Refs #314 -- Read-only REST API (#513)

* initial commit * API auth * Hierarchical URLs * Add session auth * Strong hierarchy * Add filters * Add i18n fields, questions * More viewsets and serializers * Ticket download * Add OrderPosition serializer * View-level permissions * More tests * More tests * Add basic API docs * Add REST API to docs frontpage * Tests for order endpoints * Add invoice tests * Voucher and waitinglist tests * Doc draft * order docs * Docs on all viewsets * Disable DRF docs, style sphinx, style browsable API * Fix tests * deprecated imports * Test foo * Attendee names * Fix migration problems * Remove browsable API, plugin integration * Doc fixes
2026-05-04 15:04:03 +00:00 · 2017-06-19 11:16:04 +02:00
parent 6df3a7d4b5
commit b2d4bea1d0
71 changed files with 4213 additions and 59 deletions
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -161,6 +161,9 @@ def _merge_csp(a, b):


 class SecurityMiddleware(MiddlewareMixin):
+    CSP_EXEMPT = (
+        '/api/v1/docs/',
+    )

    def process_response(self, request, resp):
        if settings.DEBUG and resp.status_code >= 400:
@@ -199,6 +202,7 @@ class SecurityMiddleware(MiddlewareMixin):
            else:
                staticdomain += " " + settings.SITE_URL
                dynamicdomain += " " + settings.SITE_URL
+
        if hasattr(request, 'organizer') and request.organizer:
            domain = get_domain(request.organizer)
            if domain:
@@ -207,5 +211,6 @@ class SecurityMiddleware(MiddlewareMixin):
                    domain = '%s:%d' % (domain, siteurlsplit.port)
                dynamicdomain += " " + domain

-        resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
+        if request.path not in self.CSP_EXEMPT:
+            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
        return resp
--- a/src/pretix/base/migrations/0062_auto_20170602_0948.py
+++ b/src/pretix/base/migrations/0062_auto_20170602_0948.py
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-06-02 09:48
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import pretix.base.models.organizer
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0061_auto_20170521_0942'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='TeamAPIToken',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=190)),
+                ('active', models.BooleanField(default=True)),
+                ('token', models.CharField(default=pretix.base.models.organizer.generate_api_token, max_length=64)),
+                ('team', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='tokens', to='pretixbase.Team')),
+            ],
+        ),
+    ]
--- a/src/pretix/base/models/invoices.py
+++ b/src/pretix/base/models/invoices.py
@@ -1,8 +1,8 @@
 import string
-from datetime import date
 from decimal import Decimal

 from django.db import DatabaseError, models, transaction
+from django.utils import timezone
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property

@@ -15,6 +15,10 @@ def invoice_filename(instance, filename: str) -> str:
    )


+def today():
+    return timezone.now().date()
+
+
 class Invoice(models.Model):
    """
    Represents an invoice that is issued because of an order. Because invoices are legally required
@@ -56,7 +60,7 @@ class Invoice(models.Model):
    refers = models.ForeignKey('Invoice', related_name='refered', null=True, blank=True)
    invoice_from = models.TextField()
    invoice_to = models.TextField()
-    date = models.DateField(default=date.today)
+    date = models.DateField(default=today)
    locale = models.CharField(max_length=50, default='en')
    introductory_text = models.TextField(blank=True)
    additional_text = models.TextField(blank=True)
--- a/src/pretix/base/models/organizer.py
+++ b/src/pretix/base/models/organizer.py
@@ -72,6 +72,10 @@ def generate_invite_token():
    return get_random_string(length=32, allowed_chars=string.ascii_lowercase + string.digits)


+def generate_api_token():
+    return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
+
+
 class Team(LoggedModel):
    """
    A team is a collection of people given certain access rights to one or more events of an organizer.
@@ -175,6 +179,10 @@ class Team(LoggedModel):
        else:
            return self.limit_events.filter(pk=event.pk).exists()

