Update src/pretix/control/views/orders.py

doc/api/resources/orders.rst

@@ -864,6 +864,9 @@ Generating new secrets
 
    Triggers generation of new ``secret`` and ``web_secret`` attributes for both the order and all order positions.
 
+   Ticket secrets of order positions that have been used to issue a gift card can not
+   be changed. Only the link (``web_secret``) will be changed in this case.
+
    **Example request**:
 
    .. sourcecode:: http
@@ -895,6 +898,9 @@ Generating new secrets
 
    Triggers generation of a new ``secret`` and ``web_secret`` attribute for a single order position.
 
+   Ticket secrets of order positions that have been used to issue a gift card can not
+   be changed. Only the link (``web_secret``) will be changed in this case.
+
    **Example request**:
 
    .. sourcecode:: http

pyproject.toml

@@ -33,7 +33,7 @@ dependencies = [
   "bleach==6.4.*",
   "celery==5.6.*",
   "chardet==5.2.*",
-  "cryptography>=48.0.1",
+  "cryptography>=48.0.0",
   "css-inline==0.20.*",
   "defusedcsv>=3.0.0",
   "dnspython==2.*",

src/pretix/base/models/orders.py

@@ -354,59 +354,38 @@ class Order(LockModel, LoggedModel):
     def _transaction_key_reset(self):
         self.__initial_status_paid_or_pending = self.status in (Order.STATUS_PENDING, Order.STATUS_PAID) and not self.require_approval
 
-    @classmethod
-    def gracefully_delete_bulk(cls, event, orders, user=None, auth=None):
-        # Expects to be called in a transaction
-        from . import (
-            GiftCard, GiftCardTransaction, LogEntry, Membership, Voucher,
-        )
-
-        if not transaction.get_connection().in_atomic_block:
-            raise Exception('gracefully_delete_bulk should only be called in atomic transaction!')
-
-        logs_create = []
-        for o in orders:
-            if not o.testmode:
-                raise TypeError("Only test mode orders can be deleted.")
-            order_gracefully_delete.send(event, order=o)
-            logs_create.append(o.log_action(
-                'pretix.event.order.deleted', user=user, auth=auth,
-                data={
-                    'code': o.code,
-                },
-                save=False,
-            ))
-        LogEntry.bulk_create_and_postprocess(logs_create)
-
-        vouchers = OrderPosition.objects.filter(
-            order__in=orders,
-            voucher__isnull=False
-        ).exclude(order__status=Order.STATUS_CANCELED).values_list("voucher_id", flat=True)
-        for v_id in vouchers:
-            Voucher.objects.filter(pk=v_id).update(redeemed=Greatest(0, F('redeemed') - 1))
-
-        GiftCardTransaction.objects.filter(payment__order__in=orders).update(payment=None)
-        GiftCardTransaction.objects.filter(refund__order__in=orders).update(refund=None)
-        GiftCardTransaction.objects.filter(order__in=orders).update(order=None)
-        GiftCard.objects.filter(issued_in__order__in=orders).update(issued_in=None)
-        Membership.objects.filter(granted_in__order__in=orders, testmode=True).update(granted_in=None)
-        OrderPosition.all.filter(order__in=orders, addon_to__isnull=False).delete()
-        OrderPosition.all.filter(order__in=orders).delete()
-        OrderFee.all.filter(order__in=orders).delete()
-        Transaction.objects.filter(order__in=orders).delete()
-        OrderRefund.objects.filter(order__in=orders).delete()
-        OrderPayment.objects.filter(order__in=orders).delete()
-        if isinstance(orders, models.QuerySet):
-            orders.delete()
-        else:
-            Order.objects.filter(pk__in=[o.pk for o in orders]).delete()
-        event.cache.delete('complain_testmode_orders')
-
     def gracefully_delete(self, user=None, auth=None):
+        from . import GiftCard, GiftCardTransaction, Membership, Voucher
+
         if not self.testmode:
             raise TypeError("Only test mode orders can be deleted.")
+        self.log_action(
+            'pretix.event.order.deleted', user=user, auth=auth,
+            data={
+                'code': self.code,
+            }
+        )
 
