Scheduled exports: Check permissions on creation

2026-05-05 15:14:04 +00:00 · 2025-09-22 10:22:12 +02:00
parent 5416c0cdfd
commit fb8a8142d9
2 changed files with 33 additions and 4 deletions
--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -2832,11 +2832,23 @@ class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
    def get_queryset(self):
        return self.get_scheduled_queryset()

+    def has_permission(self):
+        return self.request.user.has_event_permission(self.request.organizer, self.request.event, "can_view_orders")
+
    def get_context_data(self, **kwargs):
        ctx = super().get_context_data(**kwargs)
        if "schedule" in self.request.POST or self.scheduled:
-            ctx['schedule_form'] = self.schedule_form
-            ctx['rrule_form'] = self.rrule_form
+            if "schedule" in self.request.POST and not self.has_permission():
+                messages.error(
+                    self.request,
+                    _(
+                        "Your user account does not have sufficient permission to run this report, therefore "
+                        "you cannot schedule it."
+                    )
+                )
+            else:
+                ctx['schedule_form'] = self.schedule_form
+                ctx['rrule_form'] = self.rrule_form
        elif not self.exporter:
            for s in ctx['scheduled']:
                try:
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -2189,11 +2189,28 @@ class ExportView(OrganizerPermissionRequiredMixin, ExportMixin, ListView):
    def get_queryset(self):
        return self.get_scheduled_queryset()

+    def has_permission(self):
+        if isinstance(self.exporter, OrganizerLevelExportMixin):
+            if not self.request.user.has_organizer_permission(self.request.organizer, self.exporter.organizer_required_permission):
+                return False
+        if self.exporter and not self.exporter.available_for_user(self.request.user):
+            return False
+        return True
+
    def get_context_data(self, **kwargs):
        ctx = super().get_context_data(**kwargs)
        if "schedule" in self.request.POST or self.scheduled:
-            ctx['schedule_form'] = self.schedule_form
-            ctx['rrule_form'] = self.rrule_form
+            if "schedule" in self.request.POST and not self.has_permission():
+                messages.error(
+                    self.request,
+                    _(
+                        "Your user account does not have sufficient permission to run this report, therefore "
+                        "you cannot schedule it."
+                    )
+                )
+            else:
+                ctx['schedule_form'] = self.schedule_form
+                ctx['rrule_form'] = self.rrule_form
        elif not self.exporter:
            for s in ctx['scheduled']:
                try: