CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-05 15:14:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5e3b4b126e3e77ea10f3cab465cc8a7e235ab55e
pretix_original/src/pretix/presale/views/cart.py
Raphael Michel 5e3b4b126e Make voucher lookups case-insensitive
2018-03-16 15:27:02 +01:00

464 lines
19 KiB
Python
Raw Blame History

import mimetypes
import os
from django.contrib import messages
from django.db.models import Q
from django.http import FileResponse, Http404, JsonResponse
from django.shortcuts import get_object_or_404, redirect
from django.utils import translation
from django.utils.crypto import get_random_string
from django.utils.decorators import method_decorator
from django.utils.functional import cached_property
from django.utils.http import is_safe_url
from django.utils.timezone import now
from django.utils.translation import ugettext as _
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.generic import TemplateView, View
from pretix.base.models import (
CartPosition, InvoiceAddress, QuestionAnswer, SubEvent, Voucher,
)
from pretix.base.services.cart import (
CartError, add_items_to_cart, clear_cart, remove_cart_position,
)
from pretix.multidomain.urlreverse import eventreverse
from pretix.presale.views import (
EventViewMixin, allow_cors_if_namespaced, allow_frame_if_namespaced,
iframe_entry_view_wrapper,
)
from pretix.presale.views.async import AsyncAction
from pretix.presale.views.event import (
get_grouped_items, item_group_by_category,
)
from pretix.presale.views.robots import NoSearchIndexViewMixin
class CartActionMixin:
def get_next_url(self):
if "next" in self.request.GET and is_safe_url(self.request.GET.get("next")):
u = self.request.GET.get('next')
else:
kwargs = {}
if 'cart_namespace' in self.kwargs:
kwargs['cart_namespace'] = self.kwargs['cart_namespace']
u = eventreverse(self.request.event, 'presale:event.index', kwargs=kwargs)
if '?' in u:
u += '&require_cookie=true'
else:
u += '?require_cookie=true'
return u
def get_success_url(self, value=None):
return self.get_next_url()
def get_error_url(self):
return self.get_next_url()
@cached_property
def cart_session(self):
return cart_session(self.request)
@cached_property
def invoice_address(self):
iapk = self.cart_session.get('invoice_address')
if not iapk:
return InvoiceAddress()
try:
return InvoiceAddress.objects.get(pk=iapk, order__isnull=True)
except InvoiceAddress.DoesNotExist:
return InvoiceAddress()
def _item_from_post_value(self, key, value, voucher=None):
if value.strip() == '' or '_' not in key:
return
if not key.startswith('item_') and not key.startswith('variation_'):
return
parts = key.split("_")
try:
amount = int(value)
except ValueError:
raise CartError(_('Please enter numbers only.'))
if amount < 0:
raise CartError(_('Please enter positive numbers only.'))
elif amount == 0:
return
price = self.request.POST.get('price_' + "_".join(parts[1:]), "")
if key.startswith('item_'):
try:
return {
'item': int(parts[1]),
'variation': None,
'count': amount,
'price': price,
'voucher': voucher,
'subevent': self.request.POST.get("subevent")
}
except ValueError:
raise CartError(_('Please enter numbers only.'))
elif key.startswith('variation_'):
try:
return {
'item': int(parts[1]),
'variation': int(parts[2]),
'count': amount,
'price': price,
'voucher': voucher,
'subevent': self.request.POST.get("subevent")
}
except ValueError:
raise CartError(_('Please enter numbers only.'))
def _items_from_post_data(self):
"""
Parses the POST data and returns a list of tuples in the
form (item id, variation id or None, number)
"""
# Compatibility patch that makes the frontend code a lot easier
req_items = list(self.request.POST.lists())
if '_voucher_item' in self.request.POST and '_voucher_code' in self.request.POST:
req_items.append((
'%s' % self.request.POST['_voucher_item'], ('1',)
))
pass
items = []
for key, values in req_items:
for value in values:
try:
item = self._item_from_post_value(key, value, self.request.POST.get('_voucher_code'))
except CartError as e:
messages.error(self.request, str(e))
return
if item:
items.append(item)
if len(items) == 0:
messages.warning(self.request, _('You did not select any products.'))
return []
return items
def generate_cart_id(prefix=''):
"""
Generates a random new cart ID that is not currently in use, with an optional pretix.
