pythonkr
diff --git a/‎app/admin_api/filtersets/shop/orders.py‎
Lines changed: 17 additions & 4 deletions b/‎app/admin_api/filtersets/shop/orders.py‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎app/admin_api/serializers/shop/orders.py‎
Lines changed: 2 additions & 2 deletions b/‎app/admin_api/serializers/shop/orders.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/admin_api/test/shop/orders_api_test.py‎
Lines changed: 18 additions & 0 deletions b/‎app/admin_api/test/shop/orders_api_test.py‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎app/admin_api/test/shop/soft_delete_filtering_test.py‎
Lines changed: 150 additions & 0 deletions b/‎app/admin_api/test/shop/soft_delete_filtering_test.py‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎app/admin_api/views/shop/order_notifications.py‎
Lines changed: 1 addition & 1 deletion b/‎app/admin_api/views/shop/order_notifications.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/admin_api/views/shop/orders.py‎
Lines changed: 25 additions & 8 deletions b/‎app/admin_api/views/shop/orders.py‎
Lines changed: 25 additions & 8 deletions
diff --git a/‎app/internal_api/filters.py‎
Lines changed: 24 additions & 10 deletions b/‎app/internal_api/filters.py‎
Lines changed: 24 additions & 10 deletions
diff --git a/‎app/internal_api/views.py‎
Lines changed: 2 additions & 2 deletions b/‎app/internal_api/views.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/shop/order/exports.py‎
Lines changed: 1 addition & 1 deletion b/‎app/shop/order/exports.py‎
Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,7 @@
 from core.filter.multi_field import MultiFieldOrCharInFilter
+from django.db.models import Exists, OuterRef, QuerySet
 from django_filters import rest_framework as filters
-from shop.order.models import Order
+from shop.order.models import Order, OrderProductRelation
 
 
 class OrderAdminFilterSet(filters.FilterSet):
@@ -26,13 +27,25 @@ class OrderAdminFilterSet(filters.FilterSet):
     status_changed_at_after = filters.DateTimeFilter(field_name="status_changed_at", lookup_expr="gte")
     status_changed_at_before = filters.DateTimeFilter(field_name="status_changed_at", lookup_expr="lte")
 
-    product_id = filters.BaseInFilter(field_name="products__product_id", distinct=True)
-    category_id = filters.BaseInFilter(field_name="products__product__category_id", distinct=True)
-    category_group_id = filters.BaseInFilter(field_name="products__product__category__group_id", distinct=True)
+    product_id = filters.BaseCSVFilter(method="filter_by_active_opr_product_id")
+    category_id = filters.BaseCSVFilter(method="filter_by_active_opr_category_id")
+    category_group_id = filters.BaseCSVFilter(method="filter_by_active_opr_category_group_id")
 
     price_min = filters.NumberFilter(field_name="latest_price", lookup_expr="gte")
     price_max = filters.NumberFilter(field_name="latest_price", lookup_expr="lte")
 
+    def _filter_by_active_opr_exists(self, qs: QuerySet[Order], **kw: object) -> QuerySet[Order]:
+        return qs.filter(Exists(OrderProductRelation.objects.filter_active().filter(order_id=OuterRef("pk"), **kw)))
+
+    def filter_by_active_opr_product_id(self, qs: QuerySet[Order], n: str, vs: list[str]) -> QuerySet[Order]:
+        return self._filter_by_active_opr_exists(qs, product_id__in=vs) if vs else qs
+
+    def filter_by_active_opr_category_id(self, qs: QuerySet[Order], n: str, vs: list[str]) -> QuerySet[Order]:
+        return self._filter_by_active_opr_exists(qs, product__category_id__in=vs) if vs else qs
+
+    def filter_by_active_opr_category_group_id(self, qs: QuerySet[Order], n: str, v: list[str]) -> QuerySet[Order]:
+        return self._filter_by_active_opr_exists(qs, product__category__group_id__in=v) if v else qs
+
     class Meta:
         model = Order
         fields = [
 
