Pluggable permissions (#5728)

* Data model draft * Refactor query and assignment usages of old permissions * Backend UI * API serializer * Big string replace * Docs, tests and fixes for teams api * Update docs for device auth * Eliminate old names * Make tests pass * Use new permissions, remove inconsistencies * Add test for translations * Show plugin permissions * Add permission for seating plans * Fix plugin activation * Fix failing test * Refactor to permission groups * Update doc/api/resources/devices.rst Co-authored-by: luelista <weller@rami.io> * Update doc/api/resources/events.rst Co-authored-by: luelista <weller@rami.io> * Update src/pretix/api/serializers/organizer.py Co-authored-by: luelista <weller@rami.io> * Fix typo * Fix python version compat * Replacement after rebase * Add proper permission handling for exports * Docs for exporters * Runtime linting of permission names * Fix typos * Show export page even without orders permission * More legacy compat * Do not strongly validate before plugins are loaded * Rebase migration * Add permission for outgoing mails * Review notes * Update doc/api/resources/teams.rst Co-authored-by: Richard Schreiber <schreiber@pretix.eu> * Clean up logic around exporters * Review and failures * Fix migration leading to forbidden combination * Handle permissions on event copying * Remove print-statements * Make test clearer * Review feedback * Add AnyPermissionOf * migration safety --------- Co-authored-by: luelista <weller@rami.io> Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
2026-05-04 15:04:03 +00:00 · 2026-03-17 14:43:56 +01:00
parent eddde2b6c0
commit df0b580dd6
203 changed files with 5374 additions and 2331 deletions
--- a/doc/api/resources/devices.rst
+++ b/doc/api/resources/devices.rst
@@ -30,7 +30,7 @@ software_brand                        string                     Device software
 software_version                      string                     Device software version (read-only)
 created                               datetime                   Creation time
 initialized                           datetime                   Time of initialization (or ``null``)
-initialization_token                  string                     Token for initialization
+initialization_token                  string                     Token for initialization (field invisible without write permission)
 revoked                               boolean                    Whether this device no longer has access
 security_profile                      string                     The name of a supported security profile restricting API access
 ===================================== ========================== =======================================================
--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -65,8 +65,6 @@ Endpoints

   Returns a list of all events within a given organizer the authenticated user/token has access to.

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -161,8 +159,6 @@ Endpoints

   Returns information on one event, identified by its slug.

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -234,8 +230,6 @@ Endpoints
   Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
   event before sales can go live.

-   Permission required: "Can create events"
-
   **Example request**:

   .. sourcecode:: http
@@ -338,8 +332,6 @@ Endpoints
   Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter
   when creating a new event for this instead.

-   Permission required: "Can create events"
-
   **Example request**:

   .. sourcecode:: http
@@ -433,8 +425,6 @@ Endpoints

   Updates an event

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -510,8 +500,6 @@ Endpoints

   Delete an event. Note that events with orders cannot be deleted to ensure data integrity.

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -561,8 +549,6 @@ organizer level.

   Get current values of event settings.

-   Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
-
   **Example request**:

   .. sourcecode:: http
@@ -615,6 +601,8 @@ organizer level.

   Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.

+   Permission "Can change event settings" is always required. Some keys require additional permissions.
+
    .. warning::

       Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting
--- a/doc/api/resources/organizers.rst
+++ b/doc/api/resources/organizers.rst
@@ -110,8 +110,6 @@ Endpoints

   Updates an organizer. Currently only the ``plugins`` field may be updated.

-   Permission required: "Can change organizer settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -172,8 +170,6 @@ information about the properties.

   Get current values of organizer settings.

-   Permission required: "Can change organizer settings"
-
   **Example request**:

   .. sourcecode:: http
--- a/doc/api/resources/reusablemedia.rst
+++ b/doc/api/resources/reusablemedia.rst
@@ -154,7 +154,7 @@ Endpoints
 .. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/

   Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new
-   medium behind the scenes.
+   medium behind the scenes, therefore this endpoint requires write permissions.