"""
while True:
new_id = prefix + get_random_string(length=32 - len(prefix))
if not CartPosition.objects.filter(cart_id=new_id).exists():
return new_id
def create_empty_cart_id(request, replace_current=True):
"""
Forcefully creates a new empty cart for the current session. Behaves like get_or_create_cart_id,
except that it ignores the current state of the session. If replace_current is active, the
current cart session for this event is deleted as well.
This is currently only invoked after an order has been created to make sure that all forms during
checkout will show empty again if the same browser starts buying tickets again.
"""
session_keyname = 'current_cart_event_{}'.format(request.event.pk)
prefix = ''
if request.resolver_match and request.resolver_match.kwargs.get('cart_namespace'):
session_keyname += '_' + request.resolver_match.kwargs.get('cart_namespace')
prefix = request.resolver_match.kwargs.get('cart_namespace')
if 'carts' not in request.session:
request.session['carts'] = {}
new_id = generate_cart_id(prefix=prefix)
request.session['carts'][new_id] = {}
if replace_current:
current_id = request.session.get(session_keyname)
if current_id and current_id in request.session.get('carts', {}):
del request.session['carts'][current_id]
del request.session[session_keyname]
request.session[session_keyname] = new_id
return new_id
def get_or_create_cart_id(request, create=True):
"""
This method returns the cart ID in use for this request or creates a new cart ID if required.
Before pretix 1.8.0, the user's session cookie was used as the cart ID in the database.
With the cart session data isolation introduced in 1.8.0 (see cart_session()) this changed
drastically. Now, a different random cart ID is used for every event and stored to the
user's session with the 'current_cart_event_42' key (with 42 being the event ID).
This became even more relevant and complex with the introduction of the pretix widget in 1.9.0.
Since the widget operates from a different origin, it requires us to lower some security walls
in order to function correctly:
* The checkout and order views can no longer send X-Frame-Options: DENY headers as we include
those pages in an iframe. This makes our users vulnerable to clickjacking. Possible scenario: A
third-party website could trick you into submitting an order that you currently have in your cart.
* The cart add view needs to drop CSRF protection and set Access-Control-Allow-Origin: *. This makes
our users vulnerable to CSRF attacks adding unwanted products to their carts. Cross-Origin is not
that much of an issue since we can't set Access-Control-Allow-Credentials for origin * either way,
but on the other hand this also prevents us to change the current cart for legitimate reasons.
We can mitigate all of these issues at the same time with the very simple strategy on only lowering
these walls at unguessable URLs. This makes it impossible for an attacker to create an exploit with
real-world impact.
Therefore, we introduce cart namespacing in pretix 1.9.0. In addition to your default session that you
have at /orga/event/ as usual, you will have a different cart session with a different cart ID at
/orga/event/w/mysecretnonce123/. Such a namespace parameter can be passed to all views relevant to the
widget (e.g. /orga/event/w/mysecretnonce123/cart/add) that are not already unguessable
(like /orga/event/orders/ABCDE/secret123465456/).
The actual cart IDs for those namespaced carts will then be stored at
request.session['current_cart_event_42_mysecretnonce123'].
However, we still need to work around the issue that we can't use Access-Control-Allow-Credentials
but want to invoke /cart/add via a cross-origin request. This leads to /cart/add creating a new
cart session every time it is invoked cross-origin by default. We solve this by returning the newly
created cart ID from /cart/add in the response and allow passing it as the take_cart_id query parameter
to the view in the iframe or to subsequent /cart/add requests.
As an additional precaution, take_cart_id will only be honoured on POST requests or if there is an
actual cart with this ID. This reduces the likelihood of strange behaviour if someone accidentally
shares a link that includes this parameter.