@@ -139,7 +139,7 @@ def to_representation(self, order: Order) -> Recipient | None:
             return None
         if not (recipient := getattr(customer_info, CUSTOMER_INFO_RECIPIENT_ATTR_BY_CHANNEL[channel], "")):
             return None
-        if not (order_product_rel := next(iter(order.products.all()), None)):
+        if not (order_product_rel := next(iter(order.products.filter_active()), None)):
             return None
 
         ctx: dict[str, Any] = {
@@ -148,7 +148,7 @@ def to_representation(self, order: Order) -> Recipient | None:
                 if o_rel.product_option_group.is_custom_response
                 else (o_rel.product_option.name if o_rel.product_option else "")
             )
-            for o_rel in order_product_rel.options.all()
+            for o_rel in order_product_rel.options.filter_active()
         } | order.build_notification_context()
 
         return {"recipient": recipient, "context": ctx | self.context["context_override"]}
 
@@ -68,6 +68,24 @@ def test_admin_list_filters_by_product_id_distinct(api_client, product, order_fa
     }
 
 
+@pytest.mark.django_db
+def test_admin_list_filters_by_active_opr_category(api_client, product, order_factory):
+    """`?category_id=` 가 active OPR 가 있는 주문만 매칭한다."""
+    completed_order = order_factory(status="completed")
+    response = OrdersAdminApi(http_client=api_client).list({"category_id": str(product.category_id)})
+    assert response.status_code == HTTP_200_OK
+    assert {row["id"] for row in response.json()["results"]} == {str(completed_order.id)}
+
+
+@pytest.mark.django_db
+def test_admin_list_filters_by_active_opr_category_group(api_client, product, order_factory):
+    """`?category_group_id=` 가 active OPR 가 있는 주문만 매칭한다."""
+    completed_order = order_factory(status="completed")
+    response = OrdersAdminApi(http_client=api_client).list({"category_group_id": str(product.category.group_id)})
+    assert response.status_code == HTTP_200_OK
+    assert {row["id"] for row in response.json()["results"]} == {str(completed_order.id)}
+
+
 @pytest.mark.django_db
 def test_admin_retrieve_returns_nested_payload(api_client, order_factory):
     completed_order = order_factory(status="completed")
 
