mirror of
https://github.com/pretix/pretix.git
synced 2026-05-08 15:44:02 +00:00
Add auditable superuser mode (#824)
* Remove is_superuser everywhere * Session handling * List of sessions, relative timeout * Absolute timeout * Optionally pseudo-force audit comments * Fix failing tests * Add tests * Add docs * Rebsae migration * Typos * Fix tests
This commit is contained in:
Raphael Michel
@@ -248,12 +248,13 @@ def event_index(request, organizer, event):
|
||||
for r, result in event_dashboard_widgets.send(sender=request.event, subevent=subevent):
|
||||
widgets.extend(result)
|
||||
|
||||
can_change_orders = request.user.has_event_permission(request.organizer, request.event, 'can_change_orders')
|
||||
can_change_orders = request.user.has_event_permission(request.organizer, request.event, 'can_change_orders',
|
||||
request=request)
|
||||
qs = request.event.logentry_set.all().select_related('user', 'content_type').order_by('-datetime')
|
||||
qs = qs.exclude(action_type__in=OVERVIEW_BLACKLIST)
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_view_orders'):
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_view_orders', request=request):
|
||||
qs = qs.exclude(content_type=ContentType.objects.get_for_model(Order))
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_view_vouchers'):
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_view_vouchers', request=request):
|
||||
qs = qs.exclude(content_type=ContentType.objects.get_for_model(Voucher))
|
||||
|
||||
a_qs = request.event.requiredaction_set.filter(done=False)
|
||||
@@ -271,7 +272,7 @@ def event_index(request, organizer, event):
|
||||
return render(request, 'pretixcontrol/event/index.html', ctx)
|
||||
|
||||
|
||||
def annotated_event_query(user):
|
||||
def annotated_event_query(request):
|
||||
active_orders = Order.objects.filter(
|
||||
event=OuterRef('pk'),
|
||||
status__in=[Order.STATUS_PENDING, Order.STATUS_PAID]
|
||||
@@ -285,7 +286,7 @@ def annotated_event_query(user):
|
||||
event=OuterRef('pk'),
|
||||
done=False
|
||||
)
|
||||
qs = user.get_events_with_any_permission().annotate(
|
||||
qs = request.user.get_events_with_any_permission(request).annotate(
|
||||
order_count=Subquery(active_orders, output_field=IntegerField()),
|
||||
has_ra=Exists(required_actions)
|
||||
).annotate(
|
||||
@@ -299,7 +300,7 @@ def annotated_event_query(user):
|
||||
return qs
|
||||
|
||||
|
||||
def widgets_for_event_qs(qs, user, nmax):
|
||||
def widgets_for_event_qs(request, qs, user, nmax):
|
||||
widgets = []
|
||||
|
||||
# Get set of events where we have the permission to show the # of orders
|
||||
@@ -370,7 +371,7 @@ def widgets_for_event_qs(qs, user, nmax):
|
||||
orders_text=ungettext('{num} order', '{num} orders', event.order_count or 0).format(
|
||||
num=event.order_count or 0
|
||||
)
|
||||
) if user.is_superuser or event.pk in events_with_orders else ''
|
||||
) if user.has_active_staff_session(request.session.session_key) or event.pk in events_with_orders else ''
|
||||
),
|
||||
daterange=dr,
|
||||
status=status[1],
|
||||
@@ -402,7 +403,8 @@ def user_index(request):
|
||||
ctx = {
|
||||
'widgets': rearrange(widgets),
|
||||
'upcoming': widgets_for_event_qs(
|
||||
annotated_event_query(request.user).filter(
|
||||
request,
|
||||
annotated_event_query(request).filter(
|
||||
Q(has_subevents=False) &
|
||||
Q(
|
||||
Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
|
||||
@@ -413,7 +415,8 @@ def user_index(request):
|
||||
7
|
||||
),
|
||||
'past': widgets_for_event_qs(
|
||||
annotated_event_query(request.user).filter(
|
||||
request,
|
||||
annotated_event_query(request).filter(
|
||||
Q(has_subevents=False) &
|
||||
Q(
|
||||
Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
|
||||
@@ -424,7 +427,8 @@ def user_index(request):
|
||||
8
|
||||
),
|
||||
