Locking optimizations

[CI skip]

Signed-off-by: Raphael Michel <mail@raphaelmichel.de>

.travis.yml

@@ -1,4 +1,5 @@
 language: python
+dist: xenial
 sudo: false
 install:
   - pip install -U pip wheel setuptools
@@ -12,23 +13,23 @@ services:
   - postgresql
 matrix:
   include:
-    - python: 3.6
+    - python: 3.7
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.6
+    - python: 3.7
       env: JOB=tests-cov PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
+    - python: 3.7
       env: JOB=style
-    - python: 3.6
+    - python: 3.7
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.6
+    - python: 3.7
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
     - python: 3.5
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
+    - python: 3.7
       env: JOB=plugins
-    - python: 3.6
+    - python: 3.7
       env: JOB=doc-spelling
-    - python: 3.6
+    - python: 3.7
       env: JOB=translation-spelling
 addons:
   postgresql: "9.4"

doc/admin/config.rst

@@ -125,6 +125,8 @@ Example::
     Indicates if the database backend is a MySQL/MariaDB Galera cluster and
     turns on some optimizations/special case handlers. Default: ``False``
 
+.. _`config-replica`:
+
 Database replica settings
 -------------------------
 
@@ -142,6 +144,8 @@ Example::
     [replica]
     host=192.168.0.2
 
+.. _`config-urls`:
+
 URLs
 ----
 

doc/admin/index.rst

@@ -11,3 +11,4 @@ This documentation is for everyone who wants to install pretix on a server.
    installation/index
    config
    maintainance
+   scaling

doc/admin/installation/docker_smallscale.rst

@@ -58,16 +58,29 @@ Database
 --------
 
 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
-our database's shell, e.g. for MySQL::
+our database's shell. For PostgreSQL, we would do::
 
-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser -P pretix
+    # sudo -u postgres createdb -O pretix pretix
 
-Replace the asterisks with a password of your own. For MySQL, we will use a unix domain socket to connect to the
-database. For PostgreSQL, be sure to configure the interface binding and your firewall so that the docker container
-can reach PostgreSQL.
+Make sure that your database listens on the network. If PostgreSQL on the same same host as docker, but not inside a docker container, we recommend that you just listen on the Docker interface by changing the following line in ``/etc/postgresql/<version>/main/postgresql.conf``::
+
+    listen_addresses = 'localhost,172.17.0.1'
+
+You also need to add a new line to ``/etc/postgresql/<version>/main/pg_hba.conf`` to allow network connections to this user and database::
+
+    host    pretix          pretix          172.17.0.1/16           md5
+
+Restart PostgreSQL after you changed these files::
+
+    # systemctl restart postgresql
+
+If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.
+
+For MySQL, you can either also use network-based connections or mount the ``/var/run/mysqld/mysqld.sock`` socket into the docker container.
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 Redis
 -----
@@ -114,13 +127,16 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     datadir=/data
 
     [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; Replace postgresql with mysql for MySQL
+    backend=postgresql
     name=pretix
     user=pretix
+    ; Replace with the password you chose above
     password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; In most docker setups, 172.17.0.1 is the address of the docker host. Adjuts
+    ; this to wherever your database is running, e.g. the name of a linked container
+    ; or of a mounted MySQL socket.
+    host=172.17.0.1
 
     [mail]
     ; See config file documentation for more options
@@ -164,14 +180,15 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
         -v /var/pretix-data:/data \
         -v /etc/pretix:/etc/pretix \
         -v /var/run/redis:/var/run/redis \
-        -v /var/run/mysqld:/var/run/mysqld \
         pretix/standalone:stable all
     ExecStop=/usr/bin/docker stop %n
 
     [Install]
     WantedBy=multi-user.target
 
-You can leave the MySQL socket volume out if you're using PostgreSQL. You can now run the following commands
+When using MySQL and socket mounting, you'll need the additional flag ``-v /var/run/mysqld:/var/run/mysqld`` in the command.
+
+You can now run the following commands
 to enable and start the service::
 
     # systemctl daemon-reload

doc/admin/installation/index.rst

@@ -1,3 +1,5 @@
+.. _`installation`:
+
 Installation guide
 ==================
 

doc/admin/installation/manual_smallscale.rst

@@ -50,21 +50,23 @@ Database
 --------
 
 Having the database server installed, we still need a database and a database user. We can create these with any kind
-of database managing tool or directly on our database's shell, e.g. for MySQL::
+of database managing tool or directly on our database's shell. For PostgreSQL, we would do::
 
-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 Package dependencies
 --------------------
 
 To build and run pretix, you will need the following debian packages::
 
-    # apt-get install git build-essential python-dev python-virtualenv python3 python3-pip \
+    # apt-get install git build-essential python-dev python3-venv python3 python3-pip \
                       python3-dev libxml2-dev libxslt1-dev libffi-dev zlib1g-dev libssl-dev \
-                      gettext libpq-dev libmysqlclient-dev libjpeg-dev libopenjp2-7-dev
+                      gettext libpq-dev libmariadbclient-dev libjpeg-dev libopenjp2-7-dev
 
 Config file
 -----------
@@ -85,13 +87,18 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     datadir=/var/pretix/data
 
     [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; For MySQL, replace with "mysql"
+    backend=postgresql
     name=pretix
     user=pretix
-    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; For MySQL, enter the user password. For PostgreSQL on the same host,
+    ; we don't need one because we can use peer authentification if our
+    ; PostgreSQL user matches our unix user.
+    password=
+    ; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+    ; For a remote host, supply an IP address
+    ; For local postgres authentication, you can leave it empty
+    host=
 
     [mail]
     ; See config file documentation for more options
@@ -115,14 +122,14 @@ Now we will install pretix itself. The following steps are to be executed as the
 actually install pretix, we will create a virtual environment to isolate the python packages from your global
 python installation::
 
-    $ virtualenv -p python3 /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
     $ source /var/pretix/venv/bin/activate
     (venv)$ pip3 install -U pip setuptools wheel
 
-We now install pretix, its direct dependencies and gunicorn. Replace ``mysql`` with ``postgres`` in the following
-command if you're running PostgreSQL::
+We now install pretix, its direct dependencies and gunicorn. Replace ``postgres`` with ``mysql`` in the following
+command if you're running MySQL::
 
-    (venv)$ pip3 install "pretix[mysql]" gunicorn
+    (venv)$ pip3 install "pretix[postgres]" gunicorn
 
 Note that you need Python 3.5 or newer. You can find out your Python version using ``python -V``.
 
@@ -268,10 +275,10 @@ Updates
 .. warning:: While we try hard not to break things, **please perform a backup before every upgrade**.
 
