mirror of
https://github.com/pretix/pretix.git
synced 2026-07-04 05:01:54 +00:00
Compare commits
18 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| faa97026e1 | |||
| e1736e8d2a | |||
| 120317a8f2 | |||
| 7d5b00a610 | |||
| 83612c7d65 | |||
| 7a5f96369a | |||
| 7fd6bf41f9 | |||
| 458c3d4b83 | |||
| d10d061e45 | |||
| d30bca50f7 | |||
| 3903aca7c9 | |||
| 493c920aba | |||
| 09b7bc00b0 | |||
| 2e195c0274 | |||
| 18cb9c1816 | |||
| c3e0120f9f | |||
| 67f7fec134 | |||
| c2c97f31ca |
+2
-1
@@ -53,6 +53,7 @@ dependencies = [
|
||||
"django-oauth-toolkit==2.3.*",
|
||||
"django-otp==1.7.*",
|
||||
"django-phonenumber-field==8.4.*",
|
||||
"django-querytagger==0.0.2",
|
||||
"django-redis==6.0.*",
|
||||
"django-scopes==2.0.*",
|
||||
"django-statici18n==2.7.*",
|
||||
@@ -93,7 +94,7 @@ dependencies = [
|
||||
"redis==7.4.*",
|
||||
"reportlab==4.5.*",
|
||||
"requests==2.32.*",
|
||||
"sentry-sdk==2.63.*",
|
||||
"sentry-sdk==2.64.*",
|
||||
"sepaxml==2.7.*",
|
||||
"stripe==7.9.*",
|
||||
"text-unidecode==1.*",
|
||||
|
||||
+2
-2
@@ -6,8 +6,8 @@ localecompile:
|
||||
./manage.py compilemessages
|
||||
|
||||
localegen:
|
||||
./manage.py makemessages --keep-pot --ignore "pretix/static/npm_dir/*" $(LNGS)
|
||||
./manage.py makemessages --keep-pot -e js,ts,vue -d djangojs --ignore "pretix/static/npm_dir/*" --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)
|
||||
./manage.py makemessages --keep-pot --add-location file --ignore "pretix/static/npm_dir/*" $(LNGS)
|
||||
./manage.py makemessages --keep-pot --add-location file -e js,ts,vue -d djangojs --ignore "pretix/static/npm_dir/*" --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)
|
||||
|
||||
staticfiles: npminstall npmbuild jsi18n
|
||||
./manage.py collectstatic --noinput
|
||||
|
||||
@@ -19,4 +19,4 @@
|
||||
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
|
||||
# <https://www.gnu.org/licenses/>.
|
||||
#
|
||||
__version__ = "2026.6.0"
|
||||
__version__ = "2026.7.0.dev0"
|
||||
|
||||
@@ -118,6 +118,7 @@ ALL_LANGUAGES = [
|
||||
('sv', _('Swedish')),
|
||||
('es', _('Spanish')),
|
||||
('es-419', _('Spanish (Latin America)')),
|
||||
('th', _('Thai')),
|
||||
('tr', _('Turkish')),
|
||||
('uk', _('Ukrainian')),
|
||||
]
|
||||
|
||||
@@ -19,6 +19,8 @@
|
||||
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
|
||||
# <https://www.gnu.org/licenses/>.
|
||||
#
|
||||
import logging
|
||||
import re
|
||||
from collections import OrderedDict
|
||||
from urllib.parse import urlparse, urlsplit
|
||||
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
|
||||
@@ -43,6 +45,8 @@ from pretix.multidomain.urlreverse import (
|
||||
)
|
||||
from pretix.presale.style import get_fonts
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
_supported = None
|
||||
|
||||
|
||||
@@ -223,7 +227,26 @@ def _parse_csp(header):
|
||||
return h
|
||||
|
||||
|
||||
VALID_CSP_DIRECTIVES = [
|
||||
"child-src", "connect-src", "default-src", "fenced-frame-src", "font-src", "form-action", "frame-src", "img-src",
|
||||
"manifest-src", "media-src", "object-src", "prefetch-src", "report-uri", "script-src", "script-src-elem",
|
||||
"script-src-attr", "style-src", "style-src-elem", "style-src-attr", "worker-src",
|
||||
]
|
||||
|
||||
CSP_ILLEGAL_CHARS = re.compile(r'[\s,;]')
|
||||
|
||||
|
||||
def _sanitize_csp(h):
|
||||
for k, v in h.items():
|
||||
if k not in VALID_CSP_DIRECTIVES:
|
||||
raise ValueError("Invalid CSP directive " + k)
|
||||
if any(CSP_ILLEGAL_CHARS.search(el) for el in v):
|
||||
logger.warning("Stripping invalid component from CSP: %r", h)
|
||||
h[k] = [el for el in v if not CSP_ILLEGAL_CHARS.search(el)]
|
||||
|
||||
|
||||
def _render_csp(h):
|
||||
_sanitize_csp(h)
|
||||
return "; ".join(k + ' ' + ' '.join(v) for k, v in h.items() if v)
|
||||
|
||||
|
||||
@@ -243,21 +266,7 @@ def _merge_csp(a, b):
|
||||
|
||||
|
||||
class SecurityMiddleware(MiddlewareMixin):
|
||||
CSP_EXEMPT = (
|
||||
'/api/v1/docs/',
|
||||
)
|
||||
|
||||
def process_response(self, request, resp):
|
||||
def nested_dict_values(d):
|
||||
for v in d.values():
|
||||
if isinstance(v, dict):
|
||||
yield from nested_dict_values(v)
|
||||
else:
|
||||
if isinstance(v, str):
|
||||
yield v
|
||||
|
||||
url = resolve(request.path_info)
|
||||
|
||||
if settings.DEBUG and resp.status_code >= 400:
|
||||
# Don't use CSP on debug error page as it breaks of Django's fancy error
|
||||
# pages
|
||||
@@ -268,18 +277,15 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
# https://github.com/pretix/pretix/issues/765
|
||||
resp['P3P'] = 'CP=\"ALL DSP COR CUR ADM TAI OUR IND COM NAV INT\"'
|
||||
|
||||
img_src = []
|
||||
gs = global_settings_object(request)
|
||||
if gs.settings.leaflet_tiles:
|
||||
img_src.append(gs.settings.leaflet_tiles[:gs.settings.leaflet_tiles.index("/", 10)].replace("{s}", "*"))
|
||||
if not getattr(resp, '_csp_ignore', False):
|
||||
resp['Content-Security-Policy'] = _render_csp(self._build_csp(request, resp))
|
||||
elif 'Content-Security-Policy' in resp:
|
||||
del resp['Content-Security-Policy']
|
||||
|
||||
font_src = set()
|
||||
if hasattr(request, 'event'):
|
||||
for font in get_fonts(request.event, pdf_support_required=False).values():
|
||||
for path in list(nested_dict_values(font)):
|
||||
font_location = urlparse(path)
|
||||
if font_location.scheme and font_location.netloc:
|
||||
font_src.add('{}://{}'.format(font_location.scheme, font_location.netloc))
|
||||
return resp
|
||||
|
||||
def _build_csp(self, request, resp):
|
||||
url = resolve(request.path_info)
|
||||
|
||||
h = {
|
||||
'default-src': ["{static}"],
|
||||
@@ -288,8 +294,8 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
'frame-src': ['{static}'],
|
||||
'style-src': ["{static}", "{media}"],
|
||||
'connect-src': ["{dynamic}", "{media}"],
|
||||
'img-src': ["{static}", "{media}", "data:"] + img_src,
|
||||
'font-src': ["{static}"] + list(font_src),
|
||||
'img-src': ["{static}", "{media}", "data:"],
|
||||
'font-src': ["{static}"],
|
||||
'media-src': ["{static}", "data:"],
|
||||
# form-action is not only used to match on form actions, but also on URLs
|
||||
# form-actions redirect to. In the context of e.g. payment providers or
|
||||
@@ -298,6 +304,13 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
|
||||
}
|
||||
|
||||
gs = global_settings_object(request)
|
||||
if gs.settings.leaflet_tiles:
|
||||
h['img-src'].append(gs.settings.leaflet_tiles[:gs.settings.leaflet_tiles.index("/", 10)].replace("{s}", "*"))
|
||||
|
||||
if hasattr(request, 'event'):
|
||||
h['font-src'] += list(self._get_font_origins(request.event))
|
||||
|
||||
if settings.VITE_DEV_MODE:
|
||||
h['script-src'] += ["http://localhost:5173", "ws://localhost:5173"]
|
||||
h['style-src'] += ["'unsafe-inline'"]
|
||||
@@ -309,6 +322,7 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
if not settings.VITE_DEV_MODE:
|
||||
# can't have 'unsafe-inline' and nonce at the same time
|
||||
h['style-src'].append(nonce)
|
||||
|
||||
# Only include pay.google.com for wallet detection purposes on the Payment selection page
|
||||
if (
|
||||
url.url_name == "event.order.pay.change" or
|
||||
@@ -317,27 +331,32 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
h['script-src'].append('https://pay.google.com')
|
||||
h['frame-src'].append('https://pay.google.com')
|
||||
h['connect-src'].append('https://google.com/pay')
|
||||
|
||||
if settings.LOG_CSP:
|
||||
h['report-uri'] = ["/csp_report/"]
|
||||
|
||||
if 'Content-Security-Policy' in resp:
|
||||
_merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
|
||||
|
||||
if settings.CSP_ADDITIONAL_HEADER:
|
||||
_merge_csp(h, _parse_csp(settings.CSP_ADDITIONAL_HEADER))
|
||||
|
||||
staticdomain = "'self'"
|
||||
dynamicdomain = "'self'"
|
||||
mediadomain = "'self'"
|
||||
placeholders = {
|
||||
"{static}": ["'self'"],
|
||||
"{dynamic}": ["'self'"],
|
||||
"{media}": ["'self'"],
|
||||
}
|
||||
if settings.MEDIA_URL.startswith('http'):
|
||||
mediadomain += " " + settings.MEDIA_URL[:settings.MEDIA_URL.find('/', 9)]
|
||||
placeholders["{media}"].append(settings.MEDIA_URL[:settings.MEDIA_URL.find('/', 9)])
|
||||
if settings.STATIC_URL.startswith('http'):
|
||||
staticdomain += " " + settings.STATIC_URL[:settings.STATIC_URL.find('/', 9)]
|
||||
placeholders["{static}"].append(settings.STATIC_URL[:settings.STATIC_URL.find('/', 9)])
|
||||
if settings.SITE_URL.startswith('http'):
|
||||
if settings.SITE_URL.find('/', 9) > 0:
|
||||
staticdomain += " " + settings.SITE_URL[:settings.SITE_URL.find('/', 9)]
|
||||
dynamicdomain += " " + settings.SITE_URL[:settings.SITE_URL.find('/', 9)]
|
||||
placeholders["{static}"].append(settings.SITE_URL[:settings.SITE_URL.find('/', 9)])
|
||||
placeholders["{dynamic}"].append(settings.SITE_URL[:settings.SITE_URL.find('/', 9)])
|
||||
else:
|
||||
staticdomain += " " + settings.SITE_URL
|
||||
dynamicdomain += " " + settings.SITE_URL
|
||||
placeholders["{static}"].append(settings.SITE_URL)
|
||||
placeholders["{dynamic}"].append(settings.SITE_URL)
|
||||
|
||||
if hasattr(request, 'organizer') and request.organizer:
|
||||
if hasattr(request, 'event') and request.event:
|
||||
@@ -348,18 +367,29 @@ class SecurityMiddleware(MiddlewareMixin):
|
||||
siteurlsplit = urlsplit(settings.SITE_URL)
|
||||
if siteurlsplit.port and siteurlsplit.port not in (80, 443):
|
||||
domain = '%s:%d' % (domain, siteurlsplit.port)
|
||||
dynamicdomain += " " + domain
|
||||
placeholders["{dynamic}"].append(domain)
|
||||
|
||||
if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
|
||||
resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
|
||||
media=mediadomain)
|
||||
for k, v in h.items():
|
||||
h[k] = sorted(set(' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain).split(' ')))
|
||||
resp['Content-Security-Policy'] = _render_csp(h)
|
||||
elif 'Content-Security-Policy' in resp:
|
||||
del resp['Content-Security-Policy']
|
||||
for k, v in h.items():
|
||||
h[k] = sorted(set(result for part in v for result in placeholders.get(part, [part])))
|
||||
|
||||
return resp
|
||||
return h
|
||||
|
||||
def _get_font_origins(self, event):
|
||||
def nested_dict_values(d):
|
||||
for v in d.values():
|
||||
if isinstance(v, dict):
|
||||
yield from nested_dict_values(v)
|
||||
else:
|
||||
if isinstance(v, str):
|
||||
yield v
|
||||
|
||||
font_src = set()
|
||||
for font in get_fonts(event, pdf_support_required=False).values():
|
||||
for path in list(nested_dict_values(font)):
|
||||
font_location = urlparse(path)
|
||||
if font_location.scheme and font_location.netloc:
|
||||
font_src.add('{}://{}'.format(font_location.scheme, font_location.netloc))
|
||||
return font_src
|
||||
|
||||
|
||||
class RejectInvalidInputMiddleware(MiddlewareMixin):
|
||||
|
||||
@@ -647,25 +647,22 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
|
||||
id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
|
||||
)
|
||||
|
||||
def has_active_staff_session(self, session_key=None):
|
||||
def has_active_staff_session(self, session_key):
|
||||
"""
|
||||
Returns whether or not a user has an active staff session (formerly known as superuser session)
|
||||
with the given session key.
|
||||
"""
|
||||
return self.get_active_staff_session(session_key) is not None
|
||||
|
||||
def get_active_staff_session(self, session_key=None):
|
||||
if not self.is_staff:
|
||||
def get_active_staff_session(self, session_key):
|
||||
if not self.is_staff or not session_key:
|
||||
return None
|
||||
if not hasattr(self, '_staff_session_cache'):
|
||||
self._staff_session_cache = {}
|
||||
if session_key not in self._staff_session_cache:
|
||||
qs = StaffSession.objects.filter(
|
||||
user=self, date_end__isnull=True
|
||||
)
|
||||
if session_key:
|
||||
qs = qs.filter(session_key=session_key)
|
||||
sess = qs.first()
|
||||
sess = StaffSession.objects.filter(
|
||||
user=self, date_end__isnull=True, session_key=session_key
|
||||
).first()
|
||||
if sess:
|
||||
if sess.date_start < now() - timedelta(seconds=settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE):
|
||||
sess.date_end = now()
|
||||
|
||||
@@ -1924,8 +1924,6 @@ DEFAULTS = {
|
||||
'serializer_class': serializers.BooleanField,
|
||||
'form_kwargs': dict(
|
||||
label=_("Hide all past dates from calendar"),
|
||||
help_text=_("This option currently only affects the calendar of this event series, not the organizer-wide "
|
||||
"calendar.")
|
||||
)
|
||||
},
|
||||
'allow_modifications': {
|
||||
|
||||
@@ -42,8 +42,6 @@ from bleach import DEFAULT_CALLBACKS, html5lib_shim
|
||||
from bleach.linkifier import build_email_re
|
||||
from django import template
|
||||
from django.conf import settings
|
||||
from django.core import signing
|
||||
from django.urls import reverse
|
||||
from django.utils.functional import SimpleLazyObject
|
||||
from django.utils.html import escape
|
||||
from django.utils.http import url_has_allowed_host_and_scheme
|
||||
|
||||
@@ -36,6 +36,7 @@ from urllib.parse import quote, urljoin, urlparse
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib.auth import REDIRECT_FIELD_NAME, logout
|
||||
from django.contrib.auth.views import redirect_to_login
|
||||
from django.http import Http404
|
||||
from django.shortcuts import get_object_or_404, resolve_url
|
||||
from django.template.response import TemplateResponse
|
||||
@@ -214,12 +215,15 @@ class AuditLogMiddleware:
|
||||
hijack_history = request.session.get('hijack_history', False)
|
||||
hijacker = get_object_or_404(User, pk=hijack_history[0]["user"])
|
||||
ss = hijacker.get_active_staff_session(request.session.get('hijacker_session'))
|
||||
if ss:
|
||||
ss.logs.create(
|
||||
url=request.path,
|
||||
method=request.method,
|
||||
impersonating=request.user
|
||||
)
|
||||
if not ss:
|
||||
# Staff session expired or not found
|
||||
logout(request)
|
||||
return redirect_to_login(request.get_full_path())
|
||||
ss.logs.create(
|
||||
url=request.path,
|
||||
method=request.method,
|
||||
impersonating=request.user
|
||||
)
|
||||
else:
|
||||
ss = request.user.get_active_staff_session(request.session.session_key)
|
||||
if ss:
|
||||
|
||||
@@ -50,6 +50,46 @@
|
||||
{% endblocktrans %}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if dkim_warning %}
|
||||
<div class="alert alert-danger">
|
||||
<p>
|
||||
{{ dkim_warning }}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "Your new DKIM record should be set up as a CNAME record like this:" %}
|
||||
</p>
|
||||
<pre><code>{{ dkim_hostname }} CNAME {{ dkim_cname }}</code></pre>
|
||||
<p>
|
||||
{% trans "Please keep in mind that updates to DNS might require multiple hours to take effect." %}
|
||||
</p>
|
||||
</div>
|
||||
{% elif dkim_cname %}
|
||||
<div class="alert alert-success">
|
||||
{% blocktrans trimmed %}
|
||||
We found a DKIM record on your domain for this system. Great!
