Vouchers: Don't allow to generate more than 100k random codes at once

2026-05-05 15:14:04 +00:00 · 2023-07-10 15:11:49 +02:00
parent 8a9f14db03
commit f4203b7408
3 changed files with 5 additions and 1 deletions
--- a/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html
+++ b/src/pretix/control/templates/pretixcontrol/vouchers/bulk.html
@@ -17,7 +17,7 @@
                           placeholder="{% trans "Prefix (optional)" %}">
                    <div class="input-group">
                        <input type="number" class="form-control input-xs"
-                               id="voucher-bulk-codes-num"
+                               id="voucher-bulk-codes-num" max="100000"
                               placeholder="{% trans "Number" context "number_of_things" %}">
                        <div class="input-group-btn">
                            <button class="btn btn-default" type="button" id="voucher-bulk-codes-generate"
--- a/src/pretix/control/views/vouchers.py
+++ b/src/pretix/control/views/vouchers.py
@@ -569,6 +569,8 @@ class VoucherRNG(EventPermissionRequiredMixin, View):
    def get(self, request, *args, **kwargs):
        try:
            num = int(request.GET.get('num', '5'))
+            if num > 100_000:
+                return HttpResponseBadRequest()
        except ValueError:  # NOQA
            return HttpResponseBadRequest()

--- a/src/pretix/static/pretixcontrol/js/ui/main.js
+++ b/src/pretix/static/pretixcontrol/js/ui/main.js
@@ -123,6 +123,8 @@ var form_handlers = function (el) {

    // Vouchers
    el.find("#voucher-bulk-codes-generate").click(function () {
+        if (!$("#voucher-bulk-codes-num").get(0).reportValidity())
+            return;
        var num = $("#voucher-bulk-codes-num").val();
        var prefix = $('#voucher-bulk-codes-prefix').val();
        if (num != "") {