CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2025-12-05 21:32:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CGM_Public:v2023.9.1
Branches Tags
CGM_Public:master CGM_Public:answer-export CGM_Public:fix-csv-error CGM_Public:banktransfer-dashes CGM_Public:sendmail-iterator CGM_Public:update-django-version CGM_Public:reusablemedium-multiop CGM_Public:payment-qr CGM_Public:csv-duplicate-cols CGM_Public:release/2025.10.x CGM_Public:stable CGM_Public:release/2025.9.x CGM_Public:release/2025.8.x CGM_Public:release/2025.7.x CGM_Public:linkify-placeholder-fix CGM_Public:dependabot/pip/django-countries-eq-8.2.star CGM_Public:hardening-2fa CGM_Public:hide-invisible-fields CGM_Public:logentrytype-schema CGM_Public:quickstart-optional CGM_Public:op-export-unique-cols CGM_Public:lazy-imports CGM_Public:banktransfer-zero-5168 CGM_Public:timeline-fix-5614 CGM_Public:event-dialog-optional-4794 CGM_Public:banktransfer-invoice-reference CGM_Public:webhook-length CGM_Public:typeahead-org-slug CGM_Public:show-current-cart CGM_Public:banktransfer-camt CGM_Public:dependent-on-cc CGM_Public:attendee-mails-default CGM_Public:sort-property-helper CGM_Public:rename-migration CGM_Public:invoice-pdf-line-desc-max-length CGM_Public:validate-user-email CGM_Public:banktransfer-pending-order CGM_Public:order-rounding-mixin CGM_Public:dependabot/pip/redis-eq-7.0.star CGM_Public:richtext-link-mastodon CGM_Public:import-.wrong-item CGM_Public:fix-attach-size-filter CGM_Public:add-organizer-scope-to-pluginslist CGM_Public:fix-transmission-info CGM_Public:sync-single-transactionaware CGM_Public:no-ordinal-dates CGM_Public:new-license-header CGM_Public:checkinrule-warn-invalid-ids CGM_Public:fix-rrule CGM_Public:fix-form-styles CGM_Public:fix-datasync-shouldnotsync CGM_Public:fix-datasync-logdisplay CGM_Public:invoice-no-crash CGM_Public:dependabot/pip/django-phonenumber-field-eq-8.3.star CGM_Public:subevent-editor-improvements CGM_Public:exports-repeatable-read CGM_Public:plaintext-invoice-notification CGM_Public:order-import-logentries-bulk CGM_Public:dependabot/pip/django-oauth-toolkit-eq-3.1.star CGM_Public:notification-bulk-check CGM_Public:enqueue-order-immediate CGM_Public:enqueue-order-return CGM_Public:import-testmode-warn CGM_Public:api_organizer_settings CGM_Public:confirm-text-free CGM_Public:revert-5452-invoice-plugin-data CGM_Public:fix-wordlist-issue CGM_Public:subevent-filter-plugin CGM_Public:item-plugin-forms-group CGM_Public:fix-5455 CGM_Public:logentry-wording CGM_Public:img-srcset CGM_Public:invoice-plugin-data CGM_Public:mail-model CGM_Public:update-signal-docstrings CGM_Public:add-category-btn CGM_Public:logdetail-dbg CGM_Public:fix-order-email-error-log CGM_Public:fix-paypal2-xhr-free-cart CGM_Public:fix-datasync-notfound CGM_Public:fix-asynctask-i18n CGM_Public:org-level-plugin CGM_Public:plugins-page-fix CGM_Public:voucher-webhook CGM_Public:datasync-providers-doc CGM_Public:hierarkey-2 CGM_Public:ttf-pragraph-fallback CGM_Public:voucher-created CGM_Public:invoice-address-do-not-store-on-free CGM_Public:sync-single-tx CGM_Public:mapping-json CGM_Public:datasync CGM_Public:sendmail_pendingoverdue CGM_Public:rename-contact CGM_Public:pdf-price-with-bundled CGM_Public:fix-widget-cache-check CGM_Public:presale-remove-webmanifest CGM_Public:release/2025.6.x CGM_Public:pdf-editor-areyousure CGM_Public:api-expand-generic CGM_Public:invoice-email-language CGM_Public:question-stats-percentage CGM_Public:fix-question-graphs-ui CGM_Public:subevent-bulkedit-warning CGM_Public:clean-docs CGM_Public:event-title-everywhere CGM_Public:link-timeline CGM_Public:a11y-improve-renew-feedback CGM_Public:a11y-autocomplete-off CGM_Public:a11y-fix-calendar-nav-aria-current CGM_Public:release/2025.5.x CGM_Public:a11y-fix-giftcard-checkout CGM_Public:subevent-edit-name CGM_Public:fix-seat-svg-missing-label CGM_Public:gettextstub CGM_Public:fix-voucher-redeem-form CGM_Public:stripe_12x CGM_Public:cookieconsent-properly CGM_Public:ocm-cancel-all CGM_Public:fix-checkout-confirm CGM_Public:fix-nothingtoadd CGM_Public:dialog-backdrop-click-close CGM_Public:cart-renewal CGM_Public:a11y-add-cart-empty CGM_Public:waitinglist-export-productid CGM_Public:a11y-fix-waitinglist-link CGM_Public:a11y-no-underline-event-list CGM_Public:a11y-placeolder-contrast CGM_Public:cart-renewal-ui-html5dialog CGM_Public:cart-renewal-ui CGM_Public:tooltip-a11y CGM_Public:a11y-widget-fix-filter-dropdown CGM_Public:a11y-common-modal-dialogs CGM_Public:invoice-to-organizer-multimail CGM_Public:a11y-fix-b-strong CGM_Public:issue-5077 CGM_Public:a11y-validate-dates-serverside CGM_Public:a11y-fix-datepicker-error CGM_Public:item-list-seating CGM_Public:fix-eventlist-date-field CGM_Public:fix-headline-mismatch CGM_Public:release/2025.4.x CGM_Public:fix-datepicker-datedisplay CGM_Public:change-secret CGM_Public:subevent-discounts-test CGM_Public:sold-out-voucher CGM_Public:question-clean-answer-typo CGM_Public:checkinrpc-locales CGM_Public:fix-bulkedit-devices CGM_Public:release/2025.3.x CGM_Public:order-search-in-attendee-company CGM_Public:refactor-copy_to_first_ticket CGM_Public:organizer-index-filter-empty CGM_Public:context-on-error-page CGM_Public:order-checkin-icons CGM_Public:order-email-history-attachments CGM_Public:salutation-empty-label CGM_Public:fix-customer-create-race-condition CGM_Public:widget-data-3rdparty CGM_Public:scheduledmail-subevent-missing CGM_Public:fix-widget-data-3rdparty CGM_Public:widget-subevent-fix CGM_Public:a11y-remove-autofocus CGM_Public:release/2025.2.x CGM_Public:lists-for-failed-checkin CGM_Public:api-create-fees CGM_Public:fix-widget-data-overwrite CGM_Public:bulk-actions-logentries CGM_Public:widget-consent-prio CGM_Public:oidc-pkce CGM_Public:dependabot/pip/sphinx-eq-8.2.star CGM_Public:fix-copy-to-first-matching CGM_Public:headless CGM_Public:fix-deletedevent-checkin-logdisplay CGM_Public:widget_email_repeat CGM_Public:release/2025.1.x CGM_Public:new-docs CGM_Public:oidc_query_parameters CGM_Public:a11y-autofocus-tabindex CGM_Public:metrics_middleware_concat CGM_Public:widget-cookiebot CGM_Public:missing-registrations CGM_Public:fix-business-deps CGM_Public:invoice-pdf-transparency CGM_Public:logentrytype-registry CGM_Public:reldatetimefield-refactor CGM_Public:fix-copy-variations-channels CGM_Public:customdomain-show-backend-btn CGM_Public:invoice-user-paid CGM_Public:question-max-digits CGM_Public:i18n-field-order CGM_Public:language-switch-parameter CGM_Public:fieldset-panels-checkout CGM_Public:fix-invoice-name-validation CGM_Public:fieldset-panels-anim CGM_Public:dashboard-intcomma CGM_Public:fieldset-panels CGM_Public:fix-shipping-form CGM_Public:addressform-err-handling CGM_Public:fix-state-required-logic CGM_Public:release/2024.11.x CGM_Public:a11y-customer CGM_Public:robust-alert-colors CGM_Public:stripe-sofort-remove CGM_Public:stripe_mobilepay CGM_Public:quota-lock-log CGM_Public:main CGM_Public:pluggable-security-profiles CGM_Public:fix-category-change-log CGM_Public:checkin-present-filter-perf CGM_Public:hide-dependencies-recursively CGM_Public:fix-cond-display CGM_Public:badge-export-order-date CGM_Public:manual-fees CGM_Public:release/2024.10.x CGM_Public:raphaelm-patch-3 CGM_Public:hacky-debug-output CGM_Public:hacky-debug-output-reruns CGM_Public:ci-more-threads CGM_Public:ci-apt-y CGM_Public:before-fakeredis-update CGM_Public:actions-debug-postgres-1 CGM_Public:actions-fix-postgres CGM_Public:ci-postgres-service CGM_Public:pdf-layout-renderer-api CGM_Public:fix-category-type-column CGM_Public:cross-selling CGM_Public:bundles-not-negative CGM_Public:manual-installation CGM_Public:subevent-empty-avoid CGM_Public:release/2024.9.x CGM_Public:utils CGM_Public:email-confirm-secret-independent CGM_Public:docs-fix-typo-sso CGM_Public:unify-uncat-products-html-source CGM_Public:seating-waitinglist-sronly CGM_Public:release/2024.8.x CGM_Public:event-date-weekday CGM_Public:fix-sidebar-mobile CGM_Public:release/2024.7.x CGM_Public:release/2024.6.x CGM_Public:release/2024.5.x CGM_Public:fix-mail-preview-xss CGM_Public:api-webhook-filter CGM_Public:fix-tests CGM_Public:checkinlist-export-sort-by-date CGM_Public:fix-stripe-sca-sandbox CGM_Public:order-nullability CGM_Public:pytest-no-pending CGM_Public:add-temp-seatingframe-signal CGM_Public:fix-seatingframe-missing-css CGM_Public:stripe-giropay CGM_Public:list-sorting-move CGM_Public:daterange-test-foo CGM_Public:fix-checkbox-disabled-label-refactor CGM_Public:fix-pdf-bg-append CGM_Public:remove-subevent-items CGM_Public:fix-mail-preview-brackets-mismatch-2 CGM_Public:voucher-suggested-price CGM_Public:giftcard-validity CGM_Public:fix-mail-preview-brackets-mismatch CGM_Public:seo-improvements CGM_Public:ppv2_apm_wh_capture CGM_Public:back-to-the-future-2 CGM_Public:multi-subevent-cart-add CGM_Public:release/2024.4.x CGM_Public:fix-country-codes-profiles CGM_Public:release/2024.3.x CGM_Public:data-attr-price CGM_Public:issue-3967-adjacent CGM_Public:fix-issue-3967 CGM_Public:event_fonts CGM_Public:back-to-the-future CGM_Public:release/2024.2.x CGM_Public:release/2023.10.x CGM_Public:release/2023.8.x CGM_Public:release/2023.9.x CGM_Public:release/2024.1.x CGM_Public:django-oauth-toolkit-eq-2.3.star CGM_Public:select2-close-on-clear CGM_Public:plugins-allow-individual-ticket-download CGM_Public:event-dashboard CGM_Public:scan-debug-data CGM_Public:money-filter-tests CGM_Public:sort-sales-channels CGM_Public:pdf-fix-rotate CGM_Public:locking-tests CGM_Public:global_applepay_domain_validation CGM_Public:payment-available-from2 CGM_Public:release/4.20.x CGM_Public:release/2023.6.x CGM_Public:release/2023.7.x CGM_Public:zerodecimal_refunds CGM_Public:fix-typo CGM_Public:customer-webhooks CGM_Public:quota-cache-fix CGM_Public:pdf-bulk-vars-2 CGM_Public:new-checkin-type CGM_Public:mf0aes-docs CGM_Public:fix-pdf-image-multi-export CGM_Public:walletdetection CGM_Public:fix-pdf-bg-offset CGM_Public:celery-5.3 CGM_Public:api-taxrules CGM_Public:fix-lazy-translation-settings CGM_Public:hide-empty-addons CGM_Public:add-order-min CGM_Public:release/4.19.x CGM_Public:idna CGM_Public:order-filter-requires-attention CGM_Public:release/4.18.x CGM_Public:fix-widget-close-position CGM_Public:release/4.15.x CGM_Public:release/4.16.x CGM_Public:release/4.17.x CGM_Public:fix-q-checkbox-required CGM_Public:compact-cart CGM_Public:harmonize-checkin-export-date CGM_Public:ocm-no-canceled CGM_Public:widget-seating-embed CGM_Public:guest-handling CGM_Public:dnspython2 CGM_Public:fix-addon-typo CGM_Public:oauth-toolkit-2 CGM_Public:thumbnail-store-created