 To upgrade to a new pretix release, pull the latest code changes and run the following commands (again, replace
-``mysql`` with ``postgres`` if necessary)::
+``postgres`` with ``mysql`` if necessary)::
 
     $ source /var/pretix/venv/bin/activate
-    (venv)$ pip3 install -U pretix[mysql] gunicorn
+    (venv)$ pip3 install -U pretix[postgres] gunicorn
     (venv)$ python -m pretix migrate
     (venv)$ python -m pretix rebuild
     (venv)$ python -m pretix updatestyles

doc/admin/scaling.rst

@@ -0,0 +1,236 @@
+.. _`scaling`:
+
+Scaling guide
+=============
+
+Our :ref:`installation guide <installation>` only covers "small-scale" setups, by which we mostly mean
+setups that run on a **single (virtual) machine** and do not encounter large traffic peaks.
+
+We do not offer an installation guide for larger-scale setups of pretix, mostly because we believe that
+there is no one-size-fits-all solution for this and the desired setup highly depends on your use case,
+the platform you run pretix on, and your technical capabilities. We do not recommend trying set up pretix
+in a multi-server environment if you do not already have experience with managing server clusters.
+
+This document is intended to give you a general idea on what issues you will encounter when you scale up
+and what you should think of.
+
+.. tip::
+
+   If you require more help on this, we're happy to help. Our pretix Enterprise support team has built
+   and helped building, scaling and load-testing pretix installations at any scale and we're looking
+   forward to work with you on fine-tuning your system. If you intend to sell **more than a thousand
+   tickets in a very short amount of time**, we highly recommend reaching out and at least talking this
+   through. Just get in touch at sales@pretix.eu!
+
+Scaling reasons
+---------------
+
+There's mainly two reasons to scale up a pretix installation beyond a single server:
+
+* **Availability:** Distributing pretix over multiple servers can allow you to survive failure of one or more single machines, leading to a higher uptime and reliability of your system.
+
+* **Traffic and throughput:** Distributing pretix over multiple servers can allow you to process more web requests and ticket sales at the same time.
+
+You are very unlikely to require scaling for other reasons, such as having too much data in your database.
+
+Components
+----------
+
+A pretix installation usually consists of the following components which run performance-relevant processes:
+
+* ``pretix-web`` is the Django-based web application that serves all user interaction.
+
+* ``pretix-worker`` is a Celery-based application that processes tasks that should be run asynchronously outside of the web application process.
+
+* A **SQL database** keeps all the important data and processes the actual transactions. We recommend using PostgreSQL, but MySQL/MariaDB works as well.
+
+* A **web server** that terminates TLS and HTTP connections and forwards them to ``pretix-web``. In some cases, e.g. when serving static files, the web servers might return a response directly. We recommend using ``nginx``.
+
+* A **redis** server responsible for the communication between ``pretix-web`` and ``pretix-worker``, as well as for caching.
+
+* A directory of **media files** such as user-uploaded files or generated files (tickets, invoices, …) that are created and used by ``pretix-web``, ``pretix-worker`` and the web server.
+
+In the following, we will discuss the scaling behavior of every component individually. In general, you can run all of the components
+on the same server, but you can just as well distribute every component to its own server, or even use multiple servers for some single
+components.
+
+.. warning::
+
+   When setting up your system, don't forget about security. In a multi-server environment,
+   you need to take special care to ensure that no unauthorized access to your database
+   is possible through the network and that it's not easy to wiretap your connections. We
+   recommend a rigorous use of firewalls and encryption on all communications. You can
+   ensure this either on an application level (such as using the TLS support in your
+   database) or on a network level with a VPN solution.
+
+Web server
+""""""""""
+
+Your web server is at the very front of your installation. It will need to absorb all of the traffic, and it should be able to
+at least show a decent error message, even when everything else fails. Luckily, web servers are really fast these days, so this
+can be achieved without too much work.
+
+We recommend reading up on tuning your web server for high concurrency. For nginx, this means thinking about the number of worker
+processes and the number of connections each worker process accepts. Double-check that TLS session caching works, because TLS
+handshakes can get really expensive.
+
+During a traffic peak, your web server will be able to make us of more CPU resources, while memory usage will stay comparatively low,
+so if you invest in more hardware here, invest in more and faster CPU cores.
+
+Make sure that pretix' static files (such as CSS and JavaScript assets) as well as user-uploaded media files (event logos, etc)
+are served directly by your web server and your web server caches them in-memory (nginx does it by default) and sets useful
+headers for client-side caching. As an additional performance improvement, you can turn of access logging for these types of files.
+If you want, you can even farm out serving static files to a different web server entirely and :ref:`configure pretix to reference
+them from a different URL <config-urls>`.
+
+.. tip::
+
+   If you expect *really high traffic* for your very popular event, you might want to do some rate limiting on this layer, or,
+   if you want to ensure a fair and robust first-come-first-served experience and prefer letting users wait over showing them
+   errors, consider a queuing solution. We're happy to provide you with such systems, just get in touch at sales@pretix.eu.
+
+pretix-web
+""""""""""
+
+The ``pretix-web`` process does not carry any internal state can be easily started on as many machines as you like, and you can
+use the load balancing features of your frontend web server to redirect to all of them.
+
+You can adjust the number of processes in the ``gunicorn`` command line, and we recommend choosing roughly two times the number
+of CPU cores available. Under load, the memory consumption of ``pretix-web`` will stay comparatively constant, while the CPU usage
+will increase a lot. Therefore, if you can add more or faster CPU cores, you will be able to serve more users.
+
+pretix-worker
+"""""""""""""
+
+The ``pretix-worker`` process performs all operations that are not directly executed in the request-response-cycle of ``pretix-web``.
+Just like ``pretix-web`` you can easily start up as many instances as you want on different machines to share the work. As long as they
+all talk to the same redis server, they will all receive tasks from ``pretix-web``, work on them and post their result back.
+You can configure the number of threads that run tasks in parallel through the ``--concurrency`` command line option of ``celery``.
+
+Just like ``pretix-web``, this process is mostly heavy on CPU, disk IO and network IO, although memory peaks can occur e.g. during the
+generation of large PDF files, so we recommend having some reserves here.
+
+``pretix-worker`` performs a variety of tasks which are of different importance.
+Some of them are mission-critical and need to be run quickly even during high load (such as
+creating a cart or an order), others are irrelevant and can easily run later (such as
+distributing tickets on the waiting list). You can fine-tune the capacity you assign to each
+of these tasks by running ``pretix-worker`` processes that only work on a specific **queue**.
+For example, you could have three servers dedicated only to process order creations and one
+server dedicated only to sending emails. This allows you to set priorities and also protects
+you from e.g. a slow email server lowering your ticket throughput.
+
+You can do so by specifying one or more queues on the ``celery`` command line of this process, such as ``celery -A pretix.celery_app worker -Q notifications,mail``. Currently,
+the following queues exist:
+
+* ``checkout`` -- This queue handles everything related to carts and orders and thereby everything required to process a sale. This includes adding and deleting items from carts as well as creating and canceling orders.
+
+* ``mail`` -- This queue handles sending of outgoing emails.
+
+* ``notifications`` -- This queue handles the processing of any outgoing notifications, such as email notifications to admin users (except for the actual sending) or API notifications to registered webhooks.
+
+* ``background`` -- This queue handles tasks that are expected to take long or have no human waiting for their result immediately, such as refreshing caches, re-generating CSS files, assigning tickets on the waiting list or parsing bank data files.
+
+* ``default`` -- This queue handles everything else with "medium" or unassigned priority, most prominently the generation of files for tickets, invoices, badges, admin exports, etc.
+
+Media files
+"""""""""""
+
+Both ``pretix-web``, ``pretix-worker`` and in some cases your webserver need to work with
+media files. Media files are all files generated *at runtime* by the software. This can
+include files uploaded by the event organizers, such as the event logo, files uploaded by
+ticket buyers (if you use such features) or files generated by the software, such as
+ticket files, invoice PDFs, data exports or customized CSS files.
+
+Those files are by default stored to the ``media/`` sub-folder of the data directory given
+in the ``pretix.cfg`` configuration file. Inside that ``media/`` folder, you will find a
+``pub/`` folder containing the subset of files that should be publicly accessible through
+the web server. Everything else only needs to be accessible by ``pretix-web`` and
+``pretix-worker`` themselves.
+
+If you distribute ``pretix-web`` or ``pretix-worker`` across more than one machine, you
+**must** make sure that they all have access to a shared storage to read and write these
+files, otherwise you **will** run into errors with the user interface.
+
+The easiest solution for this is probably to store them on a NFS server that you mount
+on each of the other servers.
+
+Since we use Django's file storage mechanism internally, you can in theory also use a object-storage solution like Amazon S3, Ceph, or Minio to store these files, although we currently do not expose this through pretix' configuration file and this would require you to ship your own variant of ``pretix/settings.py`` and reference it through the ``DJANGO_SETTINGS_MODULE`` environment variable.
+
+At pretix.eu, we use a custom-built `object storage cluster`_.
+
+SQL database
+""""""""""""
+
+One of the most critical parts of the whole setup is the SQL database -- and certainly the
+hardest to scale. Tuning relational databases is an art form, and while there's lots of
+material on it on the internet, there's not a single recipe that you can apply to every case.
+
+As a general rule of thumb, the more resources you can give your databases, the better.
+Most databases will happily use all CPU cores available, but only use memory up to an amount
+you configure, so make sure to set this memory usage as high as you can afford. Having more
+memory available allows your database to make more use of caching, which is usually good.
+
+Scaling your database to multiple machines needs to be treated with great caution. It's a
+good to have a replica of your database for availability reasons. In case your primary
+database server fails, you can easily switch over to the replica and continue working.
+
+However, using database replicas for performance gains is much more complicated. When using
+replicated database systems, you are always trading in consistency or availability to get
+additional performance and the consequences of this can be subtle and it is important
+that you have a deep understanding of the semantics of your replication mechanism.
+
+.. warning::
+
+   Using an off-the-shelf database proxy solution that redirects read queries to your
+   replicas and write queries to your primary database **will lead to very nasty bugs.**
+
+   As an example, if you buy a ticket, pretix first needs to calculate how many tickets
+   are left to sell. If this calculation is done on a database replica that lags behind
+   even for fractions of a second, the decision to allow selling the ticket will be made
+   on out-of-data data and you can end up with more tickets sold than configured. Similarly,
+   you could imagine situations leading to double payments etc.
+
+If you do have a replica, you *can* tell pretix about it :ref:`in your configuration <config-replica>`.
+This way, pretix can offload complex read-only queries to the replica when it is safe to do so.
+As of pretix 2.6, this is mainly used for search queries in the backend and therefore does not really accelerate sales throughput, but we plan on expanding this in the future.
+
+Therefore, for now our clear recommendation is: Try to scale your database vertically and put
+it on the most powerful machine you have available.
+
+redis
+"""""
+
+While redis is a very important part that glues together some of the components, it isn't used
+heavily and can usually handle a fairly large pretix installation easily on a single modern
+CPU core.
+Having some memory available is good in case of e.g. lots of tasks queuing up during a traffic peak, but we wouldn't expect ever needing more than a gigabyte of it.
+
+Feel free to set up a redis cluster for availability – but you won't need it for performance in a long time.
+
+The locking issue
+-----------------
+
+Currently, there is one big issue with scaling pretix. We take the reliability and correctness
+of pretix' core features very seriously and one part of this is that we want to make absolutely
+sure that pretix never sells the wrong number of tickets or tickets it otherwise shouldn't sell.
+
+However, due to pretix flexibility and complexity, ensuring this in a high-concurrency environment is really hard.
+We're not just counting down integers, since quota availability in pretix depends on a multitude of factors and requires a handful of complex database queries to calculate.
+We can't rely on database-level locking alone to get this right.
+
+Therefore, we currently use a very drastic option:
+During relevant actions that typically occur with high concurrency, such as creating carts and completing orders, we create a system-wide lock for the event and all other such
+actions need to wait. In essence, this means **for a given event we're only ever selling
+one ticket at a time**.
+
+Therefore, it is currently very unlikely that you will be able to exceed **300-400 tickets per minute per event**.
+
+For events up to a few thousand tickets, this isn't a problem and it's not even desirable to be able to sell much faster: If all tickets are reserved in the first minute, the shop shows a big "sold out" and everyone else goes away. Fifteen to thirty minutes later, depending on your settings, the first shopping carts will expire because people didn't actually go through with the purchase and tickets will become available again. This leads to a much more frustrating shopping experience for those trying to get a ticket than if tickets are sold at a slower pace and the first reservations expire before the last reservations are made. Not selling tickets through quickly (e.g. through a queue system) can do a lot to smooth out this process.
+
+That said, we still want to fix this of course and make it possible to achieve much higher
+throughput rates. We have some plans on how to soften this limitation, but they require
+lots of time and effort to be realized. If you want to use pretix for an event with
+10,000+ tickets that will be sold out within minutes, get in touch, we will make it work ;)
+
+
+.. _object storage cluster: https://behind.pretix.eu/2018/03/20/high-available-cdn/

