Allow users with can_checkin_orders permission to use the bulk actions of the check-in list view

src/tests/control/test_checkins.py

@@ -307,6 +307,26 @@ def test_manual_checkins(client, checkin_list_env):
     ).exists()
 
 
+@pytest.mark.django_db
+def test_manual_checkins_revert_requires_order_change_permission(client, checkin_list_env):
+    client.login(email='dummy@dummy.dummy', password='dummy')
+    with scopes_disabled():
+        assert not checkin_list_env[5][3].checkins.exists()
+        Team.objects.update(can_change_orders=False, can_checkin_orders=True)
+    client.post('/control/event/dummy/dummy/checkinlists/{}/bulk_action'.format(checkin_list_env[6].pk), {
+        'checkin': [checkin_list_env[5][3].pk]
+    })
+    with scopes_disabled():
+        assert checkin_list_env[5][3].checkins.exists()
+    r = client.post('/control/event/dummy/dummy/checkinlists/{}/bulk_action'.format(checkin_list_env[6].pk), {
+        'checkin': [checkin_list_env[5][3].pk],
+        'revert': 'true'
+    })
+    assert r.status_code == 403
+    with scopes_disabled():
+        assert checkin_list_env[5][3].checkins.exists()
+
+
 @pytest.mark.django_db
 def test_manual_checkins_revert(client, checkin_list_env):
     client.login(email='dummy@dummy.dummy', password='dummy')

src/tests/control/test_permissions.py

@@ -386,6 +386,7 @@ event_permission_urls = [
     ("can_view_orders", "checkinlists/", 200, HTTP_GET),
     ("can_view_orders", "checkinlists/1/", 404, HTTP_GET),
     ("can_change_orders", "checkinlists/1/bulk_action", 404, HTTP_POST),
+    ("can_checkin_orders", "checkinlists/1/bulk_action", 404, HTTP_POST),
     ("can_change_event_settings", "checkinlists/add", 200, HTTP_GET),
     ("can_change_event_settings", "checkinlists/1/change", 404, HTTP_GET),
     ("can_change_event_settings", "checkinlists/1/delete", 404, HTTP_GET),