CGM_Public:invoice-to-other-email CGM_Public:answer-options-csv CGM_Public:release/4.14.x CGM_Public:transaction-source CGM_Public:improve-badge-pdf-bg-performance CGM_Public:release/4.13.x CGM_Public:common-country-names CGM_Public:fix-check-in-subevent-filterform CGM_Public:placeholder-last-modification CGM_Public:fix-pdf-editor-prefill-bug CGM_Public:release/4.12.x CGM_Public:invoice-giftcards CGM_Public:addon-match CGM_Public:release/4.9.x CGM_Public:release/4.11.x CGM_Public:release/4.10.x CGM_Public:product-list-export CGM_Public:fix-api-operations-refresh CGM_Public:fix-free-price-checkbox CGM_Public:redis-response-error CGM_Public:remove-promise-from-paypal2 CGM_Public:fix-customer-identifier-unique CGM_Public:add-name-for-salutation-to-editor CGM_Public:orderlist-canceled-lines CGM_Public:event-clone-tests CGM_Public:aws_ses_454 CGM_Public:release/4.8.x CGM_Public:fix-2556-remove-attestation-from-2fa CGM_Public:release/4.5.x CGM_Public:release/4.6.x CGM_Public:release/4.7.x CGM_Public:db-conn-tz CGM_Public:hotfix CGM_Public:release/4.3.x CGM_Public:release/4.4.x CGM_Public:short-month-day-format CGM_Public:add-fixed-scroll-pos-to-calendar CGM_Public:consistency-check CGM_Public:sticky-add-to-basket CGM_Public:release/4.2.x CGM_Public:release/4.1.x CGM_Public:release/4.0.x CGM_Public:release/3.18.x CGM_Public:release/3.17.x CGM_Public:waitlist_subeventpicker CGM_Public:hotfix20210323 CGM_Public:hotfix20210325 CGM_Public:django31 CGM_Public:flaky-test CGM_Public:release/3.16.x CGM_Public:cancel-no-invoice CGM_Public:release/3.15.x CGM_Public:release/3.14.x CGM_Public:validate-dns CGM_Public:release/3.13.x CGM_Public:release/3.12.x CGM_Public:release/3.11.x CGM_Public:docker-nginx-logs CGM_Public:remove-reversecharge CGM_Public:stripe-connect-2 CGM_Public:copy-from-matching-product CGM_Public:seat-orgchoice CGM_Public:release/3.10.x CGM_Public:release/3.9.x CGM_Public:gha-migrations CGM_Public:release/3.8.x CGM_Public:issue1575 CGM_Public:release/3.7.x CGM_Public:release/3.6.x CGM_Public:release/3.5.x CGM_Public:cart-vouchers CGM_Public:release/3.4.x CGM_Public:release/3.3.x CGM_Public:stripe-connect-fees CGM_Public:release/3.2.x CGM_Public:release/3.1.x CGM_Public:release/3.0.x CGM_Public:pretixscan CGM_Public:hidden-product-quota-voucher CGM_Public:scopes CGM_Public:release/2.8.x CGM_Public:release/2.7.x CGM_Public:loadtest2 CGM_Public:orderchange2 CGM_Public:django22 CGM_Public:release/2.6.x CGM_Public:794-questions-default-value CGM_Public:dekodi CGM_Public:release/2.5.x CGM_Public:loadtest CGM_Public:selfcancel-positions CGM_Public:searchindex CGM_Public:release/2.4.x CGM_Public:release/2.3.x CGM_Public:release/2.2.x CGM_Public:release/2.1.x CGM_Public:transfer-ticket CGM_Public:release/2.0.x CGM_Public:release/1.17.x CGM_Public:design2.0 CGM_Public:release/1.16.x CGM_Public:release/1.15.x CGM_Public:release/1.14.x CGM_Public:release/1.13.x CGM_Public:release/1.12.x CGM_Public:release/1.11.x CGM_Public:release/1.10.x CGM_Public:release/1.9.x CGM_Public:release/1.8.x CGM_Public:release/1.7.x CGM_Public:new-placeholders CGM_Public:release/1.4.x CGM_Public:release/1.5.x CGM_Public:release/1.6.x CGM_Public:custom-manager CGM_Public:release/1.1.x CGM_Public:release/1.2.x CGM_Public:release/1.3.x CGM_Public:release/1.0.x CGM_Public:voucher-wizard CGM_Public:shorter-locking
CGM_Public:v2025.10.0 CGM_Public:v2025.7.3 CGM_Public:v2025.9.2 CGM_Public:v2025.8.2 CGM_Public:v2025.8.1 CGM_Public:v2025.9.1 CGM_Public:v2025.7.2 CGM_Public:v2025.9.0 CGM_Public:v2025.8.0 CGM_Public:v2025.7.1 CGM_Public:v2025.7.0 CGM_Public:v2025.6.0 CGM_Public:v2025.5.0 CGM_Public:v2025.4.0 CGM_Public:v2025.3.0 CGM_Public:v2025.2.0 CGM_Public:v2025.1.0 CGM_Public:v2024.11.0 CGM_Public:v2024.10.0 CGM_Public:v2024.9.0 CGM_Public:v2024.8.0 CGM_Public:v2024.7.1 CGM_Public:v2024.6.1 CGM_Public:v2024.5.1 CGM_Public:v2024.7.0 CGM_Public:v2024.6.0 CGM_Public:v2024.5.0 CGM_Public:v2024.4.0 CGM_Public:v2024.3.0 CGM_Public:v2024.2.0 CGM_Public:v2023.10.2 CGM_Public:v2023.8.1.post1 CGM_Public:v2023.9.1.post1 CGM_Public:v2023.8.1 CGM_Public:v2023.9.1 CGM_Public:v2024.1.1 CGM_Public:v2024.1.0 CGM_Public:v2023.10.1.post1 CGM_Public:v2023.10.1 CGM_Public:v2023.10.0 CGM_Public:v2023.9.0 CGM_Public:v2023.8.0 CGM_Public:v2023.6.3 CGM_Public:v4.20.4 CGM_Public:v2023.7.3 CGM_Public:v4.20.3 CGM_Public:v2023.6.2 CGM_Public:v2023.7.2 CGM_Public:v4.20.2.post1 CGM_Public:v4.20.2 CGM_Public:v2023.6.1 CGM_Public:v2023.7.1 CGM_Public:v2023.7.0 CGM_Public:v2023.6.0 CGM_Public:v4.20.1 CGM_Public:v4.20.0 CGM_Public:v4.19.0.post1 CGM_Public:v4.19.0 CGM_Public:v4.18.2.post1 CGM_Public:v4.18.2 CGM_Public:v4.18.1 CGM_Public:v4.18.0 CGM_Public:v4.15.1 CGM_Public:v4.16.1 CGM_Public:v4.17.1 CGM_Public:v4.17.0 CGM_Public:v4.16.0 CGM_Public:v4.15.0 CGM_Public:v4.14.0 CGM_Public:v4.13.1 CGM_Public:v4.13.0 CGM_Public:v4.12.0 CGM_Public:v4.9.1 CGM_Public:v4.10.1 CGM_Public:v4.11.1 CGM_Public:v4.11.0 CGM_Public:v4.10.0 CGM_Public:v4.9.0 CGM_Public:v4.8.0 CGM_Public:v4.5.2 CGM_Public:v4.6.1 CGM_Public:v4.7.1 CGM_Public:v4.7.0 CGM_Public:v4.6.0 CGM_Public:v4.3.1 CGM_Public:v4.4.1 CGM_Public:v4.5.1 CGM_Public:v4.5.0 CGM_Public:a CGM_Public:v4.4.0 CGM_Public:v4.3.0 CGM_Public:v4.2.0 CGM_Public:v4.1.0.post1 CGM_Public:v4.1.0 CGM_Public:v4.0.0 CGM_Public:v3.18.0 CGM_Public:v3.17.2 CGM_Public:v3.17.1 CGM_Public:v3.17.0 CGM_Public:v3.16.0 CGM_Public:v3.15.0 CGM_Public:v3.14.2 CGM_Public:v3.14.1 CGM_Public:v3.14.0 CGM_Public:v3.13.1 CGM_Public:v3.12.1 CGM_Public:v3.11.1 CGM_Public:v3.13.0 CGM_Public:v3.12.0 CGM_Public:v3.11.0 CGM_Public:v3.10.0 CGM_Public:v3.9.0 CGM_Public:v3.8.0 CGM_Public:v3.7.0 CGM_Public:v3.6.0 CGM_Public:v3.5.0 CGM_Public:v3.4.0 CGM_Public:v3.3.0 CGM_Public:v3.2.0 CGM_Public:v3.1.0 CGM_Public:v3.0.1 CGM_Public:v3.0.0 CGM_Public:v2.8.2 CGM_Public:v2.8.1 CGM_Public:v2.8.0 CGM_Public:v2.7.2 CGM_Public:v2.7.1 CGM_Public:v2.7.0 CGM_Public:s CGM_Public:v2.6.0 CGM_Public:v2.5.0 CGM_Public:v2.4.0 CGM_Public:v2.3.0 CGM_Public:v2.2.0 CGM_Public:v2.1.0 CGM_Public:v2.0.0 CGM_Public:v1.17.1 CGM_Public:v1.17.0 CGM_Public:v1.16.0 CGM_Public:v1.15.2 CGM_Public:v1.15.1 CGM_Public:v1.15.0 CGM_Public:v1.14.0 CGM_Public:v1.13.1 CGM_Public:v1.13.0 CGM_Public:v1.12.1 CGM_Public:v1.12.0 CGM_Public:v1.11.1 CGM_Public:v1.11.0 CGM_Public:v1.10.1 CGM_Public:v1.10.0 CGM_Public:v1.9.1 CGM_Public:v1.8.1 CGM_Public:v1.7.2 CGM_Public:v1.9.0 CGM_Public:v1.8.0 CGM_Public:v1.7.1 CGM_Public:v1.7.0 CGM_Public:v1.4.1 CGM_Public:v1.5.2 CGM_Public:v1.6.2 CGM_Public:v1.6.1 CGM_Public:v1.6.0 CGM_Public:v1.5.1 CGM_Public:v1.5.0 CGM_Public:v1.4.0 CGM_Public:v1.1.3 CGM_Public:v1.2.2 CGM_Public:v1.3.1 CGM_Public:v1.3.0 CGM_Public:v1.2.1 CGM_Public:v1.2.0 CGM_Public:v1.1.2 CGM_Public:v1.1.1 CGM_Public:v1.1.0 CGM_Public:1.0.0 CGM_Public:1.0.0b2 CGM_Public:1.0.0b1
...
compare: CGM_Public:v4.15.1
Branches Tags
CGM_Public:answer-export CGM_Public:fix-csv-error CGM_Public:master CGM_Public:banktransfer-dashes CGM_Public:sendmail-iterator CGM_Public:update-django-version CGM_Public:reusablemedium-multiop CGM_Public:payment-qr CGM_Public:csv-duplicate-cols CGM_Public:release/2025.10.x CGM_Public:stable CGM_Public:release/2025.9.x CGM_Public:release/2025.8.x CGM_Public:release/2025.7.x CGM_Public:linkify-placeholder-fix CGM_Public:dependabot/pip/django-countries-eq-8.2.star CGM_Public:hardening-2fa CGM_Public:hide-invisible-fields CGM_Public:logentrytype-schema CGM_Public:quickstart-optional CGM_Public:op-export-unique-cols CGM_Public:lazy-imports CGM_Public:banktransfer-zero-5168 CGM_Public:timeline-fix-5614 CGM_Public:event-dialog-optional-4794 CGM_Public:banktransfer-invoice-reference CGM_Public:webhook-length CGM_Public:typeahead-org-slug CGM_Public:show-current-cart CGM_Public:banktransfer-camt CGM_Public:dependent-on-cc CGM_Public:attendee-mails-default CGM_Public:sort-property-helper CGM_Public:rename-migration CGM_Public:invoice-pdf-line-desc-max-length CGM_Public:validate-user-email CGM_Public:banktransfer-pending-order CGM_Public:order-rounding-mixin CGM_Public:dependabot/pip/redis-eq-7.0.star CGM_Public:richtext-link-mastodon CGM_Public:import-.wrong-item CGM_Public:fix-attach-size-filter CGM_Public:add-organizer-scope-to-pluginslist CGM_Public:fix-transmission-info CGM_Public:sync-single-transactionaware CGM_Public:no-ordinal-dates CGM_Public:new-license-header CGM_Public:checkinrule-warn-invalid-ids CGM_Public:fix-rrule CGM_Public:fix-form-styles CGM_Public:fix-datasync-shouldnotsync CGM_Public:fix-datasync-logdisplay CGM_Public:invoice-no-crash CGM_Public:dependabot/pip/django-phonenumber-field-eq-8.3.star CGM_Public:subevent-editor-improvements CGM_Public:exports-repeatable-read CGM_Public:plaintext-invoice-notification CGM_Public:order-import-logentries-bulk CGM_Public:dependabot/pip/django-oauth-toolkit-eq-3.1.star CGM_Public:notification-bulk-check CGM_Public:enqueue-order-immediate CGM_Public:enqueue-order-return CGM_Public:import-testmode-warn CGM_Public:api_organizer_settings CGM_Public:confirm-text-free CGM_Public:revert-5452-invoice-plugin-data CGM_Public:fix-wordlist-issue CGM_Public:subevent-filter-plugin CGM_Public:item-plugin-forms-group CGM_Public:fix-5455 CGM_Public:logentry-wording CGM_Public:img-srcset CGM_Public:invoice-plugin-data CGM_Public:mail-model CGM_Public:update-signal-docstrings CGM_Public:add-category-btn CGM_Public:logdetail-dbg CGM_Public:fix-order-email-error-log CGM_Public:fix-paypal2-xhr-free-cart CGM_Public:fix-datasync-notfound CGM_Public:fix-asynctask-i18n CGM_Public:org-level-plugin CGM_Public:plugins-page-fix CGM_Public:voucher-webhook CGM_Public:datasync-providers-doc CGM_Public:hierarkey-2 CGM_Public:ttf-pragraph-fallback CGM_Public:voucher-created CGM_Public:invoice-address-do-not-store-on-free CGM_Public:sync-single-tx CGM_Public:mapping-json CGM_Public:datasync CGM_Public:sendmail_pendingoverdue CGM_Public:rename-contact CGM_Public:pdf-price-with-bundled CGM_Public:fix-widget-cache-check CGM_Public:presale-remove-webmanifest CGM_Public:release/2025.6.x CGM_Public:pdf-editor-areyousure CGM_Public:api-expand-generic CGM_Public:invoice-email-language CGM_Public:question-stats-percentage CGM_Public:fix-question-graphs-ui CGM_Public:subevent-bulkedit-warning CGM_Public:clean-docs CGM_Public:event-title-everywhere CGM_Public:link-timeline CGM_Public:a11y-improve-renew-feedback CGM_Public:a11y-autocomplete-off CGM_Public:a11y-fix-calendar-nav-aria-current CGM_Public:release/2025.5.x CGM_Public:a11y-fix-giftcard-checkout CGM_Public:subevent-edit-name CGM_Public:fix-seat-svg-missing-label CGM_Public:gettextstub CGM_Public:fix-voucher-redeem-form CGM_Public:stripe_12x CGM_Public:cookieconsent-properly CGM_Public:ocm-cancel-all CGM_Public:fix-checkout-confirm CGM_Public:fix-nothingtoadd CGM_Public:dialog-backdrop-click-close CGM_Public:cart-renewal CGM_Public:a11y-add-cart-empty CGM_Public:waitinglist-export-productid CGM_Public:a11y-fix-waitinglist-link CGM_Public:a11y-no-underline-event-list CGM_Public:a11y-placeolder-contrast CGM_Public:cart-renewal-ui-html5dialog CGM_Public:cart-renewal-ui CGM_Public:tooltip-a11y CGM_Public:a11y-widget-fix-filter-dropdown CGM_Public:a11y-common-modal-dialogs CGM_Public:invoice-to-organizer-multimail CGM_Public:a11y-fix-b-strong CGM_Public:issue-5077 CGM_Public:a11y-validate-dates-serverside CGM_Public:a11y-fix-datepicker-error CGM_Public:item-list-seating CGM_Public:fix-eventlist-date-field CGM_Public:fix-headline-mismatch CGM_Public:release/2025.4.x CGM_Public:fix-datepicker-datedisplay CGM_Public:change-secret CGM_Public:subevent-discounts-test CGM_Public:sold-out-voucher CGM_Public:question-clean-answer-typo CGM_Public:checkinrpc-locales CGM_Public:fix-bulkedit-devices CGM_Public:release/2025.3.x CGM_Public:order-search-in-attendee-company CGM_Public:refactor-copy_to_first_ticket CGM_Public:organizer-index-filter-empty CGM_Public:context-on-error-page CGM_Public:order-checkin-icons CGM_Public:order-email-history-attachments CGM_Public:salutation-empty-label CGM_Public:fix-customer-create-race-condition CGM_Public:widget-data-3rdparty CGM_Public:scheduledmail-subevent-missing CGM_Public:fix-widget-data-3rdparty CGM_Public:widget-subevent-fix CGM_Public:a11y-remove-autofocus CGM_Public:release/2025.2.x CGM_Public:lists-for-failed-checkin CGM_Public:api-create-fees CGM_Public:fix-widget-data-overwrite CGM_Public:bulk-actions-logentries CGM_Public:widget-consent-prio CGM_Public:oidc-pkce CGM_Public:dependabot/pip/sphinx-eq-8.2.star CGM_Public:fix-copy-to-first-matching CGM_Public:headless CGM_Public:fix-deletedevent-checkin-logdisplay CGM_Public:widget_email_repeat CGM_Public:release/2025.1.x CGM_Public:new-docs CGM_Public:oidc_query_parameters CGM_Public:a11y-autofocus-tabindex CGM_Public:metrics_middleware_concat CGM_Public:widget-cookiebot CGM_Public:missing-registrations CGM_Public:fix-business-deps CGM_Public:invoice-pdf-transparency CGM_Public:logentrytype-registry CGM_Public:reldatetimefield-refactor CGM_Public:fix-copy-variations-channels CGM_Public:customdomain-show-backend-btn CGM_Public:invoice-user-paid CGM_Public:question-max-digits CGM_Public:i18n-field-order CGM_Public:language-switch-parameter CGM_Public:fieldset-panels-checkout CGM_Public:fix-invoice-name-validation CGM_Public:fieldset-panels-anim CGM_Public:dashboard-intcomma CGM_Public:fieldset-panels CGM_Public:fix-shipping-form CGM_Public:addressform-err-handling CGM_Public:fix-state-required-logic CGM_Public:release/2024.11.x CGM_Public:a11y-customer CGM_Public:robust-alert-colors CGM_Public:stripe-sofort-remove CGM_Public:stripe_mobilepay CGM_Public:quota-lock-log CGM_Public:main CGM_Public:pluggable-security-profiles CGM_Public:fix-category-change-log CGM_Public:checkin-present-filter-perf CGM_Public:hide-dependencies-recursively CGM_Public:fix-cond-display CGM_Public:badge-export-order-date CGM_Public:manual-fees CGM_Public:release/2024.10.x CGM_Public:raphaelm-patch-3 CGM_Public:hacky-debug-output CGM_Public:hacky-debug-output-reruns CGM_Public:ci-more-threads CGM_Public:ci-apt-y CGM_Public:before-fakeredis-update CGM_Public:actions-debug-postgres-1 CGM_Public:actions-fix-postgres CGM_Public:ci-postgres-service CGM_Public:pdf-layout-renderer-api CGM_Public:fix-category-type-column CGM_Public:cross-selling CGM_Public:bundles-not-negative CGM_Public:manual-installation CGM_Public:subevent-empty-avoid CGM_Public:release/2024.9.x CGM_Public:utils CGM_Public:email-confirm-secret-independent CGM_Public:docs-fix-typo-sso CGM_Public:unify-uncat-products-html-source CGM_Public:seating-waitinglist-sronly CGM_Public:release/2024.8.x CGM_Public:event-date-weekday CGM_Public:fix-sidebar-mobile CGM_Public:release/2024.7.x CGM_Public:release/2024.6.x CGM_Public:release/2024.5.x CGM_Public:fix-mail-preview-xss CGM_Public:api-webhook-filter CGM_Public:fix-tests CGM_Public:checkinlist-export-sort-by-date CGM_Public:fix-stripe-sca-sandbox CGM_Public:order-nullability CGM_Public:pytest-no-pending CGM_Public:add-temp-seatingframe-signal CGM_Public:fix-seatingframe-missing-css CGM_Public:stripe-giropay CGM_Public:list-sorting-move CGM_Public:daterange-test-foo CGM_Public:fix-checkbox-disabled-label-refactor CGM_Public:fix-pdf-bg-append CGM_Public:remove-subevent-items CGM_Public:fix-mail-preview-brackets-mismatch-2 CGM_Public:voucher-suggested-price CGM_Public:giftcard-validity CGM_Public:fix-mail-preview-brackets-mismatch CGM_Public:seo-improvements CGM_Public:ppv2_apm_wh_capture CGM_Public:back-to-the-future-2 CGM_Public:multi-subevent-cart-add CGM_Public:release/2024.4.x CGM_Public:fix-country-codes-profiles CGM_Public:release/2024.3.x CGM_Public:data-attr-price CGM_Public:issue-3967-adjacent CGM_Public:fix-issue-3967 CGM_Public:event_fonts CGM_Public:back-to-the-future CGM_Public:release/2024.2.x CGM_Public:release/2023.10.x CGM_Public:release/2023.8.x CGM_Public:release/2023.9.x CGM_Public:release/2024.1.x