API: Add write operations to taxrules resource

src/pretix/api/views/event.py

@@ -1,11 +1,13 @@
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
+from rest_framework.exceptions import PermissionDenied
 
 from pretix.api.serializers.event import (
     EventSerializer, SubEventSerializer, TaxRuleSerializer,
 )
 from pretix.base.models import Event, ItemCategory, TaxRule
 from pretix.base.models.event import SubEvent
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class EventViewSet(viewsets.ReadOnlyModelViewSet):
@@ -36,10 +38,39 @@ class SubEventViewSet(viewsets.ReadOnlyModelViewSet):
         )
 
 
-class TaxRuleViewSet(viewsets.ReadOnlyModelViewSet):
+class TaxRuleViewSet(viewsets.ModelViewSet):
     serializer_class = TaxRuleSerializer
     queryset = TaxRule.objects.none()
     write_permission = 'can_change_event_settings'
 
     def get_queryset(self):
         return self.request.event.tax_rules.all()
+
+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This tax rule can not be deleted as it is currently in use.')
+
+        instance.log_action(
+            'pretix.event.taxrule.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/base/models/tax.py

@@ -81,6 +81,16 @@ class TaxRule(LoggedModel):
                     'if configured above.'),
     )
 
+    def allow_delete(self):
+        from pretix.base.models.orders import OrderFee, OrderPosition
+
+        return (
+            not OrderFee.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not OrderPosition.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not self.event.items.filter(tax_rule=self).exists()
+            and self.event.settings.tax_rate_default != self
+        )
+
     @classmethod
     def zero(cls):
         return cls(

src/pretix/control/views/event.py

@@ -26,10 +26,9 @@ from pytz import timezone
 
 from pretix.base.models import (
     CachedCombinedTicket, CachedTicket, Event, Item, ItemVariation, LogEntry,
-    Order, OrderPosition, RequiredAction, TaxRule, Voucher,
+    Order, RequiredAction, TaxRule, Voucher,
 )
 from pretix.base.models.event import EventMetaValue
-from pretix.base.models.orders import OrderFee
 from pretix.base.services import tickets
 from pretix.base.services.invoices import build_preview_invoice_pdf
 from pretix.base.signals import event_live_issues, register_ticket_outputs
@@ -972,7 +971,7 @@ class TaxDelete(EventSettingsViewMixin, EventPermissionRequiredMixin, DeleteView
     def delete(self, request, *args, **kwargs):
         self.object = self.get_object()
         success_url = self.get_success_url()
-        if self.is_allowed():
+        if self.object.allow_delete():
             self.object.log_action(action='pretix.event.taxrule.deleted', user=request.user)
             self.object.delete()
             messages.success(self.request, _('The selected tax rule has been deleted.'))
@@ -986,16 +985,7 @@ class TaxDelete(EventSettingsViewMixin, EventPermissionRequiredMixin, DeleteView
             'event': self.request.event.slug,
         })
 
-    def is_allowed(self) -> bool:
-        o = self.object
-        return (
-            not OrderFee.objects.filter(tax_rule=o, order__event=self.request.event).exists()
-            and not OrderPosition.objects.filter(tax_rule=o, order__event=self.request.event).exists()
-            and not self.request.event.items.filter(tax_rule=o).exists()
-            and self.request.event.settings.tax_rate_default != o
-        )
-
     def get_context_data(self, *args, **kwargs) -> dict:
         context = super().get_context_data(*args, **kwargs)
-        context['possible'] = self.is_allowed()
+        context['possible'] = self.object.allow_delete()
         return context

src/tests/api/conftest.py

@@ -38,6 +38,7 @@ def team(organizer):
     return Team.objects.create(
         organizer=organizer,
         can_change_items=True,
+        can_change_event_settings=True
     )
 
 

src/tests/api/test_permissions.py

@@ -26,6 +26,10 @@ event_permission_urls = [
     ('get', 'can_change_items', 'items/', 200),
     ('get', 'can_change_items', 'questions/', 200),
     ('get', 'can_change_items', 'quotas/', 200),
+    ('post', 'can_change_event_settings', 'taxrules/', 400),
+    ('put', 'can_change_event_settings', 'taxrules/1/', 404),
+    ('patch', 'can_change_event_settings', 'taxrules/1/', 404),
+    ('delete', 'can_change_event_settings', 'taxrules/1/', 404),
 ]
 
 

src/tests/api/test_taxrules.py

@@ -1,5 +1,9 @@
+from decimal import Decimal
+
 import pytest
 
+from pretix.base.models import TaxRule
+
 TEST_TAXRULE_RES = {
     'name': {'en': 'VAT'},
     'rate': '19.00',
@@ -26,3 +30,59 @@ def test_rule_detail(token_client, organizer, event, taxrule):
                                                                                   taxrule.pk))
     assert resp.status_code == 200
     assert res == resp.data
+
+
+@pytest.mark.django_db
+def test_rule_create(token_client, organizer, event):
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/taxrules/'.format(organizer.slug, event.slug),
+        {
+            "name": {"en": "VAT", "de": "MwSt"},
+            "rate": "19.00",
+            "price_includes_tax": True,
+            "eu_reverse_charge": False,
+            "home_country": "DE"
+        },
+        format='json'
+    )
+    assert resp.status_code == 201
+    rule = TaxRule.objects.get(pk=resp.data['id'])
+    assert rule.name.data == {"en": "VAT", "de": "MwSt"}
+    assert rule.rate == Decimal("19.00")
+    assert rule.price_includes_tax is True
+    assert rule.eu_reverse_charge is False
+    assert str(rule.home_country) == "DE"
+
+
+@pytest.mark.django_db
+def test_rule_update(token_client, organizer, event, taxrule):
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/events/{}/taxrules/{}/'.format(organizer.slug, event.slug, taxrule.pk),
+        {
+            "rate": "20.00",
+        },
+        format='json'
+    )
+    assert resp.status_code == 200
+    taxrule.refresh_from_db()
+    assert taxrule.rate == Decimal("20.00")
+    assert taxrule.all_logentries().last().action_type == 'pretix.event.taxrule.changed'
+
+
+@pytest.mark.django_db
+def test_rule_delete(token_client, organizer, event, taxrule):
+    resp = token_client.delete(
+        '/api/v1/organizers/{}/events/{}/taxrules/{}/'.format(organizer.slug, event.slug, taxrule.pk),
+    )
+    assert resp.status_code == 200
+    assert not event.taxrules.exists()
+
+
+@pytest.mark.django_db
+def test_rule_delete_forbidden(token_client, organizer, event, taxrule):
+    event.items.create(name="Budget Ticket", default_price=23, tax_rule=taxrule)
+    resp = token_client.delete(
+        '/api/v1/organizers/{}/events/{}/taxrules/{}/'.format(organizer.slug, event.slug, taxrule.pk),
+    )
+    assert resp.status_code == 403
+    assert event.taxrules.exists()