CI: Try to run with 4 threads

CI: Run PostgreSQL as a native service (#4560 )
* GH Actions: Fix PostgreSQL issues * Map PostgreSQL port
2024-10-25 17:23:33 +02:00 · 2024-10-25 17:18:42 +02:00 · 2024-10-25 17:06:11 +02:00 · 2024-10-25 17:05:58 +02:00 · 2024-10-25 17:04:16 +02:00 · 2024-10-25 16:44:22 +02:00
304 changed files with 188903 additions and 126463 deletions
@@ -38,7 +38,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system dependencies
-        run: sudo apt update && sudo apt install gettext unzip
+        run: sudo apt update && sudo apt install -y gettext unzip
      - name: Install Python dependencies
        run: pip3 install -U setuptools build pip check-manifest
      - name: Run check-manifest
@@ -37,7 +37,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install enchant-2 hunspell aspell-en
+        run: sudo apt update && sudo apt install -y enchant-2 hunspell aspell-en
      - name: Install Dependencies
        run: pip3 install -Ur requirements.txt
        working-directory: ./doc
@@ -35,9 +35,9 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install gettext
+        run: sudo apt update && sudo apt -y install gettext
      - name: Install Dependencies
-        run: pip3 install -e ".[dev]"
+        run: pip3 install uv && uv pip install --system -e ".[dev]"
      - name: Compile messages
        run: python manage.py compilemessages
        working-directory: ./src
@@ -62,7 +62,7 @@ jobs:
      - name: Install system packages
        run: sudo apt update && sudo apt install enchant-2 hunspell hunspell-de-de aspell-en aspell-de
      - name: Install Dependencies
-        run: pip3 install -e ".[dev]"
+        run: pip3 install uv && uv pip install --system -e ".[dev]"
      - name: Spellcheck translations
        run: potypo
        working-directory: ./src
@@ -35,7 +35,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install Dependencies
-        run: pip3 install -e ".[dev]" psycopg2-binary
+        run: pip3 install uv && uv pip install --system -e ".[dev]" psycopg2-binary
      - name: Run isort
        run: isort -c .
        working-directory: ./src
@@ -55,7 +55,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install Dependencies
-        run: pip3 install -e ".[dev]" psycopg2-binary
+        run: pip3 install uv && uv pip install --system -e ".[dev]" psycopg2-binary
      - name: Run flake8
        run: flake8 .
        working-directory: ./src
@@ -30,15 +30,21 @@ jobs:
            python-version: "3.9"
          - database: sqlite
            python-version: "3.10"
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: pretix
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
    steps:
      - uses: actions/checkout@v4
-      - uses: harmon758/postgresql-action@v1
-        with:
-          postgresql version: '15'
-          postgresql db: 'pretix'
-          postgresql user: 'postgres'
-          postgresql password: 'postgres'
-        if: matrix.database == 'postgres'
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
@@ -50,9 +56,9 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system dependencies
-        run: sudo apt update && sudo apt install gettext
+        run: sudo apt update && sudo apt install -y gettext
      - name: Install Python dependencies
-        run: pip3 install --ignore-requires-python -e ".[dev]" psycopg2-binary  # We ignore that flake8 needs newer python as we don't run flake8 during tests
+        run: pip3 install uv && uv pip install --system -e ".[dev]" psycopg2-binary
      - name: Run checks
        run: python manage.py check
        working-directory: ./src
@@ -64,7 +70,7 @@ jobs:
        run: make all compress
      - name: Run tests
        working-directory: ./src
-        run: PRETIX_CONFIG_FILE=tests/travis_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml --reruns 3 tests --maxfail=100
+        run: PRETIX_CONFIG_FILE=tests/travis_${{ matrix.database }}.cfg py.test -n 4 -p no:sugar --cov=./ --cov-report=xml --reruns 3 tests --maxfail=100
      - name: Run concurrency tests
        working-directory: ./src
        run: PRETIX_CONFIG_FILE=tests/travis_${{ matrix.database }}.cfg py.test tests/concurrency_tests/ --reruns 0 --reuse-db
@@ -0,0 +1 @@
+17
@@ -10,6 +10,8 @@ recursive-include src/pretix/helpers/locale *
 recursive-include src/pretix/base/templates *
 recursive-include src/pretix/control/templates *
 recursive-include src/pretix/presale/templates *
+recursive-include src/pretix/plugins/autocheckin/templates *
+recursive-include src/pretix/plugins/autocheckin/static *
 recursive-include src/pretix/plugins/banktransfer/templates *
 recursive-include src/pretix/plugins/banktransfer/static *
 recursive-include src/pretix/plugins/manualpayment/templates *
@@ -294,6 +294,10 @@ Example::
    setting is not provided, pretix will generate a random secret on the first start
    and will store it in the filesystem for later usage.

+``secret_fallback0`` ... ``secret_fallback9``
+    Prior versions of the secret to be used by Django for signing and verification purposes that will still
+    be accepted but no longer be used for new signing.
+
 ``debug``
    Whether or not to run in debug mode. Default is ``False``.

@@ -73,4 +73,11 @@ This release includes a migration that changes retroactively fills an `organizer
 `pretixbase_logentry`. If you have a large database, the migration step of the upgrade might take significantly
 longer than usual, so plan the update accordingly.

+Upgrade to 2024.7.0 or newer
+"""""""""""""""""""""""""""""
+
+This release includes a migration that changes how sales channels are referred on orders.
+If you have a large database, the migration step of the upgrade might take significantly longer than usual, so plan
+the update accordingly.
+
 .. _blog: https://pretix.eu/about/en/blog/
@@ -0,0 +1,259 @@
+.. _rest-autocheckinrules:
+
+Auto check-in rules
+===================
+
+This feature requires the bundled ``pretix.plugins.autocheckin`` plugin to be active for the event in order to work properly.
+
+Resource description
+--------------------
+
+Auto check-in rules specify that tickets should under specific conditions automatically be considered checked in after
+they have been purchased.
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the rule
+list                                  integer                    ID of the check-in list to check the ticket in on. If
+                                                                 ``None``, the system will select all matching check-in lists.
+mode                                  string                     ``"placed"`` if the rule should be evaluated right after
+                                                                 an order has been created, ``"paid"`` if the rule should
+                                                                 be evaluated after the order has been fully paid.
+all_sales_channels                    boolean                    If ``true`` (default), the rule applies to tickets sold on all sales channels.
+limit_sales_channels                  list of strings            List of sales channel identifiers the rule should apply to
+                                                                 if ``all_sales_channels`` is ``false``.
+all_products                          boolean                    If ``true`` (default), the rule affects all products and variations.
+limit_products                        list of integers           List of item IDs, if ``all_products`` is not set. If the
+                                                                 product listed here has variations, all variations will be matched.
+limit_variations                      list of integers           List of product variation IDs, if ``all_products`` is not set.
+                                                                 The parent product does not need to be part of ``limit_products``.
+all_payment_methods                   boolean                    If ``true`` (default), the rule applies to tickets paid with all payment methods.
+limit_payment_methods                 list of strings            List of payment method identifiers the rule should apply to
+                                                                 if ``all_payment_methods`` is ``false``.
+===================================== ========================== =======================================================
+
+.. versionadded:: 2024.7
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/auto_checkin_rules/
+
+   Returns a list of all rules configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/auto_checkin_rules/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "list": 12345,
+            "mode": "placed",
+            "all_sales_channels": false,
+            "limit_sales_channels": ["web"],
+            "all_products": False,
+            "limit_products": [2, 3],
+            "limit_variations": [456],
+            "all_payment_methods": true,
+            "limit_payment_methods": []
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/auto_checkin_rules/(id)/
+
+   Returns information on one rule, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/auto_checkin_rules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "list": 12345,
+        "mode": "placed",
+        "all_sales_channels": false,
+        "limit_sales_channels": ["web"],
+        "all_products": False,
+        "limit_products": [2, 3],
+        "limit_variations": [456],
+        "all_payment_methods": true,
+        "limit_payment_methods": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the rule to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/auto_checkin_rules/
+
+   Create a new rule.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/auto_checkin_rules/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "list": 12345,
+        "mode": "placed",
+        "all_sales_channels": false,
+        "limit_sales_channels": ["web"],
+        "all_products": False,
+        "limit_products": [2, 3],
+        "limit_variations": [456],
+        "all_payment_methods": true,
+        "limit_payment_methods": []
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "list": 12345,
+        "mode": "placed",
+        "all_sales_channels": false,
+        "limit_sales_channels": ["web"],
+        "all_products": False,
+        "limit_products": [2, 3],
+        "limit_variations": [456],
+        "all_payment_methods": true,
+        "limit_payment_methods": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a rule for
+   :param event: The ``slug`` field of the event to create a rule for
+   :statuscode 201: no error
+   :statuscode 400: The rule could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create rules.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/auto_checkin_rules/(id)/
+
+   Update a rule. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/auto_checkin_rules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "mode": "paid",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 1,
+        "list": 12345,
+        "mode": "placed",
+        "all_sales_channels": false,
+        "limit_sales_channels": ["web"],
+        "all_products": False,
+        "limit_products": [2, 3],
+        "limit_variations": [456],
+        "all_payment_methods": true,
+        "limit_payment_methods": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The rule could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/auto_checkin_rules/(id)/
+
+   Delete a rule.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/auto_checkin_rules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the rule to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it **or** this rule cannot be deleted since it is currently in use.
@@ -23,6 +23,22 @@ position                              integer                    An integer, use
 is_addon                              boolean                    If ``true``, items within this category are not on sale
                                                                 on their own but the category provides a source for
                                                                 defining add-ons for other products.
+cross_selling_mode                    string                     If ``null``, cross-selling is disabled for this category.
+                                                                 If ``"only"``, it is only visible in the cross-selling
+                                                                 step.
+                                                                 If ``"both"``, it is visible on the normal index page
+                                                                 as well.
+                                                                 Only available if ``is_addon`` is ``false``.
+cross_selling_condition               string                     Only relevant if ``cross_selling_mode`` is not ``null``.
+                                                                 If ``"always"``, always show in cross-selling step.
+                                                                 If ``"products"``, only show if the cart contains one of
+                                                                 the products listed in ``cross_selling_match_products``.
+                                                                 If ``"discounts"``, only show products that qualify for
+                                                                 a discount according to discount rules.
+cross_selling_match_products          list of integer            Only relevant if ``cross_selling_condition`` is
+                                                                 ``"products"``. Internal ID of the items of which at
+                                                                 least one needs to be in the cart for this category to
+                                                                 be shown.
 ===================================== ========================== =======================================================


@@ -60,7 +76,10 @@ Endpoints
            "internal_name": "",
            "description": {"en": "Tickets are what you need to get in."},
            "position": 1,
-            "is_addon": false
+            "is_addon": false,
+            "cross_selling_mode": null,
+            "cross_selling_condition": null,
+            "cross_selling_match_products": []
          }
        ]
      }
@@ -102,7 +121,10 @@ Endpoints
        "internal_name": "",
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
-        "is_addon": false
+        "is_addon": false,
+        "cross_selling_mode": null,
+        "cross_selling_condition": null,
+        "cross_selling_match_products": []
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -130,7 +152,10 @@ Endpoints
        "internal_name": "",
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
-        "is_addon": false
+        "is_addon": false,
+        "cross_selling_mode": null,
+        "cross_selling_condition": null,
+        "cross_selling_match_products": []
      }

   **Example response**:
@@ -147,7 +172,10 @@ Endpoints
        "internal_name": "",
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
-        "is_addon": false
+        "is_addon": false,
+        "cross_selling_mode": null,
+        "cross_selling_condition": null,
+        "cross_selling_match_products": []
      }

   :param organizer: The ``slug`` field of the organizer of the event to create a category for
@@ -193,7 +221,10 @@ Endpoints
        "internal_name": "",
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
-        "is_addon": true
+        "is_addon": true,
+        "cross_selling_mode": null,
+        "cross_selling_condition": null,
+        "cross_selling_match_products": []
      }

   :param organizer: The ``slug`` field of the organizer to modify
@@ -32,6 +32,7 @@ position_count                        integer                    Number of ticke
 checkin_count                         integer                    Number of check-ins performed on this list (read-only).
 include_pending                       boolean                    If ``true``, the check-in list also contains tickets from orders in pending state.
 auto_checkin_sales_channels           list of strings            All items on the check-in list will be automatically marked as checked-in when purchased through any of the listed sales channels.
+                                                                 **Deprecated, will be removed in pretix 2024.10.** Use :ref:`rest-autocheckinrules`: instead.
 allow_multiple_entries                boolean                    If ``true``, subsequent scans of a ticket on this list should not show a warning but instead be stored as an additional check-in.
 allow_entry_after_exit                boolean                    If ``true``, subsequent scans of a ticket on this list are valid if the last scan of the ticket was an exit scan.
 rules                                 object                     Custom check-in logic. The contents of this field are currently not considered a stable API and modifications through the API are highly discouraged.
@@ -44,5 +44,7 @@ at :ref:`plugin-docs`.
   scheduled_exports
   shredders
   sendmail_rules
+   auto_checkin_rules
   billing_invoices
-   billing_var
+   billing_var
+   seats
@@ -217,6 +217,9 @@ List of all invoices
   :query boolean is_cancellation: If set to ``true`` or ``false``, only invoices with this value for the field
                                   ``is_cancellation`` will be returned.
   :query string order: If set, only invoices belonging to the order with the given order code will be returned.
+                        This parameter may be given multiple times. In this case, all invoices matching one of the inputs will be returned.
+   :query string number: If set, only invoices with the given invoice number will be returned.
+                        This parameter may be given multiple times. In this case, all invoices matching one of the inputs will be returned.
   :query string refers: If set, only invoices referring to the given invoice will be returned.
   :query string locale: If set, only invoices with the given locale will be returned.
   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date`` and
@@ -203,7 +203,8 @@ checkins                              list of objects            List of **succe
 ├ datetime                            datetime                   Time of check-in
 ├ type                                string                     Type of scan (defaults to ``entry``)
 ├ gate                                integer                    Internal ID of the gate. Can be ``null``.
-├ device                              integer                    Internal ID of the device. Can be ``null``.
+├ device                              integer                    Internal ID of the device. Can be ``null``. **Deprecated**, since this ID is not otherwise used in the API and is therefore not very useful.
+├ device_id                           integer                    Attribute ``device_id`` of the device. Can be ``null``.
 └ auto_checked_in                     boolean                    Indicates if this check-in been performed automatically by the system
 downloads                             list of objects            List of ticket download options
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
@@ -51,7 +51,7 @@ Endpoints
        "results": [
          {
            "identifier": "web",
-            "name": {
+            "label": {
              "en": "Online shop"
            },
            "type": "web",
@@ -88,7 +88,7 @@ Endpoints

      {
        "identifier": "web",
-        "name": {
+        "label": {
          "en": "Online shop"
        },
        "type": "web",
@@ -116,7 +116,7 @@ Endpoints

      {
        "identifier": "api.custom",
-        "name": {
+        "label": {
          "en": "Custom integration"
        },
        "type": "api",
@@ -133,7 +133,7 @@ Endpoints

      {
        "identifier": "api.custom",
-        "name": {
+        "label": {
          "en": "Custom integration"
        },
        "type": "api",
@@ -178,7 +178,7 @@ Endpoints

      {
        "identifier": "web",
-        "name": {
+        "label": {
          "en": "Online shop"
        },
        "type": "web",
@@ -0,0 +1,262 @@
+.. _`rest-reusablemedia`:
+
+Seats
+=====
+
+The seat resource represents the seats in a seating plan in a specific event or subevent.
+
+Resource description
+--------------------
+
+The seat resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of this seat
+subevent                              integer                    Internal ID of the subevent this seat belongs to
+zone_name                             string                     Name of the zone the seat is in
+row_name                              string                     Name/number of the row the seat is in
+row_label                             string                     Additional label of the row (or ``null``)
+seat_number                           string                     Number of the seat within the row
+seat_label                            string                     Additional label of the seat (or ``null``)
+seat_guid                             string                     Identifier of the seat within the seating plan
+product                               integer                    Internal ID of the product that is mapped to this seat
+blocked                               boolean                    Whether this seat is blocked manually.
+orderposition                         integer / object           Internal ID of an order position reserving this seat.
+cartposition                          integer / object           Internal ID of a cart position reserving this seat.
+voucher                               integer / object           Internal ID of a voucher reserving this seat.
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/seats/
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/(subevent_id)/seats/
+
+   Returns a list of all seats in the specified event or subevent. Depending on whether the event has subevents, the
+   according endpoint has to be used.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/seats/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Vary: Accept
+        Content-Type: application/json
+
+        {
+            "count": 500,
+            "next": "https://pretix.eu/api/v1/organizers/bigevents/events/sampleconf/seats/?page=2",
+            "previous": null,
+            "results": [
+                {
+                    "id": 1633,
+                    "subevent": null,
+                    "zone_name": "Ground floor",
+                    "row_name": "1",
+                    "row_label": null,
+                    "seat_number": "1",
+                    "seat_label": null,
+                    "seat_guid": "b9746230-6f31-4f41-bbc9-d6b60bdb3342",
+                    "product": 104,
+                    "blocked": false,
+                    "orderposition": null,
+                    "cartposition": null,
+                    "voucher": 51
+                },
+                {
+                    "id": 1634,
+                    "subevent": null,
+                    "zone_name": "Ground floor",
+                    "row_name": "1",
+                    "row_label": null,
+                    "seat_number": "2",
+                    "seat_label": null,
+                    "seat_guid": "1d29fe20-8e1e-4984-b0ee-2773b0d07e07",
+                    "product": 104,
+                    "blocked": true,
+                    "orderposition": 4321,
+                    "cartposition": null,
+                    "voucher": null
+                },
+                // ...
+            ]
+        }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1.
+   :query string zone_name: Only show seats with the given zone_name.
+   :query string row_name: Only show seats with the given row_name.
+   :query string row_label: Only show seats with the given row_label.
+   :query string seat_number: Only show seats with the given seat_number.
+   :query string seat_label: Only show seats with the given seat_label.
+   :query string seat_guid: Only show seats with the given seat_guid.
+   :query boolean blocked: Only show seats with the given blocked status.
+   :query boolean is_available: Only show seats that are (not) currently available.
+   :query string expand: If you pass ``"orderposition"``, ``"cartposition"``, or ``"voucher"``, the respective field will be
+                         shown as a nested value instead of just an ID. This requires permission to access that object.
+                         The nested objects are identical to the respective resources, except that order positions
+                         will have an attribute of the format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make
+                         matching easier, and won't include the `seat` attribute, as that would be redundant.
+                         The parameter can be given multiple times.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param subevent_id: The ``id`` field of the subevent to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: Endpoint without subevent id was used for event with subevents, or vice versa.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/seats/(id)/
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/(subevent_id)/seats/(id)/
+
+   Returns information on one seat, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+        GET /api/v1/organizers/bigevents/events/sampleconf/seats/1634/?expand=orderposition HTTP/1.1
+        Host: pretix.eu
+        Accept: application/json
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Vary: Accept
+        Content-Type: application/json
+
+        {
+            "id": 1634,
+            "subevent": null,
+            "zone_name": "Ground floor",
+            "row_name": "1",
+            "row_label": null,
+            "seat_number": "2",
+            "seat_label": null,
+            "seat_guid": "1d29fe20-8e1e-4984-b0ee-2773b0d07e07",
+            "product": 104,
+            "blocked": true,
+            "orderposition": {
+                "id": 134,
+                "order": {
+                    "code": "U0HW7",
+                    "event": "sampleconf"
+                },
+                "positionid": 1,
+                "item": 104,
+                "variation": 59,
+                "price": "60.00",
+                "attendee_name": "",
+                "attendee_name_parts": {
+                    "_scheme": "given_family"
+                },
+                "company": null,
+                "street": null,
+                "zipcode": null,
+                "city": null,
+                "country": null,
+                "state": null,
+                "discount": null,
+                "attendee_email": null,
+                "voucher": null,
+                "tax_rate": "0.00",
+                "tax_value": "0.00",
+                "secret": "4rfgp263jduratnsvwvy6cc6r6wnptbj",
+                "addon_to": null,
+                "subevent": null,
+                "checkins": [],
+                "downloads": [],
+                "answers": [],
+                "tax_rule": null,
+                "pseudonymization_id": "ZSNYSG3URZ",
+                "canceled": false,
+                "valid_from": null,
+                "valid_until": null,
+                "blocked": null,
+                "voucher_budget_use": null
+            },
+            "cartposition": null,
+            "voucher": null
+        }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param subevent_id: The ``id`` field of the subevent to fetch
+   :param id: The ``id`` field of the seat to fetch
+   :query string expand: If you pass ``"orderposition"``, ``"cartposition"``, or ``"voucher"``, the respective field will be
+                         shown as a nested value instead of just an ID. This requires permission to access that object.
+                         The nested objects are identical to the respective resources, except that order positions
+                         will have an attribute of the format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make
+                         matching easier, and won't include the `seat` attribute, as that would be redundant.
+                         The parameter can be given multiple times.
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: Seat does not exist; or the endpoint without subevent id was used for event with subevents, or vice versa.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/seats/(id)/
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/seats/(id)/
+
+   Update a seat.
+
+   You can only change the ``blocked`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+        PATCH /api/v1/organizers/bigevents/events/sampleconf/seats/1636/ HTTP/1.1
+        Host: pretix.eu
+        Accept: application/json, text/javascript
+        Content-Type: application/json
+
+        {
+            "blocked": true
+        }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+        HTTP/1.1 200 OK
+        Vary: Accept
+        Content-Type: application/json
+
+        {
+            "id": 1636,
+            "subevent": null,
+            "zone_name": "Ground floor",
+            "row_name": "1",
+            "row_label": null,
+            "seat_number": "4",
+            "seat_label": null,
+            "seat_guid": "6c0e29e5-05d6-421f-99f3-afd01478ecad",
+            "product": 104,
+            "blocked": true,
+            "orderposition": null,
+            "cartposition": null,
+            "voucher": null
+        },
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param subevent_id: The ``id`` field of the subevent to modify
+   :param id: The ``id`` field of the seat to modify
+   :statuscode 200: no error
+   :statuscode 400: The seat could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to change this resource.
+   :statuscode 404: Seat does not exist; or the endpoint without subevent id was used for event with subevents, or vice versa.
@@ -1,6 +1,8 @@
 Scheduled email rules
 =====================