This method migrates legacy sessions created before the upgrade to 1.8.0 on a best-effort basis,
meaning that the migration does not respect plugin-specific data and works best if the user only
used the session for one event at the time of migration.
If ``create`` is ``False`` and no session currently exists, ``None`` will be returned.
"""
session_keyname = 'current_cart_event_{}'.format(request.event.pk)
prefix = ''
if request.resolver_match and request.resolver_match.kwargs.get('cart_namespace'):
session_keyname += '_' + request.resolver_match.kwargs.get('cart_namespace')
prefix = request.resolver_match.kwargs.get('cart_namespace')
current_id = orig_current_id = request.session.get(session_keyname)
if prefix and 'take_cart_id' in request.GET:
pos = CartPosition.objects.filter(event=request.event, cart_id=request.GET.get('take_cart_id'))
if request.method == "POST" or pos.exists():
current_id = request.GET.get('take_cart_id')
if current_id and current_id in request.session.get('carts', {}):
if current_id != orig_current_id:
request.session[session_keyname] = current_id
return current_id
else:
cart_data = {}
if prefix and 'take_cart_id' in request.GET and current_id:
new_id = current_id
else:
if not create:
return None
new_id = generate_cart_id(prefix=prefix)
# Migrate legacy data
# TODO: This is for the upgrade 1.7→1.8. We should remove this around April 2018
legacy_pos = CartPosition.objects.filter(cart_id=request.session.session_key, event=request.event)
if legacy_pos.exists():
legacy_pos.update(cart_id=new_id)
if 'invoice_address_{}'.format(request.event.pk) in request.session:
cart_data['invoice_address'] = request.session['invoice_address_{}'.format(request.event.pk)]
if 'email' in request.session:
cart_data['email'] = request.session['email']
if 'contact_form_data' in request.session:
cart_data['contact_form_data'] = request.session['contact_form_data']
if 'payment' in request.session:
cart_data['payment'] = request.session['payment']
if 'carts' not in request.session:
request.session['carts'] = {}
if new_id not in request.session['carts']:
request.session['carts'][new_id] = cart_data
request.session[session_keyname] = new_id
return new_id
def cart_session(request):
"""
Before pretix 1.8.0, all checkout-related information (like the entered email address) was stored
in the user's regular session dictionary. This led to data interference and leaks for example if a
user simultaneously buys tickets for two events.
Starting with 1.8.0, this information is stored in separate dictionaries in the user's session within
the new request.session['carts'] dictionary. This method provides convenient access to the currently
active cart session sub-dictionary for read and write access.
"""
request.session.modified = True
cart_id = get_or_create_cart_id(request)
return request.session['carts'][cart_id]
@method_decorator(allow_frame_if_namespaced, 'dispatch')
class CartRemove(EventViewMixin, CartActionMixin, AsyncAction, View):
task = remove_cart_position
known_errortypes = ['CartError']
def get_success_message(self, value):
if CartPosition.objects.filter(cart_id=get_or_create_cart_id(self.request)).exists():
return _('Your cart has been updated.')
else:
return _('Your cart is now empty.')
def post(self, request, *args, **kwargs):
if 'id' in request.POST:
return self.do(self.request.event.id, request.POST.get('id'), get_or_create_cart_id(self.request), translation.get_language())
else:
if 'ajax' in self.request.GET or 'ajax' in self.request.POST:
return JsonResponse({
'redirect': self.get_error_url()
})
else:
return redirect(self.get_error_url())
@method_decorator(allow_frame_if_namespaced, 'dispatch')
class CartClear(EventViewMixin, CartActionMixin, AsyncAction, View):
task = clear_cart
known_errortypes = ['CartError']
def get_success_message(self, value):
return _('Your cart is now empty.')
def post(self, request, *args, **kwargs):
return self.do(self.request.event.id, get_or_create_cart_id(self.request), translation.get_language())
@method_decorator(allow_cors_if_namespaced, 'dispatch')
@method_decorator(allow_frame_if_namespaced, 'dispatch')
@method_decorator(iframe_entry_view_wrapper, 'dispatch')
class CartAdd(EventViewMixin, CartActionMixin, AsyncAction, View):
task = add_items_to_cart
known_errortypes = ['CartError']
def get_success_message(self, value):
return _('The products have been successfully added to your cart.')