CGM_Public:django-oauth-toolkit-eq-2.3.star CGM_Public:select2-close-on-clear CGM_Public:plugins-allow-individual-ticket-download CGM_Public:event-dashboard CGM_Public:scan-debug-data CGM_Public:money-filter-tests CGM_Public:sort-sales-channels CGM_Public:pdf-fix-rotate CGM_Public:locking-tests CGM_Public:global_applepay_domain_validation CGM_Public:payment-available-from2 CGM_Public:release/4.20.x CGM_Public:release/2023.6.x CGM_Public:release/2023.7.x CGM_Public:zerodecimal_refunds CGM_Public:fix-typo CGM_Public:customer-webhooks CGM_Public:quota-cache-fix CGM_Public:pdf-bulk-vars-2 CGM_Public:new-checkin-type CGM_Public:mf0aes-docs CGM_Public:fix-pdf-image-multi-export CGM_Public:walletdetection CGM_Public:fix-pdf-bg-offset CGM_Public:celery-5.3 CGM_Public:api-taxrules CGM_Public:fix-lazy-translation-settings CGM_Public:hide-empty-addons CGM_Public:add-order-min CGM_Public:release/4.19.x CGM_Public:idna CGM_Public:order-filter-requires-attention CGM_Public:release/4.18.x CGM_Public:fix-widget-close-position CGM_Public:release/4.15.x CGM_Public:release/4.16.x CGM_Public:release/4.17.x CGM_Public:fix-q-checkbox-required CGM_Public:compact-cart CGM_Public:harmonize-checkin-export-date CGM_Public:ocm-no-canceled CGM_Public:widget-seating-embed CGM_Public:guest-handling CGM_Public:dnspython2 CGM_Public:fix-addon-typo CGM_Public:oauth-toolkit-2 CGM_Public:thumbnail-store-created CGM_Public:invoice-to-other-email CGM_Public:answer-options-csv CGM_Public:release/4.14.x CGM_Public:transaction-source CGM_Public:improve-badge-pdf-bg-performance CGM_Public:release/4.13.x CGM_Public:common-country-names CGM_Public:fix-check-in-subevent-filterform CGM_Public:placeholder-last-modification CGM_Public:fix-pdf-editor-prefill-bug CGM_Public:release/4.12.x CGM_Public:invoice-giftcards CGM_Public:addon-match CGM_Public:release/4.9.x CGM_Public:release/4.11.x CGM_Public:release/4.10.x CGM_Public:product-list-export CGM_Public:fix-api-operations-refresh CGM_Public:fix-free-price-checkbox CGM_Public:redis-response-error CGM_Public:remove-promise-from-paypal2 CGM_Public:fix-customer-identifier-unique CGM_Public:add-name-for-salutation-to-editor CGM_Public:orderlist-canceled-lines CGM_Public:event-clone-tests CGM_Public:aws_ses_454 CGM_Public:release/4.8.x CGM_Public:fix-2556-remove-attestation-from-2fa CGM_Public:release/4.5.x CGM_Public:release/4.6.x CGM_Public:release/4.7.x CGM_Public:db-conn-tz CGM_Public:hotfix CGM_Public:release/4.3.x CGM_Public:release/4.4.x CGM_Public:short-month-day-format CGM_Public:add-fixed-scroll-pos-to-calendar CGM_Public:consistency-check CGM_Public:sticky-add-to-basket CGM_Public:release/4.2.x CGM_Public:release/4.1.x CGM_Public:release/4.0.x CGM_Public:release/3.18.x CGM_Public:release/3.17.x CGM_Public:waitlist_subeventpicker CGM_Public:hotfix20210323 CGM_Public:hotfix20210325 CGM_Public:django31 CGM_Public:flaky-test CGM_Public:release/3.16.x CGM_Public:cancel-no-invoice CGM_Public:release/3.15.x CGM_Public:release/3.14.x CGM_Public:validate-dns CGM_Public:release/3.13.x CGM_Public:release/3.12.x CGM_Public:release/3.11.x CGM_Public:docker-nginx-logs CGM_Public:remove-reversecharge CGM_Public:stripe-connect-2 CGM_Public:copy-from-matching-product CGM_Public:seat-orgchoice CGM_Public:release/3.10.x CGM_Public:release/3.9.x CGM_Public:gha-migrations CGM_Public:release/3.8.x CGM_Public:issue1575 CGM_Public:release/3.7.x CGM_Public:release/3.6.x CGM_Public:release/3.5.x CGM_Public:cart-vouchers CGM_Public:release/3.4.x CGM_Public:release/3.3.x CGM_Public:stripe-connect-fees CGM_Public:release/3.2.x CGM_Public:release/3.1.x CGM_Public:release/3.0.x CGM_Public:pretixscan CGM_Public:hidden-product-quota-voucher CGM_Public:scopes CGM_Public:release/2.8.x CGM_Public:release/2.7.x CGM_Public:loadtest2 CGM_Public:orderchange2 CGM_Public:django22 CGM_Public:release/2.6.x CGM_Public:794-questions-default-value CGM_Public:dekodi CGM_Public:release/2.5.x CGM_Public:loadtest CGM_Public:selfcancel-positions CGM_Public:searchindex CGM_Public:release/2.4.x CGM_Public:release/2.3.x CGM_Public:release/2.2.x CGM_Public:release/2.1.x CGM_Public:transfer-ticket CGM_Public:release/2.0.x CGM_Public:release/1.17.x CGM_Public:design2.0 CGM_Public:release/1.16.x CGM_Public:release/1.15.x CGM_Public:release/1.14.x CGM_Public:release/1.13.x CGM_Public:release/1.12.x CGM_Public:release/1.11.x CGM_Public:release/1.10.x CGM_Public:release/1.9.x CGM_Public:release/1.8.x CGM_Public:release/1.7.x CGM_Public:new-placeholders CGM_Public:release/1.4.x CGM_Public:release/1.5.x CGM_Public:release/1.6.x CGM_Public:custom-manager CGM_Public:release/1.1.x CGM_Public:release/1.2.x CGM_Public:release/1.3.x CGM_Public:release/1.0.x CGM_Public:voucher-wizard CGM_Public:shorter-locking