doc/api/fundamentals.rst

@@ -181,4 +181,37 @@ as the string values ``true`` and ``false``.
 If the ``ordering`` parameter is documented for a resource, you can use it to sort the result set by one of the allowed
 fields. Prepend a ``-`` to the field name to reverse the sort order.
 
+
+Idempotency
+-----------
+
+Our API supports an idempotency mechanism to make sure you can safely retry operations without accidentally performing
+them twice. This is useful if an API call experiences interruptions in transit, e.g. due to a network failure, and you
+do not know if it completed successfully.
+
+To perform an idempotent request, add a ``X-Idempotency-Key`` header with a random string value (we recommend a version
+4 UUID) to your request. If we see a second request with the same ``X-Idempotency-Key`` and the same ``Authorization``
+and ``Cookie`` headers, we will not perform the action for a second time but return the exact same response instead.
+
+Please note that this also goes for most error responses. For example, if we returned you a ``403 Permission Denied``
+error and you retry with the same ``X-Idempotency-Key``, you will get the same error again, even if you were granted
+permission in the meantime! This includes internal server errors on our side that might have been fixed in the meantime.
+
+There are only three exceptions to the rule:
+
+* Responses with status code ``409 Conflict`` are not cached. If you send the request again, it will be executed as a
+  new request, since these responses are intended to be retried.
+
+* Rate-limited responses with status code ``429 Too Many Requests`` are not cached and you can safely retry them.
+
+* Responses with status code ``503 Service Unavailable`` are not cached and you can safely retry them.
+
+If you send a request with an ``X-Idempotency-Key`` header that we have seen before but that has not yet received a
+response, you will receive a response with status code ``409 Conflict`` and are asked to retry after five seconds.
+
+We store idempotency keys for 24 hours, so you should never retry a request after a longer time period.
+
+All ``POST``, ``PUT``, ``PATCH``, or ``DELETE`` api calls support idempotency keys. Adding an idempotency key to a
+``GET``, ``HEAD``, or ``OPTIONS`` request has no effect.
+
 .. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax

doc/api/resources/categories.rst

@@ -20,7 +20,7 @@ internal_name                         string                     An optional nam
 description                           multi-lingual string       A public description (might include markdown, can
                                                                  be ``null``)
 position                              integer                    An integer, used for sorting the categories
-is_addon                              boolean                    If ``True``, items within this category are not on sale
+is_addon                              boolean                    If ``true``, items within this category are not on sale
                                                                  on their own but the category provides a source for
                                                                  defining add-ons for other products.
 ===================================== ========================== =======================================================

doc/api/resources/checkinlists.rst

@@ -156,14 +156,14 @@ Endpoints
         "checkin_count": 17,
         "position_count": 42,
         "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference"
         },
         "items": [
           {
             "name": "T-Shirt",
             "id": 1,
             "checkin_count": 1,
-            "admission": False,
+            "admission": false,
             "position_count": 1,
             "variations": [
               {
@@ -184,7 +184,7 @@ Endpoints
             "name": "Ticket",
             "id": 2,
             "checkin_count": 15,
-            "admission": True,
+            "admission": true,
             "position_count": 22,
             "variations": []
           }
@@ -336,11 +336,24 @@ Order position endpoints
 
    The order positions endpoint has been extended by the filter queries ``voucher`` and ``voucher__code``.
 
+.. versionchanged:: 2.7
+
+   The resource now contains the new attributes ``require_attention`` and ``order__status`` and accepts the new
+   ``ignore_status`` filter. The ``attendee_name`` field is now "smart" (see below) and the redemption endpoint
+   returns ``400`` instead of ``404`` on tickets which are known but not paid.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/
 
    Returns a list of all order positions within a given event. The result is the same as
-   the :ref:`order-position-resource`, with one important difference: the ``checkins`` value will only include
-   check-ins for the selected list.
+   the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.
 
    **Example request**:
 
@@ -407,6 +420,8 @@ Order position endpoints
       }
 
    :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ignore_status: If set to ``true``, results will be returned regardless of the state of
+                                 the order they belong to and you will need to do your own filtering by order status.
    :query string ordering: Manually set the ordering of results. Valid fields to be used are ``order__code``,
                            ``order__datetime``, ``positionid``, ``attendee_name``, ``last_checked_in`` and ``order__email``. Default:
                            ``attendee_name,positionid``
@@ -442,8 +457,15 @@ Order position endpoints
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)/
 
    Returns information on one order position, identified by its internal ID.
-   The result format is the same as the :ref:`order-position-resource`, with one important difference: the
-   ``checkins`` value will only include check-ins for the selected list.
+   The result is the same as the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.
 
    **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**
 
@@ -528,7 +550,8 @@ Order position endpoints
    :<json boolean force: Specifies that the check-in should succeed regardless of previous check-ins or required
                          questions that have not been filled. Defaults to ``false``.
    :<json boolean ignore_unpaid: Specifies that the check-in should succeed even if the order is in pending state.
-                                 Defaults to ``false``.
+                                 Defaults to ``false`` and only works when ``include_pending`` is set on the check-in
+                                 list.
    :<json string nonce: You can set this parameter to a unique random value to identify this check-in. If you're sending
                         this request twice with the same nonce, the second request will also succeed but will always
                         create only one check-in object even when the previous request was successful as well. This

doc/api/resources/events.rst

@@ -25,7 +25,7 @@ is_public                             boolean                    If ``true``, th
 presale_start                         datetime                   The date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
-has_subevents                         boolean                    ``True`` if the event series feature is active for this
+has_subevents                         boolean                    ``true`` if the event series feature is active for this
                                                                  event. Cannot change after event is created.
 meta_data                             dict                       Values set for organizer-specific meta data parameters.
 plugins                               list                       A list of package names of the enabled plugins for this

doc/api/resources/invoices.rst

@@ -13,7 +13,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 number                                string                     Invoice number (with prefix)
 order                                 string                     Order code of the order this invoice belongs to
-is_cancellation                       boolean                    ``True``, if this invoice is the cancellation of a
+is_cancellation                       boolean                    ``true``, if this invoice is the cancellation of a
                                                                  different invoice.
 invoice_from                          string                     Sender address
 invoice_to                            string                     Receiver address

doc/api/resources/item_variations.rst

@@ -18,12 +18,18 @@ default_price                         money (string)             The price set d
 price                                 money (string)             The price used for this variation. This is either the
                                                                  same as ``default_price`` if that value is set or equal
                                                                  to the item's ``default_price`` (read-only).
-active                                boolean                    If ``False``, this variation will not be sold or shown.
+original_price                        money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+active                                boolean                    If ``false``, this variation will not be sold or shown.
 description                           multi-lingual string       A public description of the variation. May contain
                                                                  Markdown syntax or can be ``null``.
 position                              integer                    An integer, used for sorting
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added.
+
 .. versionchanged:: 1.12
 
    This resource has been added.
@@ -67,7 +73,8 @@ Endpoints
             },
             "position": 0,
             "default_price": "223.00",
-            "price": 223.0
+            "price": 223.0,
+            "original_price": null,
           },
           {
             "id": 3,
@@ -120,6 +127,7 @@ Endpoints
         },
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": true,
         "description": null,
         "position": 0
@@ -167,6 +175,7 @@ Endpoints
         "value": {"en": "Student"},
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": true,
         "description": null,
         "position": 0
@@ -216,6 +225,7 @@ Endpoints
         "value": {"en": "Student"},
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": false,
         "description": null,
         "position": 1