+This feature requires the bundled ``pretix.plugins.sendmail`` plugin to be active for the event in order to work properly.
+
 Resource description
 --------------------

@@ -48,6 +50,7 @@ send_to                               string                     Can be ``"order
                                                                 or ``"both"``.
                                                                 date. Otherwise it is relative to the event start date.
 ===================================== ========================== =======================================================
+
 .. versionchanged:: 2023.7

    The ``include_pending`` field has been  deprecated.
@@ -136,6 +136,7 @@ Endpoints
      }

   :query page: The page number in case of a multi-page result set, default is 1
+   :query is_public: If set to ``true``/``false``, only subevents with a matching value of ``is_public`` are returned.
   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
@@ -467,6 +468,7 @@ Endpoints
      }

   :query page: The page number in case of a multi-page result set, default is 1
+   :query is_public: If set to ``true``/``false``, only subevents with a matching value of ``is_public`` are returned.
   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
   :query event__live: If set to ``true``/``false``, only events with a matching value of ``live`` on the parent event are returned.
   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
@@ -20,8 +20,9 @@ internal_name                         string                     An optional nam
 rate                                  decimal (string)           Tax rate in percent
 price_includes_tax                    boolean                    If ``true`` (default), tax is assumed to be included in
                                                                 the specified product price
-eu_reverse_charge                     boolean                    If ``true``, EU reverse charge rules are applied. Will
-                                                                 be ignored if custom rules are set.
+eu_reverse_charge                     boolean                    **DEPRECATED**. If ``true``, EU reverse charge rules
+                                                                 are applied. Will be ignored if custom rules are set.
+                                                                 Use custom rules instead.
 home_country                          string                     Merchant country (required for reverse charge), can be
                                                                 ``null`` or empty string
 keep_gross_if_rate_changes            boolean                    If ``true``, changes of the tax rate based on custom
@@ -14,7 +14,7 @@ Core
   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification,
      item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter,
      register_ticket_secret_generators, gift_card_transaction_display,
-      register_text_placeholders, register_mail_placeholders
+      register_text_placeholders, register_mail_placeholders, device_info_updated

 Order events
 """"""""""""
@@ -136,9 +136,7 @@ It is a good idea to put this command into your git hook ``.git/hooks/pre-commit
 for example, to check for any errors in any staged files when committing::

    #!/bin/bash
-    cd $GIT_DIR/../src
-    export GIT_WORK_TREE=../
-    export GIT_DIR=../.git
+
    source ../env/bin/activate  # Adjust to however you activate your virtual environment
    for file in $(git diff --cached --name-only | grep -E '\.py$' | grep -Ev "migrations|mt940\.py|pretix/settings\.py|make_testdata\.py|testutils/settings\.py|tests/settings\.py|pretix/base/models/__init__\.py|.*_pb2\.py")
    do
@@ -29,8 +29,8 @@ item_assignments                      list of objects            Products this l
 ===================================== ========================== =======================================================


-Endpoints
---------
+Layout endpoints
+----------------

 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/ticketlayouts/

@@ -268,5 +268,75 @@ Endpoints
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

+Ticket rendering endpoint
+-----------------------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/ticketpdfrenderer/render_batch/
+
+   With this API call, you can instruct the system to render a set of tickets into one combined PDF file. To specify
+   which tickets to render, you need to submit a list of "parts". For every part, the following fields are supported:
+
+   * ``orderposition`` (``integer``, required): The ID of the order position to render.
+   * ``override_channel`` (``string``, optional): The sales channel ID to be used for layout selection instead of the
+     original channel of the order.
+   * ``override_layout`` (``integer``, optional): The ticket layout ID to be used instead of the auto-selected one.
+
+   If your input parameters validate correctly, a ``202 Accepted`` status code is returned.
+   The body points you to the download URL of the result. Running a ``GET`` request on that result URL will
+   yield one of the following status codes:
+
+    * ``200 OK`` – The export succeeded. The body will be your resulting file. Might be large!
+    * ``409 Conflict`` – Your export is still running. The body will be JSON with the structure ``{"status": "running"}``. ``status`` can be ``waiting`` before the task is actually being processed. Please retry, but wait at least one second before you do.
+    * ``410 Gone`` – Running the export has failed permanently. The body will be JSON with the structure ``{"status": "failed", "message": "Error message"}``
+    * ``404 Not Found`` – The export does not exist / is expired.
+
+   .. warning:: This endpoint is considered **experimental**. It might change at any time without prior notice.
+
+   .. note:: To avoid performance issues, a maximum number of 1000 parts is currently allowed.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/ticketpdfrenderer/render_batch/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "parts": [
+          {
+            "orderposition": 55412
+          },
+          {
+            "orderposition": 55412,
+            "override_channel": "web"
+          },
+          {
+            "orderposition": 55412,
+            "override_layout": 56
+          }
+        ]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "download": "https://pretix.eu/api/v1/organizers/bigevents/events/sampleconf/ticketpdfrenderer/download/29891ede-196f-4942-9e26-d055a36e98b8/3f279f13-c198-4137-b49b-9b360ce9fcce/"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 202: no error
+   :statuscode 400: Invalid input options
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+

 .. _here: https://github.com/pretix/pretix/blob/master/src/pretix/static/schema/pdf-layout.schema.json
@@ -6,5 +6,4 @@ sphinxcontrib-images
 sphinxcontrib-jquery
 sphinxcontrib-spelling==8.*
 sphinxemoji
-pygments-markdown-lexer
 pyenchant==3.2.*
@@ -7,5 +7,4 @@ sphinxcontrib-images
 sphinxcontrib-jquery
 sphinxcontrib-spelling==8.*
 sphinxemoji
-pygments-markdown-lexer
 pyenchant==3.2.*
@@ -31,8 +31,7 @@ Android 9                   Support planned until at least 12/2025.
 Android 8                   Support planned until at least 12/2025.
 Android 7                   Support planned until at least 06/2025.
 Android 6                   Support planned until at least 06/2025.
-Android 5                   | Support planned until at least 06/2025.
-                            | No support for COVID certificate verification.
+Android 5                   Support planned until at least 06/2025.
 Android 4                   Support dropped.
 =========================== ==========================================================

@@ -57,16 +56,17 @@ Android 8                   | Support planned until at least 12/2025.
 Android 7                   | Support planned until at least 12/2024.
                            | Support for Stripe Terminal to be dropped 05/2024.
                            | No support for Cryptovision TSE.
+                            | No support for SumUp.
 Android 6                   | Support planned until at least 12/2024.
                            | No support for Cryptovision TSE.
                            | No support for Fiskal Cloud.
                            | No support for Stripe Terminal.
+                            | No support for SumUp.
 Android 5                   | Support planned until at least 12/2024.
                            | No support for Cryptovision TSE.
                            | No support for Fiskal Cloud.
                            | No support for Stripe Terminal.
                            | No support for SumUp.
-                            | No support for COVID certificate verification.
 Android 4                   Support dropped.
 =========================== ==========================================================

@@ -87,9 +87,6 @@ Android 7                   Support planned until at least 06/2025.
 Android 6                   Support planned until at least 06/2025.
 Android 5                   | Support planned until at least 06/2025.
                            | No support for Evolis printers on some devices.
-Android 4.4                 | Support planned until at least 06/2024.
-                            | No support for USB printers.
-                            | No support for Evolis printers.
 Android 4                   Support dropped.
 =========================== ==========================================================

@@ -175,7 +175,7 @@ without any special behavior.
 Connecting SSO providers (pretix as the SSO client)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-To connect an external application as a SSO client, go to "Customer accounts" → "SSO providers" → "Create a new SSO provider"
+To connect an external application as a SSO provider, go to "Customer accounts" → "SSO providers" → "Create a new SSO provider"
 in your organizer account.

 .. thumbnail:: ../../screens/organizer/customer_ssoprovider_add.png
@@ -450,6 +450,19 @@ Further reading:
 * `Stripe Payment Method Domain registration`_


+Content Security Policy
+-----------------------
+
+When using a Content Security Policy (CSP) on your website, you may need to make some adjustments. If your pretix
+shop is running under a custom domain, you need to add the following rules:
+
+* ``script-src``: ``'unsafe-eval' https://pretix.eu`` (adjust to your domain for self-hosted pretix)
+* ``style-src``: ``https://pretix.eu`` (adjust to your domain for self-hosted pretix **and** for custom domain on pretix Hosted)
+* ``connect-src``: ``https://pretix.eu`` (adjust to your domain for self-hosted pretix **and** for custom domain on pretix Hosted)
+* ``frame-src``: ``https://pretix.eu`` (adjust to your domain for self-hosted pretix **and** for custom domain on pretix Hosted)
+* ``img-src``: ``https://pretix.eu`` (adjust to your domain for self-hosted pretix **and** for custom domain on pretix Hosted) and for pretix Hosted additionally add ``https://cdn.pretix.space``
+
+
 External payment providers and Cross-Origin-Opener-Policy
 ---------------------------------------------------------

@@ -22,7 +22,7 @@ classifiers = [
  "Programming Language :: Python :: 3.9",
  "Programming Language :: Python :: 3.10",
  "Programming Language :: Python :: 3.11",
-  "Framework :: Django :: 4.1",
+  "Framework :: Django :: 4.2",
 ]

 dependencies = [
@@ -35,12 +35,11 @@ dependencies = [
  "cryptography>=3.4.2",
  "css-inline==0.14.*",
  "defusedcsv>=1.1.0",
-  "dj-static",
-  "Django[argon2]==4.2.*",
-  "django-bootstrap3==24.2",
+  "Django[argon2]==4.2.*,>=4.2.15",
+  "django-bootstrap3==24.3",
  "django-compressor==4.5.1",
  "django-countries==7.6.*",
-  "django-filter==24.2",
+  "django-filter==24.3",
  "django-formset-js-improved==0.5.0.3",
  "django-formtools==2.5.1",
  "django-hierarkey==1.2.*",
@@ -56,16 +55,16 @@ dependencies = [
  "django-scopes==2.0.*",
  "django-statici18n==2.5.*",
  "djangorestframework==3.15.*",
-  "dnspython==2.6.*",
+  "dnspython==2.7.*",
  "drf_ujson2==1.7.*",
  "geoip2==4.*",
  "importlib_metadata==8.*",  # Polyfill, we can probably drop this once we require Python 3.10+
  "isoweek",
  "jsonschema",
-  "kombu==5.3.*",
+  "kombu==5.4.*",
  "libsass==0.23.*",
  "lxml",
-  "markdown==3.6",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
+  "markdown==3.7",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
  # We can upgrade markdown again once django-bootstrap3 upgrades or once we drop Python 3.6 and 3.7
  "mt-940==4.30.*",
  "oauthlib==3.2.*",
@@ -73,29 +72,28 @@ dependencies = [
  "packaging",
  "paypalrestsdk==1.13.*",
  "paypal-checkout-serversdk==1.0.*",
-  "PyJWT==2.8.*",
+  "PyJWT==2.9.*",
  "phonenumberslite==8.13.*",
  "Pillow==10.4.*",
  "pretix-plugin-build",
-  "protobuf==5.27.*",
+  "protobuf==5.28.*",
  "psycopg2-binary",
  "pycountry",
  "pycparser==2.22",
-  "pycryptodome==3.20.*",
-  "pypdf==4.3.*",
-  "python-bidi==0.5.*",  # Support for Arabic in reportlab
+  "pycryptodome==3.21.*",
+  "pypdf==5.0.*",
+  "python-bidi==0.6.*",  # Support for Arabic in reportlab
  "python-dateutil==2.9.*",
  "pytz",
  "pytz-deprecation-shim==0.1.*",
  "pyuca",
-  "qrcode==7.4.*",
-  "redis==5.0.*",
+  "qrcode==8.0",
+  "redis==5.1.*",
  "reportlab==4.2.*",
  "requests==2.31.*",
-  "sentry-sdk==2.10.*",
+  "sentry-sdk==2.17.*",
  "sepaxml==2.6.*",
  "slimit",
-  "static3==0.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
  "tlds>=2020041600",
@@ -110,10 +108,10 @@ dependencies = [
 [project.optional-dependencies]
 memcached = ["pylibmc"]
 dev = [
-  "aiohttp==3.9.*",
+  "aiohttp==3.10.*",
  "coverage",
  "coveralls",
-  "fakeredis==2.23.*",
+  "fakeredis==2.26.*",
  "flake8==7.1.*",
  "freezegun",
  "isort==5.13.*",
@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2024.7.0.dev0"
+__version__ = "2024.10.0.dev0"
@@ -62,6 +62,7 @@ INSTALLED_APPS = [
    'pretix.plugins.badges',
    'pretix.plugins.manualpayment',
    'pretix.plugins.returnurl',
+    'pretix.plugins.autocheckin',
    'pretix.plugins.webcheckin',
    'django_countries',
    'oauth2_provider',
@@ -79,6 +80,7 @@ ALL_LANGUAGES = [
    ('de', _('German')),
    ('de-informal', _('German (informal)')),
    ('ar', _('Arabic')),
+    ('eu', _('Basque')),
    ('ca', _('Catalan')),
    ('zh-hans', _('Chinese (simplified)')),
    ('zh-hant', _('Chinese (traditional)')),
@@ -0,0 +1,82 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django import forms
+from django.core.exceptions import ValidationError
+from django.db.models import Q
+from django.db.models.constants import LOOKUP_SEP
+from django.forms import MultipleChoiceField
+from django_filters import Filter
+from django_filters.conf import settings
+
+
+class MultipleCharField(forms.CharField):
+    widget = forms.MultipleHiddenInput
+
+    def to_python(self, value):
+        if not value:
+            return []
+        elif not isinstance(value, (list, tuple)):
+            raise ValidationError(
+                MultipleChoiceField.default_error_messages["invalid_list"], code="invalid_list"
+            )
+        return [str(val) for val in value]
+
+
+class MultipleCharFilter(Filter):
+    """
+    This filter performs OR(by default) or AND(using conjoined=True) query
+    on the selected inputs.
+    """
+
+    field_class = MultipleCharField
+
+    def __init__(self, *args, **kwargs):
+        self.conjoined = kwargs.pop("conjoined", False)
+        super().__init__(*args, **kwargs)
+
+    def filter(self, qs, value):
+        if not value:
+            # Even though not a noop, no point filtering if empty.
+            return qs
+
+        if not self.conjoined:
+            q = Q()
+        for v in set(value):
+            predicate = self.get_filter_predicate(v)
+            if self.conjoined:
+                qs = self.get_method(qs)(**predicate)
+            else:
+                q |= Q(**predicate)
+
+        if not self.conjoined:
+            qs = self.get_method(qs)(q)
+
+        return qs.distinct() if self.distinct else qs
+
+    def get_filter_predicate(self, v):
+        name = self.field_name
+        if name and self.lookup_expr != settings.DEFAULT_LOOKUP_EXPR:
+            name = LOOKUP_SEP.join([name, self.lookup_expr])
+        try:
+            return {name: getattr(v, self.field.to_field_name)}
+        except (AttributeError, TypeError):
+            return {name: v}
@@ -88,16 +88,20 @@ class SalesChannelMigrationMixin:
            }

            if data.get("all_sales_channels") and set(data["sales_channels"]) != all_channels:
-                raise ValidationError(
-                    "If 'all_sales_channels' is set, the legacy attribute 'sales_channels' must not be set or set to "
-                    "the list of all sales channels."
-                )
+                raise ValidationError({
+                    "limit_sales_channels": [
+                        "If 'all_sales_channels' is set, the legacy attribute 'sales_channels' must not be set or set to "
+                        "the list of all sales channels."
+                    ]
+                })

            if data.get("limit_sales_channels") and set(data["sales_channels"]) != set(data["limit_sales_channels"]):
-                raise ValidationError(
-                    "If 'limit_sales_channels' is set, the legacy attribute 'sales_channels' must not be set or set to "
-                    "the same list."
-                )
+                raise ValidationError({
+                    "limit_sales_channels": [
+                        "If 'limit_sales_channels' is set, the legacy attribute 'sales_channels' must not be set or set to "
+                        "the same list."
+                    ]
+                })

            if data["sales_channels"] == all_channels:
                data["all_sales_channels"] = True
@@ -106,6 +110,10 @@ class SalesChannelMigrationMixin:
                data["all_sales_channels"] = False
                data["limit_sales_channels"] = data["sales_channels"]
            del data["sales_channels"]
+
+        if data.get("all_sales_channels"):
+            data["limit_sales_channels"] = []
+
        return super().to_internal_value(data)

    def to_representation(self, value):
@@ -35,7 +35,7 @@
 import logging

 from django.conf import settings
-from django.core.exceptions import ValidationError
+from django.core.exceptions import PermissionDenied, ValidationError
 from django.db import transaction
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
@@ -52,7 +52,8 @@ from pretix.api.serializers import (
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.settings import SettingsSerializer
 from pretix.base.models import (
-    Device, Event, SalesChannel, TaxRule, TeamAPIToken,
+    CartPosition, Device, Event, OrderPosition, SalesChannel, Seat, TaxRule,
+    TeamAPIToken, Voucher,
 )
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import (
@@ -771,6 +772,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
+        'invoice_address_custom_field_helptext',
        'invoice_name_required',
        'invoice_address_not_asked_free',
        'invoice_show_payments',
@@ -844,6 +846,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'reusable_media_type_nfc_mf0aes_autocreate_giftcard',
        'reusable_media_type_nfc_mf0aes_autocreate_giftcard_currency',
        'reusable_media_type_nfc_mf0aes_random_uid',
+        'seating_allow_blocked_seats_for_channel',
    ]
    readonly_fields = [
        # These are read-only since they are currently only settable on organizers, not events
@@ -894,6 +897,7 @@ class DeviceEventSettingsSerializer(EventSettingsSerializer):
        'locale',
        'last_order_modification_date',
        'show_quota_left',
+        'show_dates_on_frontpage',
        'max_items_per_order',
        'attendee_names_asked',
        'attendee_names_required',
@@ -913,6 +917,7 @@ class DeviceEventSettingsSerializer(EventSettingsSerializer):
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
+        'invoice_address_custom_field_helptext',
        'invoice_name_required',
        'invoice_address_not_asked_free',
        'invoice_address_from_name',
@@ -969,3 +974,77 @@ class ItemMetaPropertiesSerializer(I18nAwareModelSerializer):
    class Meta:
        model = ItemMetaProperty
        fields = ('id', 'name', 'default', 'required', 'allowed_values')
+
+
+def prefetch_by_id(items, qs, id_attr, target_attr):
+    """
+    Prefetches a related object on each item in the given list of items by searching by id or another
+    unique field. The id value is read from the attribute on item specified in `id_attr`, searched on queryset `qs` by
+    the primary key, and the resulting prefetched model object is stored into `target_attr` on the item.
+    """
+    ids = [getattr(item, id_attr) for item in items if getattr(item, id_attr)]
+    if ids:
+        result = qs.in_bulk(id_list=ids)
+        for item in items:
+            setattr(item, target_attr, result.get(getattr(item, id_attr)))
+
+
+class SeatSerializer(I18nAwareModelSerializer):
+    orderposition = serializers.IntegerField(source='orderposition_id')
+    cartposition = serializers.IntegerField(source='cartposition_id')
+    voucher = serializers.IntegerField(source='voucher_id')
+
+    class Meta:
+        model = Seat
+        read_only_fields = (
+            'id', 'subevent', 'zone_name', 'row_name', 'row_label',
+            'seat_number', 'seat_label', 'seat_guid', 'product',
+            'orderposition', 'cartposition', 'voucher',
+        )
+        fields = (
+            'id', 'subevent', 'zone_name', 'row_name', 'row_label',
+            'seat_number', 'seat_label', 'seat_guid', 'product', 'blocked',
+            'orderposition', 'cartposition', 'voucher',
+        )
+
+    def prefetch_expanded_data(self, items, request, expand_fields):
+        if 'orderposition' in expand_fields:
+            if 'can_view_orders' not in request.eventpermset:
+                raise PermissionDenied('can_view_orders permission required for expand=orderposition')
+            prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition')
+        if 'cartposition' in expand_fields:
+            if 'can_view_orders' not in request.eventpermset:
+                raise PermissionDenied('can_view_orders permission required for expand=cartposition')
+            prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition')
+        if 'voucher' in expand_fields:
+            if 'can_view_vouchers' not in request.eventpermset:
+                raise PermissionDenied('can_view_vouchers permission required for expand=voucher')
+            prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher')
+
+    def __init__(self, instance, *args, **kwargs):
+        if not kwargs.get('data'):
+            self.prefetch_expanded_data(instance if hasattr(instance, '__iter__') else [instance],
+                                        kwargs['context']['request'],
+                                        kwargs['context']['expand_fields'])
+
+        super().__init__(instance, *args, **kwargs)
+
+        if 'orderposition' in self.context['expand_fields']:
+            from pretix.api.serializers.media import (
+                NestedOrderPositionSerializer,
+            )
+            self.fields['orderposition'] = NestedOrderPositionSerializer(read_only=True, context=self.context['order_context'])
+            try:
+                del self.fields['orderposition'].fields['seat']
+            except KeyError:
+                pass
+
+        if 'cartposition' in self.context['expand_fields']:
+            from pretix.api.serializers.cart import CartPositionSerializer
+            self.fields['cartposition'] = CartPositionSerializer(read_only=True)
+            del self.fields['cartposition'].fields['seat']
+
+        if 'voucher' in self.context['expand_fields']:
+            from pretix.api.serializers.voucher import VoucherSerializer
+            self.fields['voucher'] = VoucherSerializer(read_only=True)
+            del self.fields['voucher'].fields['seat']
@@ -369,7 +369,7 @@ class ItemSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
        require_membership_types = validated_data.pop('require_membership_types', [])
        limit_sales_channels = validated_data.pop('limit_sales_channels', [])
        item = Item.objects.create(**validated_data)
-        if limit_sales_channels:
+        if limit_sales_channels and not validated_data.get('all_sales_channels'):
            item.limit_sales_channels.add(*limit_sales_channels)
        if picture:
            item.picture.save(os.path.basename(picture.name), picture)
@@ -441,7 +441,22 @@ class ItemCategorySerializer(I18nAwareModelSerializer):

    class Meta:
        model = ItemCategory
-        fields = ('id', 'name', 'internal_name', 'description', 'position', 'is_addon')
+        fields = (
+            'id', 'name', 'internal_name', 'description', 'position',
+            'is_addon', 'cross_selling_mode',
+            'cross_selling_condition', 'cross_selling_match_products'
+        )
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        if full_data.get('is_addon') and full_data.get('cross_selling_mode'):
+            raise ValidationError('is_addon and cross_selling_mode are mutually exclusive')
+
+        return data


 class QuestionOptionSerializer(I18nAwareModelSerializer):
@@ -273,9 +273,15 @@ class AnswerSerializer(I18nAwareModelSerializer):


 class CheckinSerializer(I18nAwareModelSerializer):
+    device_id = serializers.SlugRelatedField(
+        source='device',
+        slug_field='device_id',
+        read_only=True,
+    )
+
    class Meta:
        model = Checkin
-        fields = ('id', 'datetime', 'list', 'auto_checked_in', 'gate', 'device', 'type')
+        fields = ('id', 'datetime', 'list', 'auto_checked_in', 'gate', 'device', 'device_id', 'type')


 class FailedCheckinSerializer(I18nAwareModelSerializer):
@@ -87,6 +87,7 @@ event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')
 event_router.register(r'blockedsecrets', order.BlockedSecretViewSet, basename='blockedsecrets')
 event_router.register(r'taxrules', event.TaxRuleViewSet)
+event_router.register(r'seats', event.SeatViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
 event_router.register(r'checkinlists', checkin.CheckinListViewSet)
 event_router.register(r'cartpositions', cart.CartPositionViewSet)
@@ -95,6 +96,9 @@ event_router.register(r'exporters', exporters.EventExportersViewSet, basename='e
 event_router.register(r'shredders', shredders.EventShreddersViewSet, basename='shredders')
 event_router.register(r'item_meta_properties', event.ItemMetaPropertiesViewSet)

