Raise BadRequest instead of PermissionDenied in error condition

Fix bulk edit of revoked devices (Z#23187227)
2025-12-05 21:32:28 +00:00 · 2025-03-28 17:43:26 +01:00 · 2025-03-28 14:49:29 +01:00
1 changed files with 8 additions and 3 deletions
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -44,7 +44,9 @@ import dateutil
 from django import forms
 from django.conf import settings
 from django.contrib import messages
-from django.core.exceptions import PermissionDenied, ValidationError
+from django.core.exceptions import (
+    BadRequest, PermissionDenied, ValidationError,
+)
 from django.core.files import File
 from django.db import transaction
 from django.db.models import (
@@ -944,13 +946,16 @@ class DeviceQueryMixin:
        qs = self.request.organizer.devices.prefetch_related(
            'limit_events', 'gate',
        ).order_by('revoked', '-device_id')
-        if self.filter_form.is_valid():
-            qs = self.filter_form.filter_qs(qs)

        if 'device' in self.request_data and '__ALL' not in self.request_data:
            qs = qs.filter(
                id__in=self.request_data.getlist('device')
            )
+        elif self.request.method == 'GET' or '__ALL' in self.request_data:
+            if self.filter_form.is_valid():
+                qs = self.filter_form.filter_qs(qs)
+        else:
+            raise BadRequest("No devices selected")

        return qs
Author	SHA1	Message	Date
Mira Weller	0917d25448	Raise BadRequest instead of PermissionDenied in error condition	2025-03-28 17:43:26 +01:00
Mira Weller	481cecd6a0	Fix bulk edit of revoked devices (Z#23187227)	2025-03-28 14:49:29 +01:00