API: Allow to whiteliste fields for the orders resource

2026-05-04 15:04:03 +00:00 · 2022-11-28 10:57:12 +01:00
parent 0a30fa70da
commit b72dc0ce8e
4 changed files with 81 additions and 0 deletions
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -622,6 +622,23 @@ class OrderSerializer(I18nAwareModelSerializer):
        if not self.context['pdf_data']:
            self.fields['positions'].child.fields.pop('pdf_data', None)

+        includes = set(self.context['include'])
+        if includes:
+            for fname, field in list(self.fields.items()):
+                if fname in includes:
+                    continue
+                elif hasattr(field, 'child'):
+                    found_any = False
+                    for childfname, childfield in list(field.child.fields.items()):
+                        if f'{fname}.{childfname}' not in includes:
+                            field.child.fields.pop(childfname)
+                        else:
+                            found_any = True
+                    if not found_any:
+                        self.fields.pop(fname)
+                else:
+                    self.fields.pop(fname)
+
        for exclude_field in self.context['exclude']:
            p = exclude_field.split('.')
            if p[0] in self.fields: