Add auditable superuser mode (#824)

* Remove is_superuser everywhere * Session handling * List of sessions, relative timeout * Absolute timeout * Optionally pseudo-force audit comments * Fix failing tests * Add tests * Add docs * Rebsae migration * Typos * Fix tests
2026-05-04 15:04:03 +00:00 · 2018-03-28 14:16:58 +02:00
parent 558c920181
commit a284e0c2f7
56 changed files with 965 additions and 130 deletions
--- a/src/pretix/control/forms/filter.py
+++ b/src/pretix/control/forms/filter.py
@@ -234,7 +234,7 @@ class OrderSearchFilterForm(OrderFilterForm):
    def __init__(self, *args, **kwargs):
        request = kwargs.pop('request')
        super().__init__(*args, **kwargs)
-        if request.user.is_superuser:
+        if request.user.has_active_staff_session(request.session.session_key):
            self.fields['organizer'].queryset = Organizer.objects.all()
        else:
            self.fields['organizer'].queryset = Organizer.objects.filter(
@@ -393,7 +393,7 @@ class EventFilterForm(FilterForm):
    def __init__(self, *args, **kwargs):
        request = kwargs.pop('request')
        super().__init__(*args, **kwargs)
-        if request.user.is_superuser:
+        if request.user.has_active_staff_session(request.session.session_key):
            self.fields['organizer'].queryset = Organizer.objects.all()
        else:
            self.fields['organizer'].queryset = Organizer.objects.filter(
@@ -583,9 +583,9 @@ class UserFilterForm(FilterForm):
            qs = qs.filter(is_active=False)

        if fdata.get('superuser') == 'yes':
-            qs = qs.filter(is_superuser=True)
+            qs = qs.filter(is_staff=True)
        elif fdata.get('superuser') == 'no':
-            qs = qs.filter(is_superuser=False)
+            qs = qs.filter(is_staff=False)

        if fdata.get('query'):
            qs = qs.filter(
--- a/src/pretix/control/forms/users.py
+++ b/src/pretix/control/forms/users.py
@@ -8,6 +8,13 @@ from django.utils.translation import ugettext_lazy as _
 from pytz import common_timezones

 from pretix.base.models import User
+from pretix.base.models.auth import StaffSession
+
+
+class StaffSessionForm(forms.ModelForm):
+    class Meta:
+        model = StaffSession
+        fields = ['comment']


 class UserEditForm(forms.ModelForm):
@@ -41,7 +48,7 @@ class UserEditForm(forms.ModelForm):
            'email',
            'require_2fa',
            'is_active',
-            'is_superuser'
+            'is_staff'
        ]

    def __init__(self, *args, **kwargs):