'series': widgets_for_event_qs(
|
||||
annotated_event_query(request.user).filter(
|
||||
request,
|
||||
annotated_event_query(request).filter(
|
||||
has_subevents=True
|
||||
).order_by('-order_to'),
|
||||
request.user,
|
||||
|
||||
@@ -212,7 +212,7 @@ class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, Templat
|
||||
module = key.split(":")[1]
|
||||
if value == "enable" and module in plugins_available:
|
||||
if getattr(plugins_available[module], 'restricted', False):
|
||||
if not request.user.is_superuser:
|
||||
if not request.user.has_active_staff_session(request.session.session_key):
|
||||
continue
|
||||
|
||||
if hasattr(plugins_available[module].app, 'installed'):
|
||||
@@ -854,9 +854,11 @@ class EventLog(EventPermissionRequiredMixin, ListView):
|
||||
def get_queryset(self):
|
||||
qs = self.request.event.logentry_set.all().select_related('user', 'content_type').order_by('-datetime')
|
||||
qs = qs.exclude(action_type__in=OVERVIEW_BLACKLIST)
|
||||
if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_orders'):
|
||||
if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_orders',
|
||||
request=self.request):
|
||||
qs = qs.exclude(content_type=ContentType.objects.get_for_model(Order))
|
||||
if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_vouchers'):
|
||||
if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_vouchers',
|
||||
request=self.request):
|
||||
qs = qs.exclude(content_type=ContentType.objects.get_for_model(Voucher))
|
||||
|
||||
if self.request.GET.get('user') == 'yes':
|
||||
|
||||
@@ -8,7 +8,9 @@ from pretix.base.settings import GlobalSettingsObject
|
||||
from pretix.control.forms.global_settings import (
|
||||
GlobalSettingsForm, UpdateSettingsForm,
|
||||
)
|
||||
from pretix.control.permissions import AdministratorPermissionRequiredMixin
|
||||
from pretix.control.permissions import (
|
||||
AdministratorPermissionRequiredMixin, StaffMemberRequiredMixin,
|
||||
)
|
||||
|
||||
|
||||
class GlobalSettingsView(AdministratorPermissionRequiredMixin, FormView):
|
||||
@@ -28,7 +30,7 @@ class GlobalSettingsView(AdministratorPermissionRequiredMixin, FormView):
|
||||
return reverse('control:global.settings')
|
||||
|
||||
|
||||
class UpdateCheckView(AdministratorPermissionRequiredMixin, FormView):
|
||||
class UpdateCheckView(StaffMemberRequiredMixin, FormView):
|
||||
template_name = 'pretixcontrol/global_update.html'
|
||||
form_class = UpdateSettingsForm
|
||||
|
||||
|
||||
@@ -31,7 +31,7 @@ class EventList(PaginationMixin, ListView):
|
||||
template_name = 'pretixcontrol/events/index.html'
|
||||
|
||||
def get_queryset(self):
|
||||
qs = self.request.user.get_events_with_any_permission().select_related('organizer').prefetch_related(
|
||||
qs = self.request.user.get_events_with_any_permission(self.request).select_related('organizer').prefetch_related(
|
||||
'_settings_objects', 'organizer___settings_objects'
|
||||
).order_by('-date_from')
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ class OrganizerList(PaginationMixin, ListView):
|
||||
qs = Organizer.objects.all()
|
||||
if self.filter_form.is_valid():
|
||||
qs = self.filter_form.filter_qs(qs)
|
||||
if self.request.user.is_superuser:
|
||||
if self.request.user.has_active_staff_session(self.request.session.session_key):
|
||||
return qs
|
||||
else:
|
||||
return qs.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
|
||||
@@ -219,7 +219,7 @@ class OrganizerUpdate(OrganizerPermissionRequiredMixin, UpdateView):
|
||||
|
||||
def get_form_kwargs(self):
|
||||
kwargs = super().get_form_kwargs()
|
||||
if self.request.user.is_superuser:
|
||||
if self.request.user.has_active_staff_session(self.request.session.session_key):
|
||||
kwargs['domain'] = True
|
||||
return kwargs
|
||||
|
||||
@@ -271,7 +271,7 @@ class OrganizerCreate(CreateView):
