Fix pretix_event_access (custom domain) sessions for staff users (#4158)

Mira
2024-05-21 13:26:12 +02:00
committed by GitHub
parent e95d551711
commit 9a807df158
2 changed files with 11 additions and 5 deletions


@@ -418,18 +418,22 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
else:
return set()
def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
"""
Checks if this user is part of any team that grants access of type ``perm_name``
to the event ``event``.
Either ``request`` or ``session_key`` are required to detect staff sessions properly.
:param organizer: The organizer of the event
:param event: The event to check
:param perm_name: The permission, e.g. ``can_change_teams``
:param request: The current request (optional). Required to detect staff sessions properly.
:param request: The current request (optional)
:param session_key: The current session key (optional)
:return: bool
"""
if request and self.has_active_staff_session(request.session.session_key):
assert not (session_key and request)
if (session_key or request) and self.has_active_staff_session(session_key or request.session.session_key):
return True
teams = self._get_teams_for_event(organizer, event)
if teams:
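Review bot: The `assert not (session_key and request)` guard in `has_event_permission` sits on an authorization path and is stripped when Python runs with `-O`, after which a caller passing both arguments silently gets the staff-session check against `session_key` alone. An explicit raise keeps the contract enforced, e.g. `if session_key and request: raise ValueError('pass either request or session_key, not both')`. The docstring should also say which session each argument refers to, for instance `:param session_key: Key of the session to check for an active staff session, for callers whose request session is not the one the staff session was started in`. The method body continues past the end of the hunk.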


@@ -327,14 +327,16 @@ def _detect_event(request, require_live=True, require_plugin=None):
)
)
if not can_access and 'pretix_event_access_{}'.format(request.event.pk) in request.session:
sparent = SessionStore(request.session.get('pretix_event_access_{}'.format(request.event.pk)))
parent_session_key = request.session.get('pretix_event_access_{}'.format(request.event.pk))
sparent = SessionStore(parent_session_key)
try:
parentdata = sparent.load()
except:
pass
else:
user = _get_user_from_session_data(parentdata)
if user and user.is_authenticated and user.has_event_permission(request.organizer, request.event, request=request):
if user and user.is_authenticated and user.has_event_permission(
request.organizer, request.event, session_key=parent_session_key):
can_access = True
request.event_access_user = user
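Review bot: The switch from `request=request` to `session_key=parent_session_key` in `_detect_event` carries no comment explaining why, and the reason is not obvious from the call; presumably the staff session is recorded against the parent session rather than the custom-domain session held in `request.session`. A line such as `# Staff sessions are tied to the parent session, not this domain's session, so check against the parent key` above the call would stop a later cleanup from reverting it. The key `'pretix_event_access_{}'.format(request.event.pk)` is now built twice within two lines and could be held in a local. Separately, the unchanged bare `except: pass` around `sparent.load()` hides every failure to load the parent session, so a narrower exception plus a log line would help when access is unexpectedly denied. The function starts and ends outside the hunk.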