def test_correct_event_permission(client, env, perm, url, code):
ep = EventPermission(
event=env[0], user=env[1],
)
setattr(ep, perm, True)
ep.save()
client.login(identifier='*****@*****.**', password='******')
response = client.get('/control/event/dummy/dummy/' + url)
assert response.status_code == code
def test_wrong_event_permission(client, env, perm, url, code):
ep = EventPermission(
event=env[0], user=env[1],
)
setattr(ep, perm, False)
ep.save()
client.login(email='*****@*****.**', password='******')
response = client.get('/control/event/dummy/dummy/' + url)
assert response.status_code == 403
def test_correct_event_permission(client, env, perm, url, code):
ep = EventPermission(
event=env[0], user=env[1],
)
setattr(ep, perm, True)
ep.save()
client.login(email='*****@*****.**', password='******')
response = client.get('/control/event/dummy/dummy/' + url)
assert response.status_code == code
def test_current_permission(client, env):
ep = EventPermission(
event=env[0], user=env[1],
)
setattr(ep, 'can_change_settings', True)
ep.save()
client.login(email='*****@*****.**', password='******')
response = client.get('/control/event/dummy/dummy/settings/')
assert response.status_code == 200
setattr(ep, 'can_change_settings', False)
ep.save()
response = client.get('/control/event/dummy/dummy/settings/')
assert response.status_code == 403
def test_current_permission(client, env):
ep = EventPermission(
event=env[0], user=env[1],
)
setattr(ep, 'can_change_settings', True)
ep.save()
client.login(email='*****@*****.**', password='******')
response = client.get('/control/event/dummy/dummy/settings/')
assert response.status_code == 200
ep = ep.clone()
setattr(ep, 'can_change_settings', False)
ep.save()
response = client.get('/control/event/dummy/dummy/settings/')
assert response.status_code == 403
def process_request(self, request):
url = resolve(request.path_info)
url_name = url.url_name
if not request.path.startswith(get_script_prefix() + 'control'):
# This middleware should only touch the /control subpath
return
if hasattr(request, 'organizer'):
# If the user is on a organizer's subdomain, he should be redirected to pretix
return redirect(urljoin(settings.SITE_URL,
request.get_full_path()))
if url_name in self.EXCEPTIONS:
return
if not request.user.is_authenticated:
# Taken from django/contrib/auth/decorators.py
path = request.build_absolute_uri()
# urlparse chokes on lazy objects in Python 3, force to str
resolved_login_url = force_str(
resolve_url(settings.LOGIN_URL_CONTROL))
# If the login url is the same scheme and net location then just
# use the path as the "next" url.
login_scheme, login_netloc = urlparse(resolved_login_url)[:2]
current_scheme, current_netloc = urlparse(path)[:2]
if ((not login_scheme or login_scheme == current_scheme)
and (not login_netloc or login_netloc == current_netloc)):
path = request.get_full_path()
from django.contrib.auth.views import redirect_to_login
return redirect_to_login(path, resolved_login_url,
REDIRECT_FIELD_NAME)
events = Event.objects.all(
) if request.user.is_superuser else request.user.events
request.user.events_cache = events.order_by(
"organizer", "date_from").prefetch_related("organizer")
if 'event' in url.kwargs and 'organizer' in url.kwargs:
try:
if request.user.is_superuser:
request.event = Event.objects.filter(
slug=url.kwargs['event'],
organizer__slug=url.kwargs['organizer'],
).select_related('organizer')[0]
request.eventperm = EventPermission(event=request.event,
user=request.user)
else:
request.event = Event.objects.filter(
slug=url.kwargs['event'],
permitted__id__exact=request.user.id,
organizer__slug=url.kwargs['organizer'],
).select_related('organizer')[0]
request.eventperm = EventPermission.objects.get(
event=request.event, user=request.user)
request.organizer = request.event.organizer
except IndexError:
raise Http404(
_("The selected event was not found or you "
"have no permission to administrate it."))
elif 'organizer' in url.kwargs:
try:
if request.user.is_superuser:
request.organizer = Organizer.objects.filter(
slug=url.kwargs['organizer'], )[0]
request.orgaperm = OrganizerPermission(
organizer=request.organizer, user=request.user)
else:
request.organizer = Organizer.objects.filter(
slug=url.kwargs['organizer'],
permitted__id__exact=request.user.id,
)[0]
request.orgaperm = OrganizerPermission.objects.get(
organizer=request.organizer, user=request.user)
except IndexError:
raise Http404(
_("The selected organizer was not found or you "
"have no permission to administrate it."))