|
||||
context_object_name = 'organizer'
|
||||
|
||||
def dispatch(self, request, *args, **kwargs):
|
||||
if not request.user.is_superuser:
|
||||
if not request.user.has_active_staff_session(self.request.session.session_key):
|
||||
raise PermissionDenied() # TODO
|
||||
return super().dispatch(request, *args, **kwargs)
|
||||
|
||||
|
||||
@@ -24,7 +24,7 @@ class OrderSearch(PaginationMixin, ListView):
|
||||
|
||||
def get_queryset(self):
|
||||
qs = Order.objects.select_related('invoice_address')
|
||||
if not self.request.user.is_superuser:
|
||||
if not self.request.user.has_active_staff_session(self.request.session.session_key):
|
||||
qs = qs.filter(
|
||||
Q(event__organizer_id__in=self.request.user.teams.filter(
|
||||
all_events=True, can_view_orders=True).values_list('organizer', flat=True))
|
||||
|
||||
@@ -18,7 +18,7 @@ def event_list(request):
|
||||
page = int(request.GET.get('page', '1'))
|
||||
except ValueError:
|
||||
page = 1
|
||||
qs = request.user.get_events_with_any_permission().filter(
|
||||
qs = request.user.get_events_with_any_permission(request).filter(
|
||||
Q(name__icontains=i18ncomp(query)) | Q(slug__icontains=query) |
|
||||
Q(organizer__name__icontains=i18ncomp(query)) | Q(organizer__slug__icontains=query)
|
||||
).annotate(
|
||||
@@ -107,7 +107,7 @@ def organizer_select2(request):
|
||||
qs = Organizer.objects.all()
|
||||
if term:
|
||||
qs = qs.filter(Q(name__icontains=term) | Q(slug__icontains=term))
|
||||
if not request.user.is_superuser:
|
||||
if not request.user.has_active_staff_session(request.session.session_key):
|
||||
qs = qs.filter(pk__in=request.user.teams.values_list('organizer', flat=True))
|
||||
|
||||
total = qs.count()
|
||||
@@ -130,7 +130,7 @@ def organizer_select2(request):
|
||||
|
||||
|
||||
def users_select2(request):
|
||||
if not request.user.is_superuser:
|
||||
if not request.user.has_active_staff_session(request.session.session_key):
|
||||
raise PermissionDenied()
|
||||
|
||||
term = request.GET.get('query', '')
|
||||
|
||||
@@ -12,8 +12,10 @@ from django.shortcuts import get_object_or_404, redirect
|
||||
from django.utils.crypto import get_random_string
|
||||
from django.utils.functional import cached_property
|
||||
from django.utils.http import is_safe_url
|
||||
from django.utils.timezone import now
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.views.generic import FormView, TemplateView, UpdateView
|
||||
from django.views import View
|
||||
from django.views.generic import FormView, ListView, TemplateView, UpdateView
|
||||
from django_otp.plugins.otp_static.models import StaticDevice
|
||||
from django_otp.plugins.otp_totp.models import TOTPDevice
|
||||
from u2flib_server import u2f
|
||||
@@ -21,7 +23,12 @@ from u2flib_server.jsapi import DeviceRegistration
|
||||
|
||||
from pretix.base.forms.user import User2FADeviceAddForm, UserSettingsForm
|
||||
from pretix.base.models import Event, NotificationSetting, U2FDevice, User
|
||||
from pretix.base.models.auth import StaffSession
|
||||
from pretix.base.notifications import get_all_notification_types
|
||||
from pretix.control.forms.users import StaffSessionForm
|
||||
from pretix.control.permissions import (
|
||||
AdministratorPermissionRequiredMixin, StaffMemberRequiredMixin,
|
||||
)
|
||||
from pretix.control.views.auth import get_u2f_appid
|
||||
|
||||
REAL_DEVICE_TYPES = (TOTPDevice, U2FDevice)
|
||||
@@ -472,3 +479,67 @@ class UserNotificationsEditView(TemplateView):
|
||||
if self.event:
|
||||
ctx['permset'] = self.request.user.get_event_permission_set(self.event.organizer, self.event)
|
||||
return ctx
|
||||
|
||||
|
||||
class StartStaffSession(StaffMemberRequiredMixin, RecentAuthenticationRequiredMixin, TemplateView):
|
||||
template_name = 'pretixcontrol/user/staff_session_start.html'