CGM_Public:v2025.10.0 CGM_Public:v2025.7.3 CGM_Public:v2025.9.2 CGM_Public:v2025.8.2 CGM_Public:v2025.8.1 CGM_Public:v2025.9.1 CGM_Public:v2025.7.2 CGM_Public:v2025.9.0 CGM_Public:v2025.8.0 CGM_Public:v2025.7.1 CGM_Public:v2025.7.0 CGM_Public:v2025.6.0 CGM_Public:v2025.5.0 CGM_Public:v2025.4.0 CGM_Public:v2025.3.0 CGM_Public:v2025.2.0 CGM_Public:v2025.1.0 CGM_Public:v2024.11.0 CGM_Public:v2024.10.0 CGM_Public:v2024.9.0 CGM_Public:v2024.8.0 CGM_Public:v2024.7.1 CGM_Public:v2024.6.1 CGM_Public:v2024.5.1 CGM_Public:v2024.7.0 CGM_Public:v2024.6.0 CGM_Public:v2024.5.0 CGM_Public:v2024.4.0 CGM_Public:v2024.3.0 CGM_Public:v2024.2.0 CGM_Public:v2023.10.2 CGM_Public:v2023.8.1.post1 CGM_Public:v2023.9.1.post1 CGM_Public:v2023.8.1 CGM_Public:v2023.9.1 CGM_Public:v2024.1.1 CGM_Public:v2024.1.0 CGM_Public:v2023.10.1.post1 CGM_Public:v2023.10.1 CGM_Public:v2023.10.0 CGM_Public:v2023.9.0 CGM_Public:v2023.8.0 CGM_Public:v2023.6.3 CGM_Public:v4.20.4 CGM_Public:v2023.7.3 CGM_Public:v4.20.3 CGM_Public:v2023.6.2 CGM_Public:v2023.7.2 CGM_Public:v4.20.2.post1 CGM_Public:v4.20.2 CGM_Public:v2023.6.1 CGM_Public:v2023.7.1 CGM_Public:v2023.7.0 CGM_Public:v2023.6.0 CGM_Public:v4.20.1 CGM_Public:v4.20.0 CGM_Public:v4.19.0.post1 CGM_Public:v4.19.0 CGM_Public:v4.18.2.post1 CGM_Public:v4.18.2 CGM_Public:v4.18.1 CGM_Public:v4.18.0 CGM_Public:v4.15.1 CGM_Public:v4.16.1 CGM_Public:v4.17.1 CGM_Public:v4.17.0 CGM_Public:v4.16.0 CGM_Public:v4.15.0 CGM_Public:v4.14.0 CGM_Public:v4.13.1 CGM_Public:v4.13.0 CGM_Public:v4.12.0 CGM_Public:v4.9.1 CGM_Public:v4.10.1 CGM_Public:v4.11.1 CGM_Public:v4.11.0 CGM_Public:v4.10.0 CGM_Public:v4.9.0 CGM_Public:v4.8.0 CGM_Public:v4.5.2 CGM_Public:v4.6.1 CGM_Public:v4.7.1 CGM_Public:v4.7.0 CGM_Public:v4.6.0 CGM_Public:v4.3.1 CGM_Public:v4.4.1 CGM_Public:v4.5.1 CGM_Public:v4.5.0 CGM_Public:a CGM_Public:v4.4.0 CGM_Public:v4.3.0 CGM_Public:v4.2.0 CGM_Public:v4.1.0.post1 CGM_Public:v4.1.0 CGM_Public:v4.0.0 CGM_Public:v3.18.0 CGM_Public:v3.17.2 CGM_Public:v3.17.1 CGM_Public:v3.17.0 CGM_Public:v3.16.0 CGM_Public:v3.15.0 CGM_Public:v3.14.2 CGM_Public:v3.14.1 CGM_Public:v3.14.0 CGM_Public:v3.13.1 CGM_Public:v3.12.1 CGM_Public:v3.11.1 CGM_Public:v3.13.0 CGM_Public:v3.12.0 CGM_Public:v3.11.0 CGM_Public:v3.10.0 CGM_Public:v3.9.0 CGM_Public:v3.8.0 CGM_Public:v3.7.0 CGM_Public:v3.6.0 CGM_Public:v3.5.0 CGM_Public:v3.4.0 CGM_Public:v3.3.0 CGM_Public:v3.2.0 CGM_Public:v3.1.0 CGM_Public:v3.0.1 CGM_Public:v3.0.0 CGM_Public:v2.8.2 CGM_Public:v2.8.1 CGM_Public:v2.8.0 CGM_Public:v2.7.2 CGM_Public:v2.7.1 CGM_Public:v2.7.0 CGM_Public:s CGM_Public:v2.6.0 CGM_Public:v2.5.0 CGM_Public:v2.4.0 CGM_Public:v2.3.0 CGM_Public:v2.2.0 CGM_Public:v2.1.0 CGM_Public:v2.0.0 CGM_Public:v1.17.1 CGM_Public:v1.17.0 CGM_Public:v1.16.0 CGM_Public:v1.15.2 CGM_Public:v1.15.1 CGM_Public:v1.15.0 CGM_Public:v1.14.0 CGM_Public:v1.13.1 CGM_Public:v1.13.0 CGM_Public:v1.12.1 CGM_Public:v1.12.0 CGM_Public:v1.11.1 CGM_Public:v1.11.0 CGM_Public:v1.10.1 CGM_Public:v1.10.0 CGM_Public:v1.9.1 CGM_Public:v1.8.1 CGM_Public:v1.7.2 CGM_Public:v1.9.0 CGM_Public:v1.8.0 CGM_Public:v1.7.1 CGM_Public:v1.7.0 CGM_Public:v1.4.1 CGM_Public:v1.5.2 CGM_Public:v1.6.2 CGM_Public:v1.6.1 CGM_Public:v1.6.0 CGM_Public:v1.5.1 CGM_Public:v1.5.0 CGM_Public:v1.4.0 CGM_Public:v1.1.3 CGM_Public:v1.2.2 CGM_Public:v1.3.1 CGM_Public:v1.3.0 CGM_Public:v1.2.1 CGM_Public:v1.2.0 CGM_Public:v1.1.2 CGM_Public:v1.1.1 CGM_Public:v1.1.0 CGM_Public:1.0.0 CGM_Public:1.0.0b2 CGM_Public:1.0.0b1

2 Commits
v2023.9.1 ... v4.15.1

Author SHA1 Message Date
Raphael Michel
ce4a6be7f7 Bump to 4.15.1 2023-03-06 14:58:35 +01:00
Raphael Michel
cbfac15e23 [SECURITY] Enforce session validation on oauth authorize endpoint 2023-03-06 14:58:24 +01:00
6 changed files with 170 additions and 6 deletions
Expand all files Collapse all files

2
src/pretix/__init__.py
View File

@@ -19,4 +19,4 @@
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
__version__ = "4.15.0"
__version__ = "4.15.1"

3
src/pretix/api/views/oauth.py
View File

@@ -34,6 +34,7 @@ from oauth2_provider.views import (
from pretix.api.models import OAuthApplication
from pretix.base.models import Organizer
from pretix.control.views.user import RecentAuthenticationRequiredMixin
logger = logging.getLogger(__name__)
@@ -54,7 +55,7 @@ class OAuthAllowForm(AllowForm):
del self.fields['organizers']
class AuthorizationView(BaseAuthorizationView):
class AuthorizationView(RecentAuthenticationRequiredMixin, BaseAuthorizationView):
template_name = "pretixcontrol/auth/oauth_authorization.html"
form_class = OAuthAllowForm

2
src/pretix/control/middleware.py
View File

@@ -112,7 +112,7 @@ class PermissionMiddleware:
url = resolve(request.path_info)
url_name = url.url_name
if not request.path.startswith(get_script_prefix() + 'control'):
if not request.path.startswith(get_script_prefix() + 'control') and not (url.namespace.startswith("api-") and url_name == "authorize"):
# This middleware should only touch the /control subpath
return self.get_response(request)

15
src/tests/api/test_auth.py
View File

@@ -19,6 +19,8 @@
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import time
import pytest
from pretix.base.models import Organizer
@@ -48,6 +50,19 @@ def test_session_auth_with_teams(client, user, team):
assert len(resp.data['results']) == 1
@pytest.mark.django_db
def test_session_auth_relative_timeout(client, user, team):
client.login(email=user.email, password='dummy')
session = client.session
session['pretix_auth_long_session'] = False
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 6
session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 - 60
session.save()
resp = client.get('/api/v1/organizers/')
assert resp.status_code == 403
@pytest.mark.django_db
def test_token_invalid(client):
client.credentials(HTTP_AUTHORIZATION='Token ABCDE')

152
src/tests/api/test_oauth.py
View File

