fix(admin): hide reservation token hashes

2026-04-29 22:45:16 +02:00
parent 33307a5de2
commit 7a46e288cf
2 changed files with 31 additions and 8 deletions
--- a/backend/bookings/admin.py
+++ b/backend/bookings/admin.py
@@ -40,8 +40,8 @@ class ReservationAdminForm(forms.ModelForm):
 class ReservationTokenInline(admin.TabularInline):
    model = ReservationToken
    extra = 0
-    readonly_fields = ("token_hash", "used_at", "created_at")
-    fields = ("purpose", "token_hash", "expires_at", "used_at", "created_at")
+    readonly_fields = ("used_at", "created_at")
+    fields = ("purpose", "expires_at", "used_at", "created_at")
    can_delete = False


@@ -231,13 +231,10 @@ class ReservationAdmin(admin.ModelAdmin):

@admin.register(ReservationToken)
 class ReservationTokenAdmin(admin.ModelAdmin):
-    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at", "token_preview")
+    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at")
    list_filter = ("purpose", "expires_at", "used_at", "created_at")
    search_fields = ("reservation__name", "reservation__email", "token_hash")
-    readonly_fields = ("token_hash", "created_at", "used_at")
+    readonly_fields = ("created_at", "used_at")
+    exclude = ("token_hash",)
    list_select_related = ("reservation", "reservation__performance")
    autocomplete_fields = ("reservation",)
-
-    @admin.display(description="Token hash")
-    def token_preview(self, obj):
-        return obj.token_hash[:12]
--- a/backend/bookings/test_admin.py
+++ b/backend/bookings/test_admin.py
@@ -83,3 +83,29 @@ class ReservationAdminTests(TestCase):
            "https://tickets.azionelab.example/api/reservations/confirm/?token=",
            mail.outbox[0].body,
        )
+
+    def test_token_hash_is_hidden_in_token_admin_views(self):
+        reservation = Reservation.objects.create(
+            performance=self.performance,
+            name="Maria Rossi",
+            email="maria@example.com",
+            party_size=2,
+        )
+        token, _ = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        changelist_response = self.client.get(reverse("admin:bookings_reservationtoken_changelist"))
+        change_response = self.client.get(
+            reverse("admin:bookings_reservationtoken_change", args=[token.id]),
+        )
+
+        self.assertEqual(changelist_response.status_code, 200)
+        self.assertEqual(change_response.status_code, 200)
+        self.assertNotContains(changelist_response, token.token_hash)
+        self.assertNotContains(change_response, token.token_hash)
+        self.assertContains(change_response, token.get_purpose_display())
+        self.assertContains(change_response, "Expires at")
+        self.assertContains(change_response, "Used at")