+subevent_router = routers.DefaultRouter()
+subevent_router.register(r'seats', event.SeatViewSet)
+
 checkinlist_router = routers.DefaultRouter()
 checkinlist_router.register(r'positions', checkin.CheckinListPositionViewSet, basename='checkinlistpos')

@@ -132,6 +136,7 @@ urlpatterns = [
    re_path(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/settings/$', event.EventSettingsView.as_view(),
            name="event.settings"),
    re_path(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
+    re_path(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/subevents/(?P<subevent>\d+)/', include(subevent_router.urls)),
    re_path(r'^organizers/(?P<organizer>[^/]+)/teams/(?P<team>[^/]+)/', include(team_router.urls)),
    re_path(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
    re_path(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/questions/(?P<question>[^/]+)/',
@@ -377,7 +377,7 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr
                Prefetch(
                    'positions',
                    OrderPosition.objects.prefetch_related(
-                        Prefetch('checkins', queryset=Checkin.objects.all()),
+                        Prefetch('checkins', queryset=Checkin.objects.select_related('device')),
                        'item', 'variation', 'answers', 'answers__options', 'answers__question',
                    )
                )
@@ -200,6 +200,11 @@ class UpdateView(APIView):
        device.save()
        device.log_action('pretix.device.updated', data=serializer.validated_data, auth=device)

+        from ...base.signals import device_info_updated
+        device_info_updated.send(
+            sender=Device, old_device=request.auth, new_device=device
+        )
+
        serializer = DeviceSerializer(device)
        return Response(serializer.data)

@@ -40,7 +40,9 @@ from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import serializers, views, viewsets
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import (
+    NotFound, PermissionDenied, ValidationError,
+)
 from rest_framework.generics import get_object_or_404
 from rest_framework.response import Response

@@ -48,12 +50,12 @@ from pretix.api.auth.permission import EventCRUDPermission
 from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.event import (
    CloneEventSerializer, DeviceEventSettingsSerializer, EventSerializer,
-    EventSettingsSerializer, ItemMetaPropertiesSerializer, SubEventSerializer,
-    TaxRuleSerializer,
+    EventSettingsSerializer, ItemMetaPropertiesSerializer, SeatSerializer,
+    SubEventSerializer, TaxRuleSerializer,
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
-    CartPosition, Device, Event, ItemMetaProperty, SeatCategoryMapping,
+    CartPosition, Device, Event, ItemMetaProperty, Seat, SeatCategoryMapping,
    TaxRule, TeamAPIToken,
 )
 from pretix.base.models.event import SubEvent
@@ -295,7 +297,8 @@ class EventViewSet(viewsets.ModelViewSet):

            if 'all_sales_channels' in serializer.validated_data and 'sales_channels' in serializer.validated_data:
                new_event.all_sales_channels = serializer.validated_data['all_sales_channels']
-                new_event.limit_sales_channels.set(serializer.validated_data['limit_sales_channels'])
+                if not new_event.all_sales_channels:
+                    new_event.limit_sales_channels.set(serializer.validated_data['limit_sales_channels'])
        else:
            serializer.instance.set_defaults()

@@ -368,7 +371,7 @@ with scopes_disabled():

        class Meta:
            model = SubEvent
-            fields = ['active', 'event__live']
+            fields = ['is_public', 'active', 'event__live']

        def ends_after_qs(self, queryset, name, value):
            expr = Q(
@@ -667,3 +670,77 @@ class EventSettingsView(views.APIView):
                'request': request
            })
        return Response(s.data)
+
+
+class SeatFilter(FilterSet):
+    is_available = django_filters.BooleanFilter(method="is_available_qs")
+
+    def is_available_qs(self, queryset, name, value):
+        expr = (
+            Q(orderposition_id__isnull=True, cartposition_id__isnull=True, voucher_id__isnull=True)
+        )
+        if self.request.event.settings.seating_minimal_distance:
+            expr = expr & Q(has_closeby_taken=False)
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+    class Meta:
+        model = Seat
+        fields = ('zone_name', 'row_name', 'row_label', 'seat_number', 'seat_label', 'seat_guid', 'blocked',)
+
+
+class SeatViewSet(ConditionalListView, viewsets.ModelViewSet):
+    serializer_class = SeatSerializer
+    queryset = Seat.objects.none()
+    write_permission = 'can_change_event_settings'
+    filter_backends = (DjangoFilterBackend, )
+    filterset_class = SeatFilter
+
+    def get_queryset(self):
+        if self.request.event.has_subevents and 'subevent' in self.request.resolver_match.kwargs:
+            try:
+                subevent = self.request.event.subevents.get(pk=self.request.resolver_match.kwargs['subevent'])
+            except SubEvent.DoesNotExist:
+                raise NotFound('Subevent not found')
+            qs = Seat.annotated(
+                event_id=self.request.event.id,
+                subevent=subevent,
+                qs=subevent.seats.all(),
+                annotate_ids=True,
+                minimal_distance=self.request.event.settings.seating_minimal_distance,
+                distance_only_within_row=self.request.event.settings.seating_distance_only_within_row,
+            )
+        elif not self.request.event.has_subevents and 'subevent' not in self.request.resolver_match.kwargs:
+            qs = Seat.annotated(
+                event_id=self.request.event.id,
+                subevent=None,
+                qs=self.request.event.seats.all(),
+                annotate_ids=True,
+                minimal_distance=self.request.event.settings.seating_minimal_distance,
+                distance_only_within_row=self.request.event.settings.seating_distance_only_within_row,
+            )
+        else:
+            raise NotFound('Please use the subevent-specific endpoint' if self.request.event.has_subevents
+                           else 'This event has no subevents')
+
+        return qs
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['expand_fields'] = self.request.query_params.getlist('expand')
+        ctx['order_context'] = {
+            'event': self.request.event,
+            'pdf_data': None,
+        }
+        return ctx
+
+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+        serializer.instance.event.log_action(
+            "pretix.event.seats.blocks.changed",
+            user=self.request.user,
+            auth=self.request.auth,
+            data={"seats": [serializer.instance.pk]},
+        )
@@ -78,7 +78,7 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
                queryset=OrderPosition.objects.select_related(
                    'order', 'order__event', 'order__event__organizer', 'seat',
                ).prefetch_related(
-                    Prefetch('checkins', queryset=Checkin.objects.all()),
+                    Prefetch('checkins', queryset=Checkin.objects.select_related('device')),
                    'answers', 'answers__options', 'answers__question',
                )
            ),
@@ -49,6 +49,7 @@ from rest_framework.mixins import CreateModelMixin
 from rest_framework.permissions import SAFE_METHODS
 from rest_framework.response import Response

+from pretix.api.filters import MultipleCharFilter
 from pretix.api.models import OAuthAccessToken
 from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.order import (
@@ -257,7 +258,7 @@ class OrderViewSetMixin:
            return Prefetch(
                'positions',
                opq.all().prefetch_related(
-                    Prefetch('checkins', queryset=Checkin.objects.all()),
+                    Prefetch('checkins', queryset=Checkin.objects.select_related('device')),
                    Prefetch('item', queryset=self.request.event.items.prefetch_related(
                        Prefetch('meta_values', ItemMetaValue.objects.select_related('property'), to_attr='meta_values_cached')
                    )),
@@ -278,7 +279,7 @@ class OrderViewSetMixin:
            return Prefetch(
                'positions',
                opq.all().prefetch_related(
-                    Prefetch('checkins', queryset=Checkin.objects.all()),
+                    Prefetch('checkins', queryset=Checkin.objects.select_related('device')),
                    'item', 'variation',
                    Prefetch('answers', queryset=QuestionAnswer.objects.prefetch_related('options', 'question').order_by('question__position')),
                    'seat',
@@ -1091,7 +1092,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                'item_meta_properties',
            )
            qs = qs.prefetch_related(
-                Prefetch('checkins', queryset=Checkin.objects.all()),
+                Prefetch('checkins', queryset=Checkin.objects.select_related("device")),
                Prefetch('item', queryset=self.request.event.items.prefetch_related(
                    Prefetch('meta_values', ItemMetaValue.objects.select_related('property'),
                             to_attr='meta_values_cached')
@@ -1110,7 +1111,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                    Prefetch(
                        'positions',
                        qs.prefetch_related(
-                            Prefetch('checkins', queryset=Checkin.objects.all()),
+                            Prefetch('checkins', queryset=Checkin.objects.select_related('device')),
                            Prefetch('item', queryset=self.request.event.items.prefetch_related(
                                Prefetch('meta_values', ItemMetaValue.objects.select_related('property'),
                                         to_attr='meta_values_cached')
@@ -1134,7 +1135,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
            )
        else:
            qs = qs.prefetch_related(
-                Prefetch('checkins', queryset=Checkin.objects.all()),
+                Prefetch('checkins', queryset=Checkin.objects.select_related("device")),
                'answers', 'answers__options', 'answers__question',
            ).select_related(
                'item', 'order', 'order__event', 'order__event__organizer', 'seat'
@@ -1825,17 +1826,14 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
 with scopes_disabled():
    class InvoiceFilter(FilterSet):
        refers = django_filters.CharFilter(method='refers_qs')
-        number = django_filters.CharFilter(method='nr_qs')
-        order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
+        number = MultipleCharFilter(field_name='nr', lookup_expr='iexact')
+        order = MultipleCharFilter(field_name='order', lookup_expr='code__iexact')

        def refers_qs(self, queryset, name, value):
            return queryset.annotate(
                refers_nr=Concat('refers__prefix', 'refers__invoice_no')
            ).filter(refers_nr__iexact=value)

-        def nr_qs(self, queryset, name, value):
-            return queryset.filter(nr__iexact=value)
-
        class Meta:
            model = Invoice
            fields = ['order', 'number', 'is_cancellation', 'refers', 'locale']
@@ -32,13 +32,16 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

+import string
 from collections import OrderedDict
 from importlib import import_module

 from django import forms
 from django.conf import settings
 from django.contrib.auth import authenticate
-from django.utils.translation import gettext_lazy as _
+from django.contrib.auth.hashers import check_password, make_password
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext_lazy as _, ngettext


 def get_auth_backends():
@@ -160,3 +163,62 @@ class NativeAuthBackend(BaseAuthBackend):
        u = authenticate(request=request, email=form_data['email'].lower(), password=form_data['password'])
        if u and u.auth_backend == self.identifier:
            return u
+
+
+class NumericAndAlphabeticPasswordValidator:
+
+    def validate(self, password, user=None):
+        has_numeric = any(c in string.digits for c in password)
+        has_alpha = any(c in string.ascii_letters for c in password)
+        if not has_numeric or not has_alpha:
+            raise ValidationError(
+                _(
+                    "Your password must contain both numeric and alphabetic characters.",
+                ),
+                code="password_numeric_and_alphabetic",
+            )
+
+    def get_help_text(self):
+        return _(
+            "Your password must contain both numeric and alphabetic characters.",
+        )
+
+
+class HistoryPasswordValidator:
+
+    def __init__(self, history_length=4):
+        self.history_length = history_length
+
+    def validate(self, password, user=None):
+        from pretix.base.models import User
+
+        if not user or not user.pk or not isinstance(user, User):
+            return
+
+        for hp in user.historic_passwords.order_by("-created")[:self.history_length]:
+            if check_password(password, hp.password):
+                raise ValidationError(
+                    ngettext(
+                        "Your password may not be the same as your previous password.",
+                        "Your password may not be the same as one of your %(history_length)s previous passwords.",
+                        self.history_length,
+                    ),
+                    code="password_history",
+                    params={"history_length": self.history_length},
+                )
+
+    def get_help_text(self):
+        return ngettext(
+            "Your password may not be the same as your previous password.",
+            "Your password may not be the same as one of your %(history_length)s previous passwords.",
+            self.history_length,
+        ) % {"history_length": self.history_length}
+
+    def password_changed(self, password, user=None):
+        if not user:
+            pass
+
+        user.historic_passwords.create(password=make_password(password))
+        user.historic_passwords.filter(
+            pk__in=user.historic_passwords.order_by("-created")[self.history_length:].values_list("pk", flat=True),
+        ).delete()
@@ -46,6 +46,8 @@ This module contains utilities for implementing OpenID Connect for customer auth
 as well as an OpenID Provider (OP).
 """

+pretix_token_endpoint_auth_methods = ['client_secret_basic', 'client_secret_post']
+

 def _urljoin(base, path):
    if not base.endswith("/"):
@@ -127,6 +129,16 @@ def oidc_validate_and_complete_config(config):
                        fields=", ".join(provider_config.get("claims_supported", []))
                    ))

+    if "token_endpoint_auth_methods_supported" in provider_config:
+        token_endpoint_auth_methods_supported = provider_config.get("token_endpoint_auth_methods_supported",
+                                                                    ["client_secret_basic"])
+        if not any(x in pretix_token_endpoint_auth_methods for x in token_endpoint_auth_methods_supported):
+            raise ValidationError(
+                _(f'No supported Token Endpoint Auth Methods supported: {token_endpoint_auth_methods_supported}').format(
+                    token_endpoint_auth_methods_supported=", ".join(token_endpoint_auth_methods_supported)
+                )
+            )
+
    config['provider_config'] = provider_config
    return config

@@ -147,6 +159,18 @@ def oidc_authorize_url(provider, state, redirect_uri):

 def oidc_validate_authorization(provider, code, redirect_uri):
    endpoint = provider.configuration['provider_config']['token_endpoint']
+
+    # Wall of shame and RFC ignorant IDPs
+    if endpoint == 'https://www.linkedin.com/oauth/v2/accessToken':
+        token_endpoint_auth_method = 'client_secret_post'
+    else:
+        token_endpoint_auth_methods = provider.configuration['provider_config'].get(
+            'token_endpoint_auth_methods_supported', ['client_secret_basic']
+        )
+        token_endpoint_auth_method = [
+            x for x in pretix_token_endpoint_auth_methods if x in token_endpoint_auth_methods
+        ][0]
+
    params = {
        # https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
        # https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
@@ -154,6 +178,11 @@ def oidc_validate_authorization(provider, code, redirect_uri):
        'code': code,
        'redirect_uri': redirect_uri,
    }
+
+    if token_endpoint_auth_method == 'client_secret_post':
+        params['client_id'] = provider.configuration['client_id']
+        params['client_secret'] = provider.configuration['client_secret']
+
    try:
        resp = requests.post(
            endpoint,
@@ -161,7 +190,10 @@ def oidc_validate_authorization(provider, code, redirect_uri):
            headers={
                'Accept': 'application/json',
            },
-            auth=(provider.configuration['client_id'], provider.configuration['client_secret']),
+            auth=(
+                provider.configuration['client_id'],
+                provider.configuration['client_secret']
+            ) if token_endpoint_auth_method == 'client_secret_basic' else None,
        )
        resp.raise_for_status()
        data = resp.json()
@@ -207,10 +207,13 @@ class ListExporter(BaseExporter):
    def get_filename(self):
        return 'export'

+    def get_csv_encoding(self):
+        return 'utf-8'
+
    def _render_csv(self, form_data, output_file=None, **kwargs):
        if output_file:
            if 'b' in output_file.mode:
-                output_file = io.TextIOWrapper(output_file, encoding='utf-8', newline='')
+                output_file = io.TextIOWrapper(output_file, encoding=self.get_csv_encoding(), errors='replace', newline='')
            writer = csv.writer(output_file, **kwargs)
            total = 0
            counter = 0
@@ -246,7 +249,7 @@ class ListExporter(BaseExporter):
                    if counter % max(10, total // 100) == 0:
                        self.progress_callback(counter / total * 100)
                writer.writerow(line)
-            return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+            return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode(self.get_csv_encoding(), errors='replace')

    def prepare_xlsx_sheet(self, ws):
        pass
@@ -1122,6 +1122,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):

        if event.settings.invoice_address_custom_field:
            self.fields['custom_field'].label = event.settings.invoice_address_custom_field
+            self.fields['custom_field'].help_text = event.settings.invoice_address_custom_field_helptext
        else:
            del self.fields['custom_field']

@@ -38,6 +38,7 @@ from datetime import datetime
 from django import forms
 from django.utils.formats import get_format
 from django.utils.functional import lazy
+from django.utils.html import escape
 from django.utils.timezone import get_current_timezone, now
 from django.utils.translation import gettext_lazy as _

@@ -64,7 +65,7 @@ def format_placeholders_help_text(placeholders, event=None):
    placeholders = [(k, v.render_sample(event) if event else v) for k, v in placeholders.items()]
    placeholders.sort(key=lambda x: x[0])
    phs = [
-        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (_("Sample: %s") % v if v else "", k)
+        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(_("Sample: %s") % v) if v else "", escape(k))
        for k, v in placeholders
    ]
    return _('Available placeholders: {list}').format(
@@ -36,6 +36,7 @@ import time
 import traceback

 from django.conf import settings
+from django.core.cache import cache
 from django.core.management.base import BaseCommand
 from django.dispatch.dispatcher import NO_RECEIVERS

@@ -50,17 +51,23 @@ class Command(BaseCommand):
    def add_arguments(self, parser):
        parser.add_argument('--tasks', action='store', type=str, help='Only execute the tasks with this name '
                                                                      '(dotted path, comma separation)')
+        parser.add_argument('--list-tasks', action='store_true', help='Only list all tasks')
        parser.add_argument('--exclude', action='store', type=str, help='Exclude the tasks with this name '
                                                                        '(dotted path, comma separation)')

    def handle(self, *args, **options):
        verbosity = int(options['verbosity'])

