Pluggable permissions (#5728)

* Data model draft

* Refactor query and assignment usages of old permissions

* Backend UI

* API serializer

* Big string replace

* Docs, tests and fixes for teams api

* Update docs for device auth

* Eliminate old names

* Make tests pass

* Use new permissions, remove inconsistencies

* Add test for translations

* Show plugin permissions

* Add permission for seating plans

* Fix plugin activation

* Fix failing test

* Refactor to permission groups

* Update doc/api/resources/devices.rst

Co-authored-by: luelista <weller@rami.io>

* Update doc/api/resources/events.rst

Co-authored-by: luelista <weller@rami.io>

* Update src/pretix/api/serializers/organizer.py

Co-authored-by: luelista <weller@rami.io>

* Fix typo

* Fix python version compat

* Replacement after rebase

* Add proper permission handling for exports

* Docs for exporters

* Runtime linting of permission names

* Fix typos

* Show export page even without orders permission

* More legacy compat

* Do not strongly validate before plugins are loaded

* Rebase migration

* Add permission for outgoing mails

* Review notes

* Update doc/api/resources/teams.rst

Co-authored-by: Richard Schreiber <schreiber@pretix.eu>

* Clean up logic around exporters

* Review and failures

* Fix migration leading to forbidden combination

* Handle permissions on event copying

* Remove print-statements

* Make test clearer

* Review feedback

* Add AnyPermissionOf

* migration safety

---------

Co-authored-by: luelista <weller@rami.io>
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>

src/pretix/control/permissions.py

@@ -38,6 +38,9 @@ from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.utils.translation import gettext as _
 
+from pretix.base.permissions import (
+    assert_valid_event_permission, assert_valid_organizer_permission,
+)
 from pretix.helpers.http import redirect_to_url
 
 
@@ -55,7 +58,9 @@ def event_permission_required(permission):
     """
     if permission == 'can_change_settings':
         # Legacy support
-        permission = 'can_change_event_settings'
+        permission = 'event.settings.general:write'
+
+    assert_valid_event_permission(permission)
 
     def decorator(function):
         def wrapper(request, *args, **kw):
@@ -79,7 +84,7 @@ class EventPermissionRequiredMixin:
     This mixin is equivalent to the event_permission_required view decorator but
     is in a form suitable for class-based views.
     """
-    permission = ''
+    permission = None  # None means "any permission"
 
     @classmethod
     def as_view(cls, **initkwargs):
@@ -92,9 +97,11 @@ def organizer_permission_required(permission):
     This view decorator rejects all requests with a 403 response which are not from
     users having the given permission for the event the request is associated with.
     """
-    if permission == 'can_change_settings':
+    if permission in ('event.settings.general:write', 'can_change_settings', 'can_change_event_settings'):
         # Legacy support
-        permission = 'can_change_organizer_settings'
+        permission = 'organizer.settings.general:write'
+
+    assert_valid_organizer_permission(permission)
 
     def decorator(function):
         def wrapper(request, *args, **kw):
@@ -116,7 +123,7 @@ class OrganizerPermissionRequiredMixin:
     This mixin is equivalent to the organizer_permission_required view decorator but
     is in a form suitable for class-based views.
     """
-    permission = ''
+    permission = None  # None means "any permission"
 
     @classmethod
     def as_view(cls, **initkwargs):