Add proper permission handling for exports

src/pretix/control/views/orders.py

@@ -92,7 +92,9 @@ from pretix.base.payment import PaymentException
 from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.cancelevent import cancel_event
-from pretix.base.services.export import export, scheduled_event_export
+from pretix.base.services.export import (
+    export, init_event_exporters, scheduled_event_export,
+)
 from pretix.base.services.invoices import (
     generate_cancellation, generate_invoice, invoice_pdf, invoice_pdf_task,
     invoice_qualified, regenerate_invoice, transmit_invoice,
@@ -111,9 +113,7 @@ from pretix.base.services.tax import (
     VATIDFinalError, VATIDTemporaryError, validate_vat_id,
 )
 from pretix.base.services.tickets import generate
-from pretix.base.signals import (
-    order_modified, register_data_exporters, register_ticket_outputs,
-)
+from pretix.base.signals import order_modified, register_ticket_outputs
 from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.rich_text import markdown_compile_email
 from pretix.base.views.mixins import OrderQuestionsViewMixin
@@ -2660,12 +2660,7 @@ class OrderGo(EventPermissionRequiredMixin, View):
 class ExportMixin:
     @cached_property
     def exporters(self):
-        responses = register_data_exporters.send(self.request.event)
-        raw_exporters = [response(self.request.event, self.request.organizer) for r, response in responses if response]
-        raw_exporters = [
-            ex for ex in raw_exporters
-            if ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
-        ]
+        raw_exporters = list(init_event_exporters(self.request.event, user=self.request.user, request=self.request))
         return sorted(
             raw_exporters,
             key=lambda ex: (0 if ex.category else 1, ex.category or "", 0 if ex.featured else 1, str(ex.verbose_name).lower())
@@ -2737,7 +2732,7 @@ class ExportMixin:
 
 
 class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, TemplateView):
-    permission = 'event.orders:read'
+    permission = None
     known_errortypes = ['ExportError', 'ExportEmptyError']
     task = export
     template_name = 'pretixcontrol/orders/export_form.html'
@@ -2782,11 +2777,20 @@ class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, Templ
         cf.date = now()
         cf.expires = now() + timedelta(hours=24)
         cf.save()
-        return self.do(self.request.event.id, str(cf.id), self.exporter.identifier, data)
+        return self.do(
+            self.request.event.id,
+            user=self.request.user.id,
+            fileid=str(cf.id),
+            provider=self.exporter.identifier,
+            device=None,
+            token=None,
+            form_data=data,
+            staff_session=self.request.user.has_active_staff_session(self.request.session.session_key)
+        )
 
 
 class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
-    permission = 'event.orders:read'
+    permission = None
     paginate_by = 25
     context_object_name = 'scheduled'
 
@@ -2906,7 +2910,7 @@ class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
 
 
 class DeleteScheduledExportView(EventPermissionRequiredMixin, ExportMixin, CompatDeleteView):
-    permission = 'event.orders:read'
+    permission = None
     template_name = 'pretixcontrol/orders/export_delete.html'
     context_object_name = 'export'
 

src/pretix/control/views/organizer.py

@@ -104,9 +104,10 @@ from pretix.base.plugins import (
     PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
     PLUGIN_LEVEL_ORGANIZER,
 )
-from pretix.base.services.export import multiexport, scheduled_organizer_export
+from pretix.base.services.export import (
+    init_organizer_exporters, multiexport, scheduled_organizer_export,
+)
 from pretix.base.services.mail import SendMailException, mail, prefix_subject
-from pretix.base.signals import register_multievent_data_exporters
 from pretix.base.templatetags.rich_text import markdown_compile_email
 from pretix.base.views.tasks import AsyncAction
 from pretix.control.forms.exports import ScheduledOrganizerExportForm
@@ -1982,7 +1983,7 @@ class ExportMixin:
                      )),
                     ('events',
                      forms.ModelMultipleChoiceField(
-                         queryset=self.events,
+                         queryset=ex.events,
                          widget=forms.CheckboxSelectMultiple(
                              attrs={
                                  'class': 'scrolling-multiple-choice',
@@ -1995,29 +1996,9 @@ class ExportMixin:
                 ])
             return ex
 
-    @cached_property
-    def events(self):
-        return self.request.user.get_events_with_permission('event.orders:read', request=self.request).filter(
-            organizer=self.request.organizer
-        )
-
     @cached_property
     def exporters(self):
-        responses = register_multievent_data_exporters.send(self.request.organizer)
-        raw_exporters = [
-            response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else self.events,
-                     self.request.organizer)
-            for r, response in responses
-            if response
-        ]
-        raw_exporters = [
-            ex for ex in raw_exporters
-            if (
-                not isinstance(ex, OrganizerLevelExportMixin) or
-                self.request.user.has_organizer_permission(self.request.organizer, ex.organizer_required_permission,
-                                                           self.request)
-            ) and ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
-        ]
+        raw_exporters = list(init_organizer_exporters(self.request.organizer, user=self.request.user, request=self.request))
         return sorted(
             raw_exporters,
             key=lambda ex: (
@@ -2208,11 +2189,17 @@ class ExportView(OrganizerPermissionRequiredMixin, ExportMixin, ListView):
         return self.get_scheduled_queryset()
 
     def has_permission(self):
-        if isinstance(self.exporter, OrganizerLevelExportMixin):
-            if not self.request.user.has_organizer_permission(self.request.organizer, self.exporter.organizer_required_permission):
+        # Check if permission exists even without staff session
+        if self.exporter:
+            if isinstance(self.exporter, OrganizerLevelExportMixin):
+                if not self.request.user.has_organizer_permission(self.request.organizer, self.exporter.get_required_organizer_permission()):
+                    return False
+            else:
+                permission_name = self.exporter.get_required_event_permission()
+                if not any(t.has_event_permission(permission_name) for t in self.request.user.teams.filter(organizer=self.request.organizer)):
+                    return False
+            if not self.exporter.available_for_user(self.request.user):
                 return False
-        if self.exporter and not self.exporter.available_for_user(self.request.user):
-            return False
         return True
 
     def get_context_data(self, **kwargs):