From 9935ba370d80f39ecb6509d473fde4c599422538 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 24 Sep 2018 12:44:45 +0200
Subject: [PATCH] Event list API: Do not show events without any access permissions
---
 src/pretix/api/views/event.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/pretix/api/views/event.py b/src/pretix/api/views/event.py
index 23b2749813..cf8bd8a629 100644
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -12,7 +12,7 @@ from pretix.api.serializers.event import (
 TaxRuleSerializer,
 )
 from pretix.api.views import ConditionalListView
-from pretix.base.models import Event, ItemCategory, TaxRule
+from pretix.base.models import Event, ItemCategory, TaxRule, TeamAPIToken
 from pretix.base.models.event import SubEvent
 from pretix.helpers.dicts import merge_dicts
@@ -73,7 +73,16 @@ class EventViewSet(viewsets.ModelViewSet):
 filterset_class = EventFilter
 def get_queryset(self):
- return self.request.organizer.events.prefetch_related('meta_values', 'meta_values__property')
+ if isinstance(self.request.auth, TeamAPIToken):
+ qs = self.request.auth.team.get_events_with_any_permission()
+ elif self.request.user.is_authenticated:
+ qs = self.request.user.get_events_with_any_permission(self.request).filter(
+ organizer=self.request.organizer
+ )
+
+ return qs.prefetch_related(
+ 'meta_values', 'meta_values__property'
+ )
 def perform_update(self, serializer):
 current_live_value = serializer.instance.live
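Review bot: In `get_queryset`, the token branch is not restricted to `self.request.organizer` the way the user branch is, and `qs` is never assigned when neither branch matches. If `team.get_events_with_any_permission()` can return events outside the organizer named in the URL, or the permission check on `EventViewSet` (declared outside this hunk) does not tie the token's team to that organizer, the list could expose another organizer's events. Adding `.filter(organizer=self.request.organizer)` to the token branch makes the scoping explicit and symmetric. For the fall-through, a request that is neither token-authenticated nor an authenticated user raises `UnboundLocalError` at `return qs.prefetch_related(...)` and surfaces as a 500; failing closed with `else: qs = Event.objects.none()` would be safer. A one-line comment above the branches noting that this queryset is the authorization boundary for the list endpoint would help the next reader.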