+        cache.set("pretix_runperiodic_executed", True, 3600 * 12)
+
        if not periodic_task.receivers or periodic_task.sender_receivers_cache.get(self) is NO_RECEIVERS:
            return

        for receiver in periodic_task._live_receivers(self):
            name = f'{receiver.__module__}.{receiver.__name__}'
+            if options['list_tasks']:
+                print(name)
+                continue
            if options.get('tasks'):
                if name not in options.get('tasks').split(','):
                    continue
@@ -0,0 +1,36 @@
+# Generated by Django 4.2.15 on 2024-09-16 15:10
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0269_order_api_meta"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="HistoricPassword",
+            fields=[
+                (
+                    "id",
+                    models.BigAutoField(
+                        auto_created=True, primary_key=True, serialize=False
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("password", models.CharField(max_length=128)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="historic_passwords",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+        ),
+    ]
@@ -0,0 +1,32 @@
+# Generated by Django 4.2.11 on 2024-05-27 13:19
+
+from django.db import migrations, models
+
+import pretix.base.models.orders
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0270_historicpassword"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="itemcategory",
+            name="cross_selling_condition",
+            field=models.CharField(null=True, max_length=10),
+        ),
+        migrations.AddField(
+            model_name="itemcategory",
+            name="cross_selling_mode",
+            field=models.CharField(null=True, max_length=5),
+        ),
+        migrations.AddField(
+            model_name="itemcategory",
+            name="cross_selling_match_products",
+            field=models.ManyToManyField(
+                related_name="matched_by_cross_selling_categories", to="pretixbase.item"
+            ),
+        ),
+    ]
@@ -213,7 +213,13 @@ class DatetimeColumnMixin:
            except (ValueError, TypeError):
                pass
        else:
-            raise ValidationError(_("Could not parse {value} as a date and time.").format(value=value))
+            try:
+                d = datetime.datetime.fromisoformat(value)
+                if not d.tzinfo:
+                    d = d.replace(tzinfo=self.timezone)
+                return d
+            except (ValueError, TypeError):
+                raise ValidationError(_("Could not parse {value} as a date and time.").format(value=value))


 class DecimalColumnMixin:
@@ -40,8 +40,8 @@ from phonenumbers import SUPPORTED_REGIONS

 from pretix.base.forms.questions import guess_country
 from pretix.base.modelimport import (
-    DatetimeColumnMixin, DecimalColumnMixin, ImportColumn, SubeventColumnMixin,
-    i18n_flat,
+    BooleanColumnMixin, DatetimeColumnMixin, DecimalColumnMixin, ImportColumn,
+    SubeventColumnMixin, i18n_flat,
 )
 from pretix.base.models import (
    Customer, ItemVariation, OrderPosition, Question, QuestionAnswer,
@@ -604,6 +604,22 @@ class Comment(ImportColumn):
        order.comment = value or ''


+class CheckinAttentionColumn(BooleanColumnMixin, ImportColumn):
+    identifier = 'checkin_attention'
+    verbose_name = gettext_lazy('Requires special attention')
+
+    def assign(self, value, order, position, invoice_address, **kwargs):
+        order.checkin_attention = value
+
+
+class CheckinTextColumn(ImportColumn):
+    identifier = 'checkin_text'
+    verbose_name = gettext_lazy('Check-in text')
+
+    def assign(self, value, order, position, invoice_address, **kwargs):
+        order.checkin_text = value
+
+
 class QuestionColumn(ImportColumn):
    def __init__(self, event, q):
        self.q = q
@@ -742,6 +758,8 @@ def get_order_import_columns(event):
        ValidUntil(event),
        Locale(event),
        Saleschannel(event),
+        CheckinAttentionColumn(event),
+        CheckinTextColumn(event),
        Expires(event),
        Comment(event),
    ]
@@ -571,13 +571,23 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):

    def get_session_auth_hash(self):
        """
-        Return an HMAC that needs to
+        Return an HMAC that needs to be the same throughout the session, used e.g. for forced
+        logout after every password change.
+        """
+        return self._get_session_auth_hash(secret=settings.SECRET_KEY)
+
+    def get_session_auth_fallback_hash(self):
+        for fallback_secret in settings.SECRET_KEY_FALLBACKS:
+            yield self._get_session_auth_hash(secret=fallback_secret)
+
+    def _get_session_auth_hash(self, secret):
+        """
        """
        key_salt = "pretix.base.models.User.get_session_auth_hash"
        payload = self.password
        payload += self.email
        payload += self.session_token
-        return salted_hmac(key_salt, payload).hexdigest()
+        return salted_hmac(key_salt, payload, secret=secret).hexdigest()

    def update_session_token(self):
        self.session_token = generate_session_token()
@@ -654,3 +664,9 @@ class WebAuthnDevice(Device):
    @property
    def webauthnpubkey(self):
        return websafe_decode(self.pub_key)
+
+
+class HistoricPassword(models.Model):
+    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="historic_passwords")
+    created = models.DateTimeField(auto_now_add=True)
+    password = models.CharField(verbose_name=_("Password"), max_length=128)
@@ -102,9 +102,9 @@ class CheckinList(LoggedModel):
    auto_checkin_sales_channels = models.ManyToManyField(
        "SalesChannel",
        verbose_name=_('Sales channels to automatically check in'),
-        help_text=_('All items on this check-in list will be automatically marked as checked-in when purchased through '
-                    'any of the selected sales channels. This option can be useful when tickets sold at the box office '
-                    'are not checked again before entry and should be considered validated directly upon purchase.'),
+        help_text=_('This option is deprecated and will be removed in the next months. As a replacement, our new plugin '
+                    '"Auto check-in" can be used. When we remove this option, we will automatically migrate your event '
+                    'to use the new plugin.'),
        blank=True,
    )
    rules = models.JSONField(default=dict, blank=True)
@@ -219,13 +219,24 @@ class Customer(LoggedModel):
        return is_password_usable(self.password)

    def get_session_auth_hash(self):
+        """
+        Return an HMAC that needs to be the same throughout the session, used e.g. for forced
+        logout after every password change.
+        """
+        return self._get_session_auth_hash(secret=settings.SECRET_KEY)
+
+    def get_session_auth_fallback_hash(self):
+        for fallback_secret in settings.SECRET_KEY_FALLBACKS:
+            yield self._get_session_auth_hash(secret=fallback_secret)
+
+    def _get_session_auth_hash(self, secret):
        """
        Return an HMAC of the password field.
        """
        key_salt = "pretix.base.models.customers.Customer.get_session_auth_hash"
        payload = self.password
        payload += self.email
-        return salted_hmac(key_salt, payload).hexdigest()
+        return salted_hmac(key_salt, payload, secret=secret).hexdigest()

    def get_email_context(self):
        from pretix.base.settings import get_name_parts_localized
@@ -20,11 +20,11 @@
 # <https://www.gnu.org/licenses/>.
 #

-from collections import defaultdict
+from collections import defaultdict, namedtuple
 from decimal import Decimal
 from itertools import groupby
-from math import ceil
-from typing import Dict, Optional, Tuple
+from math import ceil, inf
+from typing import Dict

 from django.core.exceptions import ValidationError
 from django.core.validators import MinValueValidator
@@ -36,6 +36,8 @@ from django_scopes import ScopedManager
 from pretix.base.decimal import round_decimal
 from pretix.base.models.base import LoggedModel

+PositionInfo = namedtuple('PositionInfo', ['item_id', 'subevent_id', 'line_price_gross', 'is_addon_to', 'voucher_discount'])
+

 class Discount(LoggedModel):
    SUBEVENT_MODE_MIXED = 'mixed'
@@ -245,22 +247,26 @@ class Discount(LoggedModel):
            return False
        return True

-    def _apply_min_value(self, positions, condition_idx_group, benefit_idx_group, result):
-        if self.condition_min_value and sum(positions[idx][2] for idx in condition_idx_group) < self.condition_min_value:
+    def _apply_min_value(self, positions, condition_idx_group, benefit_idx_group, result, collect_potential_discounts, subevent_id):
+        if self.condition_min_value and sum(positions[idx].line_price_gross for idx in condition_idx_group) < self.condition_min_value:
            return

        if self.condition_min_count or self.benefit_only_apply_to_cheapest_n_matches:
            raise ValueError('Validation invariant violated.')

        for idx in benefit_idx_group:
-            previous_price = positions[idx][2]
+            previous_price = positions[idx].line_price_gross
            new_price = round_decimal(
                previous_price * (Decimal('100.00') - self.benefit_discount_matching_percent) / Decimal('100.00'),
                self.event.currency,
            )
            result[idx] = new_price

-    def _apply_min_count(self, positions, condition_idx_group, benefit_idx_group, result):
+        if collect_potential_discounts is not None:
+            for idx in condition_idx_group:
+                collect_potential_discounts[idx] = [(self, inf, -1, subevent_id)]
+
+    def _apply_min_count(self, positions, condition_idx_group, benefit_idx_group, result, collect_potential_discounts, subevent_id):
        if len(condition_idx_group) < self.condition_min_count:
            return

@@ -268,23 +274,53 @@ class Discount(LoggedModel):
            raise ValueError('Validation invariant violated.')

        if self.benefit_only_apply_to_cheapest_n_matches:
-            if not self.condition_min_count:
-                raise ValueError('Validation invariant violated.')
-
-            condition_idx_group = sorted(condition_idx_group, key=lambda idx: (positions[idx][2], -idx))  # sort by line_price
-            benefit_idx_group = sorted(benefit_idx_group, key=lambda idx: (positions[idx][2], -idx))  # sort by line_price
+            # sort by line_price
+            condition_idx_group = sorted(condition_idx_group, key=lambda idx: (positions[idx].line_price_gross, -idx))
+            benefit_idx_group = sorted(benefit_idx_group, key=lambda idx: (positions[idx].line_price_gross, -idx))

            # Prevent over-consuming of items, i.e. if our discount is "buy 2, get 1 free", we only
            # want to match multiples of 3
-            n_groups = min(len(condition_idx_group) // self.condition_min_count, ceil(len(benefit_idx_group) / self.benefit_only_apply_to_cheapest_n_matches))
+
+            # how many discount applications are allowed according to condition products in cart
+            possible_applications_cond = len(condition_idx_group) // self.condition_min_count
+
+            # how many discount applications are possible according to benefitting products in cart
+            possible_applications_benefit = ceil(len(benefit_idx_group) / self.benefit_only_apply_to_cheapest_n_matches)
+
+            n_groups = min(possible_applications_cond, possible_applications_benefit)
            consume_idx = condition_idx_group[:n_groups * self.condition_min_count]
            benefit_idx = benefit_idx_group[:n_groups * self.benefit_only_apply_to_cheapest_n_matches]
+
+            if collect_potential_discounts is not None:
+                if n_groups * self.benefit_only_apply_to_cheapest_n_matches > len(benefit_idx_group):
+                    # partially used discount ("for each 1 ticket you buy, get 50% on 2 t-shirts", cart content: 1 ticket
+                    # but only 1 t-shirt) -> 1 shirt definitiv potential discount
+                    for idx in consume_idx:
+                        collect_potential_discounts[idx] = [
+                            (self, n_groups * self.benefit_only_apply_to_cheapest_n_matches - len(benefit_idx_group), -1, subevent_id)
+                        ]
+
+                if possible_applications_cond * self.benefit_only_apply_to_cheapest_n_matches > len(benefit_idx_group):
+                    # unused discount ("for each 1 ticket you buy, get 50% on 2 t-shirts", cart content: 1 ticket
+                    # but 0 t-shirts) -> 2 shirt maybe potential discount (if the 1 ticket is not consumed by a later discount)
+                    for i, idx in enumerate(condition_idx_group[
+                                            n_groups * self.condition_min_count:
+                                            possible_applications_cond * self.condition_min_count
+                                            ]):
+                        collect_potential_discounts[idx] += [
+                            (self, self.benefit_only_apply_to_cheapest_n_matches, i // self.condition_min_count, subevent_id)
+                        ]
+
        else:
            consume_idx = condition_idx_group
            benefit_idx = benefit_idx_group

+            if collect_potential_discounts is not None:
+                for idx in consume_idx:
+                    collect_potential_discounts[idx] = [(self, inf, -1, subevent_id)]
+
        for idx in benefit_idx:
-            previous_price = positions[idx][2]
+            previous_price = positions[idx].line_price_gross
            new_price = round_decimal(
                previous_price * (Decimal('100.00') - self.benefit_discount_matching_percent) / Decimal('100.00'),
                self.event.currency,
@@ -292,15 +328,16 @@ class Discount(LoggedModel):
            result[idx] = new_price

        for idx in consume_idx:
-            result.setdefault(idx, positions[idx][2])
+            result.setdefault(idx, positions[idx].line_price_gross)

-    def apply(self, positions: Dict[int, Tuple[int, Optional[int], Decimal, bool, Decimal]]) -> Dict[int, Decimal]:
+    def apply(self, positions: Dict[int, PositionInfo],
+              collect_potential_discounts=None) -> Dict[int, Decimal]:
        """
        Tries to apply this discount to a cart

-        :param positions: Dictionary mapping IDs to tuples of the form
-                          ``(item_id, subevent_id, line_price_gross, is_addon_to, voucher_discount)``.
+        :param positions: Dictionary mapping IDs to PositionInfo tuples.
                          Bundled positions may not be included.
+        :param collect_potential_discounts: For detailed description, see pretix.base.services.pricing.apply_discounts

        :return: A dictionary mapping keys from the input dictionary to new prices. All positions
                 contained in this dictionary are considered "consumed" and should not be considered
@@ -342,13 +379,13 @@ class Discount(LoggedModel):

        if self.subevent_mode == self.SUBEVENT_MODE_MIXED:  # also applies to non-series events
            if self.condition_min_count:
-                self._apply_min_count(positions, condition_candidates, benefit_candidates, result)
+                self._apply_min_count(positions, condition_candidates, benefit_candidates, result, collect_potential_discounts, None)
            else:
-                self._apply_min_value(positions, condition_candidates, benefit_candidates, result)
+                self._apply_min_value(positions, condition_candidates, benefit_candidates, result, collect_potential_discounts, None)

        elif self.subevent_mode == self.SUBEVENT_MODE_SAME:
            def key(idx):
-                return positions[idx][1] or 0  # subevent_id
+                return positions[idx].subevent_id or 0

            # Build groups of candidates with the same subevent, then apply our regular algorithm
            # to each group
@@ -357,11 +394,11 @@ class Discount(LoggedModel):
            candidate_groups = [(k, list(g)) for k, g in _groups]

            for subevent_id, g in candidate_groups:
-                benefit_g = [idx for idx in benefit_candidates if positions[idx][1] == subevent_id]
+                benefit_g = [idx for idx in benefit_candidates if positions[idx].subevent_id == subevent_id]
                if self.condition_min_count:
-                    self._apply_min_count(positions, g, benefit_g, result)
+                    self._apply_min_count(positions, g, benefit_g, result, collect_potential_discounts, subevent_id)
                else:
-                    self._apply_min_value(positions, g, benefit_g, result)
+                    self._apply_min_value(positions, g, benefit_g, result, collect_potential_discounts, subevent_id)

        elif self.subevent_mode == self.SUBEVENT_MODE_DISTINCT:
            if self.condition_min_value or not self.benefit_same_products:
@@ -377,9 +414,9 @@ class Discount(LoggedModel):
            # Build a list of subevent IDs in descending order of frequency
            subevent_to_idx = defaultdict(list)
            for idx, p in positions.items():
-                subevent_to_idx[p[1]].append(idx)
+                subevent_to_idx[p.subevent_id].append(idx)
            for v in subevent_to_idx.values():
-                v.sort(key=lambda idx: positions[idx][2])
+                v.sort(key=lambda idx: positions[idx].line_price_gross)
            subevent_order = sorted(list(subevent_to_idx.keys()), key=lambda s: len(subevent_to_idx[s]), reverse=True)

            # Build groups of exactly condition_min_count distinct subevents
@@ -394,7 +431,7 @@ class Discount(LoggedModel):
                    l = [ll for ll in l if ll in condition_candidates and ll not in current_group]
                    if cardinality and len(l) != cardinality:
                        continue
-                    if se not in {positions[idx][1] for idx in current_group}:
+                    if se not in {positions[idx].subevent_id for idx in current_group}:
                        candidates += l
                        cardinality = len(l)

@@ -403,7 +440,7 @@ class Discount(LoggedModel):

                # Sort the list by prices, then pick one. For "buy 2 get 1 free" we apply a "pick 1 from the start
                # and 2 from the end" scheme to optimize price distribution among groups
-                candidates = sorted(candidates, key=lambda idx: positions[idx][2])
+                candidates = sorted(candidates, key=lambda idx: positions[idx].line_price_gross)
                if len(current_group) < (self.benefit_only_apply_to_cheapest_n_matches or 0):
                    candidate = candidates[0]
                else:
@@ -415,14 +452,14 @@ class Discount(LoggedModel):
                if len(current_group) >= max(self.condition_min_count, 1):
                    candidate_groups.append(current_group)
                    for c in current_group:
-                        subevent_to_idx[positions[c][1]].remove(c)
+                        subevent_to_idx[positions[c].subevent_id].remove(c)
                    current_group = []

            # Distribute "leftovers"
            for se in subevent_order:
                if subevent_to_idx[se]:
                    for group in candidate_groups:
-                        if se not in {positions[idx][1] for idx in group}:
+                        if se not in {positions[idx].subevent_id for idx in group}:
                            group.append(subevent_to_idx[se].pop())
                            if not subevent_to_idx[se]:
                                break
@@ -432,6 +469,8 @@ class Discount(LoggedModel):
                    positions,
                    [idx for idx in g if idx in condition_candidates],
                    [idx for idx in g if idx in benefit_candidates],
-                    result
+                    result,
+                    None,
+                    None
                )
        return result
@@ -60,7 +60,6 @@ from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.formats import date_format
 from django.utils.functional import cached_property
-from django.utils.html import format_html
 from django.utils.timezone import make_aware, now
 from django.utils.translation import gettext, gettext_lazy as _
 from django_scopes import ScopedManager, scopes_disabled
@@ -180,14 +179,10 @@ class EventMixin:
        """
        tz = tz or self.timezone
        if (not self.settings.show_date_to and not force_show_end) or not self.date_to:
-            if as_html:
-                return format_html(
-                    "<time datetime=\"{}\">{}</time>",
-                    _date(self.date_from.astimezone(tz), "Y-m-d"),
-                    _date(self.date_from.astimezone(tz), "DATE_FORMAT"),
-                )
-            return _date(self.date_from.astimezone(tz), "DATE_FORMAT")
-        return daterange(self.date_from.astimezone(tz), self.date_to.astimezone(tz), as_html)
+            df, dt = self.date_from, self.date_from
+        else:
+            df, dt = self.date_from, self.date_to
+        return daterange(df.astimezone(tz), dt.astimezone(tz), as_html)

    def get_date_range_display_as_html(self, tz=None, force_show_end=False) -> str:
        return self.get_date_range_display(tz, force_show_end, as_html=True)
@@ -875,10 +870,12 @@ class Event(EventMixin, LoggedModel):
        for i in Item.objects.filter(event=other).prefetch_related(
            'variations', 'limit_sales_channels', 'require_membership_types',
            'variations__limit_sales_channels', 'variations__require_membership_types',
+            'matched_by_cross_selling_categories',
        ):
            vars = list(i.variations.all())
            require_membership_types = list(i.require_membership_types.all())
            limit_sales_channels = list(i.limit_sales_channels.all())
+            matched_by_cross_selling_categories = list(i.matched_by_cross_selling_categories.all())
            item_map[i.pk] = i
            i.pk = None
            i.event = self
@@ -916,6 +913,9 @@ class Event(EventMixin, LoggedModel):
                if not v.all_sales_channels:
                    v.limit_sales_channels.set(self.organizer.sales_channels.filter(identifier__in=[s.identifier for s in limit_sales_channels]))

+            if matched_by_cross_selling_categories:
+                i.matched_by_cross_selling_categories.set([category_map[c.pk] for c in matched_by_cross_selling_categories])
+
        for i in self.items.filter(hidden_if_item_available__isnull=False):
            i.hidden_if_item_available = item_map[i.hidden_if_item_available_id]
            i.save()
@@ -63,14 +63,13 @@ from django_countries.fields import Country
 from django_scopes import ScopedManager
 from i18nfield.fields import I18nCharField, I18nTextField

+from pretix.base.media import MEDIA_TYPES
+from pretix.base.models import Event, SubEvent
 from pretix.base.models.base import LoggedModel
 from pretix.base.models.fields import MultiStringField
 from pretix.base.models.tax import TaxedPrice
 from pretix.base.timemachine import time_machine_now
-
-from ...helpers.images import ImageSizeValidator
-from ..media import MEDIA_TYPES
-from .event import Event, SubEvent
+from pretix.helpers.images import ImageSizeValidator


 class ItemCategory(LoggedModel):
@@ -111,6 +110,33 @@ class ItemCategory(LoggedModel):
                    'only be bought in combination with a product that has this category configured as a possible '
                    'source for add-ons.')
    )
+    CROSS_SELLING_MODES = (
+        (None, _('Normal category')),
+        ('both', _('Normal + cross-selling category')),
+        ('only', _('Cross-selling category')),
+    )
+    cross_selling_mode = models.CharField(
+        choices=CROSS_SELLING_MODES,
+        null=True,
+        max_length=5
+    )
+    CROSS_SELLING_CONDITION = (
+        ('always', _('Always show in cross-selling step')),
+        ('discounts', _('Only show products that qualify for a discount according to discount rules')),
+        ('products', _('Only show if the cart contains one of the following products')),
+    )
+    cross_selling_condition = models.CharField(
+        verbose_name=_("Cross-selling condition"),
+        choices=CROSS_SELLING_CONDITION,
+        null=True,
+        max_length=10,
+    )
+    cross_selling_match_products = models.ManyToManyField(
+        'pretixbase.Item',
+        blank=True,
+        verbose_name=_("Cross-selling condition products"),
+        related_name="matched_by_cross_selling_categories",
+    )

    class Meta:
        verbose_name = _("Product category")
@@ -119,19 +145,31 @@ class ItemCategory(LoggedModel):

    def __str__(self):
        name = self.internal_name or self.name
-        if self.is_addon:
-            return _('{category} (Add-On products)').format(category=str(name))
+        if self.category_type != 'normal':
+            return _('{category} ({category_type})').format(category=str(name),
+                                                            category_type=self.get_category_type_display())
        return str(name)

    def get_category_type_display(self):
        if self.is_addon:
-            return _('Add-On products')
+            return _('Add-on category')
+        elif self.cross_selling_mode:
+            return self.get_cross_selling_mode_display()
        else:
-            return None
+            return _('Normal category')

    @property
    def category_type(self):
-        return 'addon' if self.is_addon else 'normal'
+        return 'addon' if self.is_addon else self.cross_selling_mode or 'normal'
+
+    @category_type.setter
+    def category_type(self, new_value):
+        if new_value == 'addon':
+            self.is_addon = True
+            self.cross_selling_mode = None
+        else:
+            self.is_addon = False
+            self.cross_selling_mode = None if new_value == 'normal' else new_value

    def delete(self, *args, **kwargs):
        super().delete(*args, **kwargs)
@@ -270,7 +308,7 @@ class SubEventItemVariation(models.Model):
        return True