doc/api/resources/items.rst

@@ -21,18 +21,19 @@ default_price                         money (string)             The item price
                                                                  overwritten by variations or other options.
 category                              integer                    The ID of the category this item belongs to
                                                                  (or ``null``).
-active                                boolean                    If ``False``, the item is hidden from all public lists
+active                                boolean                    If ``false``, the item is hidden from all public lists
                                                                  and will not be sold.
 description                           multi-lingual string       A public description of the item. May contain Markdown
                                                                  syntax or can be ``null``.
-free_price                            boolean                    If ``True``, customers can change the price at which
+free_price                            boolean                    If ``true``, customers can change the price at which
                                                                  they buy the product (however, the price can't be set
                                                                  lower than the price defined by ``default_price`` or
                                                                  otherwise).
-tax_rate                              decimal (string)           The VAT rate to be applied for this item.
+tax_rate                              decimal (string)           The VAT rate to be applied for this item (read-only,
+                                                                 set through ``tax_rule``).
 tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
-admission                             boolean                    ``True`` for items that grant admission to the event
-                                                                 (such as primary tickets) and ``False`` for others
+admission                             boolean                    ``true`` for items that grant admission to the event
+                                                                 (such as primary tickets) and ``false`` for others
                                                                  (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
@@ -43,12 +44,12 @@ available_from                        datetime                   The first date
                                                                  (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
                                                                  (or ``null``).
-require_voucher                       boolean                    If ``True``, this item can only be bought using a
+require_voucher                       boolean                    If ``true``, this item can only be bought using a
                                                                  voucher that is specifically assigned to this item.
-hide_without_voucher                  boolean                    If ``True``, this item is only shown during the voucher
+hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
                                                                  redemption process, but not in the normal shop
                                                                  frontend.
-allow_cancel                          boolean                    If ``False``, customers cannot cancel orders containing
+allow_cancel                          boolean                    If ``false``, customers cannot cancel orders containing
                                                                  this item.
 min_per_order                         integer                    This product can only be bought if it is included at
                                                                  least this many times in the order (or ``null`` for no
@@ -56,17 +57,17 @@ min_per_order                         integer                    This product ca
 max_per_order                         integer                    This product can only be bought if it is included at
                                                                  most this many times in the order (or ``null`` for no
                                                                  limitation).
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                  that this ticket requires special attention if such
                                                                  a product is being scanned.
 original_price                        money (string)             An original price, shown for comparison, not used
                                                                  for price calculations (or ``null``).
-require_approval                      boolean                    If ``True``, orders with this product will need to be
+require_approval                      boolean                    If ``true``, orders with this product will need to be
                                                                  approved by the event organizer before they can be
                                                                  paid.
-require_bundling                      boolean                    If ``True``, this item is only available as part of bundles.
-generate_tickets                      boolean                    If ``False``, tickets are never generated for this
-                                                                 product, regardless of other settings. If ``True``,
+require_bundling                      boolean                    If ``true``, this item is only available as part of bundles.
+generate_tickets                      boolean                    If ``false``, tickets are never generated for this
+                                                                 product, regardless of other settings. If ``true``,
                                                                  tickets are generated even if this is a
                                                                  non-admission or add-on product, regardless of event
                                                                  settings. If this is ``null``, regular ticketing
@@ -81,7 +82,9 @@ variations                            list of objects            A list with one
 ├ price                               money (string)             The price used for this variation. This is either the
                                                                  same as ``default_price`` if that value is set or equal
                                                                  to the item's ``default_price``.
-├ active                              boolean                    If ``False``, this variation will not be sold or shown.
+├ original_price                      money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+├ active                              boolean                    If ``false``, this variation will not be sold or shown.
 ├ description                         multi-lingual string       A public description of the variation. May contain
                                                                  Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
@@ -105,6 +108,10 @@ bundles                               list of objects            Definition of b
                                                                  taxation. This is not added to the price.
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added for ``variations``.
+
 .. versionchanged:: 1.7
 
    The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
@@ -207,6 +214,7 @@ Endpoints
                  "value": {"en": "Student"},
                  "default_price": "10.00",
                  "price": "10.00",
+                 "original_price": null,
                  "active": true,
                  "description": null,
                  "position": 0
@@ -215,6 +223,7 @@ Endpoints
                  "value": {"en": "Regular"},
                  "default_price": null,
                  "price": "23.00",
+                 "original_price": null,
                  "active": true,
                  "description": null,
                  "position": 1
@@ -296,6 +305,7 @@ Endpoints
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -304,6 +314,7 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
@@ -365,6 +376,7 @@ Endpoints
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -373,6 +385,7 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
@@ -423,6 +436,7 @@ Endpoints
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -431,6 +445,7 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
@@ -512,6 +527,7 @@ Endpoints
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -520,6 +536,7 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1

doc/api/resources/orders.rst

@@ -26,7 +26,7 @@ status                                string                     Order status, o
                                                                  * ``p`` – paid
                                                                  * ``e`` – expired
                                                                  * ``c`` – canceled
-testmode                              boolean                    If ``True``, this order was created when the event was in
+testmode                              boolean                    If ``true``, this order was created when the event was in
                                                                  test mode. Only orders in test mode can be deleted.
 secret                                string                     The secret contained in the link sent to the customer
 email                                 string                     The customer email address
@@ -39,13 +39,13 @@ payment_date                          date                       **DEPRECATED AN
 payment_provider                      string                     **DEPRECATED AND INACCURATE** Payment provider used for this order
 total                                 money (string)             Total value of this order
 comment                               string                     Internal comment on this order
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                  that this ticket requires special attention if a ticket
                                                                  of this order is scanned.
 invoice_address                       object                     Invoice address information (can be ``null``)
 ├ last_modified                       datetime                   Last modification date of the address
 ├ company                             string                     Customer company name
-├ is_business                         boolean                    Business or individual customers (always ``False``
+├ is_business                         boolean                    Business or individual customers (always ``false``
                                                                  for orders created before pretix 1.7, do not rely on
                                                                  it).
 ├ name                                string                     Customer name
@@ -56,7 +56,7 @@ invoice_address                       object                     Invoice address
 ├ country                             string                     Customer country
 ├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
 ├ vat_id                              string                     Customer VAT ID
-└ vat_id_validated                    string                     ``True``, if the VAT ID has been validated against the
+└ vat_id_validated                    string                     ``true``, if the VAT ID has been validated against the
                                                                  EU VAT service and validation was successful. This only
                                                                  happens in rare cases.
 positions                             list of objects            List of non-canceled order positions (see below)
@@ -78,9 +78,9 @@ downloads                             list of objects            List of ticket
                                                                  download options.
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
 └ url                                 string                     Download URL
-require_approval                      boolean                    If ``True`` and the order is pending, this order
+require_approval                      boolean                    If ``true`` and the order is pending, this order
                                                                  needs approval by an organizer before it can
-                                                                 continue. If ``True`` and the order is canceled,
+                                                                 continue. If ``true`` and the order is canceled,
                                                                  this order has been denied by the event organizer.
 payments                              list of objects            List of payment processes (see below)
 refunds                               list of objects            List of refund processes (see below)
@@ -295,7 +295,7 @@ List of all orders
             "require_approval": false,
             "invoice_address": {
                 "last_modified": "2017-12-01T10:00:00Z",
-                "is_business": True,
+                "is_business": true,
                 "company": "Sample company",
                 "name": "John Doe",
                 "name_parts": {"full_name": "John Doe"},
@@ -305,7 +305,7 @@ List of all orders
                 "country": "Testikistan",
                 "internal_reference": "",
                 "vat_id": "EU123456789",
-                "vat_id_validated": False
+                "vat_id_validated": false
             },
             "positions": [
               {
@@ -373,8 +373,8 @@ List of all orders
       }
 
    :query integer page: The page number in case of a multi-page result set, default is 1
-   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code`` and
-                           ``status``. Default: ``datetime``
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code``,
+                           ``last_modified``, and ``status``. Default: ``datetime``
    :query string code: Only return orders that match the given order code
    :query string status: Only return orders in the given order status (see above)
    :query boolean testmode: Only return orders with ``testmode`` set to ``true`` or ``false``
@@ -385,6 +385,7 @@ List of all orders
    :query datetime modified_since: Only return orders that have changed since the given date. Be careful: We only
        recommend using this in combination with ``testmode=false``, since test mode orders can vanish at any time and
        you will not notice it using this method.
+   :query datetime created_since: Only return orders that have been created since the given date.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
@@ -437,7 +438,7 @@ Fetching individual orders
         "invoice_address": {
             "last_modified": "2017-12-01T10:00:00Z",
             "company": "Sample company",
-            "is_business": True,
+            "is_business": true,
             "name": "John Doe",
             "name_parts": {"full_name": "John Doe"},
             "street": "Test street 12",
@@ -446,7 +447,7 @@ Fetching individual orders
             "country": "Testikistan",
             "internal_reference": "",
             "vat_id": "EU123456789",
-            "vat_id_validated": False
+            "vat_id_validated": false
         },
         "positions": [
           {
@@ -593,7 +594,7 @@ Updating order fields
         "email": "other@example.org",
         "locale": "de",
         "comment": "Foo",
-        "checkin_attention": True
+        "checkin_attention": true
       }
 
