From bd48112bf961e29ad8b465b84b03d57f1c592f71 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Wed, 8 Aug 2018 09:24:42 +0200
Subject: [PATCH] Refs #710 -- Remove monkeypatch for django-hijack

---
 src/pretix/control/views/users.py | 82 +------------------------------
 src/requirements/production.txt   |  2 +-
 2 files changed, 3 insertions(+), 81 deletions(-)

diff --git a/src/pretix/control/views/users.py b/src/pretix/control/views/users.py
index e16682e6d9..757cc40947 100644
--- a/src/pretix/control/views/users.py
+++ b/src/pretix/control/views/users.py
@@ -1,16 +1,13 @@
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.auth import get_user_model
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.core.exceptions import PermissionDenied
-from django.http import HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect, resolve_url
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
-from django.utils.http import is_safe_url
 from django.utils.translation import ugettext_lazy as _
 from django.views import View
 from django.views.generic import ListView
+from hijack.helpers import login_user, release_hijack
 
 from pretix.base.models import User
 from pretix.base.services.mail import SendMailException
@@ -164,78 +161,3 @@ class UserCreateView(AdministratorPermissionRequiredMixin, RecentAuthenticationR
     def form_valid(self, form):
         messages.success(self.request, _('The new user has been created.'))
         return super().form_valid(form)
-
-
-# TODO: COMPAT methods: Remove after https://github.com/arteria/django-hijack/pull/178 is merged
-def login_user(request, hijacked):
-    from hijack.helpers import (
-        check_hijack_authorization, get_used_backend, no_update_last_login, login,
-        hijack_started, hijack_settings
-    )
-    hijacker = request.user
-    hijack_history = [request.user._meta.pk.value_to_string(hijacker)]
-    if request.session.get('hijack_history'):
-        hijack_history = request.session['hijack_history'] + hijack_history
-
-    check_hijack_authorization(request, hijacked)
-
-    backend = get_used_backend(request)
-    hijacked.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
-
-    with no_update_last_login():
-        # Actually log user in
-        login(request, hijacked)
-
-    hijack_started.send(
-        sender=None, request=request,
-        hijacker=hijacker, hijacked=hijacked,
-        # send IDs for backward compatibility
-        hijacker_id=hijacker.pk, hijacked_id=hijacked.pk)
-    request.session['hijack_history'] = hijack_history
-    request.session['is_hijacked_user'] = True
-    request.session['display_hijack_warning'] = True
-    request.session.modified = True
-    return redirect_to_next(request, default_url=hijack_settings.HIJACK_LOGIN_REDIRECT_URL)
-
-
-def redirect_to_next(request, default_url):
-    redirect_to = request.GET.get('next', '')
-    if not is_safe_url(redirect_to, allowed_hosts=None):
-        redirect_to = default_url
-    return HttpResponseRedirect(resolve_url(redirect_to))
-
-
-def release_hijack(request):
-    from hijack.helpers import (
-        get_used_backend, no_update_last_login, login, hijack_ended, hijack_settings
-    )
-    hijack_history = request.session.get('hijack_history', False)
-
-    if not hijack_history:
-        raise PermissionDenied
-
-    hijacker = None
-    hijacked = None
-    if hijack_history:
-        hijacked = request.user
-        user_pk = hijack_history.pop()
-        hijacker = get_object_or_404(get_user_model(), pk=user_pk)
-        backend = get_used_backend(request)
-        hijacker.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
-        with no_update_last_login():
-            login(request, hijacker)
-    if hijack_history:
-        request.session['hijack_history'] = hijack_history
-        request.session['is_hijacked_user'] = True
-        request.session['display_hijack_warning'] = True
-    else:
-        request.session.pop('hijack_history', None)
-        request.session.pop('is_hijacked_user', None)
-        request.session.pop('display_hijack_warning', None)
-    request.session.modified = True
-    hijack_ended.send(
-        sender=None, request=request,
-        hijacker=hijacker, hijacked=hijacked,
-        # send IDs for backward compatibility
-        hijacker_id=hijacker.pk, hijacked_id=hijacked.pk)
-    return redirect_to_next(request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)
diff --git a/src/requirements/production.txt b/src/requirements/production.txt
index 3fd0869aec..34c44a6a80 100644
--- a/src/requirements/production.txt
+++ b/src/requirements/production.txt
@@ -32,7 +32,7 @@ bleach==2.*
 raven
 babel
 django-i18nfield>=1.4.0
-django-hijack==2.1.*
+django-hijack>=2.1.10,<2.2.0
 django-oauth-toolkit==1.2.*
 # Stripe
 stripe==2.0.*