-        Order.gracefully_delete_bulk(self.event, Order.objects.filter(pk=self.pk), user, auth)
+        order_gracefully_delete.send(self.event, order=self)
+
+        if self.status != Order.STATUS_CANCELED:
+            for position in self.positions.all():
+                if position.voucher:
+                    Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
+
+        GiftCardTransaction.objects.filter(payment__in=self.payments.all()).update(payment=None)
+        GiftCardTransaction.objects.filter(refund__in=self.refunds.all()).update(refund=None)
+        GiftCardTransaction.objects.filter(order=self).update(order=None)
+        GiftCard.objects.filter(issued_in__in=self.positions.all()).update(issued_in=None)
+        Membership.objects.filter(granted_in__order=self, testmode=True).update(granted_in=None)
+        OrderPosition.all.filter(order=self, addon_to__isnull=False).delete()
+        OrderPosition.all.filter(order=self).delete()
+        OrderFee.all.filter(order=self).delete()
+        Transaction.objects.filter(order=self).delete()
+        self.refunds.all().delete()
+        self.payments.all().delete()
+        self.event.cache.delete('complain_testmode_orders')
+        self.delete()
 
     def email_confirm_secret(self):
         return self.tagged_secret("email_confirm", 9)

src/pretix/base/secrets.py

@@ -245,6 +245,9 @@ def recv_classic(sender, **kwargs):
 
 
 def assign_ticket_secret(event, position, force_invalidate_if_revokation_list_used=False, force_invalidate=False, save=True):
+    if position.issued_gift_cards.exists():
+        return
+
     gen = event.ticket_secret_generator
     if gen.use_revocation_list and force_invalidate_if_revokation_list_used:
         force_invalidate = True

src/pretix/base/services/orders.py

@@ -1599,6 +1599,7 @@ class OrderChangeManager:
         'seat_forbidden': gettext_lazy('The selected product does not allow to select a seat.'),
         'tax_rule_country_blocked': gettext_lazy('The selected country is blocked by your tax rule.'),
         'gift_card_change': gettext_lazy('You cannot change the price of a position that has been used to issue a gift card.'),
+        'gift_card_secret': gettext_lazy('You cannot change the ticket secret of a position that has been used to issue a gift card.'),
         'max_items_per_product': ngettext_lazy(
             "You cannot select more than %(max)s item of the product %(product)s.",
             "You cannot select more than %(max)s items of the product %(product)s.",
@@ -1756,6 +1757,9 @@ class OrderChangeManager:
         self._operations.append(self.RegenerateSecretOperation(position))
 
     def change_ticket_secret(self, position: OrderPosition, new_secret: str):
+        if position.issued_gift_cards.exists():
+            raise OrderError(self.error_messages['gift_card_secret'])
+
         self._operations.append(self.ChangeSecretOperation(position, new_secret))
 
     def change_valid_from(self, position: OrderPosition, new_value: datetime):

src/pretix/control/templates/pretixcontrol/order/change.html

@@ -284,6 +284,14 @@
                             </div>
                             <div class="col-sm-4">
                                 {% bootstrap_field position.form.operation_secret layout='inline' %}
+                                {% if position.issued_gift_cards.exists %}
+                                    <div class="alert alert-info">
+                                        {% blocktrans trimmed %}
+                                        Ticket secrets of order positions that have been used to issue a gift card can not
+                                        be changed. Only the link will be changed in this case.
+                                        {% endblocktrans %}
+                                    </div>
+                                {% endif %}
                             </div>
                         </div>
 

src/pretix/control/views/event.py

@@ -1148,11 +1148,8 @@ class EventLive(EventPermissionRequiredMixin, TemplateView):
             if request.POST.get("delete") == "yes":
                 try:
                     with transaction.atomic():
-                        Order.gracefully_delete_bulk(
-                            request.event,
-                            request.event.orders.filter(testmode=True),
-                            user=self.request.user
-                        )
+                        for order in request.event.orders.filter(testmode=True):
+                            order.gracefully_delete(user=self.request.user)
                 except ProtectedError:
                     messages.error(self.request, _('An order could not be deleted as some constraints (e.g. data '
                                                    'created by plug-ins) do not allow it.'))