@@ -0,0 +1,150 @@
+"""Admin shop API soft-delete 회귀 — export / 부분 환불 lookup / list filter 가 soft-deleted row 를 노출하지 않는다."""
+
+from datetime import datetime, timezone
+from io import BytesIO
+
+import pandas
+import pytest
+from freezegun import freeze_time
+from rest_framework.status import HTTP_200_OK, HTTP_404_NOT_FOUND
+from shop.order.models import Order, OrderProductRelation
+from shop.payment_history.models import PaymentHistory, PaymentHistoryStatus
+from shop.product.models import Product
+from shop.test.helpers import OrdersAdminApi, valid_refund_totp
+
+
+@pytest.mark.django_db
+def test_admin_refund_product_404_for_soft_deleted_opr(api_client, order_factory, product):
+    """soft-deleted paid OPR 은 admin refund_product 에서 lookup 되지 않아 404."""
+    completed = order_factory(status="completed")
+    stale_opr = OrderProductRelation.objects.create(
+        order=completed, product=product, price=product.price, status=OrderProductRelation.OrderProductStatus.paid
+    )
+    stale_opr.delete()
+
+    response = OrdersAdminApi(http_client=api_client).refund_product(
+        completed.id, stale_opr.id, totp=valid_refund_totp()
+    )
+    assert response.status_code == HTTP_404_NOT_FOUND
+
+
+@freeze_time(datetime(2026, 5, 23, 15, 30, 45, tzinfo=timezone.utc))
+@pytest.mark.django_db
+def test_admin_export_excludes_soft_deleted_opr_from_product_sheet(api_client, order_factory, product):
+    """admin export 의 '주문상품' 시트에 soft-deleted OPR 가 들어가지 않는다."""
+    completed = order_factory(status="completed")
+    active_opr = completed.products.get()
+    stale_opr = OrderProductRelation.objects.create(
+        order=completed,
+        product=product,
+        price=99999,
+        status=OrderProductRelation.OrderProductStatus.paid,
+    )
+    stale_opr.delete()
+
+    response = OrdersAdminApi(http_client=api_client).export(
+        {"product_ids": [str(product.id)], "include_refunded": False}
+    )
+    assert response.status_code == HTTP_200_OK
+    df_dict = pandas.read_excel(
+        BytesIO(b"".join(response.streaming_content)),
+        sheet_name="주문상품",
+        index_col=0,
+        na_filter=False,
+        dtype={"고객 전화번호": str, "PortOne ID": str},
+    )
+    rows = df_dict.to_dict(orient="records")
+    prices = {row["결제 금액"] for row in rows}
+    assert active_opr.price in prices  # 활성 OPR row 가 존재
+    assert 99999 not in prices  # soft-deleted OPR(price=99999) 는 시트에 없음
+    assert str(completed.id) in {row["주문 번호"] for row in rows}
+
+
+@freeze_time(datetime(2026, 5, 23, 15, 30, 45, tzinfo=timezone.utc))
+@pytest.mark.django_db
+def test_admin_export_excludes_order_with_only_soft_deleted_matching_opr(
+    api_client, customer_user, product, order_factory
+):
+    """선택 product_id 가 soft-deleted OPR 에만 있는 주문은 export 양쪽 시트 모두에서 제외돼야 한다."""
+    target_product = product
+
+    # 1) 활성 OPR 가 있는 정상 주문 — export 대상.
+    normal = order_factory(status="completed")
+
+    # 2) 같은 product 로 soft-deleted OPR 만 가진 주문 (다른 product 의 paid OPR 보유) — export 에서 빠져야.
+    other_product = Product.objects.create(
+        category=target_product.category,
+        name="기타",
+        price=500,
+        visible_starts_at=target_product.visible_starts_at,
+        visible_ends_at=target_product.visible_ends_at,
+        orderable_starts_at=target_product.orderable_starts_at,
+        orderable_ends_at=target_product.orderable_ends_at,
+        refundable_ends_at=target_product.refundable_ends_at,
+    )
+    leak_candidate = Order.objects.create(user=customer_user, name="leak")
+    OrderProductRelation.objects.create(
+        order=leak_candidate,
+        product=other_product,
+        price=500,
+        status=OrderProductRelation.OrderProductStatus.paid,
+    )
+    stale = OrderProductRelation.objects.create(
+        order=leak_candidate,
+        product=target_product,
+        price=99999,
+        status=OrderProductRelation.OrderProductStatus.paid,
+    )
+    stale.delete()
+    # leak_candidate 도 완료 PH 가 있어야 current_status filter 를 통과 — 그래야 누수 가능성이 노출됨.
+    PaymentHistory.objects.create(order=leak_candidate, imp_id="leak", status=PaymentHistoryStatus.completed, price=500)
+
+    response = OrdersAdminApi(http_client=api_client).export(
+        {"product_ids": [str(target_product.id)], "include_refunded": True}
+    )
+    assert response.status_code == HTTP_200_OK
+    df_dict = pandas.read_excel(
+        BytesIO(b"".join(response.streaming_content)),
+        sheet_name=None,
+        index_col=0,
+        na_filter=False,
+        dtype={"고객 전화번호": str, "PortOne ID": str},
+    )
+    order_ids = {row["주문 번호"] for row in df_dict["주문"].to_dict(orient="records")}
+    assert str(normal.id) in order_ids
+    assert str(leak_candidate.id) not in order_ids
+
+
+@pytest.mark.django_db
+def test_admin_list_filter_by_product_id_ignores_soft_deleted_opr(api_client, customer_user, product, order_factory):
+    """`?product_id=` 필터가 soft-deleted OPR 만 가진 주문을 매칭하지 않는다."""
+    matching_order = order_factory(status="completed")
+
+    other_product = Product.objects.create(
+        category=product.category,
+        name="기타2",
+        price=500,
+        visible_starts_at=product.visible_starts_at,
+        visible_ends_at=product.visible_ends_at,
+        orderable_starts_at=product.orderable_starts_at,
+        orderable_ends_at=product.orderable_ends_at,
+        refundable_ends_at=product.refundable_ends_at,
+    )
+    leak_candidate = Order.objects.create(user=customer_user, name="leak")
+    OrderProductRelation.objects.create(
+        order=leak_candidate,
+        product=other_product,
+        price=500,
+        status=OrderProductRelation.OrderProductStatus.paid,
+    )
+    stale = OrderProductRelation.objects.create(
+        order=leak_candidate, product=product, price=99999, status=OrderProductRelation.OrderProductStatus.paid
+    )
+    stale.delete()
+    PaymentHistory.objects.create(order=leak_candidate, imp_id="leak", status=PaymentHistoryStatus.completed, price=500)
+
+    response = OrdersAdminApi(http_client=api_client).list({"product_id": str(product.id)})
+    assert response.status_code == HTTP_200_OK
+    returned_ids = {row["id"] for row in response.json()["results"]}
+    assert str(matching_order.id) in returned_ids
+    assert str(leak_candidate.id) not in returned_ids
@@ -34,7 +34,7 @@ class OrderNotificationAdminViewSet(JsonSchemaViewSet, viewsets.GenericViewSet):
         .filter(current_status__in=REFUNDABLE_STATUSES)
         .select_related("customer_info")
         .prefetch_related(
-            Order.prefetchs["_payment_histories_by_latest"],
+            Order.prefetchs["_active_payment_histories"],
             models.Prefetch(
                 "products",
                 queryset=OrderProductRelation.objects.filter_active().prefetch_related(
 