|
||||
{% endblocktrans %}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if dmarc_warning %}
|
||||
<div class="alert alert-danger">
|
||||
<p>
|
||||
{{ dmarc_warning }}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "Your new DMARC record could look like this:" %}
|
||||
</p>
|
||||
<pre><code>_dmarc.{{ hostname }} TXT "v=DMARC1; p=quarantine; sp=none; adkim=r; aspf=r;"</code></pre>
|
||||
<p>
|
||||
{% trans "Please keep in mind that updates to DNS might require multiple hours to take effect." %}
|
||||
</p>
|
||||
</div>
|
||||
{% elif dkim_cname %}
|
||||
<div class="alert alert-success">
|
||||
{% blocktrans trimmed %}
|
||||
We found a DMARC record on your domain for this system. Great!
|
||||
{% endblocktrans %}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if verification %}
|
||||
<h3>{% trans "Verification" %}</h3>
|
||||
<p>
|
||||
@@ -70,7 +110,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{% if spf_warning %}
|
||||
{% if spf_warning or dkim_warning or dmarc_warning %}
|
||||
<div class="form-group submit-group">
|
||||
<a href="" class="btn btn-default btn-save">
|
||||
{% trans "Cancel" %}
|
||||
|
||||
@@ -41,6 +41,30 @@ from pretix.control.forms.mailsetup import SimpleMailForm, SMTPMailForm
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def get_cname_record(hostname):
|
||||
try:
|
||||
r = dns.resolver.Resolver()
|
||||
answers = r.resolve(hostname, 'CNAME')
|
||||
answers = list(answers)
|
||||
if len(answers) != 1:
|
||||
logger.exception('Found multiple CNAME records for {}'.format(hostname))
|
||||
return
|
||||
return str(answers[0].target).lower()
|
||||
except:
|
||||
logger.exception('Could not fetch CNAME record for {}'.format(hostname))
|
||||
|
||||
|
||||
def get_dmarc_record(hostname):
|
||||
try:
|
||||
r = dns.resolver.Resolver()
|
||||
for resp in r.resolve("_dmarc." + hostname, 'TXT'):
|
||||
data = b''.join(resp.strings).decode()
|
||||
if 'DMARC1' in data.strip():
|
||||
return data
|
||||
except:
|
||||
logger.exception("Could not fetch DMARC record for {}".format(hostname))
|
||||
|
||||
|
||||
def get_spf_record(hostname):
|
||||
try:
|
||||
r = dns.resolver.Resolver()
|
||||
@@ -49,7 +73,7 @@ def get_spf_record(hostname):
|
||||
if data.lower().strip().startswith('v=spf1 '): # RFC7208, section 4.5
|
||||
return data
|
||||
except:
|
||||
logger.exception("Could not fetch SPF record")
|
||||
logger.exception("Could not fetch SPF record for {}".format(hostname))
|
||||
|
||||
|
||||
def _check_spf_record(not_found_lookup_parts, spf_record, depth):
|
||||
@@ -168,10 +192,15 @@ class MailSettingsSetupView(TemplateView):
|
||||
return super().get(request, *args, **kwargs)
|
||||
|
||||
session_key = f'sender_mail_verification_code_{self.request.path}_{self.simple_form.cleaned_data.get("mail_from")}'
|
||||
verify_dns = (
|
||||
settings.MAIL_CUSTOM_SENDER_SPF_STRING or
|
||||
(settings.MAIL_CUSTOM_SENDER_DKIM_CNAME and settings.MAIL_CUSTOM_SENDER_DMARC_REQUIRED) or
|
||||
settings.MAIL_CUSTOM_SENDER_DMARC_REQUIRED
|
||||
)
|
||||
allow_save = (
|
||||
(not settings.MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED or
|
||||
('verification' in self.request.POST and self.request.POST.get('verification', '') == self.request.session.get(session_key, None))) and
|
||||
(not settings.MAIL_CUSTOM_SENDER_SPF_STRING or self.request.POST.get('state') == 'save')
|
||||
(not verify_dns or self.request.POST.get('state') == 'save')
|
||||
)
|
||||
|
||||
if allow_save:
|
||||
@@ -192,8 +221,8 @@ class MailSettingsSetupView(TemplateView):
|
||||
|
||||
spf_warning = None
|
||||
spf_record = None
|
||||
hostname = self.simple_form.cleaned_data['mail_from'].split('@')[-1]
|
||||
if settings.MAIL_CUSTOM_SENDER_SPF_STRING:
|
||||
hostname = self.simple_form.cleaned_data['mail_from'].split('@')[-1]
|
||||
spf_record = get_spf_record(hostname)
|
||||
if not spf_record:
|
||||
spf_warning = _(
|
||||
@@ -210,7 +239,43 @@ class MailSettingsSetupView(TemplateView):
|
||||
'this system in the SPF record.'