-def filter_available(qs, channel='web', voucher=None, allow_addons=False):
+def filter_available(qs, channel='web', voucher=None, allow_addons=False, allow_cross_sell=False):
    # Channel can currently be a SalesChannel or a str, since we need that compatibility, but a SalesChannel
    # makes the query SIGNIFICANTLY faster
    from .organizer import SalesChannel
@@ -291,6 +329,8 @@ def filter_available(qs, channel='web', voucher=None, allow_addons=False):

    if not allow_addons:
        q &= Q(Q(category__isnull=True) | Q(category__is_addon=False))
+    if not allow_cross_sell:
+        q &= Q(Q(category__isnull=True) | ~Q(category__cross_selling_mode='only'))

    if voucher:
        if voucher.item_id:
@@ -304,8 +344,8 @@ def filter_available(qs, channel='web', voucher=None, allow_addons=False):


 class ItemQuerySet(models.QuerySet):
-    def filter_available(self, channel='web', voucher=None, allow_addons=False):
-        return filter_available(self, channel, voucher, allow_addons)
+    def filter_available(self, channel='web', voucher=None, allow_addons=False, allow_cross_sell=False):
+        return filter_available(self, channel, voucher, allow_addons, allow_cross_sell)


 class ItemQuerySetManager(ScopedManager(organizer='event__organizer').__class__):
@@ -313,8 +353,8 @@ class ItemQuerySetManager(ScopedManager(organizer='event__organizer').__class__)
        super().__init__()
        self._queryset_class = ItemQuerySet

-    def filter_available(self, channel='web', voucher=None, allow_addons=False):
-        return filter_available(self.get_queryset(), channel, voucher, allow_addons)
+    def filter_available(self, channel='web', voucher=None, allow_addons=False, allow_cross_sell=False):
+        return filter_available(self.get_queryset(), channel, voucher, allow_addons, allow_cross_sell)


 class Item(LoggedModel):
@@ -40,6 +40,7 @@ import json
 import logging
 import operator
 import string
+import warnings
 from collections import Counter
 from datetime import datetime, time, timedelta
 from decimal import Decimal
@@ -381,8 +382,28 @@ class Order(LockModel, LoggedModel):
        self.event.cache.delete('complain_testmode_orders')
        self.delete()

+    def email_confirm_secret(self):
+        return self.tagged_secret("email_confirm", 9)
+
    def email_confirm_hash(self):
-        return hashlib.sha256(settings.SECRET_KEY.encode() + self.secret.encode()).hexdigest()[:9]
+        warnings.warn('Use email_confirm_secret() instead of email_confirm_hash().',
+                      DeprecationWarning)
+        return self.email_confirm_secret()
+
+    def check_email_confirm_secret(self, received_secret):
+        return (
+            hmac.compare_digest(
+                self.tagged_secret("email_confirm", 9),
+                received_secret[:9].lower()
+            ) or any(
+                # TODO: remove this clause after a while (compatibility with old secrets currently in flight)
+                hmac.compare_digest(
+                    hashlib.sha256(sk.encode() + self.secret.encode()).hexdigest()[:9],
+                    received_secret
+                )
+                for sk in [settings.SECRET_KEY, *settings.SECRET_KEY_FALLBACKS]
+            )
+        )

    def get_extended_status_display(self):
        # Changes in this method should to be replicated in pretixcontrol/orders/fragment_order_status.html
@@ -2835,6 +2856,14 @@ class OrderPosition(AbstractPosition):
            (self.order.event.settings.change_allow_user_addons and ItemAddOn.objects.filter(base_item_id__in=[op.item_id for op in positions]).exists())
        )

+    @property
+    def code(self):
+        """
+        A ticket code which is unique among all events of a single organizer,
+        built by the order code and the position number.
+        """
+        return '{order_code}-{position}'.format(order_code=self.order.code, position=self.positionid)
+

 class Transaction(models.Model):
    """
@@ -185,7 +185,7 @@ class Seat(models.Model):

    @classmethod
    def annotated(cls, qs, event_id, subevent, ignore_voucher_id=None, minimal_distance=0,
-                  ignore_order_id=None, ignore_cart_id=None, distance_only_within_row=False):
+                  ignore_order_id=None, ignore_cart_id=None, distance_only_within_row=False, annotate_ids=False):
        from . import CartPosition, Order, OrderPosition, Voucher

        vqs = Voucher.objects.filter(
@@ -214,17 +214,24 @@ class Seat(models.Model):
        )
        if ignore_cart_id:
            cqs = cqs.exclude(cart_id=ignore_cart_id)
-        qs_annotated = qs.annotate(
-            has_order=Exists(
-                opqs
-            ),
-            has_cart=Exists(
-                cqs
-            ),
-            has_voucher=Exists(
-                vqs
+        if annotate_ids:
+            qs_annotated = qs.annotate(
+                orderposition_id=Subquery(opqs.values('id')),
+                cartposition_id=Subquery(cqs.values('id')),
+                voucher_id=Subquery(vqs.values('id')),
+            )
+        else:
+            qs_annotated = qs.annotate(
+                has_order=Exists(
+                    opqs
+                ),
+                has_cart=Exists(
+                    cqs
+                ),
+                has_voucher=Exists(
+                    vqs
+                )
            )
-        )

        if minimal_distance > 0:
            # TODO: Is there a more performant implementation on PostgreSQL using
@@ -235,7 +242,11 @@ class Seat(models.Model):
                    Power(F('y') - OuterRef('y'), Value(2), output_field=models.FloatField())
                )
            ).filter(
-                Q(has_order=True) | Q(has_cart=True) | Q(has_voucher=True),
+                (
+                    (Q(orderposition_id__isnull=False) | Q(cartposition_id__isnull=False) | Q(voucher_id__isnull=False))
+                    if annotate_ids else
+                    (Q(has_order=True) | Q(has_cart=True) | Q(has_voucher=True))
+                ),
                distance__lt=minimal_distance ** 2
            )
            if distance_only_within_row:
@@ -29,6 +29,8 @@ from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
 from django.utils.deconstruct import deconstructible
 from django.utils.formats import localize
+from django.utils.functional import lazy
+from django.utils.html import format_html
 from django.utils.translation import gettext_lazy as _, pgettext
 from i18nfield.fields import I18nCharField
 from i18nfield.strings import LazyI18nString
@@ -120,6 +122,8 @@ EU_CURRENCIES = {
 }
 VAT_ID_COUNTRIES = EU_COUNTRIES | {'CH', 'NO'}

+format_html_lazy = lazy(format_html, str)
+

 def is_eu_country(cc):
    cc = str(cc)
@@ -193,11 +197,17 @@ class TaxRule(LoggedModel):
    eu_reverse_charge = models.BooleanField(
        verbose_name=_("Use EU reverse charge taxation rules"),
        default=False,
-        help_text=_("Not recommended. Most events will NOT be qualified for reverse charge since the place of "
-                    "taxation is the location of the event. This option disables charging VAT for all customers "
-                    "outside the EU and for business customers in different EU countries who entered a valid EU VAT "
-                    "ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax "
-                    "calculation. USE AT YOUR OWN RISK.")
+        help_text=format_html_lazy(
+            '<span class="label label-warning" data-toggle="tooltip" title="{}">{}</span> {}',
+            _('This feature will be removed in the future as it does not handle VAT for non-business customers in '
+              'other EU countries in a way that works for all organizers. Use custom rules instead.'),
+            _('DEPRECATED'),
+            _("Not recommended. Most events will NOT be qualified for reverse charge since the place of "
+              "taxation is the location of the event. This option disables charging VAT for all customers "
+              "outside the EU and for business customers in different EU countries who entered a valid EU VAT "
+              "ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax "
+              "calculation. USE AT YOUR OWN RISK.")
+        ),
    )
    home_country = FastCountryField(
        verbose_name=_('Merchant country'),
@@ -294,10 +304,24 @@ class TaxRule(LoggedModel):
                    subtract_from_gross = Decimal('0.00')
                rate = adjust_rate

+        def _limit_subtract(base_price, subtract_from_gross):
+            if not subtract_from_gross:
+                return base_price
+            if base_price >= Decimal('0.00'):
+                # For positive prices, make sure they don't go negative because of bundles
+                return max(Decimal('0.00'), base_price - subtract_from_gross)
+            else:
+                # If the price is already negative, we don't really care any more
+                return base_price - subtract_from_gross
+
        if rate == Decimal('0.00'):
+            gross = _limit_subtract(base_price, subtract_from_gross)
            return TaxedPrice(
-                net=base_price - subtract_from_gross, gross=base_price - subtract_from_gross, tax=Decimal('0.00'),
-                rate=rate, name=self.name
+                net=gross,
+                gross=gross,
+                tax=Decimal('0.00'),
+                rate=rate,
+                name=self.name,
            )

        if base_price_is == 'auto':
@@ -307,19 +331,14 @@ class TaxRule(LoggedModel):
                base_price_is = 'net'

        if base_price_is == 'gross':
-            if base_price >= Decimal('0.00'):
-                # For positive prices, make sure they don't go negative because of bundles
-                gross = max(Decimal('0.00'), base_price - subtract_from_gross)
-            else:
-                # If the price is already negative, we don't really care any more
-                gross = base_price - subtract_from_gross
+            gross = _limit_subtract(base_price, subtract_from_gross)
            net = round_decimal(gross - (gross * (1 - 100 / (100 + rate))),
                                currency)
        elif base_price_is == 'net':
            net = base_price
            gross = round_decimal((net * (1 + rate / 100)), currency)
            if subtract_from_gross:
-                gross -= subtract_from_gross
+                gross = _limit_subtract(gross, subtract_from_gross)
                net = round_decimal(gross - (gross * (1 - 100 / (100 + rate))),
                                    currency)
        else:
@@ -587,7 +587,7 @@ class BasePaymentProvider:
            return rel_date.datetime(self.event).date()

    def _is_available_by_time(self, now_dt=None, cart_id=None, order=None):
-        now_dt = now_dt or now()
+        now_dt = now_dt or time_machine_now()
        tz = ZoneInfo(self.event.settings.timezone)

        try:
@@ -956,7 +956,7 @@ class Renderer:
            )
            canvas.restoreState()

-    def _draw_textarea(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
+    def _text_paragraph(self, op: OrderPosition, order: Order, o: dict, legacy_lineheight=False, override_fontsize=None):
        font = o['fontfamily']

        # Since pdfmetrics.registerFont is global, we want to make sure that no one tries to sneak in a font, they
@@ -970,12 +970,13 @@ class Renderer:
        if o['italic']:
            font += ' I'

+        fontsize = override_fontsize if override_fontsize is not None else float(o['fontsize'])
        try:
-            ad = getAscentDescent(font, float(o['fontsize']))
+            ad = getAscentDescent(font, fontsize)
        except KeyError:  # font not known, fall back
            logger.warning(f'Use of unknown font "{font}"')
            font = 'Open Sans'
-            ad = getAscentDescent(font, float(o['fontsize']))
+            ad = getAscentDescent(font, fontsize)

        align_map = {
            'left': TA_LEFT,
@@ -985,16 +986,17 @@ class Renderer:
        # lineheight display differs from browser canvas. This calc is just empirical values to get
        # reportlab render similarly to browser canvas.
        # for backwards compatability use „uncorrected“ lineheight of 1.0 instead of 1.15
-        lineheight = float(o['lineheight']) * 1.15 if 'lineheight' in o else 1.0
+        lineheight = float(o['lineheight']) * 1.15 if not legacy_lineheight or 'lineheight' in o else 1.0
        style = ParagraphStyle(
            name=uuid.uuid4().hex,
            fontName=font,
-            fontSize=float(o['fontsize']),
-            leading=lineheight * float(o['fontsize']),
+            fontSize=fontsize,
+            leading=lineheight * fontsize,
            # for backwards compatability use autoLeading if no lineheight is given
-            autoLeading='off' if 'lineheight' in o else 'max',
+            autoLeading='off' if not legacy_lineheight or 'lineheight' in o else 'max',
            textColor=Color(o['color'][0] / 255, o['color'][1] / 255, o['color'][2] / 255),
-            alignment=align_map[o['align']]
+            alignment=align_map[o['align']],
+            splitLongWords=o.get('splitlongwords', True),
        )
        # add an almost-invisible space &hairsp; after hyphens as word-wrap in ReportLab only works on space chars
        text = conditional_escape(
@@ -1013,6 +1015,41 @@ class Renderer:
            logger.exception('Reshaping/Bidi fixes failed on string {}'.format(repr(text)))

        p = Paragraph(text, style=style)
+        return p, ad, lineheight
+
+    def _draw_textcontainer(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
+        fontsize = float(o['fontsize'])
+        height = float(o['height']) * mm
+        width = float(o['width']) * mm
+        while True:
+            p, ad, lineheight = self._text_paragraph(op, order, o, override_fontsize=fontsize)
+            w, h = p.wrapOn(canvas, width, 1000 * mm)
+            widths = p.getActualLineWidths0()
+            if not widths:
+                break
+            actual_w = max(widths)
+            if not o.get('autoresize', False) or (h <= height and actual_w <= width) or fontsize <= 1.0:
+                break
+            if h > height:  # we can do larger steps for height
+                fontsize -= max(1.0, fontsize * .1)
+            else:
+                fontsize -= max(.25, fontsize * .025)
+
+        canvas.saveState()
+        # The ascent/descent offsets here are not really proven to be correct, they're just empirical values to get
+        # reportlab render similarly to browser canvas.
+        canvas.translate(float(o['left']) * mm, float(o['bottom']) * mm + height)
+        canvas.rotate(o.get('rotation', 0) * -1)
+        if o.get('verticalalign', 'top') == 'top':
+            p.drawOn(canvas, 0, - h)
+        elif o.get('verticalalign', 'top') == 'middle':
+            p.drawOn(canvas, 0, (-height - h) / 2)
+        elif o.get('verticalalign', 'top') == 'bottom':
+            p.drawOn(canvas, 0, -height)
+        canvas.restoreState()
+
+    def _draw_textarea(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
+        p, ad, lineheight = self._text_paragraph(op, order, o, legacy_lineheight=True)
        w, h = p.wrapOn(canvas, float(o['width']) * mm, 1000 * mm)
        # p_size = p.wrap(float(o['width']) * mm, 1000 * mm)
        canvas.saveState()
@@ -1051,6 +1088,8 @@ class Renderer:
                    self._draw_barcodearea(canvas, op, order, o)
                elif o['type'] == "imagearea":
                    self._draw_imagearea(canvas, op, order, o)
+                elif o['type'] == "textcontainer":
+                    self._draw_textcontainer(canvas, op, order, o)
                elif o['type'] == "textarea":
                    self._draw_textarea(canvas, op, order, o)
                elif o['type'] == "poweredby":
@@ -1542,10 +1542,9 @@ def add_items_to_cart(self, event: int, items: List[dict], cart_id: str=None, lo
@app.task(base=ProfiledEventTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
 def apply_voucher(self, event: Event, voucher: str, cart_id: str=None, locale='en', sales_channel='web', override_now_dt: datetime=None) -> None:
    """
-    Removes a list of items from a user's cart.
    :param event: The event ID in question
    :param voucher: A voucher code
-    :param session: Session ID of a guest
+    :param cart_id: The cart ID of the cart to modify
    """
    with language(locale), time_machine_now_assigned(override_now_dt):
        try:
@@ -1566,10 +1565,10 @@ def apply_voucher(self, event: Event, voucher: str, cart_id: str=None, locale='e
@app.task(base=ProfiledEventTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
 def remove_cart_position(self, event: Event, position: int, cart_id: str=None, locale='en', sales_channel='web', override_now_dt: datetime=None) -> None:
    """
-    Removes a list of items from a user's cart.
+    Removes an item specified by its position ID from a user's cart.
    :param event: The event ID in question
    :param position: A cart position ID
-    :param session: Session ID of a guest
+    :param cart_id: The cart ID of the cart to modify
    """
    with language(locale), time_machine_now_assigned(override_now_dt):
        try:
@@ -1590,9 +1589,9 @@ def remove_cart_position(self, event: Event, position: int, cart_id: str=None, l
@app.task(base=ProfiledEventTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
 def clear_cart(self, event: Event, cart_id: str=None, locale='en', sales_channel='web', override_now_dt: datetime=None) -> None:
    """
-    Removes a list of items from a user's cart.
+    Removes all items from a user's cart.
    :param event: The event ID in question
-    :param session: Session ID of a guest
+    :param cart_id: The cart ID of the cart to modify
    """
    with language(locale), time_machine_now_assigned(override_now_dt):
        try:
@@ -1611,13 +1610,15 @@ def clear_cart(self, event: Event, cart_id: str=None, locale='en', sales_channel


@app.task(base=ProfiledEventTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
-def set_cart_addons(self, event: Event, addons: List[dict], cart_id: str=None, locale='en',
+def set_cart_addons(self, event: Event, addons: List[dict], add_to_cart_items: List[dict], cart_id: str=None, locale='en',
                    invoice_address: int=None, sales_channel='web', override_now_dt: datetime=None) -> None:
    """
-    Removes a list of items from a user's cart.
+    Assigns addons to eligible products in a user's cart, adding and removing the addon products as necessary to
+    ensure the requested addon state.
    :param event: The event ID in question
    :param addons: A list of dicts with the keys addon_to, item, variation
-    :param session: Session ID of a guest
+    :param add_to_cart_items: A list of dicts with the keys item, variation, count, custom_price, voucher, seat ID
+    :param cart_id: The cart ID of the cart to modify
    """
    with language(locale), time_machine_now_assigned(override_now_dt):
        ia = False
@@ -1635,6 +1636,7 @@ def set_cart_addons(self, event: Event, addons: List[dict], cart_id: str=None, l
            try:
                cm = CartManager(event=event, cart_id=cart_id, invoice_address=ia, sales_channel=sales_channel)
                cm.set_addons(addons)
+                cm.add_new_items(add_to_cart_items)
                cm.commit()
            except LockTimeoutException:
                self.retry()
@@ -1154,7 +1154,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
            )


-@receiver(order_placed, dispatch_uid="autocheckin_order_placed")
+@receiver(order_placed, dispatch_uid="legacy_autocheckin_order_placed")
 def order_placed(sender, **kwargs):
    order = kwargs['order']
    event = sender
@@ -1171,7 +1171,7 @@ def order_placed(sender, **kwargs):
                    checkin_created.send(event, checkin=ci)