    **Example response**:
@@ -749,6 +750,7 @@ Creating orders
      should only use this if you know the specific payment provider in detail. Please keep in mind that the payment
      provider will not be called to do anything about this (i.e. if you pass a bank account to a debit provider, *no*
      charge will be created), this is just informative in case you *handled the payment already*.
+   * ``payment_date`` (optional) – Date and time of the completion of the payment.
    * ``comment`` (optional)
    * ``checkin_attention`` (optional)
    * ``invoice_address`` (optional)
@@ -788,6 +790,8 @@ Creating orders
       * ``internal_type``
       * ``tax_rule``
 
+   * ``force`` (optional). If set to ``true``, quotas will be ignored.
+
    If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
    to incrementing integers starting with ``1``. Then, you can reference one of these
    IDs in the ``addon_to`` field of another position. Note that all add_ons for a specific position need to come
@@ -817,7 +821,7 @@ Creating orders
         ],
         "payment_provider": "banktransfer",
         "invoice_address": {
-          "is_business": False,
+          "is_business": false,
           "company": "Sample company",
           "name_parts": {"full_name": "John Doe"},
           "street": "Sesam Street 12",

doc/api/resources/questions.rst

@@ -30,12 +30,12 @@ type                                  string                     The expected ty
                                                                  * ``D`` – date
                                                                  * ``H`` – time
                                                                  * ``W`` – date and time
-required                              boolean                    If ``True``, the question needs to be filled out.
+required                              boolean                    If ``true``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                  other sources.
-ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
+ask_during_checkin                    boolean                    If ``true``, this question will not be asked while
                                                                  buying the ticket, but will show up when redeeming
                                                                  the ticket instead.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
@@ -53,7 +53,7 @@ dependency_question                   integer                    Internal ID of
                                                                  ``ask_during_checkin``.
 dependency_value                      string                     The value ``dependency_question`` needs to be set to.
                                                                  If ``dependency_question`` is set to a boolean
-                                                                 question, this should be ``"True"`` or ``"False"``.
+                                                                 question, this should be ``"true"`` or ``"false"``.
                                                                  Otherwise, it should be the ``identifier`` of a
                                                                  question option.
 ===================================== ========================== =======================================================

doc/api/resources/subevents.rst

@@ -20,6 +20,8 @@ name                                  multi-lingual string       The sub-event's
 event                                 string                     The slug of the parent event
 active                                boolean                    If ``true``, the sub-event ticket shop is publicly
                                                                  available.
+is_public                             boolean                    If ``true``, the sub-event ticket shop is publicly
+                                                                 shown in lists.
 date_from                             datetime                   The sub-event's start date
 date_to                               datetime                   The sub-event's end date (or ``null``)
 date_admission                        datetime                   The sub-event's admission date (or ``null``)
@@ -48,6 +50,10 @@ meta_data                             dict                       Values set for
 .. versionchanged:: 2.6
    The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
 
+.. versionchanged:: 2.7
+
+   The attribute ``is_public`` has been added.
+
 Endpoints
 ---------
 
@@ -81,6 +87,7 @@ Endpoints
             "name": {"en": "First Sample Conference"},
             "event": "sampleconf",
             "active": false,
+            "is_public": true,
             "date_from": "2017-12-27T10:00:00Z",
             "date_to": null,
             "date_admission": null,
@@ -128,6 +135,7 @@ Endpoints
       {
         "name": {"en": "First Sample Conference"},
         "active": false,
+        "is_public": true,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
         "date_admission": null,
@@ -157,6 +165,7 @@ Endpoints
         "id": 1,
         "name": {"en": "First Sample Conference"},
         "active": false,
+        "is_public": true,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
         "date_admission": null,
@@ -207,6 +216,7 @@ Endpoints
         "name": {"en": "First Sample Conference"},
         "event": "sampleconf",
         "active": false,
+        "is_public": true,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
         "date_admission": null,
@@ -270,6 +280,7 @@ Endpoints
         "name": {"en": "New Subevent Name"},
         "event": "sampleconf",
         "active": false,
+        "is_public": true,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
         "date_admission": null,
@@ -353,6 +364,7 @@ Endpoints
             "name": {"en": "First Sample Conference"},
             "event": "sampleconf",
             "active": false,
+            "is_public": true,
             "date_from": "2017-12-27T10:00:00Z",
             "date_to": null,
             "date_admission": null,

doc/api/resources/vouchers.rst

@@ -18,8 +18,8 @@ max_usages                            integer                    The maximum num
 redeemed                              integer                    The number of times this voucher already has been
                                                                  redeemed.
 valid_until                           datetime                   The voucher expiration date (or ``null``).
-block_quota                           boolean                    If ``True``, quota is blocked for this voucher.
-allow_ignore_quota                    boolean                    If ``True``, this voucher can be redeemed even if a
+block_quota                           boolean                    If ``true``, quota is blocked for this voucher.
+allow_ignore_quota                    boolean                    If ``true``, this voucher can be redeemed even if a
                                                                  product is sold out and even if quota is not blocked
                                                                  for this voucher.
 price_mode                            string                     Determines how this voucher affects product prices.

doc/api/resources/webhooks.rst

@@ -17,11 +17,11 @@ The webhook resource contains the following public fields:
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the webhook
-enabled                               boolean                    If ``False``, this webhook will not receive any notifications
+enabled                               boolean                    If ``false``, this webhook will not receive any notifications
 target_url                            string                     The URL to call
-all_events                            boolean                    If ``True``, this webhook will receive notifications
+all_events                            boolean                    If ``true``, this webhook will receive notifications
                                                                  on all events of this organizer
-limit_events                          list of strings            If ``all_events`` is ``False``, this is a list of
+limit_events                          list of strings            If ``all_events`` is ``false``, this is a list of
                                                                  event slugs this webhook is active for
 action_types                          list of strings            A list of action type filters that limit the
                                                                  notifications sent to this webhook. See below for

doc/development/api/general.rst

@@ -20,13 +20,13 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 
 .. automodule:: pretix.base.signals
-   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_fee_type_name, allow_ticket_download
+   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_canceled, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download
 
 Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble
 
 
 .. automodule:: pretix.presale.signals

doc/plugins/pretixdroid.rst

@@ -316,7 +316,7 @@ uses to communicate with the pretix server.
         "total": 42,
         "version": 3,
         "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference",
           "slug": "democon",
           "date_from": "2016-12-27T17:00:00Z",
           "date_to": "2016-12-30T18:00:00Z",

doc/spelling_wordlist.txt

@@ -15,6 +15,7 @@ boolean
 booleans
 cancelled
 casted
+Ceph
 checkbox
 checksum
 config
@@ -53,6 +54,7 @@ linters
 memcached
 metadata
 middleware
+Minio
 mixin
 mixins
 multi
@@ -95,6 +97,7 @@ renderers
 reportlab
 SaaS
 screenshot
+scss
 searchable
 selectable
 serializers
@@ -110,6 +113,7 @@ subdomains
 subevent
 subevents
 submodule
+subnet
 subpath
 Symfony
 systemd
@@ -122,6 +126,7 @@ unconfigured
 unix
 unprefixed
 untrusted
+uptime
 username
 url
 versa

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "2.6.0.dev0"
+__version__ = "2.6.0"

src/pretix/api/auth/device.py

@@ -19,7 +19,7 @@ class DeviceTokenAuthentication(TokenAuthentication):
         if not device.initialized:
             raise exceptions.AuthenticationFailed('Device has not been initialized.')
 
