def process_request(self, request):
url = resolve(request.path_info)
url_name = url.url_name
if not request.path.startswith(get_script_prefix() + 'control'):
# This middleware should only touch the /control subpath
return
if hasattr(request, 'organizer'):
# If the user is on a organizer's subdomain, he should be redirected to pretix
return redirect(urljoin(settings.SITE_URL,
request.get_full_path()))
if url_name in self.EXCEPTIONS:
return
if not request.user.is_authenticated:
return self._login_redirect(request)
try:
# If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py
assert_session_valid(request)
except SessionInvalid:
logout(request)
return self._login_redirect(request)
except SessionReauthRequired:
if url_name not in ('user.reauth', 'auth.logout'):
return redirect(
reverse('control:user.reauth') + '?next=' +
quote(request.get_full_path()))
if 'event' in url.kwargs and 'organizer' in url.kwargs:
request.event = Event.objects.filter(
slug=url.kwargs['event'],
organizer__slug=url.kwargs['organizer'],
).select_related('organizer').first()
if not request.event or not request.user.has_event_permission(
request.event.organizer, request.event, request=request):
raise Http404(
_("The selected event was not found or you "
"have no permission to administrate it."))
request.organizer = request.event.organizer
if request.user.has_active_staff_session(
request.session.session_key):
request.eventpermset = SuperuserPermissionSet()
else:
request.eventpermset = request.user.get_event_permission_set(
request.organizer, request.event)
elif 'organizer' in url.kwargs:
request.organizer = Organizer.objects.filter(
slug=url.kwargs['organizer'], ).first()
if not request.organizer or not request.user.has_organizer_permission(
request.organizer, request=request):
raise Http404(
_("The selected organizer was not found or you "
"have no permission to administrate it."))
if request.user.has_active_staff_session(
request.session.session_key):
request.orgapermset = SuperuserPermissionSet()
else:
request.orgapermset = request.user.get_organizer_permission_set(
request.organizer)
def has_permission(self, request, view):
if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
return False
if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
required_permission = getattr(view, 'write_permission')
elif hasattr(view, 'permission'):
required_permission = getattr(view, 'permission')
else:
required_permission = None
if request.user.is_authenticated:
try:
# If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
assert_session_valid(request)
except SessionInvalid:
return False
except SessionReauthRequired:
return False
perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken))
else request.user)
if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
request.event = Event.objects.filter(
slug=request.resolver_match.kwargs['event'],
organizer__slug=request.resolver_match.kwargs['organizer'],
).select_related('organizer').first()
if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event, request=request):
return False
request.organizer = request.event.organizer
if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
request.eventpermset = SuperuserPermissionSet()
else:
request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
if required_permission and required_permission not in request.eventpermset:
return False
elif 'organizer' in request.resolver_match.kwargs:
if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
return False
if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
request.orgapermset = SuperuserPermissionSet()
else:
request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
if required_permission and required_permission not in request.orgapermset:
return False
if isinstance(request.auth, OAuthAccessToken):
if not request.auth.allow_scopes(['write']) and request.method not in SAFE_METHODS:
return False
if not request.auth.allow_scopes(['read']) and request.method in SAFE_METHODS:
return False
if isinstance(request.auth, OAuthAccessToken) and hasattr(request, 'organizer'):
if not request.auth.organizers.filter(pk=request.organizer.pk).exists():
return False
return True
def __call__(self, request):
url = resolve(request.path_info)
url_name = url.url_name
if not request.path.startswith(get_script_prefix() + 'control'):
# This middleware should only touch the /control subpath
return self.get_response(request)
if hasattr(request, 'organizer'):
# If the user is on a organizer's subdomain, he should be redirected to pretix
return redirect(urljoin(settings.SITE_URL,
request.get_full_path()))
if url_name in self.EXCEPTIONS:
return self.get_response(request)
if not request.user.is_authenticated:
return self._login_redirect(request)
try:
# If this logic is updated, make sure to also update the logic in pretix/api/auth/permission.py
assert_session_valid(request)
except SessionInvalid:
logout(request)
return self._login_redirect(request)
except SessionReauthRequired:
if url_name not in ('user.reauth', 'auth.logout'):
return redirect(
reverse('control:user.reauth') + '?next=' +
quote(request.get_full_path()))
if request.user.needs_password_change and url_name not in self.EXCEPTIONS_FORCED_PW_CHANGE:
return redirect(
reverse('control:user.settings') + '?next=' +
quote(request.get_full_path()))
if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
and url_name not in self.EXCEPTIONS_2FA:
return redirect(reverse('control:user.settings.2fa'))
if 'event' in url.kwargs and 'organizer' in url.kwargs:
if url.kwargs['organizer'] == '-' and url.kwargs['event'] == '-':
# This is a hack that just takes the user to ANY event. It's useful to link to features in support
# or documentation.
ev = request.user.get_events_with_any_permission().order_by(
'-date_from').first()
if not ev:
raise Http404(
_("The selected event was not found or you "
"have no permission to administrate it."))
k = dict(url.kwargs)
k['organizer'] = ev.organizer.slug
k['event'] = ev.slug
return redirect(reverse(url.view_name, kwargs=k,
args=url.args))
with scope(organizer=None):
request.event = Event.objects.filter(
slug=url.kwargs['event'],
organizer__slug=url.kwargs['organizer'],
).select_related('organizer').first()
if not request.event or not request.user.has_event_permission(
request.event.organizer, request.event, request=request):
raise Http404(
_("The selected event was not found or you "
"have no permission to administrate it."))
request.organizer = request.event.organizer
if request.user.has_active_staff_session(
request.session.session_key):
request.eventpermset = SuperuserPermissionSet()
else:
request.eventpermset = request.user.get_event_permission_set(
request.organizer, request.event)
elif 'organizer' in url.kwargs:
if url.kwargs['organizer'] == '-':
# This is a hack that just takes the user to ANY organizer. It's useful to link to features in support
# or documentation.
org = request.user.get_organizers_with_any_permission().first()
if not org:
raise Http404(
_("The selected organizer was not found or you "
"have no permission to administrate it."))
k = dict(url.kwargs)
k['organizer'] = org.slug
return redirect(reverse(url.view_name, kwargs=k,
args=url.args))
request.organizer = Organizer.objects.filter(
slug=url.kwargs['organizer'], ).first()
if not request.organizer or not request.user.has_organizer_permission(
request.organizer, request=request):
raise Http404(
_("The selected organizer was not found or you "
"have no permission to administrate it."))
if request.user.has_active_staff_session(
request.session.session_key):
request.orgapermset = SuperuserPermissionSet()
else:
request.orgapermset = request.user.get_organizer_permission_set(
request.organizer)
with scope(organizer=getattr(request, 'organizer', None)):
r = self.get_response(request)
if isinstance(r, TemplateResponse):
r = r.render()
return r