@@ -49,7 +49,8 @@
 def _payment_history_created_at_subquery(*, latest: bool) -> models.Subquery:
     """Order 별 첫/마지막 PaymentHistory.created_at scalar subquery (filter/annotate 양쪽 용)."""
     return models.Subquery(
-        PaymentHistory.objects.filter(order_id=models.OuterRef("pk"))
+        PaymentHistory.objects.filter_active()
+        .filter(order_id=models.OuterRef("pk"))
         .order_by("-created_at" if latest else "created_at")
         .values("created_at")[:1]
     )
@@ -70,7 +71,7 @@ class OrderAdminViewSet(
     permission_classes = [IsSuperUser]
     queryset = (
         Order.objects.filter_has_payment_histories()
-        .filter(models.Exists(OrderProductRelation.objects.filter(order=models.OuterRef("pk"))))
+        .filter(models.Exists(OrderProductRelation.objects.filter_active().filter(order=models.OuterRef("pk"))))
         .select_related_with_user("user", "customer_info")
         .prefetch_related(
             models.Prefetch("products", queryset=_OPR_PREFETCH_QS),
@@ -118,7 +119,7 @@ def refund_product(
         pk: typing.Any = None,
         rel_id: typing.Any = None,
     ) -> response.Response:
-        order_product_rel = OrderProductRelation.objects.filter(order_id=pk, id=rel_id).first()
+        order_product_rel = OrderProductRelation.objects.filter_active().filter(order_id=pk, id=rel_id).first()
         if not order_product_rel:
             raise exceptions.NotFound("OrderProductRelation not found.")
 
@@ -208,15 +209,31 @@ def export(self, request: request.Request) -> StreamingHttpResponse:
         statuses = PURCHASED_STATUSES if include_refunded else REFUNDABLE_STATUSES
 
