Update src/pretix/control/views/orders.py

Prevent changing ticket secret of gift-card-issuing order positions (issue #6248 )
2026-06-13 01:45:19 +00:00 · 2026-06-12 17:07:31 +02:00 · 2026-06-12 15:39:08 +02:00
5 changed files with 29 additions and 2 deletions
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -864,6 +864,9 @@ Generating new secrets

   Triggers generation of new ``secret`` and ``web_secret`` attributes for both the order and all order positions.

+   Ticket secrets of order positions that have been used to issue a gift card can not
+   be changed. Only the link (``web_secret``) will be changed in this case.
+
   **Example request**:

   .. sourcecode:: http
@@ -895,6 +898,9 @@ Generating new secrets

   Triggers generation of a new ``secret`` and ``web_secret`` attribute for a single order position.

+   Ticket secrets of order positions that have been used to issue a gift card can not
+   be changed. Only the link (``web_secret``) will be changed in this case.
+
   **Example request**:

   .. sourcecode:: http
--- a/src/pretix/base/secrets.py
+++ b/src/pretix/base/secrets.py
@@ -245,6 +245,9 @@ def recv_classic(sender, **kwargs):


 def assign_ticket_secret(event, position, force_invalidate_if_revokation_list_used=False, force_invalidate=False, save=True):
+    if position.issued_gift_cards.exists():
+        return
+
    gen = event.ticket_secret_generator
    if gen.use_revocation_list and force_invalidate_if_revokation_list_used:
        force_invalidate = True
--- a/src/pretix/base/services/orders.py
+++ b/src/pretix/base/services/orders.py
@@ -1599,6 +1599,7 @@ class OrderChangeManager:
        'seat_forbidden': gettext_lazy('The selected product does not allow to select a seat.'),
        'tax_rule_country_blocked': gettext_lazy('The selected country is blocked by your tax rule.'),
        'gift_card_change': gettext_lazy('You cannot change the price of a position that has been used to issue a gift card.'),
+        'gift_card_secret': gettext_lazy('You cannot change the ticket secret of a position that has been used to issue a gift card.'),
        'max_items_per_product': ngettext_lazy(
            "You cannot select more than %(max)s item of the product %(product)s.",
            "You cannot select more than %(max)s items of the product %(product)s.",
@@ -1756,6 +1757,9 @@ class OrderChangeManager:
        self._operations.append(self.RegenerateSecretOperation(position))

    def change_ticket_secret(self, position: OrderPosition, new_secret: str):
+        if position.issued_gift_cards.exists():
+            raise OrderError(self.error_messages['gift_card_secret'])
+
        self._operations.append(self.ChangeSecretOperation(position, new_secret))

    def change_valid_from(self, position: OrderPosition, new_value: datetime):
--- a/src/pretix/control/templates/pretixcontrol/order/change.html
+++ b/src/pretix/control/templates/pretixcontrol/order/change.html
@@ -284,6 +284,14 @@
                            </div>
                            <div class="col-sm-4">
                                {% bootstrap_field position.form.operation_secret layout='inline' %}
+                                {% if position.issued_gift_cards.exists %}
+                                    <div class="alert alert-info">
+                                        {% blocktrans trimmed %}
+                                        Ticket secrets of order positions that have been used to issue a gift card can not
+                                        be changed. Only the link will be changed in this case.
+                                        {% endblocktrans %}
+                                    </div>
+                                {% endif %}
                            </div>
                        </div>

--- a/src/pretix/control/views/orders.py
+++ b/src/pretix/control/views/orders.py
@@ -64,7 +64,7 @@ from django.urls import reverse
 from django.utils import formats
 from django.utils.formats import date_format, get_format
 from django.utils.functional import cached_property
-from django.utils.html import conditional_escape, escape
+from django.utils.html import conditional_escape, escape, format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.safestring import mark_safe
 from django.utils.timezone import make_aware, now
@@ -81,7 +81,7 @@ from pretix.base.i18n import language
 from pretix.base.models import (
    CachedFile, CachedTicket, Checkin, Invoice, InvoiceAddress, Item,
    ItemVariation, LogEntry, Order, QuestionAnswer, Quota,
-    ScheduledEventExport, generate_secret,
+    ScheduledEventExport, generate_secret, GiftCard,
 )
 from pretix.base.models.orders import (
    CancellationRequest, OrderFee, OrderPayment, OrderPosition, OrderRefund,
@@ -2248,6 +2248,12 @@ class OrderContactChange(OrderView):
    def get_context_data(self, **kwargs):
        ctx = super().get_context_data()
        ctx['form'] = self.form
+        if self.order.all_positions.filter(Exists(GiftCard.objects.filter(issued_in=OuterRef('pk')))).exists():
+            self.form.fields['regenerate_secrets'].help_text = format_html(
+                '{}<br><br><strong><span class="fa fa-warning"></span> {}</strong>',
+                self.form.fields['regenerate_secrets'].help_text,
+                _("Ticket secrets of order positions that have been used to issue a gift card can not be changed. Only the link will be changed in this case."),
+            )
        return ctx

    @cached_property
Author	SHA1	Message	Date
luelista	e869e88cca	Update src/pretix/control/views/orders.py	2026-06-12 17:07:31 +02:00
Mira Weller	eaf25cfd1a	Prevent changing ticket secret of gift-card-issuing order positions (issue #6248 )	2026-06-12 15:39:08 +02:00