Giftcard/Reusable Media API: fix expand permission check (Z#23230608) (#6091)

* add failing tests * add permission checks in to_representation * only overwrite final representation not the serializer * styling * include review
2026-05-08 15:44:02 +00:00 · 2026-04-15 15:59:08 +02:00
parent 0f2ebb8687
commit e3ffd66691
4 changed files with 137 additions and 3 deletions
--- a/src/pretix/api/serializers/media.py
+++ b/src/pretix/api/serializers/media.py
@@ -31,7 +31,9 @@ from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.serializers.organizer import (
    CustomerSerializer, GiftCardSerializer,
 )
-from pretix.base.models import Order, OrderPosition, ReusableMedium
+from pretix.base.models import (
+    Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
+)

 logger = logging.getLogger(__name__)

@@ -80,8 +82,7 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
            )

        if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
-            # No additional permission check performed, documented limitation of the permission system
-            # Would get to complex/unusable otherwise since the permission depends on the event
+            # Permission Check performed in to_representation
            self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
        else:
            self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -117,6 +118,27 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
                )
        return data

+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        expand_nested = self.context['request'].query_params.getlist('expand')
+        perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+        if 'linked_orderposition' in expand_nested:
+            if instance.linked_orderposition is not None:
+                event = instance.linked_orderposition.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
+
+        if 'linked_giftcard.owner_ticket' in expand_nested:
+            gc = instance.linked_giftcard
+            if gc is not None and gc.owner_ticket is not None:
+                event = gc.owner_ticket.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
+
+        return r
+
    class Meta:
        model = ReusableMedium
        fields = (
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -286,6 +286,19 @@ class GiftCardSerializer(I18nAwareModelSerializer):
                )
        return data

+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        if 'owner_ticket' in self.context['request'].query_params.getlist('expand'):
+            owner_ticket = instance.owner_ticket
+            if owner_ticket:
+                event = owner_ticket.order.event
+                perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['owner_ticket'] = {'id': instance.owner_ticket.id}
+        return r
+
    class Meta:
        model = GiftCard
        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',