src/pretix/control/views/orders.py

@@ -64,7 +64,7 @@ from django.urls import reverse
 from django.utils import formats
 from django.utils.formats import date_format, get_format
 from django.utils.functional import cached_property
-from django.utils.html import conditional_escape, escape
+from django.utils.html import conditional_escape, escape, format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.safestring import mark_safe
 from django.utils.timezone import make_aware, now
@@ -81,7 +81,7 @@ from pretix.base.i18n import language
 from pretix.base.models import (
     CachedFile, CachedTicket, Checkin, Invoice, InvoiceAddress, Item,
     ItemVariation, LogEntry, Order, QuestionAnswer, Quota,
-    ScheduledEventExport, generate_secret,
+    ScheduledEventExport, generate_secret, GiftCard,
 )
 from pretix.base.models.orders import (
     CancellationRequest, OrderFee, OrderPayment, OrderPosition, OrderRefund,
@@ -139,7 +139,6 @@ from pretix.helpers import OF_SELF
 from pretix.helpers.compat import CompatDeleteView
 from pretix.helpers.format import SafeFormatter, format_map
 from pretix.helpers.hierarkey import clean_filename
-from pretix.helpers.iter import chunked_iterable
 from pretix.helpers.json import CustomJSONEncoder
 from pretix.helpers.safedownload import check_token
 from pretix.presale.signals import question_form_fields
@@ -241,7 +240,7 @@ class BaseOrderBulkActionView(OrderSearchMixin, EventPermissionRequiredMixin, As
         raise NotImplementedError()
 
     def execute_bulk(self, queryset: QuerySet, form: forms.Form):
-        qs = self.allowed_for(self.get_queryset())
+        qs = self.allowed_for(self.allowed_for(self.get_queryset()))
         total = qs.count()
         orders_with_successful_action = 0
         for i, o in enumerate(qs):
@@ -395,21 +394,9 @@ class OrderDeleteBulkActionView(BaseOrderBulkActionView):
             testmode=True,
         )
 
-    def execute_bulk(self, queryset: QuerySet, form: forms.Form):
-        qs = self.allowed_for(self.get_queryset())
-        total = qs.count()
-        all_ids = list(qs.values_list("id", flat=True))
-
-        orders_with_successful_action = 0
-        for chunk in chunked_iterable(all_ids, 1000):
-            Order.gracefully_delete_bulk(
-                self.request.event,
-                qs.filter(id__in=chunk),
-                user=self.request.user,
-            )
-            orders_with_successful_action += len(chunk)
-            self.async_set_progress(orders_with_successful_action / total * 100)
-        return orders_with_successful_action, total
+    def execute_single(self, instance, form: forms.Form):
+        instance.gracefully_delete(user=self.request.user)
+        return True
 
 
 class OrderList(OrderSearchMixin, EventPermissionRequiredMixin, PaginationMixin, ListView):
@@ -2261,6 +2248,12 @@ class OrderContactChange(OrderView):
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data()
         ctx['form'] = self.form
+        if self.order.all_positions.filter(Exists(GiftCard.objects.filter(issued_in=OuterRef('pk')))).exists():
+            self.form.fields['regenerate_secrets'].help_text = format_html(
+                '{}<br><br><strong><span class="fa fa-warning"></span> {}</strong>',
+                self.form.fields['regenerate_secrets'].help_text,
+                _("Ticket secrets of order positions that have been used to issue a gift card can not be changed. Only the link will be changed in this case."),
+            )
         return ctx
 
     @cached_property