Pluggable permissions (#5728)

* Data model draft * Refactor query and assignment usages of old permissions * Backend UI * API serializer * Big string replace * Docs, tests and fixes for teams api * Update docs for device auth * Eliminate old names * Make tests pass * Use new permissions, remove inconsistencies * Add test for translations * Show plugin permissions * Add permission for seating plans * Fix plugin activation * Fix failing test * Refactor to permission groups * Update doc/api/resources/devices.rst Co-authored-by: luelista <weller@rami.io> * Update doc/api/resources/events.rst Co-authored-by: luelista <weller@rami.io> * Update src/pretix/api/serializers/organizer.py Co-authored-by: luelista <weller@rami.io> * Fix typo * Fix python version compat * Replacement after rebase * Add proper permission handling for exports * Docs for exporters * Runtime linting of permission names * Fix typos * Show export page even without orders permission * More legacy compat * Do not strongly validate before plugins are loaded * Rebase migration * Add permission for outgoing mails * Review notes * Update doc/api/resources/teams.rst Co-authored-by: Richard Schreiber <schreiber@pretix.eu> * Clean up logic around exporters * Review and failures * Fix migration leading to forbidden combination * Handle permissions on event copying * Remove print-statements * Make test clearer * Review feedback * Add AnyPermissionOf * migration safety --------- Co-authored-by: luelista <weller@rami.io> Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
2026-05-17 17:14:04 +00:00 · 2026-03-17 14:43:56 +01:00
parent eddde2b6c0
commit df0b580dd6
203 changed files with 5374 additions and 2331 deletions
--- a/src/pretix/control/views/subevents.py
+++ b/src/pretix/control/views/subevents.py
@@ -117,7 +117,7 @@ class SubEventList(EventPermissionRequiredMixin, PaginationMixin, SubEventQueryM
    model = SubEvent
    context_object_name = 'subevents'
    template_name = 'pretixcontrol/subevents/index.html'
-    permission = 'can_change_settings'
+    permission = None

    def get_queryset(self):
        return super().get_queryset(True).prefetch_related(
@@ -156,7 +156,7 @@ class SubEventList(EventPermissionRequiredMixin, PaginationMixin, SubEventQueryM
 class SubEventDelete(EventPermissionRequiredMixin, CompatDeleteView):
    model = SubEvent
    template_name = 'pretixcontrol/subevents/delete.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
    context_object_name = 'subevents'

    def get_object(self, queryset=None) -> SubEvent:
@@ -241,7 +241,7 @@ class SubEventEditorMixin(MetaDataEditorMixin):
            property=p,
            disabled=(
                p.protected and
-                not self.request.user.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings', request=self.request)
+                not self.request.user.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write', request=self.request)
            ),
            default=self._default_meta.get(p.name, ''),
            instance=val_instances.get(p.pk, self.meta_model(property=p, subevent=self.object)),
@@ -508,7 +508,7 @@ class SubEventEditorMixin(MetaDataEditorMixin):
 class SubEventUpdate(EventPermissionRequiredMixin, SubEventEditorMixin, UpdateView):
    model = SubEvent
    template_name = 'pretixcontrol/subevents/detail.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
    context_object_name = 'subevent'
    form_class = SubEventForm

@@ -575,7 +575,7 @@ class SubEventUpdate(EventPermissionRequiredMixin, SubEventEditorMixin, UpdateVi
 class SubEventCreate(SubEventEditorMixin, EventPermissionRequiredMixin, CreateView):
    model = SubEvent
    template_name = 'pretixcontrol/subevents/detail.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
    context_object_name = 'subevent'
    form_class = SubEventForm

@@ -669,7 +669,7 @@ class SubEventCreate(SubEventEditorMixin, EventPermissionRequiredMixin, CreateVi


 class SubEventBulkAction(SubEventQueryMixin, EventPermissionRequiredMixin, View):
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'

    @transaction.atomic
    def post(self, request, *args, **kwargs):
@@ -740,7 +740,7 @@ class SubEventBulkAction(SubEventQueryMixin, EventPermissionRequiredMixin, View)
 class SubEventBulkCreate(SubEventEditorMixin, EventPermissionRequiredMixin, AsyncFormView):
    model = SubEvent
    template_name = 'pretixcontrol/subevents/bulk.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
    context_object_name = 'subevent'
    form_class = SubEventBulkForm
    itemformclass = BulkSubEventItemForm
@@ -1065,7 +1065,7 @@ class SubEventBulkCreate(SubEventEditorMixin, EventPermissionRequiredMixin, Asyn


 class SubEventBulkEdit(SubEventQueryMixin, EventPermissionRequiredMixin, FormView):
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
    form_class = SubEventBulkEditForm
    template_name = 'pretixcontrol/subevents/bulk_edit.html'
    context_object_name = 'subevent'
@@ -1170,7 +1170,10 @@ class SubEventBulkEdit(SubEventQueryMixin, EventPermissionRequiredMixin, FormVie
        kwargs = {}

        if self.sampled_quotas is not None:
-            kwargs['instance'] = self.get_queryset()[0]
+            try:
+                kwargs['instance'] = self.get_queryset()[0]
+            except IndexError:
+                raise Http404("No matching dates")

        formsetclass = inlineformset_factory(
            SubEvent, Quota,