale:event.checkout', kwargs=urlkwargs))
 
 
 def abort(request, *args, **kwargs):