-@receiver(periodic_task, dispatch_uid="autocheckin_exit_all")
+@receiver(periodic_task, dispatch_uid="autocheckout_exit_all")
@scopes_disabled()
 def process_exit_all(sender, **kwargs):
    qs = CheckinList.objects.filter(
@@ -1182,10 +1182,11 @@ def process_exit_all(sender, **kwargs):
        positions = cl.positions_inside_query(ignore_status=True, at_time=cl.exit_all_at)
        for p in positions:
            with scope(organizer=cl.event.organizer):
-                ci = Checkin.objects.create(
+                ci, created = Checkin.objects.get_or_create(
                    position=p, list=cl, auto_checked_in=True, type=Checkin.TYPE_EXIT, datetime=cl.exit_all_at
                )
-                checkin_created.send(cl.event, checkin=ci)
+                if created:
+                    checkin_created.send(cl.event, checkin=ci)
        d = cl.exit_all_at.astimezone(cl.event.timezone)
        if cl.event.settings.get(f'autocheckin_dst_hack_{cl.pk}'):  # move time back if yesterday was DST switch
            d -= timedelta(hours=1)
@@ -0,0 +1,234 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+from collections import defaultdict
+from decimal import Decimal
+from itertools import groupby
+from math import inf
+from typing import List
+
+from django.utils.functional import cached_property
+
+from pretix.base.models import CartPosition, ItemCategory, SalesChannel
+from pretix.presale.views.event import get_grouped_items
+
+
+class DummyCategory:
+    """
+    Used to create fake category objects for displaying the same cross-selling category multiple times,
+    once for each subevent
+    """
+
+    def __init__(self, category: ItemCategory, subevent):
+        self.id = category.id
+        self.name = str(category.name)
+        self.subevent_name = str(subevent)
+        self.description = category.description
+
+
+class CrossSellingService:
+    def __init__(self, event, sales_channel: SalesChannel, cartpositions: List[CartPosition], customer):
+        self.event = event
+        self.sales_channel = sales_channel
+        self.cartpositions = cartpositions
+        self.customer = customer
+
+    def get_data(self):
+        if self.event.has_subevents:
+            subevents = set(pos.subevent for pos in self.cartpositions)
+            result = (
+                (DummyCategory(category, subevent),
+                 self._prepare_items(subevent, items_qs, discount_info),
+                 f'subevent_{subevent.pk}_')
+                for subevent in subevents
+                for (category, items_qs, discount_info) in self._applicable_categories(subevent.pk)
+            )
+        else:
+            result = (
+                (category,
+                 self._prepare_items(None, items_qs, discount_info),
+                 '')
+                for (category, items_qs, discount_info) in self._applicable_categories(0)
+            )
+        result = [(category, items, form_prefix) for (category, items, form_prefix) in result if len(items) > 0]
+        for category, items, form_prefix in result:
+            category.category_has_discount = any(item.original_price or (
+                item.has_variations and any(var.original_price for var in item.available_variations)
+            ) for item in items)
+        return result
+
+    def _applicable_categories(self, subevent_id):
+        return [
+            (c, products_qs, discount_info) for (c, products_qs, discount_info) in
+            (
+                (c, *self._get_visible_items_for_category(subevent_id, c))
+                for c in self.event.categories.filter(cross_selling_mode__isnull=False).prefetch_related('items')
+            )
+            if products_qs is not None
+        ]
+
+    def _get_visible_items_for_category(self, filter_subevent_id, category: ItemCategory):
+        """
+        If this category should be visible in the cross-selling step for a given cart and sales_channel, this method
+        returns a queryset of the items that should be displayed, as well as a dict giving additional information on them.
+
+        :returns: (QuerySet<Item>, dict<(subevent_id, item_pk): (max_count, discount_rule)>)
+            max_count is `inf` if the item should not be limited
+            discount_rule is None if the item will not be discounted
+        """
+        if category.cross_selling_mode is None:
+            return None, {}
+        if category.cross_selling_condition == 'always':
+            return category.items.all(), {}
+        if category.cross_selling_condition == 'products':
+            match = set(match.pk for match in category.cross_selling_match_products.only('pk'))  # TODO prefetch this
+            return (category.items.all(), {}) if any(pos.item.pk in match for pos in self.cartpositions) else (None, {})
+        if category.cross_selling_condition == 'discounts':
+            my_item_pks = [item.id for item in category.items.all()]
+            potential_discount_items = {
+                item.pk: (max_count, discount_rule)
+                for subevent_id, item, max_count, discount_rule in self._potential_discounts_by_subevent_and_item_for_current_cart
+                if max_count > 0 and item.pk in my_item_pks and item.is_available() and (subevent_id == filter_subevent_id or subevent_id is None)
+            }
+            return category.items.filter(pk__in=potential_discount_items), potential_discount_items
+
+    @cached_property
+    def _potential_discounts_by_subevent_and_item_for_current_cart(self):
+        potential_discounts_by_cartpos = defaultdict(list)
+
+        from ..services.pricing import apply_discounts
+        self._discounted_prices = apply_discounts(
+            self.event,
+            self.sales_channel,
+            [
+                (cp.item_id, cp.subevent_id, cp.line_price_gross, bool(cp.addon_to), cp.is_bundled,
+                 cp.listed_price - cp.price_after_voucher)
+                for cp in self.cartpositions
+            ],
+            collect_potential_discounts=potential_discounts_by_cartpos
+        )
+
+        # flatten potential_discounts_by_cartpos (a dict of lists of potential discounts) into a set of potential discounts
+        # (which is technically stored as a dict, but we use it as an OrderedSet here)
+        potential_discount_set = dict.fromkeys(
+            info for lst in potential_discounts_by_cartpos.values() for info in lst)
+
+        # sum up the max_counts and pass them on (also pass on the discount_rules so we can calculate actual discounted prices later):
+        # group by benefit product
+        # - max_count for product: sum up max_counts
+        # - discount_rule for product: take first discount_rule
+
+        def discount_info(subevent_id, item, infos_for_item):
+            infos_for_item = list(infos_for_item)
+            return (
+                subevent_id,
+                item,
+                sum(max_count for (subevent_id, item, discount_rule, max_count, i) in infos_for_item),
+                next(discount_rule for (subevent_id, item, discount_rule, max_count, i) in infos_for_item),
+            )
+
+        return [
+            discount_info(subevent_id, item, infos_for_item) for (subevent_id, item), infos_for_item in
+            groupby(
+                sorted(
+                    (
+                        (subevent_id, item, discount_rule, max_count, i)
+                        for (discount_rule, max_count, i, subevent_id) in potential_discount_set.keys()
+                        for item in discount_rule.benefit_limit_products.all()
+                    ),
+                    key=lambda tup: (tup[0], tup[1].pk)
+                ),
+                lambda tup: (tup[0], tup[1]))
+        ]
+
+    def _prepare_items(self, subevent, items_qs, discount_info):
+        items, _btn = get_grouped_items(
+            self.event,
+            subevent=subevent,
+            voucher=None,
+            channel=self.sales_channel,
+            base_qs=items_qs,
+            allow_addons=False,
+            allow_cross_sell=True,
+            memberships=(
+                self.customer.usable_memberships(
+                    for_event=subevent or self.event,
+                    testmode=self.event.testmode
+                )
+                if self.customer else None
+            ),
+        )
+        new_items = list()
+        for item in items:
+            max_count = inf
+            if item.pk in discount_info:
+                (max_count, discount_rule) = discount_info[item.pk]
+
+                # only benefit_only_apply_to_cheapest_n_matches discounted items have a max_count, all others get 'inf'
+                if not max_count:
+                    max_count = inf
+
+                # calculate discounted price
+                if discount_rule and discount_rule.benefit_discount_matching_percent > 0:
+                    if not item.has_variations:
+                        item.original_price = item.original_price or item.display_price
+                        previous_price = item.display_price
+                        new_price = (
+                            previous_price * (
+                                (Decimal('100.00') - discount_rule.benefit_discount_matching_percent) / Decimal('100.00'))
+                        )
+                        item.display_price = new_price
+                    else:
+                        # discounts always match "whole" items, not specific variations -> we apply the discount to all
+                        # available variations of the item
+                        for var in item.available_variations:
+                            var.original_price = var.original_price or var.display_price
+                            previous_price = var.display_price
+                            new_price = (
+                                previous_price * (
+                                    (Decimal('100.00') - discount_rule.benefit_discount_matching_percent) / Decimal('100.00'))
+                            )
+                            var.display_price = new_price
+
+            if not item.has_variations:
+                # reduce order_max by number of items already in cart (prevent recommending a product the user can't add anyway)
+                item.order_max = min(
+                    item.order_max - sum(1 for pos in self.cartpositions if pos.item_id == item.pk),
+                    max_count
+                )
+                if item.order_max > 0:
+                    new_items.append(item)
+            else:
+                new_vars = list()
+                for var in item.available_variations:
+                    # reduce order_max by number of items already in cart (prevent recommending a product the user can't add anyway)
+                    var.order_max = min(
+                        var.order_max - sum(1 for pos in self.cartpositions if pos.item_id == item.pk and pos.variation_id == var.pk),
+                        max_count
+                    )
+                    if var.order_max > 0:
+                        new_vars.append(var)
+                if len(new_vars):
+                    item.available_variations = new_vars
+                    new_items.append(item)
+
+        return new_items
@@ -58,6 +58,7 @@ from django.core.mail import (
 from django.core.mail.message import SafeMIMEText
 from django.db import transaction
 from django.template.loader import get_template
+from django.utils.html import escape
 from django.utils.timezone import now, override
 from django.utils.translation import gettext as _, pgettext
 from django_scopes import scope, scopes_disabled
@@ -109,6 +110,22 @@ def clean_sender_name(sender_name: str) -> str:
    return sender_name


+def prefix_subject(settings_holder, subject, highlight=False):
+    prefix = settings_holder.settings.get('mail_prefix')
+    if prefix and prefix.startswith('[') and prefix.endswith(']'):
+        prefix = prefix[1:-1]
+    if prefix:
+        prefix = f"[{prefix}]"
+        if highlight:
+            prefix = '<span class="placeholder" title="{}">{}</span>'.format(
+                _('This prefix has been set in your event or organizer settings.'),
+                escape(prefix)
+            )
+
+        subject = f"{prefix} {subject}"
+    return subject
+
+
 def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, LazyI18nString],
         context: Dict[str, Any] = None, event: Event = None, locale: str = None, order: Order = None,
         position: OrderPosition = None, *, headers: dict = None, sender: str = None, organizer: Organizer = None,
@@ -240,11 +257,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                    and settings_holder.settings.contact_mail and not headers.get('Reply-To'):
                headers['Reply-To'] = settings_holder.settings.contact_mail

-            prefix = settings_holder.settings.get('mail_prefix')
-            if prefix and prefix.startswith('[') and prefix.endswith(']'):
-                prefix = prefix[1:-1]
-            if prefix:
-                subject = "[%s] %s" % (prefix, subject)
+            subject = prefix_subject(settings_holder, subject)

            body_plain += "\r\n\r\n-- \r\n"

@@ -288,7 +301,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                        order.event, 'presale:event.order.open', kwargs={
                            'order': order.code,
                            'secret': order.secret,
-                            'hash': order.email_confirm_hash()
+                            'hash': order.email_confirm_secret()
                        }
                    )
                )
@@ -3152,7 +3152,7 @@ def signal_listener_issue_memberships(sender: Event, order: Order, **kwargs):
    if order.status != Order.STATUS_PAID or not order.customer:
        return
    for p in order.positions.all():
-        if p.item.grant_membership_type_id:
+        if p.item.grant_membership_type_id and not p.granted_memberships.exists():
            create_membership(order.customer, p)


@@ -262,7 +262,7 @@ def base_placeholders(sender, **kwargs):
                'presale:event.order.open', kwargs={
                    'order': order.code,
                    'secret': order.secret,
-                    'hash': order.email_confirm_hash()
+                    'hash': order.email_confirm_secret()
                }
            ), lambda event: build_absolute_uri(
                event,
@@ -443,7 +443,7 @@ def base_placeholders(sender, **kwargs):
                        'organizer': event.organizer.slug,
                        'order': order.code,
                        'secret': order.secret,
-                        'hash': order.email_confirm_hash(),
+                        'hash': order.email_confirm_secret(),
                    }),
                )
                for order in orders
@@ -20,8 +20,9 @@
 # <https://www.gnu.org/licenses/>.
 #
 import re
+from collections import defaultdict
 from decimal import Decimal
-from typing import List, Optional, Tuple
+from typing import List, Optional, Tuple, Union

 from django import forms
 from django.db.models import Q
@@ -31,6 +32,7 @@ from pretix.base.models import (
    AbstractPosition, InvoiceAddress, Item, ItemAddOn, ItemVariation,
    SalesChannel, Voucher,
 )
+from pretix.base.models.discount import Discount, PositionInfo
 from pretix.base.models.event import Event, SubEvent
 from pretix.base.models.tax import TAXED_ZERO, TaxedPrice, TaxRule
 from pretix.base.timemachine import time_machine_now
@@ -155,14 +157,22 @@ def get_line_price(price_after_voucher: Decimal, custom_price_input: Decimal, cu
    return price


-def apply_discounts(event: Event, sales_channel: str,
-                    positions: List[Tuple[int, Optional[int], Decimal, bool, bool]]) -> List[Decimal]:
+def apply_discounts(event: Event, sales_channel: Union[str, SalesChannel],
+                    positions: List[Tuple[int, Optional[int], Decimal, bool, bool, Decimal]],
+                    collect_potential_discounts: Optional[defaultdict]=None) -> List[Tuple[Decimal, Optional[Discount]]]:
    """
    Applies any dynamic discounts to a cart

    :param event: Event the cart belongs to
    :param sales_channel: Sales channel the cart was created with
    :param positions: Tuple of the form ``(item_id, subevent_id, line_price_gross, is_addon_to, is_bundled, voucher_discount)``
+    :param collect_potential_discounts: If a `defaultdict(list)` is supplied, all discounts that could be applied to the cart
+    based on the "consumed" items, but lack matching "benefitting" items will be collected therein.
+    The dict will contain a mapping from index in the `positions` list of the item that could be consumed, to a list
+    of tuples describing the discounts that could be applied in the form `(discount, max_count, grouping_id)`.
+    `max_count` is either the maximum number of benefitting items that the discount would apply to, or `inf` if that number
+    is not limited. The `grouping_id` can be used to distinguish several occurrences of the same discount.
+
    :return: A list of ``(new_gross_price, discount)`` tuples in the same order as the input
    """
    if isinstance(sales_channel, SalesChannel):
@@ -177,10 +187,10 @@ def apply_discounts(event: Event, sales_channel: str,
    ).prefetch_related('condition_limit_products', 'benefit_limit_products').order_by('position', 'pk')
    for discount in discount_qs:
        result = discount.apply({
-            idx: (item_id, subevent_id, line_price_gross, is_addon_to, voucher_discount)
+            idx: PositionInfo(item_id, subevent_id, line_price_gross, is_addon_to, voucher_discount)
            for idx, (item_id, subevent_id, line_price_gross, is_addon_to, is_bundled, voucher_discount) in enumerate(positions)
            if not is_bundled and idx not in new_prices
-        })
+        }, collect_potential_discounts)
        for k in result.keys():
            result[k] = (result[k], discount)
        new_prices.update(result)
@@ -53,7 +53,7 @@ def vouchers_send(event: Event, vouchers: list, subject: str, message: str, reci
                    v.tag = r.get('tag')
                if v.comment:
                    v.comment += '\n\n'
-                v.comment = gettext('The voucher has been sent to {recipient}.').format(recipient=r['email'])
+                v.comment += gettext('The voucher has been sent to {recipient}.').format(recipient=r['email'])
                logs.append(v.log_action(
                    'pretix.voucher.sent',
                    user=user,
@@ -571,7 +571,7 @@ DEFAULTS = {
        'form_class': I18nFormField,
        'serializer_class': I18nField,
        'form_kwargs': dict(
-            label=_("Custom recipient field"),
+            label=_("Custom recipient field label"),
            widget=I18nTextInput,
            help_text=_("If you want to add a custom text field, e.g. for a country-specific registration number, to "
                        "your invoice address form, please fill in the label here. This label will both be used for "
@@ -580,6 +580,18 @@ DEFAULTS = {
                        "The field will not be required.")
        )
    },
+    'invoice_address_custom_field_helptext': {
+        'default': '',
+        'type': LazyI18nString,
+        'form_class': I18nFormField,
+        'serializer_class': I18nField,
+        'form_kwargs': dict(
+            label=_("Custom recipient field help text"),
+            widget=I18nTextInput,
+            help_text=_("If you use the custom recipient field, you can specify a help text which will be displayed "
+                        "underneath the field. It will not be displayed on the invoice.")
+        )
+    },
    'invoice_address_vatid': {
        'default': 'False',
        'type': bool,
@@ -1295,7 +1307,8 @@ DEFAULTS = {
        'form_kwargs': dict(
            label=_("Show event times and dates on the ticket shop"),
            help_text=_("If disabled, no date or time will be shown on the ticket shop's front page. This settings "
-                        "does however not affect the display in other locations."),
+                        "also affects a few other locations, however it should not be expected that the date of the "
+                        "event is shown nowhere to users."),
        )
    },
    'show_date_to': {
@@ -1480,7 +1493,7 @@ DEFAULTS = {
            widget=forms.NumberInput(),
            help_text=_('With an increased limit, a customer may request more than one ticket for a specific product '
                        'using the same, unique email address. However, regardless of this setting, they will need to '
-                        'fill the waitlist form multiple times if they want more than one ticket, as every entry only '
+                        'fill the waiting list form multiple times if they want more than one ticket, as every entry only '
                        'grants one single ticket at a time.'),
        )
    },
@@ -3363,7 +3376,9 @@ Your {organizer} team"""))  # noqa: W291
    },
    'seating_allow_blocked_seats_for_channel': {
        'default': [],
-        'type': list
+        'type': list,
+        'serializer_class': serializers.ListField,
+        'serializer_kwargs': lambda: dict(child=serializers.CharField()),
    },
    'seating_distance_within_row': {
        'default': 'False',
@@ -3801,6 +3816,16 @@ def validate_event_settings(event, settings_dict):
                'payment_term_last': _('The last payment date cannot be before the end of presale.')
            })

+    if settings_dict.get('seating_allow_blocked_seats_for_channel'):
+        allowed_channels = set(event.organizer.sales_channels.values_list("identifier", flat=True))
+        for channel in settings_dict['seating_allow_blocked_seats_for_channel']:
+            if channel not in allowed_channels:
+                raise ValidationError({
+                    'seating_allow_blocked_seats_for_channel': _('The value "{identifier}" is not a valid sales channel.').format(
+                        identifier=channel
+                    )
+                })
+
    if isinstance(event, Event):
        validate_event_settings.send(sender=event, settings_dict=settings_dict)

@@ -838,3 +838,12 @@ is given as the first argument.

 The ``sender`` keyword argument will contain the organizer.
 """
+
+device_info_updated = django.dispatch.Signal()
+"""
+Arguments: ``old_device``, ``new_device``
+
+This signal is sent out each time the information for a Device is modified.
+Both the original and updated versions of the Device are included to allow
+receivers to see what has been updated.
+"""
@@ -143,7 +143,7 @@
        </tr>
    </table>
    <div class="order-button">
-        <a href="{% abseventurl event "presale:event.order.open" hash=order.email_confirm_hash order=order.code secret=order.secret %}" class="button">
+        <a href="{% abseventurl event "presale:event.order.open" hash=order.email_confirm_secret order=order.code secret=order.secret %}" class="button">
            {% trans "View order details" %}
        </a>
    </div>
@@ -103,7 +103,7 @@ def timeline_for_event(event, subevent=None):
        tl.append(TimelineEvent(
            event=event, subevent=subevent,
            datetime=rd.datetime(ev),
-            description=pgettext_lazy('timeline', 'Customers can no longer modify their orders'),
+            description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
            edit_url=ev_edit_url
        ))

@@ -159,6 +159,18 @@ def timeline_for_event(event, subevent=None):
            })
        ))

+    rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
+    if rd and event.settings.change_allow_user_until:
+        tl.append(TimelineEvent(
+            event=event, subevent=subevent,
+            datetime=rd.datetime(ev),
+            description=pgettext_lazy('timeline', 'Customers can no longer make changes to their orders'),
+            edit_url=reverse('control:event.settings.cancel', kwargs={
+                'event': event.slug,
+                'organizer': event.organizer.slug
+            })
+        ))
+
    rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
    if rd and event.settings.waiting_list_enabled:
        tl.append(TimelineEvent(
@@ -30,7 +30,9 @@ from celery import states
 from celery.result import AsyncResult
 from django.conf import settings
 from django.contrib import messages
-from django.core.exceptions import PermissionDenied, ValidationError
+from django.core.exceptions import (
+    BadRequest, PermissionDenied, ValidationError,
+)
 from django.core.files.uploadedfile import UploadedFile
 from django.db import transaction
 from django.http import HttpResponse, JsonResponse, QueryDict
@@ -131,6 +133,8 @@ class AsyncMixin:
        return data

    def get_result(self, request):
+        if not request.GET.get('async_id'):
+            raise BadRequest("No async_id given")
        res = AsyncResult(request.GET.get('async_id'))
        if 'ajax' in self.request.GET:
            return JsonResponse(self._return_ajax_result(res, timeout=0.25))
@@ -140,7 +144,12 @@ class AsyncMixin:
                    return self.success(res.info)
                else:
                    return self.error(res.info)
-            return render(request, 'pretixpresale/waiting.html')
+            state, info = res.state, res.info
+            return render(request, 'pretixpresale/waiting.html', {
+                'started': state in ('PROGRESS', 'STARTED'),
+                'percentage': info.get('value', 0) if isinstance(info, dict) else 0,
+                'steps': info.get('steps', []) if isinstance(info, dict) else None,
+            })

    def success(self, value):
        smes = self.get_success_message(value)
@@ -208,6 +217,8 @@ class AsyncAction(AsyncMixin):

    def get(self, request, *args, **kwargs):
        if 'async_id' in request.GET and settings.HAS_CELERY:
+            if not request.GET.get('async_id'):
+                raise BadRequest("No async_id given")
            return self.get_result(request)
        return self.http_method_not_allowed(request)

@@ -36,6 +36,7 @@ import sys
 from importlib import import_module

 from django.conf import settings
+from django.core.cache import cache
 from django.db.models import Q
 from django.urls import Resolver404, get_script_prefix, resolve
 from django.utils.translation import get_language
@@ -152,6 +153,8 @@ def _default_context(request):
            ctx['warning_update_available'] = True
        if not gs.settings.update_check_ack and 'runserver' not in sys.argv:
            ctx['warning_update_check_active'] = True
+        if not cache.get('pretix_runperiodic_executed') and not settings.DEBUG:
+            ctx['warning_cronjob'] = True

    ctx['ie_deprecation_warning'] = 'MSIE' in request.headers.get('User-Agent', '') or 'Trident/' in request.headers.get('User-Agent', '')

@@ -844,6 +844,7 @@ class InvoiceSettingsForm(EventSettingsValidationMixin, SettingsForm):
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
+        'invoice_address_custom_field_helptext',
        'invoice_name_required',
        'invoice_address_not_asked_free',
        'invoice_include_free',
@@ -1143,12 +1144,12 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
        widget=I18nTextInput,
    )
    mail_subject_order_incomplete_payment = I18nFormField(
-        label=_("Subject"),
+        label=_("Subject (if an incomplete payment was received)"),
        required=False,
        widget=I18nTextInput,
    )
    mail_text_order_incomplete_payment = I18nFormField(
-        label=_("Text"),
+        label=_("Text (if an incomplete payment was received)"),
        required=False,
        widget=I18nMarkdownTextarea,
        help_text=_("This email only applies to payment methods that can receive incomplete payments, "
@@ -48,6 +48,7 @@ from django.utils.formats import date_format, localize
 from django.utils.functional import cached_property
 from django.utils.timezone import get_current_timezone, make_aware, now
 from django.utils.translation import gettext, gettext_lazy as _, pgettext_lazy
+from django_countries.fields import CountryField
 from django_scopes.forms import SafeModelChoiceField

 from pretix.base.forms.widgets import (
@@ -60,6 +61,7 @@ from pretix.base.models import (
    SubEvent, SubEventMetaValue, Team, TeamAPIToken, TeamInvite, Voucher,
 )
 from pretix.base.signals import register_payment_providers
+from pretix.control.forms import SplitDateTimeField
 from pretix.control.forms.widgets import Select2, Select2ItemVarQuota
 from pretix.control.signals import order_search_filter_q
 from pretix.helpers.countries import CachedCountries
@@ -67,7 +69,7 @@ from pretix.helpers.database import (
    get_deterministic_ordering, rolledback_transaction,
 )
 from pretix.helpers.dicts import move_to_end
-from pretix.helpers.i18n import i18ncomp
+from pretix.helpers.i18n import get_format_without_seconds, i18ncomp

