Add a log entry on manual VAT ID validation (Z#23223874) (#5939)

* Include nix development enviornment

* Obfuscate contact email addresses in shop HTML and deanonymize via JavaScript

This change addresses #1907: "hide contact e-mail address in source code
of a shop".

- Contact email addresses rendered in public-facing templates are now
obfuscated in the HTML source (e.g., replacing "@" with "[at]" and "."
with "[dot]").
- A new JavaScript file is included in the relevant templates to
automatically rewrite and restore the email address for users after the
page loads.
- This approach helps protect email addresses from basic harvesting bots
and reduces spam, while keeping them accessible and user-friendly for
human visitors.
- The obfuscation and deanonymization logic is only applied to web
templates, not to emails sent via pretix.

This implementation follows the recommendations discussed in #1907,
using a standardized, maintainable approach that’s compatible with
pretix's asset pipeline and template structure.

* Undo nix development environment for merge into main

* convert complete mailto-link to HTML entities

* remove gitignore noise

* Update .gitignore

* fix gitignore noise

* Update .gitignore

---------

Co-authored-by: Richard Schreiber <schreiber@rami.io>

src/pretix/base/exporters/orderlist.py

@@ -315,9 +315,8 @@ class OrderListExporter(MultiSheetListExporter):
             for id, vn in payment_methods:
                 headers.append(_('Paid by {method}').format(method=vn))
 
-        if self.event_object_cache:
-            # get meta_data labels from first cached event if any
-            headers += next(iter(self.event_object_cache.values())).meta_data.keys()
+        # get meta_data labels from first cached event
+        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
         yield headers
 
         full_fee_sum_cache = {
@@ -504,9 +503,8 @@ class OrderListExporter(MultiSheetListExporter):
         headers.append(_('External customer ID'))
         headers.append(_('Payment providers'))
 
-        if self.event_object_cache:
-            # get meta_data labels from first cached event if any
-            headers += next(iter(self.event_object_cache.values())).meta_data.keys()
+        # get meta_data labels from first cached event
+        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
         yield headers
 
         yield self.ProgressSetTotal(total=qs.count())
@@ -709,9 +707,9 @@ class OrderListExporter(MultiSheetListExporter):
             _('Position order link')
         ]
 
+        # get meta_data labels from first cached event
+        meta_data_labels = next(iter(self.event_object_cache.values())).meta_data.keys()
         if has_subevents:
-            # get meta_data labels from first cached event
-            meta_data_labels = next(iter(self.event_object_cache.values())).meta_data.keys()
             headers += meta_data_labels
         yield headers
 

src/pretix/base/templatetags/anonymize_email.py

@@ -0,0 +1,34 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django import template
+from django.utils.html import mark_safe
+
+register = template.Library()
+
+
+@register.filter("anon_email")
+def anon_email(value):
+    """Replaces @ with [at] and . with [dot] for anonymization."""
+    if not isinstance(value, str):
+        return value
+    value = value.replace("@", "[at]").replace(".", "[dot]")
+    return mark_safe(''.join(['&#{0};'.format(ord(char)) for char in value]))

src/pretix/control/logdisplay.py

@@ -518,6 +518,7 @@ def pretixcontrol_orderposition_blocked_display(sender: Event, orderposition, bl
         'The order requires approval before it can continue to be processed.'),
     'pretix.event.order.approved': _('The order has been approved.'),
     'pretix.event.order.denied': _('The order has been denied (comment: "{comment}").'),
+    'pretix.event.order.vatid.validated': _('The customer VAT ID has been verified.'),
     'pretix.event.order.contact.changed': _('The email address has been changed from "{old_email}" '
                                             'to "{new_email}".'),
     'pretix.event.order.contact.confirmed': _(

src/pretix/control/views/orders.py

@@ -1641,9 +1641,17 @@ class OrderCheckVATID(OrderView):
 
             try:
                 normalized_id = validate_vat_id(ia.vat_id, str(ia.country))
-                ia.vat_id_validated = True
-                ia.vat_id = normalized_id
-                ia.save()
+                with transaction.atomic():
+                    ia.vat_id_validated = True
+                    ia.vat_id = normalized_id
+                    ia.save()
+                    self.order.log_action(
+                        'pretix.event.order.vatid.validated',
+                        data={
+                            'vat_id': normalized_id,
+                        },
+                        user=self.request.user,
+                    )
             except VATIDFinalError as e:
                 messages.error(self.request, e.message)
             except VATIDTemporaryError:

src/pretix/presale/templates/pretixpresale/event/base.html

@@ -6,6 +6,7 @@
 {% load eventurl %}
 {% load safelink %}
 {% load rich_text %}
+{% load anonymize_email %}
 {% block thetitle %}
     {% if messages %}
         {{ messages|join:" " }} :: 
@@ -219,7 +220,7 @@
 {% endblock %}
 {% block footernav %}
     {% if request.event.settings.contact_mail %}
-        <li><a href="mailto:{{ request.event.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.event.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if request.event.settings.privacy_url %}
         <li><a href="{% safelink request.event.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/presale/templates/pretixpresale/fragment_js.html

@@ -21,4 +21,5 @@
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/cart.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/iframe.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixbase/js/addressform.js" %}"></script>
+    <script type="text/javascript" src="{% static "pretixbase/js/deanonymize_email.js" %}"></script>
 {% endcompress %}

src/pretix/presale/templates/pretixpresale/organizers/base.html

@@ -5,6 +5,7 @@
 {% load thumb %}
 {% load eventurl %}
 {% load safelink %}
+{% load anonymize_email %}
 {% block thetitle %}
     {% block title %}{% endblock %}{% if url_name != "organizer.index" %} :: {% endif %}{{ organizer.name }}
 {% endblock %}
@@ -97,7 +98,7 @@
 {% endblock %}
 {% block footernav %}
     {% if not request.event and request.organizer.settings.contact_mail %}
-        <li><a href="mailto:{{ request.organizer.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.organizer.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if not request.event and request.organizer.settings.privacy_url %}
         <li><a href="{% safelink request.organizer.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/static/pretixbase/js/deanonymize_email.js

@@ -0,0 +1,7 @@
+document.addEventListener('DOMContentLoaded', function() {
+    document.querySelectorAll('a[href^="mailto:"]').forEach(function(link) {
+        // Replace [at] with @ and the [dot] with . in both the href and the displayed text (if needed)
+        link.href = link.href.replace('[at]', '@').replace('[dot]', '.');
+        link.textContent = link.textContent.replace('[at]', '@').replace('[dot]', '.');
+    });
+});