Make tests pass

2026-05-06 15:24:02 +00:00 · 2026-01-09 17:30:51 +01:00
parent 70973c8c6f
commit e566ab3405
30 changed files with 219 additions and 117 deletions
--- a/src/pretix/control/forms/organizer.py
+++ b/src/pretix/control/forms/organizer.py
@@ -376,7 +376,7 @@ class TeamForm(forms.ModelForm):

    def clean(self):
        data = super().clean()
-        if self.instance.pk and not data['all_organizer_permissions'] and not data.get('limit_organizer_permissions', {}).get('organizer.teams:write'):
+        if self.instance.pk and not data['all_organizer_permissions'] and 'organizer.teams:write' not in data.get('limit_organizer_permissions', []):
            if not self.instance.organizer.teams.exclude(pk=self.instance.pk).filter(
                TeamQuerySet.organizer_permission_q("organizer.teams:write"),
                members__isnull=False
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -245,7 +245,7 @@ class OrganizerDetail(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin
 class OrganizerTeamView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
    model = Organizer
    template_name = 'pretixcontrol/organizers/teams.html'
-    permission = 'organizer.teams:read'
+    permission = 'organizer.teams:write'
    context_object_name = 'organizer'


@@ -1068,7 +1068,7 @@ class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
                    TeamQuerySet.organizer_permission_q("organizer.teams:write"),
                    members__isnull=False
                ).exists() or self.request.user.has_active_staff_session(self.request.session.session_key)
-                if not other_admin_teams and self.object.has_permission() and self.object.members.count() == 1:
+                if not other_admin_teams and self.object.has_organizer_permission("organizer.teams:write") and self.object.members.count() == 1:
                    messages.error(self.request, _('You cannot remove the last member from this team as no one would '
                                                   'be left with the permission to change teams.'))
                    return redirect(self.get_success_url())
@@ -1754,7 +1754,7 @@ class GiftCardAcceptanceListView(OrganizerDetailViewMixin, OrganizerPermissionRe
 class GiftCardListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
    model = GiftCard
    template_name = 'pretixcontrol/organizers/giftcards.html'
-    permission = 'organizer.giftcards:write'
+    permission = 'organizer.giftcards:read'
    context_object_name = 'giftcards'
    paginate_by = 50

@@ -1788,7 +1788,7 @@ class GiftCardListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi

 class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
    template_name = 'pretixcontrol/organizers/giftcard.html'
-    permission = 'organizer.giftcards:write'
+    permission = 'organizer.giftcards:read'
    context_object_name = 'card'

    def get_object(self, queryset=None) -> Organizer:
@@ -1799,6 +1799,8 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi

    @transaction.atomic()
    def post(self, request, *args, **kwargs):
+        if not request.user.has_organizer_permission(request.organizer, "organizer.giftcards:write", request=request):
+            raise PermissionDenied()
        self.object = GiftCard.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
        if 'revert' in request.POST:
            t = get_object_or_404(self.object.transactions.all(), pk=request.POST.get('revert'), order__isnull=False)