 PAYMENT_PROVIDERS = []

@@ -687,11 +689,71 @@ class EventOrderExpertFilterForm(EventOrderFilterForm):
        )
        self.fields['quota'].widget.choices = self.fields['quota'].choices
        for q in self.event.questions.all():
-            self.fields['question_{}'.format(q.pk)] = forms.CharField(
-                label=q.question,
-                required=False,
-                help_text=_('Exact matches only')
-            )
+            kwargs = {
+                "label": q.question,
+                "required": False,
+            }
+            fname = 'question_{}'.format(q.pk)
+            if q.type == Question.TYPE_NUMBER:
+                self.fields[fname] = forms.DecimalField(
+                    help_text=_('Exact matches only'),
+                    **kwargs,
+                )
+            elif q.type == Question.TYPE_BOOLEAN:
+                self.fields[fname] = forms.ChoiceField(
+                    choices=(
+                        ("", ""),
+                        ("True", _("Yes")),
+                        ("False", _("No")),
+                    ),
+                    **kwargs,
+                )
+            elif q.type in (Question.TYPE_CHOICE, Question.TYPE_CHOICE_MULTIPLE):
+                self.fields[fname] = forms.ModelChoiceField(
+                    queryset=q.options,
+                    widget=forms.Select,
+                    to_field_name='identifier',
+                    empty_label='',
+                    **kwargs,
+                )
+            elif q.type == Question.TYPE_COUNTRYCODE:
+                self.fields[fname] = CountryField(
+                    countries=CachedCountries,
+                    blank=True, null=True, blank_label=' ',
+                ).formfield(
+                    **kwargs,
+                    widget=forms.Select,
+                    empty_label=' ',
+                )
+            elif q.type == Question.TYPE_DATE:
+                self.fields[fname] = forms.DateField(
+                    widget=DatePickerWidget(),
+                    help_text=_('Exact matches only'),
+                    **kwargs,
+                )
+            elif q.type == Question.TYPE_TIME:
+                self.fields[fname] = forms.TimeField(
+                    widget=TimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
+                    help_text=_('Exact matches only'),
+                    **kwargs,
+                )
+            elif q.type == Question.TYPE_DATETIME:
+                self.fields[fname] = SplitDateTimeField(
+                    widget=SplitDateTimePickerWidget(
+                        time_format=get_format_without_seconds('TIME_INPUT_FORMATS'),
+                        min_date=q.valid_datetime_min,
+                        max_date=q.valid_datetime_max
+                    ),
+                    help_text=_('Exact matches only'),
+                    **kwargs,
+                )
+            elif q.type == Question.TYPE_FILE:
+                continue
+            else:
+                self.fields[fname] = forms.CharField(
+                    help_text=_('Exact matches only'),
+                    **kwargs,
+                )

    def filter_qs(self, qs):
        fdata = self.cleaned_data
@@ -787,11 +849,24 @@ class EventOrderExpertFilterForm(EventOrderFilterForm):
            ).distinct()
        for q in self.event.questions.all():
            if fdata.get(f'question_{q.pk}'):
-                answers = QuestionAnswer.objects.filter(
-                    question_id=q.pk,
-                    orderposition__order_id=OuterRef('pk'),
-                    answer__iexact=fdata.get(f'question_{q.pk}')
-                )
+                if q.type == Question.TYPE_BOOLEAN:
+                    answers = QuestionAnswer.objects.filter(
+                        question_id=q.pk,
+                        orderposition__order_id=OuterRef('pk'),
+                        answer__exact=fdata.get(f'question_{q.pk}')
+                    )
+                elif q.type in (Question.TYPE_CHOICE, Question.TYPE_CHOICE_MULTIPLE):
+                    answers = QuestionAnswer.objects.filter(
+                        question_id=q.pk,
+                        orderposition__order_id=OuterRef('pk'),
+                        options=fdata.get(f'question_{q.pk}')
+                    )
+                else:
+                    answers = QuestionAnswer.objects.filter(
+                        question_id=q.pk,
+                        orderposition__order_id=OuterRef('pk'),
+                        answer__iexact=fdata.get(f'question_{q.pk}')
+                    )
                qs = qs.annotate(**{f'q_{q.pk}': Exists(answers)}).filter(**{f'q_{q.pk}': True})

        return qs
@@ -2577,6 +2652,9 @@ class DeviceFilterForm(FilterForm):
        if fdata.get('gate'):
            qs = qs.filter(gate=fdata['gate'])

+        if fdata.get('software_brand'):
+            qs = qs.filter(software_brand=fdata['software_brand'])
+
        if fdata.get('state') == 'active':
            qs = qs.filter(revoked=False)
        elif fdata.get('state') == 'revoked':
@@ -40,7 +40,8 @@ from urllib.parse import urlencode
 from django import forms
 from django.conf import settings
 from django.core.exceptions import ValidationError
-from django.db.models import Max
+from django.db.models import Max, Q
+from django.forms import ChoiceField, RadioSelect
 from django.forms.formsets import DELETION_FIELD_NAME
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -79,11 +80,67 @@ class CategoryForm(I18nModelForm):
            'name',
            'internal_name',
            'description',
-            'is_addon'
+            'cross_selling_condition',
+            'cross_selling_match_products',
        ]
        widgets = {
            'description': I18nMarkdownTextarea,
+            'cross_selling_condition': RadioSelect,
        }
+        field_classes = {
+            'cross_selling_match_products': SafeModelMultipleChoiceField,
+        }
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        tpl = '{} &nbsp; <span class="text-muted">{}</span>'
+        self.fields['category_type'] = ChoiceField(widget=RadioSelect, choices=(
+            ('normal', mark_safe(tpl.format(
+                _('Normal category'),
+                _('Products in this category are regular products displayed on the front page.')
+            )),),
+            ('addon', mark_safe(tpl.format(
+                _('Add-on product category'),
+                _('Products in this category are add-on products and can only be bought as add-ons.')
+            )),),
+            ('only', mark_safe(tpl.format(
+                _('Cross-selling category'),
+                _('Products in this category are regular products, but are only shown in the cross-selling step, '
+                  'according to the configuration below.')
+            )),),
+            ('both', mark_safe(tpl.format(
+                _('Normal + cross-selling category'),
+                _('Products in this category are regular products displayed on the front page, but are additionally '
+                  'shown in the cross-selling step, according to the configuration below.')
+            )),),
+        ))
+        self.fields['category_type'].initial = self.instance.category_type
+
+        self.fields['cross_selling_condition'].widget.attrs['data-display-dependency'] = '#id_category_type_2,#id_category_type_3'
+        self.fields['cross_selling_condition'].widget.attrs['data-disable-dependent'] = 'true'
+        self.fields['cross_selling_condition'].widget.choices = self.fields['cross_selling_condition'].widget.choices[1:]
+        self.fields['cross_selling_condition'].required = False
+
+        self.fields['cross_selling_match_products'].widget = forms.CheckboxSelectMultiple(
+            attrs={
+                'class': 'scrolling-multiple-choice',
+                'data-display-dependency': '#id_cross_selling_condition_2'
+            }
+        )
+        self.fields['cross_selling_match_products'].queryset = self.event.items.filter(
+            # don't show products which are only visible in addon/cross-sell step themselves
+            Q(category__isnull=True) | Q(
+                Q(category__is_addon=False) & Q(Q(category__cross_selling_mode='both') | Q(category__cross_selling_mode__isnull=True))
+            )
+        )
+
+    def clean(self):
+        d = super().clean()
+        if d.get('category_type') == 'only' or d.get('category_type') == 'both':
+            if not d.get('cross_selling_condition'):
+                raise ValidationError({'cross_selling_condition': [_('This field is required')]})
+        self.instance.category_type = d.get('category_type')
+        return d


 class QuestionForm(I18nModelForm):
@@ -49,6 +49,7 @@ from pretix.base.forms import (
    I18nModelForm, MarkdownTextarea, PlaceholderValidator,
 )
 from pretix.base.forms.widgets import format_placeholders_help_text
+from pretix.base.i18n import language
 from pretix.base.models import Item, Voucher
 from pretix.control.forms import SplitDateTimeField, SplitDateTimePickerWidget
 from pretix.control.forms.widgets import Select2, Select2ItemVarQuota
@@ -238,11 +239,14 @@ class VoucherForm(I18nModelForm):
                self.instance.event, self.instance.quota, self.instance.item, self.instance.variation
            )
        Voucher.clean_voucher_code(data, self.instance.event, self.instance.pk)
-        if 'seat' in self.fields and data.get('seat'):
-            self.instance.seat = Voucher.clean_seat_id(
-                data, self.instance.item, self.instance.quota, self.instance.event, self.instance.pk
-            )
-            self.instance.item = self.instance.seat.product
+        if 'seat' in self.fields:
+            if data.get('seat'):
+                self.instance.seat = Voucher.clean_seat_id(
+                    data, self.instance.item, self.instance.quota, self.instance.event, self.instance.pk
+                )
+                self.instance.item = self.instance.seat.product
+            else:
+                self.instance.seat = None

        voucher_form_validation.send(sender=self.instance.event, form=self, data=data)

@@ -289,8 +293,9 @@ class VoucherBulkForm(VoucherForm):
            )
        }),
        required=False,
-        help_text=_('You can either supply a list of email addresses with one email address per line, or a CSV file with a title column '
-                    'and one or more of the columns "email", "number", "name", or "tag".')
+        help_text=_('You can either supply a list of email addresses with one email address per line, or the contents '
+                    'of a CSV file with a title column and one or more of the columns "email", "number", "name", '
+                    'or "tag".')
    )
    Recipient = namedtuple('Recipient', 'email number name tag')

@@ -332,6 +337,11 @@ class VoucherBulkForm(VoucherForm):
        super().__init__(*args, **kwargs)
        self._set_field_placeholders('send_subject', ['event', 'name'])
        self._set_field_placeholders('send_message', ['event', 'voucher_list', 'name'])
+
+        with language(self.instance.event.settings.locale, self.instance.event.settings.region):
+            for f in ("send_subject", "send_message"):
+                self.fields[f].initial = str(self.fields[f].initial)
+
        if 'seat' in self.fields:
            self.fields['seats'] = forms.CharField(
                label=_("Specific seat IDs"),
@@ -421,6 +421,14 @@
                            </a>
                        </div>
                    {% endif %}
+                    {% if warning_cronjob %}
+                        <div class="alert alert-warning">
+                            {% blocktrans trimmed %}
+                                The cronjob component of pretix was not executed in the last hours. Please check that
+                                you have completed all installation steps and your cronjob is executed correctly.
+                            {% endblocktrans %}
+                        </div>
+                    {% endif %}

                    {% if debug_warning %}
                        <div class="alert alert-danger">
@@ -32,6 +32,7 @@
                {% bootstrap_field form.invoice_address_beneficiary layout="control" %}
                {% bootstrap_field form.invoice_address_not_asked_free layout="control" %}
                {% bootstrap_field form.invoice_address_custom_field layout="control" %}
+                {% bootstrap_field form.invoice_address_custom_field_helptext layout="control" %}
                {% bootstrap_field form.invoice_address_explanation_text layout="control" %}
            </fieldset>
            <fieldset>
@@ -372,6 +372,19 @@
                </div>
                {% bootstrap_field sform.waiting_list_enabled layout="control" %}
                {% bootstrap_field sform.waiting_list_auto layout="control" %}
+                <div class="form-group">
+                    <label class="control-label col-md-3">
+                        {% trans "Waiting customers" %}
+                    </label>
+                    <div class="col-md-9 static-form-row">
+                        <p>
+                            <a href="{% url "control:event.orders.waitinglist" event=request.event.slug organizer=request.organizer.slug %}#tab-0-1-open"
+                               target="_blank">
+                                {% trans "Manage waiting list" %}
+                            </a>
+                        </p>
+                    </div>
+                </div>
                {% bootstrap_field sform.waiting_list_hours layout="control" %}
                {% bootstrap_field sform.waiting_list_auto_disable layout="control" %}
                {% bootstrap_field sform.waiting_list_names_asked_required layout="control" %}
@@ -41,7 +41,7 @@
                        {% bootstrap_field form.eu_reverse_charge layout="control" %}
                        {% bootstrap_field form.home_country layout="control" %}
                        {% bootstrap_field form.keep_gross_if_rate_changes layout="control" %}
-                        <h3>{% trans "Custom taxation rules" %}</h3>
+                        <h3>{% trans "Custom rules" %}</h3>
                        <div class="alert alert-warning">
                            {% blocktrans trimmed %}
                                These settings are intended for professional users with very specific taxation situations.
@@ -31,6 +31,7 @@
                <thead>
                <tr>
                    <th>{% trans "Product categories" %}</th>
+                    <th>{% trans "Category type" %}</th>
                    <th class="action-col-2"></th>
                </tr>
                </thead>
@@ -40,6 +41,9 @@
                        <td>
                            <strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
                        </td>
+                        <td>
+                            {{ c.get_category_type_display }}
+                        </td>
                        <td class="text-right flip">
                            <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
                            <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
@@ -16,7 +16,9 @@
                        {% bootstrap_field form.internal_name layout="control" %}
                    </div>
                    {% bootstrap_field form.description layout="control" %}
-                    {% bootstrap_field form.is_addon layout="control" %}
+                    {% bootstrap_field form.category_type layout="control" horizontal_field_class="big-radio-wrapper col-lg-9" %}
+                    {% bootstrap_field form.cross_selling_condition layout="control" horizontal_field_class="col-lg-9" %}
+                    {% bootstrap_field form.cross_selling_match_products layout="control" %}
                </fieldset>
            </div>
            {% if category %}
@@ -133,7 +133,7 @@
                                {% endif %}
                                {{ i.default_price|money:request.event.currency }}
                                {% if i.original_price %}<strike class="text-muted">{{ i.original_price|money:request.event.currency }}</strike>{% endif %}
-                                {% if i.tax_rule and i.default_price %}
+                                {% if i.tax_rule %}
                                    <br/>
                                    <small class="text-muted">
                                        {% if not i.tax_rule.price_includes_tax %}
@@ -13,31 +13,52 @@
            {% trans "Edit question" %}
        </a>
    </h1>
-    <form class="form-inline helper-display-inline" action="" method="get">
-        <p>
-            <select name="status" class="form-control">
-                <option value="" {% if request.GET.status == "" %}selected="selected"{% endif %}>{% trans "All orders" %}</option>
-                <option value="p" {% if request.GET.status == "p" %}selected="selected"{% endif %}>{% trans "Paid" %}</option>
-                <option value="pv" {% if request.GET.status == "pv" %}selected="selected"{% endif %}>{% trans "Paid or confirmed" %}</option>
-                <option value="n" {% if request.GET.status == "n" %}selected="selected"{% endif %}>{% trans "Pending" %}</option>
-                <option value="np" {% if request.GET.status == "np" or "status" not in request.GET %}selected="selected"{% endif %}>{% trans "Pending or paid" %}</option>
-                <option value="o" {% if request.GET.status == "o" %}selected="selected"{% endif %}>{% trans "Pending (overdue)" %}</option>
-                <option value="e" {% if request.GET.status == "e" %}selected="selected"{% endif %}>{% trans "Expired" %}</option>
-                <option value="ne" {% if request.GET.status == "ne" %}selected="selected"{% endif %}>{% trans "Pending or expired" %}</option>
-                <option value="c" {% if request.GET.status == "c" %}selected="selected"{% endif %}>{% trans "Canceled" %}</option>
-            </select>
-            <select name="item" class="form-control">
-                <option value="">{% trans "All products" %}</option>
-                {% for item in items %}
-                    <option value="{{ item.id }}"
-                            {% if request.GET.item|add:0 == item.id %}selected="selected"{% endif %}>
-                        {{ item.name }}
-                    </option>
-                {% endfor %}
-            </select>
-            <button class="btn btn-primary" type="submit">{% trans "Filter" %}</button>
-        </p>
-    </form>
+
+    <div class="panel panel-default">
+        <div class="panel-heading">
+            <h3 class="panel-title">{% trans "Filter" %}</h3>
+        </div>
+        <form class="panel-body filter-form" action="" method="get">
+            <div class="row">
+                <div class="col-lg-2 col-sm-6 col-xs-6">
+                    <select name="status" class="form-control">
+                        <option value="" {% if request.GET.status == "" %}selected="selected"{% endif %}>{% trans "All orders" %}</option>
+                        <option value="p" {% if request.GET.status == "p" %}selected="selected"{% endif %}>{% trans "Paid" %}</option>
+                        <option value="pv" {% if request.GET.status == "pv" %}selected="selected"{% endif %}>{% trans "Paid or confirmed" %}</option>
+                        <option value="n" {% if request.GET.status == "n" %}selected="selected"{% endif %}>{% trans "Pending" %}</option>
+                        <option value="np" {% if request.GET.status == "np" or "status" not in request.GET %}selected="selected"{% endif %}>{% trans "Pending or paid" %}</option>
+                        <option value="o" {% if request.GET.status == "o" %}selected="selected"{% endif %}>{% trans "Pending (overdue)" %}</option>
+                        <option value="e" {% if request.GET.status == "e" %}selected="selected"{% endif %}>{% trans "Expired" %}</option>
+                        <option value="ne" {% if request.GET.status == "ne" %}selected="selected"{% endif %}>{% trans "Pending or expired" %}</option>
+                        <option value="c" {% if request.GET.status == "c" %}selected="selected"{% endif %}>{% trans "Canceled" %}</option>
+                    </select>
+                </div>
+                <div class="col-lg-5 col-sm-6 col-xs-6">
+                    <select name="item" class="form-control">
+                        <option value="">{% trans "All products" %}</option>
+                        {% for item in items %}
+                            <option value="{{ item.id }}"
+                                    {% if request.GET.item|add:0 == item.id %}selected="selected"{% endif %}>
+                                {{ item.name }}
+                            </option>
+                        {% endfor %}
+                    </select>
+                </div>
+                {% if request.event.has_subevents %}
+                    <div class="col-lg-5 col-sm-6 col-xs-6">
+                        {% include "pretixcontrol/event/fragment_subevent_choice_simple.html" %}
+                    </div>
+                {% endif %}
+            </div>
+            <div class="text-right">
+                <button class="btn btn-primary btn-lg" type="submit">
+                    <span class="fa fa-filter"></span>
+                    {% trans "Filter" %}
+                </button>
+            </div>
+        </form>
+    </div>
+
    <div class="row" id="question-stats">
        {% if not stats %}
            <div class="empty-collection col-md-10 col-xs-12">
@@ -75,7 +96,7 @@
                    {% for stat in stats %}
                        <tr>
                            <td>
-                                <a href="{% url "control:event.orders" event=request.event.slug organizer=request.event.organizer.slug %}?status={{ request.GET.status|default:"np" }}&item={{ request.GET.item }}&question={{ question.pk }}&answer={{ stat.alink|default:stat.answer|urlencode }}">
+                                <a href="{% url "control:event.orders" event=request.event.slug organizer=request.event.organizer.slug %}?status={{ request.GET.status|default:"np" }}&item={{ request.GET.item }}&subevent={{ request.GET.subevent }}&question={{ question.pk }}&answer={{ stat.alink|default:stat.answer|urlencode }}">
                                    {{ stat.answer }}
                                </a>
                            </td>
@@ -151,6 +151,12 @@
                            </div>
                            <div class="col-sm-4">
                                {% bootstrap_field position.form.itemvar layout='inline' %}
+                                {% if position.granted_memberships.all %}
+                                    <span class="text-muted">
+                                        <span class="fa fa-warning text-warning" aria-hidden="true"></span>
+                                        {% trans "The sale of this position created a membership. Changing the product here will not affect the membership. Memberships can be managed in the customer account." %}
+                                    </span>
+                                {% endif %}
                            </div>
                        </div>

@@ -254,6 +260,12 @@
                                    {% trans "–" %}
                                </div>
                                {% bootstrap_field position.form.valid_until layout='inline' %}
+                                {% if position.granted_memberships.all %}
+                                    <span class="text-muted">
+                                        <span class="fa fa-warning text-warning" aria-hidden="true"></span>
+                                        {% trans "The sale of this position created a membership. Changing the validity of the ticket here will not affect the membership. Memberships can be managed in the customer account." %}
+                                    </span>
+                                {% endif %}
                            </div>
                        </div>

