def process_request(self, request): url = resolve(request.path_info) url_name = url.url_name if not request.path.startswith(get_script_prefix() + 'control'): # This middleware should only touch the /control subpath return if hasattr(request, 'organizer'): # If the user is on a organizer's subdomain, he should be redirected to pretix return redirect(urljoin(settings.SITE_URL, request.get_full_path())) if url_name in self.EXCEPTIONS: return if not request.user.is_authenticated: return self._login_redirect(request) try: # If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py assert_session_valid(request) except SessionInvalid: logout(request) return self._login_redirect(request) except SessionReauthRequired: if url_name not in ('user.reauth', 'auth.logout'): return redirect( reverse('control:user.reauth') + '?next=' + quote(request.get_full_path())) if 'event' in url.kwargs and 'organizer' in url.kwargs: request.event = Event.objects.filter( slug=url.kwargs['event'], organizer__slug=url.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not request.user.has_event_permission( request.event.organizer, request.event, request=request): raise Http404( _("The selected event was not found or you " "have no permission to administrate it.")) request.organizer = request.event.organizer if request.user.has_active_staff_session( request.session.session_key): request.eventpermset = SuperuserPermissionSet() else: request.eventpermset = request.user.get_event_permission_set( request.organizer, request.event) elif 'organizer' in url.kwargs: request.organizer = Organizer.objects.filter( slug=url.kwargs['organizer'], ).first() if not request.organizer or not request.user.has_organizer_permission( request.organizer, request=request): raise Http404( _("The selected organizer was not found or you " "have no permission to administrate it.")) if request.user.has_active_staff_session( request.session.session_key): request.orgapermset = SuperuserPermissionSet() else: request.orgapermset = request.user.get_organizer_permission_set( request.organizer)
def has_permission(self, request, view): if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)): return False if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'): required_permission = getattr(view, 'write_permission') elif hasattr(view, 'permission'): required_permission = getattr(view, 'permission') else: required_permission = None if request.user.is_authenticated: try: # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py assert_session_valid(request) except SessionInvalid: return False except SessionReauthRequired: return False perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user) if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs: request.event = Event.objects.filter( slug=request.resolver_match.kwargs['event'], organizer__slug=request.resolver_match.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event, request=request): return False request.organizer = request.event.organizer if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key): request.eventpermset = SuperuserPermissionSet() else: request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event) if required_permission and required_permission not in request.eventpermset: return False elif 'organizer' in request.resolver_match.kwargs: if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request): return False if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key): request.orgapermset = SuperuserPermissionSet() else: request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer) if required_permission and required_permission not in request.orgapermset: return False if isinstance(request.auth, OAuthAccessToken): if not request.auth.allow_scopes(['write']) and request.method not in SAFE_METHODS: return False if not request.auth.allow_scopes(['read']) and request.method in SAFE_METHODS: return False if isinstance(request.auth, OAuthAccessToken) and hasattr(request, 'organizer'): if not request.auth.organizers.filter(pk=request.organizer.pk).exists(): return False return True
def has_permission(self, request, view): if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)): return False if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'): required_permission = getattr(view, 'write_permission') elif hasattr(view, 'permission'): required_permission = getattr(view, 'permission') else: required_permission = None if request.user.is_authenticated: try: # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py assert_session_valid(request) except SessionInvalid: return False except SessionReauthRequired: return False perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user) if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs: request.event = Event.objects.filter( slug=request.resolver_match.kwargs['event'], organizer__slug=request.resolver_match.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event): return False request.organizer = request.event.organizer request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event) if required_permission and required_permission not in request.eventpermset: return False elif 'organizer' in request.resolver_match.kwargs: request.organizer = Organizer.objects.filter( slug=request.resolver_match.kwargs['organizer'], ).first() if not request.organizer or not perm_holder.has_organizer_permission(request.organizer): return False request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer) if required_permission and required_permission not in request.orgapermset: return False if isinstance(request.auth, OAuthAccessToken): if not request.auth.allow_scopes(['write']) and request.method not in SAFE_METHODS: return False if not request.auth.allow_scopes(['read']) and request.method in SAFE_METHODS: return False if isinstance(request.auth, OAuthAccessToken) and hasattr(request, 'organizer'): if not request.auth.organizers.filter(pk=request.organizer.pk).exists(): return False return True
def has_permission(self, request, view): if not request.user.is_authenticated and not isinstance( request.auth, TeamAPIToken): return False if request.method not in SAFE_METHODS and hasattr( view, 'write_permission'): required_permission = getattr(view, 'write_permission') elif hasattr(view, 'permission'): required_permission = getattr(view, 'permission') else: required_permission = None if request.user.is_authenticated: try: # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py assert_session_valid(request) except SessionInvalid: return False except SessionReauthRequired: return False perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user) if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs: request.event = Event.objects.filter( slug=request.resolver_match.kwargs['event'], organizer__slug=request.resolver_match.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not perm_holder.has_event_permission( request.event.organizer, request.event): return False request.organizer = request.event.organizer request.eventpermset = perm_holder.get_event_permission_set( request.organizer, request.event) if required_permission and required_permission not in request.eventpermset: return False elif 'organizer' in request.resolver_match.kwargs: request.organizer = Organizer.objects.filter( slug=request.resolver_match.kwargs['organizer'], ).first() if not request.organizer or not perm_holder.has_organizer_permission( request.organizer): return False request.orgapermset = perm_holder.get_organizer_permission_set( request.organizer) if required_permission and required_permission not in request.orgapermset: return False return True