def _ajax_response_data(self):
cart_id = get_or_create_cart_id(self.request)
return {
'cart_id': cart_id,
'has_cart': CartPosition.objects.filter(cart_id=cart_id, event=self.request.event).exists()
}
def post(self, request, *args, **kwargs):
items = self._items_from_post_data()
if items:
return self.do(self.request.event.id, items, get_or_create_cart_id(self.request), translation.get_language(),
self.invoice_address.pk)
else:
if 'ajax' in self.request.GET or 'ajax' in self.request.POST:
return JsonResponse({
'redirect': self.get_error_url()
})
else:
return redirect(self.get_error_url())
@method_decorator(allow_frame_if_namespaced, 'dispatch')
@method_decorator(iframe_entry_view_wrapper, 'dispatch')
class RedeemView(NoSearchIndexViewMixin, EventViewMixin, TemplateView):
template_name = "pretixpresale/event/voucher.html"
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['voucher'] = self.voucher
context['max_times'] = self.voucher.max_usages - self.voucher.redeemed
# Fetch all items
items, display_add_to_cart = get_grouped_items(self.request.event, self.subevent,
voucher=self.voucher)
# Calculate how many options the user still has. If there is only one option, we can
# check the box right away ;)
context['options'] = sum([(len(item.available_variations) if item.has_variations else 1)
for item in items])
# Regroup those by category
context['items_by_category'] = item_group_by_category(items)
context['subevent'] = self.subevent
return context
def dispatch(self, request, *args, **kwargs):
from pretix.base.services.cart import error_messages
err = None
v = request.GET.get('voucher')
if v:
v = v.strip()
try:
self.voucher = Voucher.objects.get(code__iexact=v, event=request.event)
if self.voucher.redeemed >= self.voucher.max_usages:
err = error_messages['voucher_redeemed']
if self.voucher.valid_until is not None and self.voucher.valid_until < now():
err = error_messages['voucher_expired']
if self.voucher.item is not None and self.voucher.item.is_available() is False:
err = error_messages['voucher_item_not_available']
redeemed_in_carts = CartPosition.objects.filter(
Q(voucher=self.voucher) & Q(event=request.event) &
(Q(expires__gte=now()) | Q(cart_id=get_or_create_cart_id(request)))
)
v_avail = self.voucher.max_usages - self.voucher.redeemed - redeemed_in_carts.count()
if v_avail < 1:
err = error_messages['voucher_redeemed']
except Voucher.DoesNotExist:
err = error_messages['voucher_invalid']
else:
return redirect(self.get_index_url())
if request.event.presale_start and now() < request.event.presale_start:
err = error_messages['not_started']
if request.event.presale_end and now() > request.event.presale_end:
err = error_messages['ended']
self.subevent = None
if request.event.has_subevents:
if request.GET.get('subevent'):
self.subevent = get_object_or_404(SubEvent, event=request.event, pk=request.GET.get('subevent'),
active=True)
if hasattr(self, 'voucher') and self.voucher.subevent:
self.subevent = self.voucher.subevent
else:
pass
if err:
messages.error(request, _(err))
return redirect(self.get_index_url())
return super().dispatch(request, *args, **kwargs)
@method_decorator(xframe_options_exempt, 'dispatch')
class AnswerDownload(EventViewMixin, View):
def get(self, request, *args, **kwargs):
answid = kwargs.get('answer')
answer = get_object_or_404(
QuestionAnswer,
cartposition__cart_id=get_or_create_cart_id(self.request),
id=answid
)
if not answer.file:
return Http404()
ftype, _ = mimetypes.guess_type(answer.file.name)
resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
resp['Content-Disposition'] = 'attachment; filename="{}-cart-{}"'.format(
self.request.event.slug.upper(),
os.path.basename(answer.file.name).split('.', 1)[1]
)
return resp
Reference in New Issue View Git Blame Copy Permalink