@@ -102,16 +102,24 @@
            </tr>
            </thead>
            <tbody>
-            {% for t in team.active_tokens %}
+            {% for t in tokens %}
                <tr>
-                    <td>
+                    <td {% if not t.active %}class="text-muted"{% endif %}>
+                        {% if not t.active %}
+                            <del>
+                        {% endif %}
                        {{ t.name }}
+                        {% if not t.active %}
+                            </del>
+                        {% endif %}
                    </td>
                    <td class="text-right flip">
-                        <button type="submit" name="remove-token" value="{{ t.id }}"
-                                class="btn btn-danger btn-sm btn-block">
-                            <i class="fa fa-times"></i> {% trans "Remove" %}
-                        </button>
+                        {% if t.active %}
+                            <button type="submit" name="remove-token" value="{{ t.id }}"
+                                    class="btn btn-danger btn-sm btn-block">
+                                <i class="fa fa-times"></i> {% trans "Remove" %}
+                            </button>
+                        {% endif %}
                    </td>
                </tr>
            {% endfor %}
@@ -177,7 +177,7 @@
                    {% if name %}
                        <div class="row control-group pdf-info">
                            <div class="col-sm-12">
-                                <label>{% trans "Layout name" %}</label><br>
+                                <label for="pdf-info-name">{% trans "Layout name" %}</label><br>
                                <input type="text" id="pdf-info-name" class="input-block-level form-control" name="name" value="{{ name }}">
                            </div>
                        </div>
@@ -185,11 +185,11 @@
                    <div class="row control-group pdf-info">
                        <hr/>
                        <div class="col-sm-6">
-                            <label>{% trans "Width (mm)" %}</label><br>
+                            <label for="pdf-info-width">{% trans "Width (mm)" %}</label><br>
                            <input type="number" id="pdf-info-width" class="input-block-level form-control">
                        </div>
                        <div class="col-sm-6">
-                            <label>{% trans "Height (mm)" %}</label><br>
+                            <label for="pdf-info-height">{% trans "Height (mm)" %}</label><br>
                            <input type="number" id="pdf-info-height" class="input-block-level form-control">
                        </div>
                    </div>
@@ -227,7 +227,7 @@
                    <div class="row control-group pdf-info">
                        <hr/>
                        <div class="col-sm-12">
-                            <label>{% trans "Preferred language" %}</label><br>
+                            <label for="pdf-info-locale">{% trans "Preferred language" %}</label><br>
                            <select class="form-control" id="pdf-info-locale">
                                <option value="">{% trans "Order locale" %}</option>
                                {% for l in locales %}
@@ -238,7 +238,7 @@
                    </div>
                    <div class="row control-group poweredby">
                        <div class="col-sm-12">
-                            <label>{% trans "Style" %}</label><br>
+                            <label for="toolbox-poweredby-style">{% trans "Style" %}</label><br>
                            <select class="input-block-level form-control" id="toolbox-poweredby-style">
                                <option value="dark">{% trans "Dark" %}</option>
                                <option value="white">{% trans "Light" %}</option>
@@ -247,7 +247,7 @@
                    </div>
                    <div class="row control-group imagecontent">
                        <div class="col-sm-12">
-                            <label>{% trans "Image content" %}</label><br>
+                            <label for="toolbox-imagecontent">{% trans "Image content" %}</label><br>
                            <select class="input-block-level form-control" id="toolbox-imagecontent">
                                <option value="">{% trans "Empty" %}</option>
                                {% for varname, var in images.items %}
@@ -258,7 +258,7 @@
                    </div>
                    <div class="row control-group text textcontent">
                        <div class="col-sm-12">
-                            <label>{% trans "Content" %}</label><br>
+                            <label for="toolbox-content">{% trans "Content" %}</label><br>
                            <select class="input-block-level form-control" id="toolbox-content">
                                {% for varname, var in variables.items %}
                                    {% if not var.hidden %}
@@ -293,31 +293,31 @@
                    <div class="row control-group position">
                        <hr/>
                        <div class="col-sm-6">
-                            <label>{% trans "x (mm)" %}</label><br>
+                            <label for="toolbox-position-x">{% trans "x (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-position-x">
                        </div>
                        <div class="col-sm-6">
-                            <label>{% trans "y (mm)" %}</label><br>
+                            <label for="toolbox-position-y">{% trans "y (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-position-y">
                        </div>
                    </div>
                    <div class="row control-group rectsize">
                        <div class="col-sm-6">
-                            <label>{% trans "Width (mm)" %}</label><br>
+                            <label for="toolbox-width">{% trans "Width (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-width">
                        </div>
                        <div class="col-sm-6">
-                            <label>{% trans "Height (mm)" %}</label><br>
+                            <label for="toolbox-height">{% trans "Height (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-height">
                        </div>
                    </div>
                    <div class="row control-group squaresize poweredby">
                        <div class="col-sm-12">
-                            <label>{% trans "Size (mm)" %}</label><br>
+                            <label for="toolbox-squaresize">{% trans "Size (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-squaresize">
                        </div>
@@ -335,13 +335,13 @@
                        </div>
                    </div>
                    <div class="row control-group text">
-                        <div class="col-sm-6">
-                            <label>{% trans "Width (mm)" %}</label><br>
+                        <div class="col-sm-6 textarea">
+                            <label for="toolbox-textwidth">{% trans "Width (mm)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.01"
                                    id="toolbox-textwidth">
                        </div>
                        <div class="col-sm-6">
-                            <label>{% trans "Rotation (°)" %}</label><br>
+                            <label for="toolbox-textrotation">{% trans "Rotation (°)" %}</label><br>
                            <input type="number" value="0" class="input-block-level form-control" step="0.1"
                                    id="toolbox-textrotation">
                        </div>
@@ -349,7 +349,7 @@
                    <div class="row control-group text">
                        <hr/>
                        <div class="col-sm-12">
-                            <label>{% trans "Font" %}</label><br>
+                            <label for="toolbox-fontfamily">{% trans "Font" %}</label><br>
                            <select class="input-block-level form-control" id="toolbox-fontfamily">
                                <option>Open Sans</option>
                                {% for family in fonts.keys %}
@@ -360,43 +360,50 @@
                    </div>
                    <div class="row control-group text">
                        <div class="col-sm-6">
-                            <label>{% trans "Font size (pt)" %}</label><br>
+                            <label for="toolbox-fontsize">{% trans "Font size (pt)" %}</label><br>
                            <input type="number" value="13" class="input-block-level form-control" step="0.1"
                                    id="toolbox-fontsize">
                        </div>
                        <div class="col-sm-6">
-                            <label>{% trans "Line height" %}</label><br>
+                            <label for="toolbox-lineheight">{% trans "Line height" %}</label><br>
                            <input type="number" value="1" class="input-block-level form-control" step="0.1"
                                    id="toolbox-lineheight">
                        </div>
                    </div>
                    <div class="row control-group text">
                        <div class="col-sm-6">
-                            <label>{% trans "Text color" %}</label><br>
-                            <input type="text" value="#000000" class="input-block-level form-control colorpickerfield"
-                                    id="toolbox-col">
+                            <label for="toolbox-col">{% trans "Text color" %}</label><br>
+                            <div class="input-group">
+                                <input type="text" value="#000000" class="input-block-level form-control colorpickerfield"
+                                       id="toolbox-col">
+                                <span class="input-group-addon contrast-icon">
+                                </span>
+                            </div>
                        </div>
                        <div class="col-sm-6">
                            <label>&nbsp;</label><br>
                            <div class="btn-group btn-group-justified" role="group">
-                                <div class="btn-group" role="group">
+                                <div class="btn-group text" role="group">
                                    <button type="button" class="btn btn-default toggling" data-action="bold">
                                        <span class="fa fa-bold"></span>
                                    </button>
                                </div>
-                                <div class="btn-group" role="group">
+                                <div class="btn-group text" role="group">
                                    <button type="button" class="btn btn-default toggling" data-action="italic">
                                        <span class="fa fa-italic"></span>
                                    </button>
                                </div>
-                                <div class="btn-group" role="group">
+                                <div class="btn-group textarea" role="group">
                                    <button type="button" class="btn btn-default toggling" data-action="downward"
-                                        data-toggle="tooltip" title="{% trans "Flow multiple lines downward from specified position" %}">
+                                            data-toggle="tooltip" title="{% trans "Flow multiple lines downward from specified position" %}">
                                        <span class="fa fa-caret-square-o-down"></span>
                                    </button>
                                </div>
                            </div>
-                            <label>&nbsp;</label><br>
+                        </div>
+                    </div>
+                    <div class="row control-group text">
+                        <div class="col-sm-6">
                            <div class="btn-group btn-group-justified" id="toolbox-align">
                                <div class="btn-group" role="group">
                                    <button type="button" class="btn btn-default option toggling" data-action="left">
@@ -415,6 +422,45 @@
                                </div>
                            </div>
                        </div>
+                        <div class="col-sm-6">
+                            <div class="textcontainer">
+                                <div class="btn-group btn-group-justified" id="toolbox-verticalalign">
+                                    <div class="btn-group" role="group">
+                                        <button type="button" class="btn btn-default option toggling" data-action="top">
+                                            <span class="fa fa-toggle-down"></span>
+                                        </button>
+                                    </div>
+                                    <div class="btn-group" role="group">
+                                        <button type="button" class="btn btn-default option toggling" data-action="middle">
+                                            <span class="fa fa-sort"></span>
+                                        </button>
+                                    </div>
+                                    <div class="btn-group" role="group">
+                                        <button type="button" class="btn btn-default option toggling" data-action="bottom">
+                                            <span class="fa fa-toggle-up"></span>
+                                        </button>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                    <div class="row control-group textcontainer">
+                        <div class="col-sm-6">
+                            <div class="btn-group btn-group-justified">
+                                <div class="btn-group textcontainer" role="group">
+                                    <button type="button" class="btn btn-default toggling" data-action="autoresize"
+                                            data-toggle="tooltip" title="{% trans "Automatically reduce font size to fit content" %}">
+                                        <span class="fa fa-text-height"></span>
+                                    </button>
+                                </div>
+                                <div class="btn-group textcontainer" role="group">
+                                    <button type="button" class="btn btn-default toggling" data-action="splitlongwords"
+                                            data-toggle="tooltip" title="{% trans "Allow long words to be split (preview is not accurate)" %}">
+                                        <span class="fa fa-scissors fa-rotate-90"></span>
+                                    </button>
+                                </div>
+                            </div>
+                        </div>
                    </div>
                </div>
            </div>
@@ -423,9 +469,13 @@
                    {% trans "Add a new object" %}
                </div>
                <div class="panel-body add-buttons">
+                    <button class="btn btn-default btn-block" id="editor-add-textcontainer" disabled>
+                        <span class="fa fa-font"></span>
+                        {% trans "Text box" %}
+                    </button>
                    <button class="btn btn-default btn-block" id="editor-add-text" disabled>
                        <span class="fa fa-font"></span>
-                        {% trans "Text" %}
+                        {% trans "Text (deprecated)" %}
                    </button>
                    <button class="btn btn-default btn-block" id="editor-add-qrcode" data-content="secret" disabled>
                        <span class="fa fa-qrcode"></span>
@@ -456,7 +506,6 @@
                    </button>
                </div>
            </div>
-
            <form method="post" action="" id="preview-form" target="_blank">
                <div class="form-group submit-group">
                    {% csrf_token %}
@@ -472,6 +521,13 @@
                    </button>
                </div>
            </form>
+            <p>&nbsp;</p>
+            <div class="alert alert-info" id="version-notice">
+                {% blocktrans trimmed with print_version="2.18" scan_version="1.22" %}
+                    This layout uses new features. If you print from your device, make sure you use pretixPRINT version
+                    {{ print_version }} (or newer) or pretixSCAN Desktop version {{ scan_version }} (or newer).
+                {% endblocktrans %}
+            </div>
        </div>
    </div>
    <script type="text/plain" id="schema-url">{% static "schema/pdf-layout.schema.json" %}</script>
@@ -5,7 +5,13 @@
 {% load urlreplace %}
 {% block title %}{% trans "Waiting list" %}{% endblock %}
 {% block content %}
-    <h1>{% trans "Waiting list" %}</h1>
+    <h1>
+        {% trans "Waiting list" %}
+        <a href="{% url "control:event.settings" event=request.event.slug organizer=request.organizer.slug %}#waiting-list-open" class="btn btn-default">
+            <span class="fa fa-cog"></span>
+            {% trans "Settings" %}
+        </a>
+    </h1>
    {% if not request.event.settings.waiting_list_enabled %}
        <div class="alert alert-danger">
            {% trans "The waiting list is disabled, so if the event is sold out, people cannot add themselves to this list. If you want to enable it, go to the event settings." %}
@@ -15,6 +21,11 @@
            {% trans "The waiting list is no longer active for this event. The waiting list no longer affects quotas and no longer notifies waiting users." %}
        </div>
    {% endif %}
+    {% if request.event.settings.hide_sold_out %}
+        <div class="alert alert-warning">
+            {% trans "According to your event settings, sold out products are hidden from customers. This way, customers will not be able to discover the waiting list." %}
+        </div>
+    {% endif %}
    <div class="row">
        {% if 'can_change_orders' in request.eventpermset %}
            <form method="post" class="col-md-6"
@@ -94,7 +94,9 @@ def process_login(request, user, keep_logged_in):
        pretix_successful_logins.inc(1)
        handle_login_source(user, request)
        auth_login(request, user)
-        request.session['pretix_auth_login_time'] = int(time.time())
+        t = int(time.time())
+        request.session['pretix_auth_login_time'] = t
+        request.session['pretix_auth_last_used'] = t
        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
            return redirect_to_url(next_url)
        return redirect('control:index')
@@ -39,7 +39,7 @@ from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.db import transaction
 from django.db.models import Exists, Max, OuterRef, Prefetch, Q, Subquery
-from django.http import Http404, HttpResponseRedirect
+from django.http import Http404, HttpResponseNotAllowed, HttpResponseRedirect
 from django.shortcuts import get_object_or_404
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -193,6 +193,9 @@ class CheckInListShow(EventPermissionRequiredMixin, PaginationMixin, CheckInList
 class CheckInListBulkRevertConfirmView(CheckInListQueryMixin, EventPermissionRequiredMixin, TemplateView):
    template_name = "pretixcontrol/checkin/bulk_revert_confirm.html"

+    def get(self, request, *args, **kwargs):
+        return HttpResponseNotAllowed(permitted_methods=["POST"])
+
    def post(self, request, *args, **kwargs):
        self.list = get_object_or_404(self.request.event.checkin_lists.all(), pk=kwargs.get("list"))
        return super().get(request, *args, **kwargs)
@@ -62,6 +62,7 @@ from django.http import (
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext, gettext_lazy as _, gettext_noop
@@ -98,6 +99,7 @@ from ...base.i18n import language
 from ...base.models.items import (
    Item, ItemCategory, ItemMetaProperty, Question, Quota,
 )
+from ...base.services.mail import prefix_subject
 from ...base.settings import LazyI18nStringList
 from ...helpers.compat import CompatDeleteView
 from ...helpers.format import format_map
@@ -726,7 +728,7 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
            else:
                ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
                    _('This value will be replaced based on dynamic parameters.'),
-                    s
+                    escape(s)
                )
        return ctx

@@ -746,9 +748,9 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                    with language(self.supported_locale[idx], self.request.event.settings.region):
                        try:
                            if k.startswith('mail_subject_'):
-                                msgs[self.supported_locale[idx]] = format_map(
+                                msgs[self.supported_locale[idx]] = prefix_subject(self.request.event, format_map(
                                    bleach.clean(v), self.placeholders(preview_item), raise_on_missing=True
-                                )
+                                ), highlight=True)
                            else:
                                msgs[self.supported_locale[idx]] = markdown_compile_email(
                                    format_map(v, self.placeholders(preview_item), raise_on_missing=True)
@@ -776,7 +778,7 @@ class MailSettingsRendererPreview(MailSettingsPreview):
    def placeholders(self, item):
        ctx = {}
        for p in get_available_placeholders(self.request.event, MailSettingsForm.base_context[item]).values():
-            ctx[p.identifier] = str(p.render_sample(self.request.event))
+            ctx[p.identifier] = escape(str(p.render_sample(self.request.event)))
        return ctx

    def get(self, request, *args, **kwargs):
@@ -302,6 +302,8 @@ class CategoryCreate(EventPermissionRequiredMixin, CreateView):
            i = modelcopy(self.copy_from)
            i.pk = None
            kwargs['instance'] = i
+            kwargs.setdefault('initial', {})
+            kwargs['initial']['cross_selling_match_products'] = [str(i.pk) for i in self.copy_from.cross_selling_match_products.all()]
        else:
            kwargs['instance'] = ItemCategory(event=self.request.event)
        return kwargs
@@ -661,6 +663,10 @@ class QuestionView(EventPermissionRequiredMixin, QuestionMixin, ChartContainingV
            question=self.object, orderposition__isnull=False,
            orderposition__order__event=self.request.event
        )
+
+        if self.request.GET.get("subevent", "") != "":
+            qs = qs.filter(orderposition__subevent=self.request.GET["subevent"])
+
        s = self.request.GET.get("status", "np")
        if s != "":
            if s == 'o':
@@ -62,8 +62,9 @@ from django.urls import reverse
 from django.utils import formats
 from django.utils.formats import date_format, get_format
 from django.utils.functional import cached_property
-from django.utils.html import conditional_escape
+from django.utils.html import conditional_escape, escape
 from django.utils.http import url_has_allowed_host_and_scheme
+from django.utils.safestring import mark_safe
 from django.utils.timezone import make_aware, now
 from django.utils.translation import gettext, gettext_lazy as _, ngettext
 from django.views.generic import (
@@ -94,7 +95,9 @@ from pretix.base.services.invoices import (
    invoice_qualified, regenerate_invoice,
 )
 from pretix.base.services.locking import LockTimeoutException
-from pretix.base.services.mail import SendMailException, render_mail
+from pretix.base.services.mail import (
+    SendMailException, prefix_subject, render_mail,
+)
 from pretix.base.services.orders import (
    OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
    extend_order, mark_order_expired, mark_order_refunded,
@@ -1900,7 +1903,7 @@ class OrderChange(OrderView):
        positions = list(self.order.positions.select_related(
            'item', 'item__tax_rule', 'used_membership', 'used_membership__membership_type', 'tax_rule',
            'seat', 'subevent',
-        ))
+        ).prefetch_related('granted_memberships'))
        for p in positions:
            p.form = OrderPositionChangeForm(prefix='op-{}'.format(p.pk), instance=p, items=self.items,
                                             initial={'seat': p.seat.seat_guid if p.seat else None},
@@ -2304,7 +2307,9 @@ class OrderSendMail(EventPermissionRequiredMixin, OrderViewMixin, FormView):
        email_content = render_mail(email_template, email_context)
        if self.request.POST.get('action') == 'preview':
            self.preview_output = {
-                'subject': _('Subject: {subject}').format(subject=email_subject),
+                'subject': mark_safe(_('Subject: {subject}').format(
+                    subject=prefix_subject(order.event, escape(email_subject), highlight=True)
+                )),
                'html': markdown_compile_email(email_content)
            }
            return self.get(self.request, *self.args, **self.kwargs)
@@ -2369,7 +2374,9 @@ class OrderPositionSendMail(OrderSendMail):
        email_content = render_mail(email_template, email_context)
        if self.request.POST.get('action') == 'preview':
            self.preview_output = {
-                'subject': _('Subject: {subject}').format(subject=email_subject),
+                'subject': mark_safe(_('Subject: {subject}').format(
+                    subject=prefix_subject(position.order.event, escape(email_subject), highlight=True))
+                ),
                'html': markdown_compile_email(email_content)
            }
            return self.get(self.request, *self.args, **self.kwargs)
@@ -90,7 +90,7 @@ from pretix.base.models.orders import CancellationRequest
 from pretix.base.models.organizer import SalesChannel, TeamAPIToken
 from pretix.base.payment import PaymentException
 from pretix.base.services.export import multiexport, scheduled_organizer_export
-from pretix.base.services.mail import SendMailException, mail
+from pretix.base.services.mail import SendMailException, mail, prefix_subject
 from pretix.base.signals import register_multievent_data_exporters
 from pretix.base.templatetags.rich_text import markdown_compile_email
 from pretix.base.views.tasks import AsyncAction
@@ -351,8 +351,11 @@ class MailSettingsPreview(OrganizerPermissionRequiredMixin, View):
                if idx in self.supported_locale:
                    with language(self.supported_locale[idx], self.request.organizer.settings.region):
                        if k.startswith('mail_subject_'):
-                            msgs[self.supported_locale[idx]] = format_map(bleach.clean(v),
-                                                                          self.placeholders(preview_item))
+                            msgs[self.supported_locale[idx]] = prefix_subject(
+                                self.request.organizer,
+                                format_map(bleach.clean(v), self.placeholders(preview_item)),
+                                highlight=True,
+                            )
                        else:
                            msgs[self.supported_locale[idx]] = markdown_compile_email(
                                format_map(v, self.placeholders(preview_item))
@@ -683,14 +686,24 @@ class TeamDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
        try:
            self.object.log_action('pretix.team.deleted', user=self.request.user)
            self.object.delete()
-        except ProtectedError:
-            messages.error(
-                self.request,
-                _(
-                    'The team could not be deleted as some constraints (e.g. data created by '
-                    'plug-ins) do not allow it.'
+        except ProtectedError as e:
+            is_logs = any(isinstance(e, LogEntry) for e in e.protected_objects)
+            if is_logs:
+                messages.error(
+                    self.request,
+                    _(
+                        "The team could not be deleted because the team or one of its API tokens is part of "
+                        "historical audit logs."
+                    )
+                )
+            else:
+                messages.error(
+                    self.request,
+                    _(
+                        'The team could not be deleted as some constraints (e.g. data created by '
+                        'plug-ins) do not allow it.'
+                    )
                )
-            )
            return redirect(success_url)

        messages.success(request, _('The selected team has been deleted.'))
@@ -720,6 +733,7 @@ class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
        ctx = super().get_context_data(**kwargs)
        ctx['add_form'] = self.add_form
        ctx['add_token_form'] = self.add_token_form
+        ctx['tokens'] = self.object.tokens.order_by("-active", "name", "pk")
        return ctx

    def _send_invite(self, instance):
@@ -156,7 +156,7 @@ def event_list(request):
        max_fromto=Greatest(Max('subevents__date_to'), Max('subevents__date_from'))
    ).annotate(
        order_from=Coalesce('min_from', 'date_from'),
-    ).order_by('-order_from')
+    ).order_by('-order_from', 'slug')

    total = qs.count()
    pagesize = 20
@@ -318,7 +318,7 @@ def nav_context_list(request):
        max_fromto=Greatest(Max('subevents__date_to'), Max('subevents__date_from'))
    ).annotate(
        order_from=Coalesce('min_from', 'date_from'),
-    ).order_by('-order_from')
+    ).order_by('-order_from', 'slug')

    if request.user.has_active_staff_session(request.session.session_key):
        qs_orga = Organizer.objects.all()
--- a/Show More
+++ b/Show More