|
||||
)
|
||||
|
||||
verification = settings.MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED and not spf_warning
|
||||
dkim_warning = None
|
||||
dkim_hostname = None
|
||||
dkim_cname = None
|
||||
if settings.MAIL_CUSTOM_SENDER_DKIM_CNAME and settings.MAIL_CUSTOM_SENDER_DKIM_SELECTOR:
|
||||
dkim_hostname = settings.MAIL_CUSTOM_SENDER_DKIM_SELECTOR + '._domainkey.' + hostname
|
||||
cname_target = get_cname_record(dkim_hostname)
|
||||
dkim_cname = settings.MAIL_CUSTOM_SENDER_DKIM_CNAME
|
||||
if not dkim_cname.endswith("."):
|
||||
dkim_cname += "."
|
||||
if "%s" in dkim_cname:
|
||||
dkim_cname = dkim_cname.replace("%s", hostname.replace(".", "-").lower())
|
||||
if not cname_target:
|
||||
dkim_warning = _(
|
||||
'We could not find a CNAME record pointing to our DKIM key for domain you are trying to use. '
|
||||
'This means that there is a very high change most of the emails will be rejected or marked as '
|
||||
'spam. We strongly recommend setting up DKIM through a CNAME record. You can do so through the '
|
||||
'DNS settings at the provider you registered your domain with.'
|
||||
)
|
||||
elif cname_target != dkim_cname:
|
||||
dkim_warning = _(
|
||||
'We found a CNAME record for a DKIM key, but it is not pointing to the right location. '
|
||||
'This means that there is a very high chance most of the emails will be rejected or marked as '
|
||||
'spam. You should update the DNS settings of your domain.'
|
||||
)
|
||||
|
||||
dmarc_warning = None
|
||||
dmarc_record = None
|
||||
if settings.MAIL_CUSTOM_SENDER_DMARC_REQUIRED:
|
||||
dmarc_record = get_dmarc_record(hostname)
|
||||
if not dmarc_record:
|
||||
spf_warning = _(
|
||||
'We did not find DMARC record for your domain. This means that there is a very high chance '
|
||||
'most of the emails will be rejected or marked as spam. You should update the DNS settings '
|
||||
'of your domain.'
|
||||
)
|
||||
|
||||
verification = settings.MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED and not spf_warning and not dkim_warning and not dmarc_warning
|
||||
if verification:
|
||||
if 'verification' in self.request.POST:
|
||||
messages.error(request, _('The verification code was incorrect, please try again.'))
|
||||
@@ -240,6 +305,12 @@ class MailSettingsSetupView(TemplateView):
|
||||
'spf_warning': spf_warning,
|
||||
'spf_record': spf_record,
|
||||
'spf_key': settings.MAIL_CUSTOM_SENDER_SPF_STRING,
|
||||
'dkim_warning': dkim_warning,
|
||||
'dkim_hostname': dkim_hostname,
|
||||
'dkim_cname': dkim_cname,
|
||||
'dmarc_warning': dmarc_warning,
|
||||
'dmarc_record': dmarc_record,
|
||||
'hostname': hostname,
|
||||
'recp': self.simple_form.cleaned_data.get('mail_from')
|
||||
},
|
||||
using=self.template_engine,
|
||||
|
||||
@@ -31,6 +31,7 @@ from django.contrib.auth import (
|
||||
)
|
||||
from django.contrib.auth.mixins import LoginRequiredMixin
|
||||
from django.contrib.auth.views import redirect_to_login
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.db import transaction
|
||||
from django.shortcuts import get_object_or_404, redirect
|
||||
from django.urls import reverse
|
||||
@@ -221,11 +222,13 @@ class UserImpersonateView(AdministratorPermissionRequiredMixin, RecentAuthentica
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
self.object = get_object_or_404(User, pk=self.kwargs.get("id"))
|
||||
staff_session = request.user.get_active_staff_session(request.session.session_key)
|
||||
self.request.user.log_action('pretix.control.auth.user.impersonated',
|
||||
user=request.user,
|
||||
data={
|
||||
'other': self.kwargs.get("id"),
|
||||
'other_email': self.object.email
|
||||
'other_email': self.object.email,
|
||||
'staff_session': staff_session.pk,
|
||||
})
|
||||
oldkey = request.session.session_key
|
||||
|
||||
@@ -249,6 +252,12 @@ class UserImpersonateView(AdministratorPermissionRequiredMixin, RecentAuthentica
|
||||
with signals.no_update_last_login(), keep_session_age(request.session):
|
||||
login(request, hijacked, backend=backend)
|
||||
|
||||
request.session.save()
|
||||
staff_session.logs.create(
|
||||
method='(NOTE)',
|
||||
url=f'Begin impersonating user #{hijacked.pk} (request session {oldkey[:8]} -> {request.session.session_key[:8]})',
|
||||
)
|
||||
|
||||
request.session["hijack_history"] = hijack_history
|
||||
|
||||
signals.hijack_started.send(
|
||||