+    @property
+    def active_tokens(self):
+        return self.tokens.filter(active=True)
+
    class Meta:
        verbose_name = _("Team")
        verbose_name_plural = _("Teams")
@@ -200,3 +208,81 @@ class TeamInvite(models.Model):
        return _("Invite to team '{team}' for '{email}'").format(
            team=str(self.team), email=self.email
        )
+
+
+class TeamAPIToken(models.Model):
+    """
+    A TeamAPIToken represents an API token that has the same access level as the team it belongs to.
+
+    :param team: The team the person is invited to
+    :type team: Team
+    :param name: A human-readable name for the token
+    :type name: str
+    :param active: Whether or not this token is active
+    :type active: bool
+    :param token: The secret required to submit to the API
+    :type token: str
+    """
+    team = models.ForeignKey(Team, related_name="tokens", on_delete=models.CASCADE)
+    name = models.CharField(max_length=190)
+    active = models.BooleanField(default=True)
+    token = models.CharField(default=generate_api_token, max_length=64)
+
+    def get_event_permission_set(self, organizer, event) -> set:
+        """
+        Gets a set of permissions (as strings) that a token holds for a particular event
+
+        :param organizer: The organizer of the event
+        :param event: The event to check
+        :return: set of permissions
+        """
+        has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
+            event in self.team.limit_events.all()
+        )
+        return self.team.permission_set() if has_event_access else set()
+
+    def get_organizer_permission_set(self, organizer) -> set:
+        """
+        Gets a set of permissions (as strings) that a token holds for a particular organizer
+
+        :param organizer: The organizer of the event
+        :return: set of permissions
+        """
+        return self.team.permission_set() if self.team.organizer == organizer else set()
+
+    def has_event_permission(self, organizer, event, perm_name=None) -> bool:
+        """
+        Checks if this token is part of a team that grants access of type ``perm_name``
+        to the event ``event``.
+
+        :param organizer: The organizer of the event
+        :param event: The event to check
+        :param perm_name: The permission, e.g. ``can_change_teams``
+        :return: bool
+        """
+        has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
+            event in self.team.limit_events.all()
+        )
+        return has_event_access and (not perm_name or self.team.has_permission(perm_name))
+
+    def has_organizer_permission(self, organizer, perm_name=None):
+        """
+        Checks if this token is part of a team that grants access of type ``perm_name``
+        to the organizer ``organizer``.
+
+        :param organizer: The organizer to check
+        :param perm_name: The permission, e.g. ``can_change_teams``
+        :return: bool
+        """
+        return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
+
+    def get_events_with_any_permission(self):
+        """
+        Returns a queryset of events the token has any permissions to.
+
+        :return: Iterable of Events
+        """
+        if self.team.all_events:
+            return self.team.organizer.events.all()
+        else:
+            return self.team.limit_events.all()
--- a/src/pretix/base/services/invoices.py
+++ b/src/pretix/base/services/invoices.py
@@ -1,14 +1,13 @@
 import copy
 import tempfile
 from collections import defaultdict
-from datetime import date
 from decimal import Decimal

 from django.contrib.staticfiles import finders
 from django.core.files.base import ContentFile
 from django.db import transaction
+from django.utils import timezone
 from django.utils.formats import date_format, localize
-from django.utils.timezone import now
 from django.utils.translation import pgettext, ugettext as _
 from i18nfield.strings import LazyI18nString
 from reportlab.lib import pagesizes
@@ -108,7 +107,7 @@ def generate_cancellation(invoice: Invoice):
    cancellation.invoice_no = None
    cancellation.refers = invoice
    cancellation.is_cancellation = True
-    cancellation.date = date.today()
+    cancellation.date = timezone.now().date()
    cancellation.payment_provider_text = ''
    cancellation.save()

@@ -135,7 +134,7 @@ def generate_invoice(order: Order):
    invoice = Invoice(
        order=order,
        event=order.event,
-        date=date.today(),
+        date=timezone.now().date(),
        locale=locale
    )
    invoice = build_invoice(invoice)
@@ -430,11 +429,11 @@ def build_preview_invoice_pdf(event):
        locale = event.settings.locale

    with rolledback_transaction(), language(locale):
-        order = event.orders.create(status=Order.STATUS_PENDING, datetime=now(),
-                                    expires=now(), code="PREVIEW", total=119)
+        order = event.orders.create(status=Order.STATUS_PENDING, datetime=timezone.now(),
+                                    expires=timezone.now(), code="PREVIEW", total=119)
        invoice = Invoice(
            order=order, event=event, invoice_no="PREVIEW",
-            date=date.today(), locale=locale
+            date=timezone.now().date(), locale=locale
        )
        invoice.invoice_from = event.settings.get('invoice_address_from')

--- a/src/pretix/base/services/tickets.py
+++ b/src/pretix/base/services/tickets.py
@@ -1,4 +1,5 @@
 import os
+from datetime import timedelta

 from django.core.files.base import ContentFile
 from django.utils.timezone import now
@@ -85,3 +86,43 @@ def preview(event: int, provider: str):
            prov = response(event)
            if prov.identifier == provider:
                return prov.generate(p)
+
+
+def get_cachedticket_for_position(pos, identifier):
+    try:
+        ct = CachedTicket.objects.filter(
+            order_position=pos, provider=identifier
+        ).last()
+    except CachedTicket.DoesNotExist:
+        ct = None
+
+    if not ct:
+        ct = CachedTicket.objects.create(
+            order_position=pos, provider=identifier,
+            extension='', type='', file=None)
+        generate.apply_async(args=(pos.id, identifier))
+
+    if not ct.file:
+        if now() - ct.created > timedelta(minutes=5):
+            generate.apply_async(args=(pos.id, identifier))
+    return ct
+
+
+def get_cachedticket_for_order(order, identifier):
+    try:
+        ct = CachedCombinedTicket.objects.filter(
+            order=order, provider=identifier
+        ).last()
+    except CachedCombinedTicket.DoesNotExist:
+        ct = None
+
+    if not ct:
+        ct = CachedCombinedTicket.objects.create(
+            order=order, provider=identifier,
+            extension='', type='', file=None)
+        generate_order.apply_async(args=(order.id, identifier))
+
+    if not ct.file:
+        if now() - ct.created > timedelta(minutes=5):
+            generate_order.apply_async(args=(order.id, identifier))
+    return ct