   This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance
   agreement. In this case, only linked gift cards will be returned, no order position or customer records,
--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -154,8 +154,6 @@ Endpoints

   Creates a new subevent.

-   Permission required: "Can create events"
-
   **Example request**:

   .. sourcecode:: http
@@ -300,8 +298,6 @@ Endpoints
   provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
   the fields that you want to change.

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
@@ -373,8 +369,6 @@ Endpoints

   Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.

-   Permission required: "Can change event settings"
-
   **Example request**:

   .. sourcecode:: http
--- a/doc/api/resources/teams.rst
+++ b/doc/api/resources/teams.rst
@@ -24,21 +24,58 @@ all_events                            boolean                    Whether this te
 limit_events                          list                       List of event slugs this team has access to
 require_2fa                           boolean                    Whether members of this team are required to use
                                                                 two-factor authentication
-can_create_events                     boolean
-can_change_teams                      boolean
-can_change_organizer_settings         boolean
-can_manage_customers                  boolean
-can_manage_reusable_media             boolean
-can_manage_gift_cards                 boolean
-can_change_event_settings             boolean
-can_change_items                      boolean
-can_view_orders                       boolean
-can_change_orders                     boolean
-can_view_vouchers                     boolean
-can_change_vouchers                   boolean
-can_checkin_orders                    boolean
+all_event_permissions                 bool                       Whether members of this team are granted all event-level
+                                                                 permissions, including future additions
+limit_event_permissions               list of strings            The event-level permissions team members are granted
+all_organizer_permissions             bool                       Whether members of this team are granted all organizer-level
+                                                                 permissions, including future additions
+all_organizer_permissions             list of strings            The organizer-level permissions team members are granted
+can_create_events                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_teams                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_organizer_settings         boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_customers                  boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_reusable_media             boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_gift_cards                 boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_event_settings             boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_items                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_orders                       boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_orders                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_vouchers                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_vouchers                   boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_checkin_orders                    boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
 ===================================== ========================== =======================================================

+Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
+
+    organizer.events:create
+    organizer.settings.general:write
+    organizer.teams:write
+    organizer.seatingplans:write
+    organizer.giftcards:read
+    organizer.giftcards:write
+    organizer.customers:read
+    organizer.customers:write
+    organizer.reusablemedia:read
+    organizer.reusablemedia:write
+    organizer.devices:read
+    organizer.devices:write
+    organizer.outgoingmails:read
+
+Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
+
+    event.settings.general:write
+    event.settings.payment:write
+    event.settings.tax:write
+    event.settings.invoicing:write
+    event.subevents:write
+    event.items:write
+    event.orders:read
+    event.orders:write
+    event.orders:checkin
+    event.vouchers:read
+    event.vouchers:write
+    event:cancel
+
 Team member resource
 --------------------

@@ -121,6 +158,10 @@ Team endpoints
            "all_events": true,
            "limit_events": [],
            "require_2fa": true,
+            "all_event_permissions": true,
+            "limit_event_permissions": [],
+            "all_organizer_permissions": true,
+            "limit_organizer_permissions": [],
            "can_create_events": true,
            ...
          }
@@ -159,6 +200,10 @@ Team endpoints
        "all_events": true,
        "limit_events": [],
        "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
        "can_create_events": true,
        ...
      }
@@ -187,7 +232,10 @@ Team endpoints
        "all_events": true,
        "limit_events": [],
        "require_2fa": true,
-        "can_create_events": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
        ...
      }

@@ -205,6 +253,10 @@ Team endpoints
        "all_events": true,
        "limit_events": [],
        "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
        "can_create_events": true,
        ...
      }
@@ -232,7 +284,8 @@ Team endpoints
      Content-Length: 94

      {
-        "can_create_events": true
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"]
      }

   **Example response**:
@@ -249,6 +302,10 @@ Team endpoints
        "all_events": true,
        "limit_events": [],
        "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"],
        "can_create_events": true,
        ...
      }