Pluggable permissions (#5728)

* Data model draft * Refactor query and assignment usages of old permissions * Backend UI * API serializer * Big string replace * Docs, tests and fixes for teams api * Update docs for device auth * Eliminate old names * Make tests pass * Use new permissions, remove inconsistencies * Add test for translations * Show plugin permissions * Add permission for seating plans * Fix plugin activation * Fix failing test * Refactor to permission groups * Update doc/api/resources/devices.rst Co-authored-by: luelista <weller@rami.io> * Update doc/api/resources/events.rst Co-authored-by: luelista <weller@rami.io> * Update src/pretix/api/serializers/organizer.py Co-authored-by: luelista <weller@rami.io> * Fix typo * Fix python version compat * Replacement after rebase * Add proper permission handling for exports * Docs for exporters * Runtime linting of permission names * Fix typos * Show export page even without orders permission * More legacy compat * Do not strongly validate before plugins are loaded * Rebase migration * Add permission for outgoing mails * Review notes * Update doc/api/resources/teams.rst Co-authored-by: Richard Schreiber <schreiber@pretix.eu> * Clean up logic around exporters * Review and failures * Fix migration leading to forbidden combination * Handle permissions on event copying * Remove print-statements * Make test clearer * Review feedback * Add AnyPermissionOf * migration safety --------- Co-authored-by: luelista <weller@rami.io> Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
2026-05-08 15:44:02 +00:00 · 2026-03-17 14:43:56 +01:00
parent eddde2b6c0
commit df0b580dd6
203 changed files with 5374 additions and 2331 deletions
--- a/src/tests/api/test_reusable_media.py
+++ b/src/tests/api/test_reusable_media.py
@@ -119,7 +119,39 @@ def test_medium_list(token_client, organizer, event, medium):


@pytest.mark.django_db
-def test_medium_detail(token_client, organizer, event, medium, giftcard, customer):
+def test_medium_detail_permission_missing(token_client, organizer, event, medium, giftcard, customer, team):
+    team.all_organizer_permissions = False
+    team.limit_organizer_permissions = {
+        "organizer.reusablemedia:read": True,
+    }
+    team.save()
+    resp = token_client.get(
+        '/api/v1/organizers/{}/reusablemedia/{}/?expand=linked_giftcard'.format(
+            organizer.slug, medium.pk
+        )
+    )
+    assert resp.status_code == 403
+    assert "No permission to access gift card details." in str(resp.data)
+
+    resp = token_client.get(
+        '/api/v1/organizers/{}/reusablemedia/{}/?expand=customer'.format(
+            organizer.slug, medium.pk
+        )
+    )
+    assert resp.status_code == 403
+    assert "No permission to access customer details." in str(resp.data)
+
+
+@pytest.mark.django_db
+def test_medium_detail(token_client, organizer, event, medium, giftcard, customer, team):
+    team.all_organizer_permissions = False
+    team.limit_organizer_permissions = {
+        "organizer.reusablemedia:read": True,
+        "organizer.customers:read": True,
+        "organizer.giftcards:read": True,
+    }
+    team.save()
+
    res = dict(TEST_MEDIUM_RES)
    res["id"] = medium.pk
    res["created"] = medium.created.isoformat().replace('+00:00', 'Z')
@@ -340,7 +372,16 @@ def test_medium_lookup_not_found(token_client, organizer, organizer2, medium):


@pytest.mark.django_db
-def test_medium_lookup_autocreate(token_client, organizer):
+def test_medium_lookup_autocreate(token_client, organizer, team):
+    team.all_organizer_permissions = False
+    team.limit_organizer_permissions = {
+        "organizer.reusablemedia:read": True,
+        "organizer.reusablemedia:write": True,
+        "organizer.customers:read": True,
+        "organizer.giftcards:read": True,
+    }
+    team.save()
+
    # Disabled
    resp = token_client.post(
        '/api/v1/organizers/{}/reusablemedia/lookup/'.format(organizer.slug),
@@ -386,7 +427,15 @@ def test_medium_lookup_autocreate(token_client, organizer):


@pytest.mark.django_db
-def test_medium_autocreate_giftcard(token_client, organizer):
+def test_medium_autocreate_giftcard(token_client, organizer, team):
+    team.all_organizer_permissions = False
+    team.limit_organizer_permissions = {
+        "organizer.reusablemedia:write": True,
+        "organizer.reusablemedia:read": True,
+        "organizer.customers:read": True,
+        "organizer.giftcards:read": True,
+    }
+    team.save()
    organizer.settings.reusable_media_type_nfc_mf0aes_autocreate_giftcard = True
    organizer.settings.reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency = 'USD'
    resp = token_client.post(