Add auditable superuser mode (#824)

* Remove is_superuser everywhere * Session handling * List of sessions, relative timeout * Absolute timeout * Optionally pseudo-force audit comments * Fix failing tests * Add tests * Add docs * Rebsae migration * Typos * Fix tests
2026-05-05 15:14:04 +00:00 · 2018-03-28 14:16:58 +02:00
parent 558c920181
commit a284e0c2f7
56 changed files with 965 additions and 130 deletions
--- a/src/pretix/plugins/banktransfer/signals.py
+++ b/src/pretix/plugins/banktransfer/signals.py
@@ -35,7 +35,7 @@ def control_nav_import(sender, request=None, **kwargs):
@receiver(nav_organizer, dispatch_uid="payment_banktransfer_organav")
 def control_nav_orga_import(sender, request=None, **kwargs):
    url = resolve(request.path_info)
-    if not request.user.has_organizer_permission(request.organizer, 'can_change_orders'):
+    if not request.user.has_organizer_permission(request.organizer, 'can_change_orders', request=request):
        return []
    if not request.organizer.events.filter(plugins__icontains='pretix.plugins.banktransfer'):
        return []
--- a/src/pretix/plugins/banktransfer/views.py
+++ b/src/pretix/plugins/banktransfer/views.py
@@ -488,7 +488,7 @@ class OrganizerActionView(OrganizerBanktransferView, OrganizerPermissionRequired
    def order_qs(self):
        all = self.request.user.teams.filter(organizer=self.request.organizer, can_change_orders=True,
                                             can_view_orders=True, all_events=True).exists()
-        if self.request.user.is_superuser or all:
+        if self.request.user.has_active_staff_session(self.request.session.session_key) or all:
            return Order.objects.filter(event__organizer=self.request.organizer)
        else:
            return Order.objects.filter(
--- a/src/pretix/plugins/pretixdroid/signals.py
+++ b/src/pretix/plugins/pretixdroid/signals.py
@@ -15,7 +15,7 @@ from pretix.control.signals import nav_event
@receiver(nav_event, dispatch_uid="pretixdroid_nav")
 def control_nav_import(sender, request=None, **kwargs):
    url = resolve(request.path_info)
-    if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders'):
+    if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders', request=request):
        return []
    return [
        {
--- a/src/pretix/plugins/sendmail/signals.py
+++ b/src/pretix/plugins/sendmail/signals.py
@@ -9,7 +9,7 @@ from pretix.control.signals import nav_event
@receiver(nav_event, dispatch_uid="sendmail_nav")
 def control_nav_import(sender, request=None, **kwargs):
    url = resolve(request.path_info)
-    if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders'):
+    if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders', request=request):
        return []
    return [
        {
--- a/src/pretix/plugins/statistics/signals.py
+++ b/src/pretix/plugins/statistics/signals.py
@@ -9,7 +9,7 @@ from pretix.control.signals import nav_event
@receiver(nav_event, dispatch_uid="statistics_nav")
 def control_nav_import(sender, request=None, **kwargs):
    url = resolve(request.path_info)
-    if not request.user.has_event_permission(request.organizer, request.event, 'can_view_orders'):
+    if not request.user.has_event_permission(request.organizer, request.event, 'can_view_orders', request=request):
        return []
    return [
        {