@@ -1,5 +1,4 @@
#
# This file is part of pretix (Community Edition).
# # This file is part of pretix (Community Edition).
#
# Copyright (C) 2014-2020 Raphael Michel and contributors
# Copyright (C) 2020-2021 rami.io GmbH and contributors
@@ -34,6 +33,7 @@
import base64
import json
import time
from urllib.parse import quote
import pytest
@@ -81,9 +81,81 @@ def test_authorize_require_login(client, application: OAuthApplication):
assert resp['Location'].startswith('/control/login')
@pytest.mark.django_db
def test_authorize_require_login_after_absolute_timeout(client, admin_user, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_long_session'] = False
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote('https://example.org')
))
assert resp.status_code == 302
assert resp['Location'].startswith('/control/login')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote(application.redirect_uris)
))
assert resp.status_code == 302
@pytest.mark.django_db
def test_authorize_require_recent_auth(client, admin_user, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_long_session'] = True
session['pretix_auth_login_time'] = int(time.time()) - 3600 - 60
session['pretix_auth_last_used'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote('https://example.org')
))
assert resp.status_code == 302
assert resp['Location'].startswith('/control/reauth')
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote(application.redirect_uris)
))
assert resp.status_code == 302
@pytest.mark.django_db
def test_authorize_require_login_after_relative_timeout(client, admin_user, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_long_session'] = False
session['pretix_auth_login_time'] = int(time.time()) - 3600 * 3 - 60
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote('https://example.org')
))
assert resp.status_code == 302
assert resp['Location'].startswith('/control/reauth')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote(application.redirect_uris)
))
assert resp.status_code == 302
@pytest.mark.django_db
def test_authorize_invalid_redirect_uri(client, admin_user, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote('https://example.org')
))
@@ -93,6 +165,9 @@ def test_authorize_invalid_redirect_uri(client, admin_user, application: OAuthAp
@pytest.mark.django_db
def test_authorize_missing_response_type(client, admin_user, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s' % (
application.client_id, quote(application.redirect_uris)
))
@@ -103,9 +178,13 @@ def test_authorize_missing_response_type(client, admin_user, application: OAuthA
@pytest.mark.django_db
def test_authorize_require_organizer(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
print(resp.headers)
assert resp.status_code == 200
resp = client.post('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
@@ -122,6 +201,9 @@ def test_authorize_require_organizer(client, admin_user, organizer, application:
@pytest.mark.django_db
def test_authorize_denied(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -140,6 +222,9 @@ def test_authorize_denied(client, admin_user, organizer, application: OAuthAppli
@pytest.mark.django_db
def test_authorize_disallow_response_token(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=token' % (
application.client_id, quote(application.redirect_uris)
))
@@ -150,6 +235,9 @@ def test_authorize_disallow_response_token(client, admin_user, organizer, applic
@pytest.mark.django_db
def test_authorize_read_scope(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -174,6 +262,9 @@ def test_authorize_read_scope(client, admin_user, organizer, application: OAuthA
@pytest.mark.django_db
def test_authorize_state(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=asdadf' % (
application.client_id, quote(application.redirect_uris)
))
@@ -194,6 +285,9 @@ def test_authorize_state(client, admin_user, organizer, application: OAuthApplic
@pytest.mark.django_db
def test_authorize_default_scope(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -219,6 +313,9 @@ def test_authorize_default_scope(client, admin_user, organizer, application: OAu
@pytest.mark.django_db
def test_token_from_code_without_auth(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -246,6 +343,9 @@ def test_token_from_code_without_auth(client, admin_user, organizer, application
@pytest.mark.django_db
def test_token_from_code(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -285,6 +385,9 @@ def test_use_token_for_access_one_organizer(client, admin_user, organizer, appli
t2.members.add(admin_user)
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -327,6 +430,9 @@ def test_use_token_for_access_two_organizers(client, admin_user, organizer, appl
t2.members.add(admin_user)
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -368,6 +474,9 @@ def test_use_token_for_access_two_organizers(client, admin_user, organizer, appl
@pytest.mark.django_db
def test_token_refresh(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -410,6 +519,9 @@ def test_token_refresh(client, admin_user, organizer, application: OAuthApplicat
@pytest.mark.django_db
def test_allow_write(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -442,6 +554,9 @@ def test_allow_write(client, admin_user, organizer, application: OAuthApplicatio
@pytest.mark.django_db
def test_allow_read_only(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -474,6 +589,9 @@ def test_allow_read_only(client, admin_user, organizer, application: OAuthApplic
@pytest.mark.django_db
def test_token_revoke_refresh_token(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -518,6 +636,9 @@ def test_token_revoke_refresh_token(client, admin_user, organizer, application:
@pytest.mark.django_db
def test_token_revoke_access_token(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -566,6 +687,9 @@ def test_token_revoke_access_token(client, admin_user, organizer, application: O
@pytest.mark.django_db
def test_user_revoke(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code' % (
application.client_id, quote(application.redirect_uris)
))
@@ -595,6 +719,9 @@ def test_user_revoke(client, admin_user, organizer, application: OAuthApplicatio
at = OAuthAccessToken.objects.get(token=access_token)
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.post('/control/settings/oauth/authorized/{}/revoke'.format(at.pk), data={
})
assert resp.status_code == 302
@@ -613,6 +740,9 @@ def test_user_revoke(client, admin_user, organizer, application: OAuthApplicatio
@pytest.mark.django_db
def test_allow_profile_only(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&scope=profile' % (
application.client_id, quote(application.redirect_uris)
))
@@ -642,3 +772,21 @@ def test_allow_profile_only(client, admin_user, organizer, application: OAuthApp
assert resp.status_code == 403
resp = client.get('/api/v1/me', HTTP_AUTHORIZATION='Bearer %s' % access_token)
assert resp.status_code == 200
@pytest.mark.django_db
def test_reject_other_response_types(client, admin_user, organizer, application: OAuthApplication):
client.login(email='dummy@dummy.dummy', password='dummy')
session = client.session
session['pretix_auth_login_time'] = int(time.time())
session.save()
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code+id_token' % (
application.client_id, quote(application.redirect_uris)
))
assert resp.status_code == 302
assert 'error=unauthorized_client' in resp['Location']
resp = client.get('/api/v1/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=id_token' % (
application.client_id, quote(application.redirect_uris)
))
assert resp.status_code == 302
assert 'error=unsupported_response_type' in resp['Location']

2
src/tests/control/test_auth.py
View File

@@ -757,7 +757,7 @@ class SessionTimeOutTest(TestCase):
# Regression test added after a security problem in 1.9.1
# The problem was that, once the relative timeout happened, the user was redirected
# to /control/reauth/, but loading /control/reauth/ was already considered to be
# "session activitiy". Therefore, after loding /control/reauth/, the session was no longer
# "session activity". Therefore, after loding /control/reauth/, the session was no longer
# in the timeout state and the user was able to access pages again without re-entering the
# password.
session = self.client.session