-        if not device.api_token:
+        if device.revoked:
             raise exceptions.AuthenticationFailed('Device access has been revoked.')
 
         return AnonymousUser(), device

src/pretix/api/auth/permission.py

@@ -1,7 +1,8 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.api.models import OAuthAccessToken
-from pretix.base.models import Device, Event
+from pretix.base.models import Device, Event, User
+from pretix.base.models.auth import SuperuserPermissionSet
 from pretix.base.models.organizer import Organizer, TeamAPIToken
 from pretix.helpers.security import (
     SessionInvalid, SessionReauthRequired, assert_session_valid,
@@ -37,10 +38,13 @@ class EventPermission(BasePermission):
                 slug=request.resolver_match.kwargs['event'],
                 organizer__slug=request.resolver_match.kwargs['organizer'],
             ).select_related('organizer').first()
-            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event):
+            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event, request=request):
                 return False
             request.organizer = request.event.organizer
-            request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.eventpermset = SuperuserPermissionSet()
+            else:
+                request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
 
             if required_permission and required_permission not in request.eventpermset:
                 return False
@@ -49,9 +53,12 @@ class EventPermission(BasePermission):
             request.organizer = Organizer.objects.filter(
                 slug=request.resolver_match.kwargs['organizer'],
             ).first()
-            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer):
+            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
                 return False
-            request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.orgapermset = SuperuserPermissionSet()
+            else:
+                request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
 
             if required_permission and required_permission not in request.orgapermset:
                 return False

src/pretix/api/middleware.py

@@ -0,0 +1,91 @@
+import json
+from hashlib import sha1
+
+from django.conf import settings
+from django.db import transaction
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.utils.timezone import now
+from rest_framework import status
+
+from pretix.api.models import ApiCall
+
+
+class IdempotencyMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        if request.method in ('GET', 'HEAD', 'OPTIONS'):
+            return self.get_response(request)
+
+        if not request.path.startswith('/api/'):
+            return self.get_response(request)
+
+        if not request.headers.get('X-Idempotency-Key'):
+            return self.get_response(request)
+
+        auth_hash_parts = '{}:{}'.format(
+            request.headers.get('Authorization', ''),
+            request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
+        )
+        auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
+        idempotency_key = request.headers.get('X-Idempotency-Key', '')
+
+        with transaction.atomic():
+            call, created = ApiCall.objects.select_for_update().get_or_create(
+                auth_hash=auth_hash,
+                idempotency_key=idempotency_key,
+                defaults={
+                    'locked': now(),
+                    'request_method': request.method,
+                    'request_path': request.path,
+                    'response_code': 0,
+                    'response_headers': '{}',
+                    'response_body': b''
+                }
+            )
+
+        if created:
+            resp = self.get_response(request)
+            with transaction.atomic():
+                if resp.status_code in (409, 429, 503):
+                    # This is the exception: These calls are *meant* to be retried!
+                    call.delete()
+                else:
+                    call.response_code = resp.status_code
+                    if isinstance(resp.content, str):
+                        call.response_body = resp.content.encode()
+                    elif isinstance(resp.content, memoryview):
+                        call.response_body = resp.content.tobytes()
+                    elif isinstance(resp.content, bytes):
+                        call.response_body = resp.content
+                    elif hasattr(resp.content, 'read'):
+                        call.response_body = resp.read()
+                    elif hasattr(resp, 'data'):
+                        call.response_body = json.dumps(resp.data)
+                    else:
+                        call.response_body = repr(resp).encode()
+                    call.response_headers = json.dumps(resp._headers)
+                    call.locked = None
+                    call.save(update_fields=['locked', 'response_code', 'response_headers',
+                                             'response_body'])
+            return resp
+        else:
+            if call.locked:
+                r = JsonResponse(
+                    {'detail': 'Concurrent request with idempotency key.'},
+                    status=status.HTTP_409_CONFLICT,
+                )
+                r['Retry-After'] = 5
+                return r
+
+            content = call.response_body
+            if isinstance(content, memoryview):
+                content = content.tobytes()
+            r = HttpResponse(
+                content=content,
+                status=call.response_code,
+            )
+            for k, v in json.loads(call.response_headers).values():
+                r[k] = v
+            return r

src/pretix/api/migrations/0004_auto_20190405_1048.py

@@ -0,0 +1,44 @@
+# Generated by Django 2.1.5 on 2019-04-05 10:48
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixbase', '0116_auto_20190402_0722'),
+        ('pretixapi', '0003_webhook_webhookcall_webhookeventlistener'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApiCall',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('idempotency_key', models.CharField(db_index=True, max_length=190)),
+                ('auth_hash', models.CharField(db_index=True, max_length=190)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('locked', models.DateTimeField(null=True)),
+                ('request_method', models.CharField(max_length=20)),
+                ('request_path', models.CharField(max_length=255)),
+                ('response_code', models.PositiveIntegerField()),
+                ('response_headers', models.TextField()),
+                ('response_body', models.BinaryField()),
+            ],
+        ),
+        migrations.AlterModelOptions(
+            name='webhookcall',
+            options={'ordering': ('-datetime',)},
+        ),
+        migrations.AlterModelOptions(
+            name='webhookeventlistener',
+            options={'ordering': ('action_type',)},
+        ),
+        migrations.AlterUniqueTogether(
+            name='apicall',
+            unique_together={('idempotency_key', 'auth_hash')},
+        ),
+    ]

src/pretix/api/models.py

@@ -77,6 +77,9 @@ class WebHook(models.Model):
     all_events = models.BooleanField(default=True, verbose_name=_("All events (including newly created ones)"))
     limit_events = models.ManyToManyField('pretixbase.Event', verbose_name=_("Limit to events"), blank=True)
 
+    class Meta:
+        ordering = ('id',)
+
     @property
     def action_types(self):
         return [
@@ -106,3 +109,20 @@ class WebHookCall(models.Model):
 
     class Meta:
         ordering = ("-datetime",)
+
+
+class ApiCall(models.Model):
+    idempotency_key = models.CharField(max_length=190, db_index=True)
+    auth_hash = models.CharField(max_length=190, db_index=True)
+    created = models.DateTimeField(auto_now_add=True)
+    locked = models.DateTimeField(null=True)
+
+    request_method = models.CharField(max_length=20)
+    request_path = models.CharField(max_length=255)
+
+    response_code = models.PositiveIntegerField()
+    response_headers = models.TextField()
+    response_body = models.BinaryField()
+
+    class Meta:
+        unique_together = (('idempotency_key', 'auth_hash'),)

src/pretix/api/serializers/event.py

@@ -31,10 +31,10 @@ class PluginsField(Field):
     def to_representation(self, obj):
         from pretix.base.plugins import get_all_plugins
 