         order_qs = (
-            Order.objects.annotate(current_status=PaymentHistory.objects.latest_per_order_field("status"))
+            Order.objects.filter_active()
+            .annotate(current_status=PaymentHistory.objects.latest_per_order_field("status"))
             .select_related("user")
-            .prefetch_related("products", "payment_histories")
-            .filter(products__product_id__in=product_ids, current_status__in=statuses)
+            .with_dto_prefetches()
+            .filter(
+                models.Exists(
+                    OrderProductRelation.objects.filter_active().filter(
+                        order_id=models.OuterRef("pk"), product_id__in=product_ids
+                    )
+                ),
+                current_status__in=statuses,
+            )
         )
         order_product_qs = (
-            OrderProductRelation.objects.filter(order__in=order_qs)
+            OrderProductRelation.objects.filter_active()
+            .filter(order__in=order_qs)
             .select_related("product")
-            .prefetch_related("options__product_option_group", "options__product_option")
+            .prefetch_related(
+                models.Prefetch(
+                    "options",
+                    queryset=OrderProductOptionRelation.objects.filter_active().select_related(
+                        "product_option_group", "product_option"
+                    ),
+                ),
+            )
             .distinct()
         )
 
 
@@ -28,35 +28,49 @@ def filter_by_category_groups(self, qs: OrderQuerySet, name: str, values: list[s
         if not (filtered_values := [v.strip() for v in values if v.strip()]):
             return qs
 
-        opor_order_qs = OrderProductRelation.objects.filter(
-            product__category__group__name__in=filtered_values,
-        ).values_list("order_id", flat=True)
+        opor_order_qs = (
+            OrderProductRelation.objects.filter_active()
+            .filter(
+                product__category__group__name__in=filtered_values,
+            )
+            .values_list("order_id", flat=True)
+        )
 
         return qs.filter(id__in=opor_order_qs)
 
     def filter_by_categories(self, qs: OrderQuerySet, name: str, values: list[str]) -> OrderQuerySet:
         if not (filtered_values := [v.strip() for v in values if v.strip()]):
             return qs
 
-        opor_order_qs = OrderProductRelation.objects.filter(
-            product__category__name__in=filtered_values,
-        ).values_list("order_id", flat=True)
+        opor_order_qs = (
+            OrderProductRelation.objects.filter_active()
+            .filter(
+                product__category__name__in=filtered_values,
+            )
+            .values_list("order_id", flat=True)
+        )
 
         return qs.filter(id__in=opor_order_qs)
 
     def filter_by_order_product_relation_id(self, qs: OrderQuerySet, name: str, value: str) -> OrderQuerySet:
         if not value:
             return qs
 
-        return qs.filter(id__in=OrderProductRelation.objects.filter(id=value).values_list("order_id", flat=True))
+        return qs.filter(
+            id__in=OrderProductRelation.objects.filter_active().filter(id=value).values_list("order_id", flat=True)
+        )
 
     def filter_by_keywords(self, qs: OrderQuerySet, name: str, values: list[str]) -> OrderQuerySet:
         if not (filtered_values := [v.strip() for v in values if v.strip()]):
             return qs
 
-        opor_order_qs = OrderProductOptionRelation.objects.filter(
-            custom_response__in=filtered_values,
-        ).values_list("order_product_relation__order_id", flat=True)
+        opor_order_qs = (
+            OrderProductOptionRelation.objects.filter_active()
+            .filter(
+                custom_response__in=filtered_values,
+            )
+            .values_list("order_product_relation__order_id", flat=True)
+        )
         ci_order_qs = CustomerInfo.objects.filter(
             models.Q(name__in=filtered_values)
             | models.Q(email__in=filtered_values)
 
@@ -71,8 +71,8 @@ class DeskSupportViewSet(
             ),
             models.Prefetch(
                 "payment_histories",
-                queryset=PaymentHistory.objects.filter_active().order_by("-created_at"),
-                to_attr="_payment_histories_by_latest",
+                queryset=PaymentHistory.objects.filter_active(),
+                to_attr="_active_payment_histories",
             ),
         )
         .order_by("-created_at")
 
@@ -66,7 +66,7 @@ class Meta:
     def to_representation(self, instance: OrderProductRelation) -> dict[str, typing.Any]:
         result: dict[str, typing.Any] = super().to_representation(instance)
 
-        options: collections.abc.Iterable[OrderProductOptionRelation] = instance.options.all()
+        options: collections.abc.Iterable[OrderProductOptionRelation] = instance.options.filter_active()
         for option in options:
             option_group: OptionGroup = option.product_option_group
             selected_option: Option = option.product_option