# # This file is part of pretix (Community Edition). # # Copyright (C) 2014-2020 Raphael Michel and contributors # Copyright (C) 2020-2021 rami.io GmbH and contributors # # This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General # Public License as published by the Free Software Foundation in version 3 of the License. # # ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are # applicable granting you additional permissions and placing additional restrictions on your usage of this software. # Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive # this file, see . # # This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more # details. # # You should have received a copy of the GNU Affero General Public License along with this program. If not, see # . # # This file is based on an earlier version of pretix which was released under the Apache License 2.0. The full text of # the Apache License 2.0 can be obtained at . # # This file may have since been changed and any changes are released under the terms of AGPLv3 as described above. A # full history of changes and contributors is available at . # # This file contains Apache-licensed contributions copyrighted by: Ture Gjørup # # Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations under the License. import django_filters from django.db import transaction from django.db.models import ProtectedError, Q from django.utils.timezone import now from django_filters.rest_framework import DjangoFilterBackend, FilterSet from django_scopes import scopes_disabled from rest_framework import filters, serializers, views, viewsets from rest_framework.exceptions import PermissionDenied from rest_framework.response import Response from pretix.api.auth.permission import EventCRUDPermission from pretix.api.serializers.event import ( CloneEventSerializer, DeviceEventSettingsSerializer, EventSerializer, EventSettingsSerializer, SubEventSerializer, TaxRuleSerializer, ) from pretix.api.views import ConditionalListView from pretix.base.models import ( CartPosition, Device, Event, TaxRule, TeamAPIToken, ) from pretix.base.models.event import SubEvent from pretix.base.settings import SETTINGS_AFFECTING_CSS from pretix.helpers.dicts import merge_dicts from pretix.presale.style import regenerate_css from pretix.presale.views.organizer import filter_qs_by_attr with scopes_disabled(): class EventFilter(FilterSet): is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs') is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs') ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs') sales_channel = django_filters.rest_framework.CharFilter(method='sales_channel_qs') class Meta: model = Event fields = ['is_public', 'live', 'has_subevents'] def ends_after_qs(self, queryset, name, value): expr = ( Q(has_subevents=False) & Q( Q(Q(date_to__isnull=True) & Q(date_from__gte=value)) | Q(Q(date_to__isnull=False) & Q(date_to__gte=value)) ) ) return queryset.filter(expr) def is_past_qs(self, queryset, name, value): expr = ( Q(has_subevents=False) & Q( Q(Q(date_to__isnull=True) & Q(date_from__lt=now())) | Q(Q(date_to__isnull=False) & Q(date_to__lt=now())) ) ) if value: return queryset.filter(expr) else: return queryset.exclude(expr) def is_future_qs(self, queryset, name, value): expr = ( Q(has_subevents=False) & Q( Q(Q(date_to__isnull=True) & Q(date_from__gte=now())) | Q(Q(date_to__isnull=False) & Q(date_to__gte=now())) ) ) if value: return queryset.filter(expr) else: return queryset.exclude(expr) def sales_channel_qs(self, queryset, name, value): return queryset.filter(sales_channels__contains=value) class EventViewSet(viewsets.ModelViewSet): serializer_class = EventSerializer queryset = Event.objects.none() lookup_field = 'slug' lookup_url_kwarg = 'event' lookup_value_regex = '[^/]+' permission_classes = (EventCRUDPermission,) filter_backends = (DjangoFilterBackend, filters.OrderingFilter) ordering = ('slug',) ordering_fields = ('date_from', 'slug') filterset_class = EventFilter def get_queryset(self): if isinstance(self.request.auth, (TeamAPIToken, Device)): qs = self.request.auth.get_events_with_any_permission() elif self.request.user.is_authenticated: qs = self.request.user.get_events_with_any_permission(self.request).filter( organizer=self.request.organizer ) qs = filter_qs_by_attr(qs, self.request) return qs.prefetch_related( 'meta_values', 'meta_values__property', 'seat_category_mappings' ) def perform_update(self, serializer): current_live_value = serializer.instance.live updated_live_value = serializer.validated_data.get('live', None) current_plugins_value = serializer.instance.get_plugins() updated_plugins_value = serializer.validated_data.get('plugins', None) super().perform_update(serializer) if updated_live_value is not None and updated_live_value != current_live_value: log_action = 'pretix.event.live.activated' if updated_live_value else 'pretix.event.live.deactivated' serializer.instance.log_action( log_action, user=self.request.user, auth=self.request.auth, data=self.request.data ) if updated_plugins_value is not None and set(updated_plugins_value) != set(current_plugins_value): enabled = {m: 'enabled' for m in updated_plugins_value if m not in current_plugins_value} disabled = {m: 'disabled' for m in current_plugins_value if m not in updated_plugins_value} changed = merge_dicts(enabled, disabled) for module, action in changed.items(): serializer.instance.log_action( 'pretix.event.plugins.' + action, user=self.request.user, auth=self.request.auth, data={'plugin': module} ) other_keys = {k: v for k, v in serializer.validated_data.items() if k not in ['plugins', 'live']} if other_keys: serializer.instance.log_action( 'pretix.event.changed', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_create(self, serializer): serializer.save(organizer=self.request.organizer) serializer.instance.set_defaults() serializer.instance.log_action( 'pretix.event.added', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_destroy(self, instance): if not instance.allow_delete(): raise PermissionDenied('The event can not be deleted as it already contains orders. Please set \'live\'' ' to false to hide the event and take the shop offline instead.') try: with transaction.atomic(): instance.organizer.log_action( 'pretix.event.deleted', user=self.request.user, data={ 'event_id': instance.pk, 'name': str(instance.name), 'logentries': list(instance.logentry_set.values_list('pk', flat=True)) } ) instance.delete_sub_objects() super().perform_destroy(instance) except ProtectedError: raise PermissionDenied('The event could not be deleted as some constraints (e.g. data created by plug-ins) ' 'do not allow it.') class CloneEventViewSet(viewsets.ModelViewSet): serializer_class = CloneEventSerializer queryset = Event.objects.none() lookup_field = 'slug' lookup_url_kwarg = 'event' http_method_names = ['post'] write_permission = 'can_create_events' def get_serializer_context(self): ctx = super().get_serializer_context() ctx['event'] = self.kwargs['event'] ctx['organizer'] = self.request.organizer return ctx def perform_create(self, serializer): serializer.save(organizer=self.request.organizer) serializer.instance.log_action( 'pretix.event.added', user=self.request.user, auth=self.request.auth, data=self.request.data ) with scopes_disabled(): class SubEventFilter(FilterSet): is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs') is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs') ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs') modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte') class Meta: model = SubEvent fields = ['active', 'event__live'] def ends_after_qs(self, queryset, name, value): expr = Q( Q(Q(date_to__isnull=True) & Q(date_from__gte=value)) | Q(Q(date_to__isnull=False) & Q(date_to__gte=value)) ) return queryset.filter(expr) def is_past_qs(self, queryset, name, value): expr = Q( Q(Q(date_to__isnull=True) & Q(date_from__lt=now())) | Q(Q(date_to__isnull=False) & Q(date_to__lt=now())) ) if value: return queryset.filter(expr) else: return queryset.exclude(expr) def is_future_qs(self, queryset, name, value): expr = Q( Q(Q(date_to__isnull=True) & Q(date_from__gte=now())) | Q(Q(date_to__isnull=False) & Q(date_to__gte=now())) ) if value: return queryset.filter(expr) else: return queryset.exclude(expr) class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet): serializer_class = SubEventSerializer queryset = SubEvent.objects.none() write_permission = 'can_change_event_settings' filter_backends = (DjangoFilterBackend, filters.OrderingFilter) filterset_class = SubEventFilter ordering = ('date_from',) ordering_fields = ('id', 'date_from', 'last_modified') def get_queryset(self): if getattr(self.request, 'event', None): qs = self.request.event.subevents elif isinstance(self.request.auth, (TeamAPIToken, Device)): qs = SubEvent.objects.filter( event__organizer=self.request.organizer, event__in=self.request.auth.get_events_with_any_permission() ) elif self.request.user.is_authenticated: qs = SubEvent.objects.filter( event__organizer=self.request.organizer, event__in=self.request.user.get_events_with_any_permission() ) qs = filter_qs_by_attr(qs, self.request) return qs.prefetch_related( 'subeventitem_set', 'subeventitemvariation_set', 'seat_category_mappings', 'meta_values' ) def list(self, request, **kwargs): date = serializers.DateTimeField().to_representation(now()) queryset = self.filter_queryset(self.get_queryset()) page = self.paginate_queryset(queryset) if page is not None: serializer = self.get_serializer(page, many=True) resp = self.get_paginated_response(serializer.data) resp['X-Page-Generated'] = date return resp serializer = self.get_serializer(queryset, many=True) return Response(serializer.data, headers={'X-Page-Generated': date}) def perform_update(self, serializer): original_data = self.get_serializer(instance=serializer.instance).data super().perform_update(serializer) if serializer.data == original_data: # Performance optimization: If nothing was changed, we do not need to save or log anything. # This costs us a few cycles on save, but avoids thousands of lines in our log. return serializer.instance.log_action( 'pretix.subevent.changed', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_create(self, serializer): serializer.save(event=self.request.event) serializer.instance.log_action( 'pretix.subevent.added', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_destroy(self, instance): if not instance.allow_delete(): raise PermissionDenied('The sub-event can not be deleted as it has already been used in orders. Please set' ' \'active\' to false instead to hide it from users.') try: with transaction.atomic(): instance.log_action( 'pretix.subevent.deleted', user=self.request.user, auth=self.request.auth, data=self.request.data ) CartPosition.objects.filter(addon_to__subevent=instance).delete() instance.cartposition_set.all().delete() super().perform_destroy(instance) except ProtectedError: raise PermissionDenied('The sub-event could not be deleted as some constraints (e.g. data created by ' 'plug-ins) do not allow it.') class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet): serializer_class = TaxRuleSerializer queryset = TaxRule.objects.none() write_permission = 'can_change_event_settings' def get_queryset(self): return self.request.event.tax_rules.all() def perform_update(self, serializer): super().perform_update(serializer) serializer.instance.log_action( 'pretix.event.taxrule.changed', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_create(self, serializer): serializer.save(event=self.request.event) serializer.instance.log_action( 'pretix.event.taxrule.added', user=self.request.user, auth=self.request.auth, data=self.request.data ) def perform_destroy(self, instance): if not instance.allow_delete(): raise PermissionDenied('This tax rule can not be deleted as it is currently in use.') instance.log_action( 'pretix.event.taxrule.deleted', user=self.request.user, auth=self.request.auth, ) super().perform_destroy(instance) class EventSettingsView(views.APIView): permission = None write_permission = 'can_change_event_settings' def get(self, request, *args, **kwargs): if isinstance(request.auth, Device): s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={ 'request': request }) elif 'can_change_event_settings' in request.eventpermset: s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={ 'request': request }) else: raise PermissionDenied() if 'explain' in request.GET: return Response({ fname: { 'value': s.data[fname], 'label': getattr(field, '_label', fname), 'help_text': getattr(field, '_help_text', None) } for fname, field in s.fields.items() }) return Response(s.data) def patch(self, request, *wargs, **kwargs): s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True, event=request.event, context={'request': request}) s.is_valid(raise_exception=True) with transaction.atomic(): s.save() self.request.event.log_action( 'pretix.event.settings', user=self.request.user, auth=self.request.auth, data={ k: v for k, v in s.validated_data.items() } ) if any(p in s.changed_data for p in SETTINGS_AFFECTING_CSS): regenerate_css.apply_async(args=(request.event.pk,)) s = EventSettingsSerializer( instance=request.event.settings, event=request.event, context={ 'request': request }) return Response(s.data)