@@ -265,13 +274,15 @@ class UserImpersonateView(AdministratorPermissionRequiredMixin, RecentAuthentica
|
||||
class UserImpersonateStopView(LoginRequiredMixin, View):
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
impersonated = request.user
|
||||
|
||||
hijs = request.session['hijacker_session']
|
||||
staff_session_key = request.session['hijacker_session']
|
||||
prev_session_key = request.session.session_key
|
||||
hijack_history = request.session.get("hijack_history", [])
|
||||
hijacked = request.user
|
||||
prev_session = hijack_history.pop()
|
||||
hijacker = get_object_or_404(get_user_model(), pk=prev_session["user"])
|
||||
staff_session = hijacker.get_active_staff_session(staff_session_key)
|
||||
if not staff_session:
|
||||
raise PermissionDenied
|
||||
|
||||
expected_hash = salted_hmac(
|
||||
key_salt=b"hijack-history-hash",
|
||||
@@ -299,17 +310,22 @@ class UserImpersonateStopView(LoginRequiredMixin, View):
|
||||
hijacked=hijacked,
|
||||
)
|
||||
|
||||
ss = request.user.get_active_staff_session(hijs)
|
||||
if ss:
|
||||
request.session.save()
|
||||
ss.session_key = request.session.session_key
|
||||
ss.save()
|
||||
request.session.save()
|
||||
staff_session.session_key = request.session.session_key
|
||||
staff_session.save()
|
||||
|
||||
staff_session.logs.create(
|
||||
method='(NOTE)',
|
||||
url=f'Stop impersonating user #{hijacked.pk} (request session {prev_session_key[:8]}, '
|
||||
f'staff session {staff_session_key[:8]} -> {request.session.session_key[:8]})',
|
||||
)
|
||||
|
||||
request.user.log_action('pretix.control.auth.user.impersonate_stopped',
|
||||
user=request.user,
|
||||
data={
|
||||
'other': impersonated.pk,
|
||||
'other_email': impersonated.email
|
||||
'other': hijacked.pk,
|
||||
'other_email': hijacked.email,
|
||||
'staff_session': staff_session.pk,
|
||||
})
|
||||
return redirect(reverse('control:index'))
|
||||
|
||||
|
||||
@@ -21,22 +21,21 @@
|
||||
data-date="{{ day.date|date_fast:"SHORT_DATE_FORMAT" }}">
|
||||
<p>
|
||||
{% if day.events %}
|
||||
<a href="#selected-day" class="day-label event hidden-sm hidden-md hidden-lg">
|
||||
<a href="#selected-day" class="day-label event hidden-sm hidden-md hidden-lg" aria-describedby="nr-of-events-{{ day.date|date_fast:"Y-m-d" }}">
|
||||
<b aria-hidden="true">{{ day.day }}</b>
|
||||
<time datetime="{{ day.date|date_fast:"Y-m-d" }}" class="sr-only">
|
||||
{{ day.date|date_fast:"SHORT_DATE_FORMAT" }}
|
||||
</time>
|
||||
<span class="sr-only">
|
||||
({% blocktrans trimmed count count=day.events|length %}
|
||||
{{ count }} event
|
||||
{% plural %}
|
||||
{{ count }} events
|
||||
{% endblocktrans %})
|
||||
</span>
|
||||
<span class="sr-only" id="nr-of-events-{{ day.date|date_fast:"Y-m-d" }}">{% blocktrans trimmed count count=day.events|length %}
|
||||
{{ count }} event
|
||||
{% plural %}
|
||||
{{ count }} events
|
||||
{% endblocktrans %}</span>
|
||||
</a>
|
||||
<time datetime="{{ day.date|date_fast:"Y-m-d" }}" class="hidden-xs">{{ day.day }}</time>
|
||||
{% else %}
|
||||
<time datetime="{{ day.date|date_fast:"Y-m-d" }}" class="day-label">{{ day.day }}</time>
|
||||
<span class="sr-only">{% trans "No events" %}</span>
|
||||
{% endif %}
|
||||
</p>
|
||||
<ul class="events">
|
||||
|
||||
@@ -650,6 +650,10 @@ def add_subevents_for_days(qs, before, after, ebd, timezones, sales_channel, eve
|
||||
if hide:
|
||||
continue
|
||||
|
||||
if s.event_calendar_future_only:
|
||||
if (se.date_to or se.date_from) < time_machine_now():
|
||||
continue
|
||||
|
||||
timezones.add(s.timezone)
|
||||
tz = ZoneInfo(s.timezone)
|
||||
datetime_from = se.date_from.astimezone(tz)
|
||||
|
||||
@@ -257,6 +257,9 @@ MAIL_FROM_NOTIFICATIONS = config.get('mail', 'from_notifications', fallback=MAIL
|
||||
MAIL_FROM_ORGANIZERS = config.get('mail', 'from_organizers', fallback=MAIL_FROM)
|
||||
MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED = config.getboolean('mail', 'custom_sender_verification_required', fallback=True)
|
||||
MAIL_CUSTOM_SENDER_SPF_STRING = config.get('mail', 'custom_sender_spf_string', fallback='')
|
||||
MAIL_CUSTOM_SENDER_DKIM_SELECTOR = config.get('mail', 'custom_sender_dkim_selector', fallback='')
|
||||
MAIL_CUSTOM_SENDER_DKIM_CNAME = config.get('mail', 'custom_sender_dkim_cname', fallback='')
|
||||
MAIL_CUSTOM_SENDER_DMARC_REQUIRED = config.getboolean('mail', 'custom_sender_dmarc_required', fallback=False)
|
||||
MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = config.getboolean('mail', 'custom_smtp_allow_private_networks', fallback=DEBUG)
|
||||
EMAIL_HOST = config.get('mail', 'host', fallback='localhost')
|
||||
EMAIL_PORT = config.getint('mail', 'port', fallback=25)
|
||||
@@ -440,6 +443,7 @@ CSRF_COOKIE_NAME = 'pretix_csrftoken'
|
||||
SESSION_COOKIE_HTTPONLY = True
|
||||
|
||||
INSTALLED_APPS += [ # noqa
|
||||
'django_querytagger',
|
||||
'django_filters',
|
||||
'django_markup',
|
||||
'django_otp',
|
||||
@@ -505,6 +509,7 @@ MIDDLEWARE = [
|
||||
'pretix.helpers.logs.RequestIdMiddleware',
|
||||
'pretix.api.middleware.IdempotencyMiddleware',
|
||||
'pretix.multidomain.middlewares.MultiDomainMiddleware',
|
||||
'django_querytagger.middleware.SetTagMiddleware', # after MultiDomainMiddleware for correct url resolving
|
||||
'pretix.base.middleware.CustomCommonMiddleware',
|
||||
'pretix.multidomain.middlewares.SessionMiddleware',
|
||||
'pretix.multidomain.middlewares.CsrfViewMiddleware',
|
||||
|
||||
@@ -126,3 +126,81 @@ class LocaleDeterminationTest(TestCase):
|
||||
response = c.get('/dummy/dummy/')
|
||||
language = response['Content-Language']
|
||||
self.assertEqual(language, 'en')
|
||||
|
||||
|
||||
def test_render_csp():
|
||||
from pretix.base.middleware import _render_csp
|
||||
|
||||
assert _render_csp({}) == ""
|
||||
assert _render_csp({'default-src': ["'self'"]}) == "default-src 'self'"
|
||||
|
||||
h = {
|
||||
'default-src': ["'self'"],
|
||||
'script-src': ["'self'"],
|
||||
'object-src': ["'none'"],
|
||||
'frame-src': ["'self'"],
|
||||
'style-src': ["'self'", "'self'"],
|
||||
'connect-src': ["'self'", "'self'"],
|
||||
'img-src': ["'self'", "'self'", "data:"],
|
||||
'font-src': ["'self'"],
|
||||
'media-src': ["'self'", "data:"],
|
||||
'form-action': ["'self'", "https:"],
|
||||
}
|
||||
assert _render_csp(h) == (
|
||||
"default-src 'self'; script-src 'self'; object-src 'none'; frame-src 'self'; style-src 'self' 'self'; "
|
||||
"connect-src 'self' 'self'; img-src 'self' 'self' data:; font-src 'self'; media-src 'self' data:; form-action 'self' https:"
|
||||
)
|
||||
|
||||
|
||||
def test_merge_csp():
|
||||
from pretix.base.middleware import _merge_csp, _parse_csp, _render_csp
|
||||
|
||||
h = {
|
||||
'default-src': ["'self'"],
|
||||
'script-src': ["'self'"],
|
||||
'style-src': ["'self'", "'self'"],
|
||||
'form-action': ["'self'", "https:"],
|
||||
'connect-src': ["'self'", "'self'"],
|
||||
}
|
||||
assert _render_csp(h) == (
|
||||
"default-src 'self'; script-src 'self'; style-src 'self' 'self'; form-action 'self' https:; connect-src 'self' 'self'"
|
||||
)
|
||||
|
||||
_merge_csp(h, _parse_csp("style-src 'unsafe-inline'; connect-src https://example.com"))
|
||||
assert _render_csp(h) == (
|
||||
"default-src 'self'; script-src 'self'; style-src 'self' 'self' 'unsafe-inline'; form-action 'self' "
|
||||
"https:; connect-src 'self' 'self' https://example.com"
|
||||
)
|
||||
|
||||
|
||||
def test_roundtrip_csp():
|
||||
from pretix.base.middleware import _merge_csp, _parse_csp, _render_csp
|
||||
|
||||
prod_csp = ("default-src 'self' https://pretix.eu https://static.pretix.cloud; script-src 'self' "
|
||||
"'sha256-+tmFggeXIPOAC2UgcQ3LW/gPHTkwyWg3/D6FOJ5BHGo=' 'unsafe-eval' https://matomo.rami.io "
|
||||
"https://pretix.eu https://static.pretix.cloud https://support.rami.io; object-src 'none'; "
|
||||
"frame-src 'self' https://matomo.rami.io https://pretix.eu https://static.pretix.cloud "
|
||||
"https://support.rami.io https://www.youtube-nocookie.com; style-src 'self' 'unsafe-inline' "
|
||||
"data: https://cdn.pretix.cloud https://pretix.eu https://static.pretix…rt.rami.io; connect-src "
|
||||
"'self' https://cdn.pretix.cloud https://matomo.rami.io https://pretix.eu https://static.pretix.cloud "
|
||||
"https://support.rami.io ws://support.rami.io; img-src 'self' data: https://cdn.pretix.cloud "
|
||||
"https://matomo.rami.io https://pretix.eu https://static.pretix.cloud https://support.rami.io; "
|
||||
"font-src 'self' https://pretix.eu https://static.pretix.cloud; media-src 'self' data: "
|
||||
"https://cdn.pretix.cloud https://pretix.eu https://static.pretix.cloud; form-action 'self' "
|
||||
"https: https://pretix.eu")
|
||||
h = _parse_csp(prod_csp)
|
||||
_merge_csp(h, _parse_csp(prod_csp))
|
||||
assert _render_csp(h) == prod_csp
|
||||
|
||||
|
||||
def test_sanitize_csp():
|
||||