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
if not request.user.has_active_staff_session(request.session.session_key):
|
||||
StaffSession.objects.create(
|
||||
user=request.user,
|
||||
session_key=request.session.session_key
|
||||
)
|
||||
|
||||
if "next" in request.GET and is_safe_url(request.GET.get("next")):
|
||||
return redirect(request.GET.get("next"))
|
||||
else:
|
||||
return redirect(reverse("control:index"))
|
||||
|
||||
|
||||
class StopStaffSession(StaffMemberRequiredMixin, View):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
session = StaffSession.objects.filter(
|
||||
date_end__isnull=True, session_key=request.session.session_key, user=request.user,
|
||||
).first()
|
||||
if not session:
|
||||
return redirect(reverse("control:index"))
|
||||
|
||||
session.date_end = now()
|
||||
session.save()
|
||||
return redirect(reverse("control:user.sudo.edit", kwargs={'id': session.pk}))
|
||||
|
||||
|
||||
class StaffSessionList(AdministratorPermissionRequiredMixin, ListView):
|
||||
context_object_name = 'sessions'
|
||||
template_name = 'pretixcontrol/user/staff_session_list.html'
|
||||
paginate_by = 25
|
||||
model = StaffSession
|
||||
|
||||
def get_queryset(self):
|
||||
return StaffSession.objects.select_related('user').order_by('-date_start')
|
||||
|
||||
|
||||
class EditStaffSession(StaffMemberRequiredMixin, UpdateView):
|
||||
context_object_name = 'session'
|
||||
template_name = 'pretixcontrol/user/staff_session_edit.html'
|
||||
form_class = StaffSessionForm
|
||||
|
||||
def get_success_url(self):
|
||||
return reverse("control:user.sudo.edit", kwargs={'id': self.object.pk})
|
||||
|
||||
def get_context_data(self, **kwargs):
|
||||
ctx = super().get_context_data(**kwargs)
|
||||
ctx['logs'] = self.object.logs.select_related('impersonating')
|
||||
return ctx
|
||||
|
||||
def form_valid(self, form):
|
||||
messages.success(self.request, _('Your comment has been saved.'))
|
||||
return super().form_valid(form)
|
||||
|
||||
def get_object(self, queryset=None):
|
||||
if self.request.user.has_active_staff_session(self.request.session.session_key):
|
||||
return get_object_or_404(StaffSession, pk=self.kwargs['id'])
|
||||
else:
|
||||
return get_object_or_404(StaffSession, pk=self.kwargs['id'], user=self.request.user)
|
||||
|
||||
@@ -112,7 +112,9 @@ class UserImpersonateView(AdministratorPermissionRequiredMixin, RecentAuthentica
|
||||
'other': self.kwargs.get("id"),
|
||||
'other_email': self.object.email
|
||||
})
|
||||
oldkey = request.session.session_key
|
||||
login_user(request, self.object)
|
||||
request.session['hijacker_session'] = oldkey
|
||||
return redirect(reverse('control:index'))
|
||||
|
||||
|
||||
@@ -120,7 +122,14 @@ class UserImpersonateStopView(LoginRequiredMixin, View):
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
impersonated = request.user
|
||||
hijs = request.session['hijacker_session']
|
||||
release_hijack(request)
|
||||
ss = request.user.get_active_staff_session(hijs)
|
||||
if ss:
|
||||
request.session.save()
|
||||
ss.session_key = request.session.session_key
|
||||
ss.save()
|
||||
|
||||
request.user.log_action('pretix.control.auth.user.impersonate_stopped',
|
||||
user=request.user,
|
||||
data={
|
||||
|
||||
@@ -48,7 +48,8 @@ class WaitingListView(EventPermissionRequiredMixin, PaginationMixin, ListView):
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
if 'assign' in request.POST:
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders'):
|
||||
if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders',
|
||||
request=request):
|
||||
messages.error(request, _('You do not have permission to do this'))
|
||||
return redirect(reverse('control:event.orders.waitinglist', kwargs={
|
||||
'event': request.event.slug,
|
||||
|
||||
Reference in New Issue
Block a user