def process_request(self, request): url = resolve(request.path_info) url_name = url.url_name if not request.path.startswith(get_script_prefix() + 'control'): # This middleware should only touch the /control subpath return if hasattr(request, 'organizer'): # If the user is on a organizer's subdomain, he should be redirected to pretix return redirect(urljoin(settings.SITE_URL, request.get_full_path())) if url_name in self.EXCEPTIONS: return if not request.user.is_authenticated: return self._login_redirect(request) try: # If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py assert_session_valid(request) except SessionInvalid: logout(request) return self._login_redirect(request) except SessionReauthRequired: if url_name not in ('user.reauth', 'auth.logout'): return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path())) if 'event' in url.kwargs and 'organizer' in url.kwargs: request.event = Event.objects.filter( slug=url.kwargs['event'], organizer__slug=url.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not request.user.has_event_permission(request.event.organizer, request.event, request=request): raise Http404(_("The selected event was not found or you " "have no permission to administrate it.")) request.organizer = request.event.organizer if request.user.has_active_staff_session(request.session.session_key): request.eventpermset = SuperuserPermissionSet() else: request.eventpermset = request.user.get_event_permission_set(request.organizer, request.event) elif 'organizer' in url.kwargs: request.organizer = Organizer.objects.filter( slug=url.kwargs['organizer'], ).first() if not request.organizer or not request.user.has_organizer_permission(request.organizer, request=request): raise Http404(_("The selected organizer was not found or you " "have no permission to administrate it.")) if request.user.has_active_staff_session(request.session.session_key): request.orgapermset = SuperuserPermissionSet() else: request.orgapermset = request.user.get_organizer_permission_set(request.organizer)
def has_permission(self, request, view): if not request.user.is_authenticated and not isinstance( request.auth, (Device, TeamAPIToken)): return False if request.user.is_authenticated: try: # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py assert_session_valid(request) except SessionInvalid: return False except SessionReauthRequired: return False return True
def has_permission(self, request, view): if not request.user.is_authenticated and not isinstance( request.auth, (Device, TeamAPIToken)): return False if request.user.is_authenticated: try: # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py assert_session_valid(request) except SessionInvalid: return False except SessionReauthRequired: return False if isinstance(request.auth, OAuthAccessToken): if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes( ['profile'])) and request.method in SAFE_METHODS: return False return True
def __call__(self, request): url = resolve(request.path_info) url_name = url.url_name if not request.path.startswith(get_script_prefix() + 'control'): # This middleware should only touch the /control subpath return self.get_response(request) if hasattr(request, 'organizer'): # If the user is on a organizer's subdomain, he should be redirected to pretix return redirect(urljoin(settings.SITE_URL, request.get_full_path())) if url_name in self.EXCEPTIONS: return self.get_response(request) if not request.user.is_authenticated: return self._login_redirect(request) try: # If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py assert_session_valid(request) except SessionInvalid: logout(request) return self._login_redirect(request) except SessionReauthRequired: if url_name not in ('user.reauth', 'auth.logout'): return redirect( reverse('control:user.reauth') + '?next=' + quote(request.get_full_path())) if request.user.needs_password_change and url_name not in self.EXCEPTIONS_FORCED_PW_CHANGE: return redirect( reverse('control:user.settings') + '?next=' + quote(request.get_full_path())) if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \ and url_name not in self.EXCEPTIONS_2FA: return redirect(reverse('control:user.settings.2fa')) if 'event' in url.kwargs and 'organizer' in url.kwargs: if url.kwargs['organizer'] == '-' and url.kwargs['event'] == '-': # This is a hack that just takes the user to ANY event. It's useful to link to features in support # or documentation. ev = request.user.get_events_with_any_permission().order_by( '-date_from').first() if not ev: raise Http404( _("The selected event was not found or you " "have no permission to administrate it.")) k = dict(url.kwargs) k['organizer'] = ev.organizer.slug k['event'] = ev.slug return redirect(reverse(url.view_name, kwargs=k, args=url.args)) with scope(organizer=None): request.event = Event.objects.filter( slug=url.kwargs['event'], organizer__slug=url.kwargs['organizer'], ).select_related('organizer').first() if not request.event or not request.user.has_event_permission( request.event.organizer, request.event, request=request): raise Http404( _("The selected event was not found or you " "have no permission to administrate it.")) request.organizer = request.event.organizer if request.user.has_active_staff_session( request.session.session_key): request.eventpermset = SuperuserPermissionSet() else: request.eventpermset = request.user.get_event_permission_set( request.organizer, request.event) elif 'organizer' in url.kwargs: if url.kwargs['organizer'] == '-': # This is a hack that just takes the user to ANY organizer. It's useful to link to features in support # or documentation. org = request.user.get_organizers_with_any_permission().first() if not org: raise Http404( _("The selected organizer was not found or you " "have no permission to administrate it.")) k = dict(url.kwargs) k['organizer'] = org.slug return redirect(reverse(url.view_name, kwargs=k, args=url.args)) request.organizer = Organizer.objects.filter( slug=url.kwargs['organizer'], ).first() if not request.organizer or not request.user.has_organizer_permission( request.organizer, request=request): raise Http404( _("The selected organizer was not found or you " "have no permission to administrate it.")) if request.user.has_active_staff_session( request.session.session_key): request.orgapermset = SuperuserPermissionSet() else: request.orgapermset = request.user.get_organizer_permission_set( request.organizer) with scope(organizer=getattr(request, 'organizer', None)): r = self.get_response(request) if isinstance(r, TemplateResponse): r = r.render() return r