from pretix.base.middleware import _render_csp
|
||||
|
||||
h = {
|
||||
'style-src': ["'self'", "https://example.com", "https://example.org https://attack.example.net", "https://\fexample.org",
|
||||
"https://\texample.org", "https://example.org;script-src https://example.org", ],
|
||||
'script-src': ["'self'"],
|
||||
}
|
||||
assert _render_csp(h) == (
|
||||
"style-src 'self' https://example.com; script-src 'self'"
|
||||
)
|
||||
|
||||
@@ -159,6 +159,22 @@ class OrganizerTest(SoupTest):
|
||||
self.orga1.settings.flush()
|
||||
assert "mail_from" not in self.orga1.settings._cache()
|
||||
|
||||
@staticmethod
|
||||
def _fake_dmarc_record(hostname):
|
||||
return {
|
||||
'test.pretix.dev': 'v=DMARC1; p=quarantine; sp=none; adkim=r; aspf=r;',
|
||||
'bad.pretix.dev': 'BLA',
|
||||
'none.pretix.dev': None,
|
||||
}[hostname]
|
||||
|
||||
@staticmethod
|
||||
def _fake_cname_record(hostname):
|
||||
return {
|
||||
'pretix._domainkey.test.pretix.dev': 'test-pretix-dev.dkim.pretix.eu.',
|
||||
'pretix._domainkey.bad.pretix.dev': 'example.org',
|
||||
'pretix._domainkey.none.pretix.dev': None,
|
||||
}[hostname]
|
||||
|
||||
@staticmethod
|
||||
def _fake_spf_record(hostname):
|
||||
return {
|
||||
@@ -172,9 +188,17 @@ class OrganizerTest(SoupTest):
|
||||
'spftest.pretix.dev': None,
|
||||
}[hostname]
|
||||
|
||||
@override_settings(MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED=False, MAIL_CUSTOM_SENDER_SPF_STRING="include:spftest.pretix.dev include:test2.pretix.dev")
|
||||
def test_email_setup_no_verification_spf_success(self):
|
||||
@override_settings(
|
||||
MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED=False,
|
||||
MAIL_CUSTOM_SENDER_SPF_STRING="include:spftest.pretix.dev include:test2.pretix.dev",
|
||||
MAIL_CUSTOM_SENDER_DKIM_SELECTOR="pretix",
|
||||
MAIL_CUSTOM_SENDER_DKIM_CNAME="dkim.pretix.eu.",
|
||||
MAIL_CUSTOM_SENDER_DMARC_REQUIRED=True,
|
||||
)
|
||||
def test_email_setup_no_verification_spf_dmarc_dkim_success(self):
|
||||
self.monkeypatch.setattr("pretix.control.views.mailsetup.get_spf_record", OrganizerTest._fake_spf_record)
|
||||
self.monkeypatch.setattr("pretix.control.views.mailsetup.get_cname_record", OrganizerTest._fake_cname_record)
|
||||
self.monkeypatch.setattr("pretix.control.views.mailsetup.get_dmarc_record", OrganizerTest._fake_dmarc_record)
|
||||
doc = self.post_doc(
|
||||
'/control/organizer/%s/settings/email/setup' % self.orga1.slug,
|
||||
{
|
||||
@@ -213,6 +237,43 @@ class OrganizerTest(SoupTest):
|
||||
# not yet saved
|
||||
assert "mail_from" not in self.orga1.settings._cache()
|
||||
|
||||
@override_settings(MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED=False,
|
||||
MAIL_CUSTOM_SENDER_DKIM_SELECTOR="pretix",
|
||||
MAIL_CUSTOM_SENDER_DKIM_CNAME="dkim.pretix.eu.",
|
||||
MAIL_CUSTOM_SENDER_SPF_STRING="")
|
||||
def test_email_setup_no_verification_dkim_warning(self):
|
||||
self.monkeypatch.setattr("pretix.control.views.mailsetup.get_cname_record", OrganizerTest._fake_cname_record)
|
||||
doc = self.post_doc(
|
||||
'/control/organizer/%s/settings/email/setup' % self.orga1.slug,
|
||||
{
|
||||
'mode': 'simple',
|
||||
'simple-mail_from': 'test@bad.pretix.dev',
|
||||
},
|
||||
follow=True
|
||||
)
|
||||
assert doc.select('.alert-danger')
|
||||
self.orga1.settings.flush()
|
||||
# not yet saved
|
||||
assert "mail_from" not in self.orga1.settings._cache()
|
||||
|
||||
@override_settings(MAIL_CUSTOM_SENDER_VERIFICATION_REQUIRED=False,
|
||||
MAIL_CUSTOM_SENDER_DMARC_REQUIRED=True,
|
||||
MAIL_CUSTOM_SENDER_SPF_STRING="")
|
||||
def test_email_setup_no_verification_dmarc_warning(self):
|
||||
self.monkeypatch.setattr("pretix.control.views.mailsetup.get_dmarc_record", OrganizerTest._fake_dmarc_record)
|
||||
doc = self.post_doc(
|
||||
'/control/organizer/%s/settings/email/setup' % self.orga1.slug,
|
||||
{
|
||||
'mode': 'simple',
|
||||
'simple-mail_from': 'test@bad.pretix.dev',
|
||||
},
|
||||
follow=True
|
||||
)
|
||||
assert doc.select('.alert-danger')
|
||||
self.orga1.settings.flush()
|
||||
# not yet saved
|
||||
assert "mail_from" not in self.orga1.settings._cache()
|
||||
|
||||
def test_email_setup_smtp(self):
|
||||
self.monkeypatch.setattr("pretix.base.email.test_custom_smtp_backend", lambda b, a: None)
|
||||
self.monkeypatch.setattr("socket.gethostbyname", lambda h: "8.8.8.8")
|
||||
|
||||
Reference in New Issue
Block a user