* Include nix development enviornment
* Obfuscate contact email addresses in shop HTML and deanonymize via JavaScript
This change addresses #1907: "hide contact e-mail address in source code
of a shop".
- Contact email addresses rendered in public-facing templates are now
obfuscated in the HTML source (e.g., replacing "@" with "[at]" and "."
with "[dot]").
- A new JavaScript file is included in the relevant templates to
automatically rewrite and restore the email address for users after the
page loads.
- This approach helps protect email addresses from basic harvesting bots
and reduces spam, while keeping them accessible and user-friendly for
human visitors.
- The obfuscation and deanonymization logic is only applied to web
templates, not to emails sent via pretix.
This implementation follows the recommendations discussed in #1907,
using a standardized, maintainable approach that’s compatible with
pretix's asset pipeline and template structure.
* Undo nix development environment for merge into main
* convert complete mailto-link to HTML entities
* remove gitignore noise
* Update .gitignore
* fix gitignore noise
* Update .gitignore
---------
Co-authored-by: Richard Schreiber <schreiber@rami.io>
The field Voucher.price_mode is sometimes called "Price mode" and
sometimes "Price effect" in the UI, which is inconsistent. I think
"price effect" is a little clearer, but I don't really care as long as
it is consistent.
I've kept it for 400/403/500/csrffail for now, because they also have a
"try again" link. Yes, both things have browser buttons, but they make
it a *little* clearer to technical users what one could to next, and
especially on csrffail, "step back" is always possible and possibly actually
helpful.
Not all transmission fields are visible to users at all times, depending on whether they are necessary for users to know/change but they are submitted for the backend. This change hides those fields that were hidden before in the confirmation step as well to avoid confusion.
* Tax rounding: Allow to apply only for B2B (Z#23220106)
Most effective in combination with #5807
* Update src/pretix/base/settings.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Order changes: Do not allow to double-book add-ons
* tests
* Update src/pretix/presale/templates/pretixpresale/event/fragment_addon_choice.html
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Invoices: Allow issuing invoices only to businesses
In situations where every invoice has a significant accounting cost and
consumers usually do not need invoices, this can save a lot of money or
effort.
* Improve backend UI if not qualified for invoice
* baseline of 574 queries
* reuse event from wle for locked_wle
reduces amount of queries to 556
* keep event accross refresh from db
drops queries from 556 to 471, halving the amount of queries for direct fetches for the event
* make numbers of queries reproducible by prewarming ContentTypeCache
* fix oversight
* correct number of queries to 335
* remove debug tooling
* remove assert_num_queries
* Localize state names in js-helper
* localize statename in address-confirm
* add localized state_name to AbstractPosition and AttendeeProfile
* use state_for_address in order export
* Allow to combine language variant with region (fixes#3947, Z#23220951)
This only affects babel-based formatting (currently: currencies and phone numbers),
**not** Django-based formatting (currently: date and time formats).
* Remove tests where I don'T actually know whats right
* Fix lookup order
* Add option to restrict anonymous access to order URLs
By default, users who place orders while logged in can still access
their order URLs without authentication. This raises potential
security risks, particularly if order confirmation emails are
forwarded.
This commit introduces an organiser-level setting to disable anonymous
access for such orders. When enabled, unauthenticated attempts to access
URLs starting with `/order/`, which are intended for the customer, are
redirected to the login page. Upon successful authentication, the user
is redirected back to the original order URL.
It is important to note that this change does not impact routes intended
for attendees (e.g., `/ticket/*`), which remain accessible without
authentication.
* Change name of setting for future clarity
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Update message wording
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Eliminate database query
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Rename feature flag to fix breaking tests
* Refactor order access verification code into `OrderDetailsMixin`
* Add test for logged-in customer accessing another customer's order
* Refactor order access conditions to remove nesting
* Handle case where customer is not yet verified
* Add additional information to help message
* Fix multidomain issue
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Merge order/position variants into single tests
* Add docstring explaining return type of `order` property
* Apply suggestion from @raphaelm
* Fix indentation
---------
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
Co-authored-by: Raphael Michel <michel@rami.io>
* Add more log entry types to the org-level logs page
all_logentries() limits the QuerySet to LogEntrys whose content object
is an Organizer.
This change expands that to get any LogEntry linked to the current
Organization. It removes those that are linked directly to an Event,
since they are already served by the event-level logs page.
* Check active plugins with either Event or Organizer