-        return {
+        return sorted([
             p.module for p in get_all_plugins()
             if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
-        }
+        ])
 
     def to_internal_value(self, data):
         return {
@@ -199,7 +199,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
     class Meta:
         model = SubEvent
         fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
-                  'presale_start', 'presale_end', 'location', 'event',
+                  'presale_start', 'presale_end', 'location', 'event', 'is_public',
                   'item_price_overrides', 'variation_price_overrides', 'meta_data')
 
     def validate(self, data):
@@ -212,8 +212,8 @@ class SubEventSerializer(I18nAwareModelSerializer):
         Event.clean_dates(data.get('date_from'), data.get('date_to'))
         Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
 
-        SubEvent.clean_items(event, [item['item'] for item in full_data.get('subeventitem_set')])
-        SubEvent.clean_variations(event, [item['variation'] for item in full_data.get('subeventitemvariation_set')])
+        SubEvent.clean_items(event, [item['item'] for item in full_data.get('subeventitem_set', [])])
+        SubEvent.clean_variations(event, [item['variation'] for item in full_data.get('subeventitemvariation_set', [])])
         return data
 
     def validate_item_price_overrides(self, data):

src/pretix/api/serializers/item.py

@@ -19,7 +19,7 @@ class InlineItemVariationSerializer(I18nAwareModelSerializer):
     class Meta:
         model = ItemVariation
         fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')
 
 
 class ItemVariationSerializer(I18nAwareModelSerializer):
@@ -29,7 +29,7 @@ class ItemVariationSerializer(I18nAwareModelSerializer):
     class Meta:
         model = ItemVariation
         fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')
 
 
 class InlineItemBundleSerializer(serializers.ModelSerializer):

src/pretix/api/serializers/order.py

@@ -14,8 +14,8 @@ from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
 from pretix.base.i18n import language
 from pretix.base.models import (
-    Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
-    Question, QuestionAnswer,
+    Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
+    OrderPosition, Question, QuestionAnswer, SubEvent,
 )
 from pretix.base.models.orders import (
     CartPosition, OrderFee, OrderPayment, OrderRefund,
@@ -179,6 +179,55 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
             self.fields.pop('pdf_data')
 
 
+class RequireAttentionField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        return instance.order.checkin_attention or instance.item.checkin_attention
+
+
+class AttendeeNameField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+        if not an:
+            try:
+                an = instance.order.invoice_address.name
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return an
+
+
+class AttendeeNamePartsField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        p = instance.attendee_name_parts
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+                p = instance.addon_to.attendee_name_parts
+        if not an:
+            try:
+                p = instance.order.invoice_address.name_parts
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return p
+
+
+class CheckinListOrderPositionSerializer(OrderPositionSerializer):
+    require_attention = RequireAttentionField(source='*')
+    attendee_name = AttendeeNameField(source='*')
+    attendee_name_parts = AttendeeNamePartsField(source='*')
+    order__status = serializers.SlugRelatedField(read_only=True, slug_field='status', source='order')
+
+    class Meta:
+        model = OrderPosition
+        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'require_attention',
+                  'order__status')
+
+
 class OrderPaymentTypeField(serializers.Field):
     # TODO: Remove after pretix 2.2
     def to_representation(self, instance: Order):
@@ -288,6 +337,23 @@ class OrderSerializer(I18nAwareModelSerializer):
         return instance
 
 
+class PriceCalcSerializer(serializers.Serializer):
+    item = serializers.PrimaryKeyRelatedField(queryset=Item.objects.none(), required=False, allow_null=True)
+    variation = serializers.PrimaryKeyRelatedField(queryset=ItemVariation.objects.none(), required=False, allow_null=True)
+    subevent = serializers.PrimaryKeyRelatedField(queryset=SubEvent.objects.none(), required=False, allow_null=True)
+    locale = serializers.CharField(allow_null=True, required=False)
+
+    def __init__(self, *args, **kwargs):
+        event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        self.fields['item'].queryset = event.items.all()
+        self.fields['variation'].queryset = ItemVariation.objects.filter(item__event=event)
+        if event.has_subevents:
+            self.fields['subevent'].queryset = event.subevents.all()
+        else:
+            del self.fields['subevent']
+
+
 class AnswerCreateSerializer(I18nAwareModelSerializer):
 
     class Meta:
@@ -457,11 +523,13 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
     payment_provider = serializers.CharField(required=True)
     payment_info = CompatibleJSONField(required=False)
     consume_carts = serializers.ListField(child=serializers.CharField(), required=False)
+    force = serializers.BooleanField(default=False, required=False)
+    payment_date = serializers.DateTimeField(required=False, allow_null=True)
 
     class Meta:
         model = Order
         fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
-                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts')
+                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts', 'force')
 
     def validate_payment_provider(self, pp):
         if pp not in self.context['event'].get_payment_providers():
@@ -532,6 +600,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         positions_data = validated_data.pop('positions') if 'positions' in validated_data else []
         payment_provider = validated_data.pop('payment_provider')
         payment_info = validated_data.pop('payment_info', '{}')
+        payment_date = validated_data.pop('payment_date', now())
+        force = validated_data.pop('force', False)
 
         if 'invoice_address' in validated_data:
             iadata = validated_data.pop('invoice_address')
@@ -565,29 +635,30 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
 
             errs = [{} for p in positions_data]
 
-            for i, pos_data in enumerate(positions_data):
-                new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
-                              if pos_data.get('variation')
-                              else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
-                if len(new_quotas) == 0:
-                    errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
-                        str(pos_data.get('item'))
-                    )]
-                else:
-                    for quota in new_quotas:
-                        if quota not in quota_avail_cache:
-                            quota_avail_cache[quota] = list(quota.availability())
+            if not force:
+                for i, pos_data in enumerate(positions_data):
+                    new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
+                                  if pos_data.get('variation')
+                                  else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
+                    if len(new_quotas) == 0:
+                        errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                            str(pos_data.get('item'))
+                        )]
+                    else:
+                        for quota in new_quotas:
+                            if quota not in quota_avail_cache:
+                                quota_avail_cache[quota] = list(quota.availability())
 
-                        if quota_avail_cache[quota][1] is not None:
-                            quota_avail_cache[quota][1] -= 1
-                            if quota_avail_cache[quota][1] < 0:
-                                errs[i]['item'] = [
-                                    ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
-                                        quota.name
-                                    )
-                                ]
+                            if quota_avail_cache[quota][1] is not None:
+                                quota_avail_cache[quota][1] -= 1
+                                if quota_avail_cache[quota][1] < 0:
+                                    errs[i]['item'] = [
+                                        ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                            quota.name
+                                        )
+                                    ]
 
-                quotadiff.update(new_quotas)
+                    quotadiff.update(new_quotas)
 
             if any(errs):
                 raise ValidationError({'positions': errs})
@@ -614,7 +685,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                     amount=order.total,
                     provider=payment_provider,
                     info=payment_info,
-                    payment_date=now(),
+                    payment_date=payment_date,
                     state=OrderPayment.PAYMENT_STATE_CONFIRMED
                 )
             elif payment_provider:

src/pretix/api/signals.py

@@ -3,7 +3,7 @@ from datetime import timedelta
 from django.dispatch import Signal, receiver
 from django.utils.timezone import now
 
-from pretix.api.models import WebHookCall
+from pretix.api.models import ApiCall, WebHookCall
 from pretix.base.signals import periodic_task
 
 register_webhook_events = Signal(
@@ -19,3 +19,8 @@ instances.
 @receiver(periodic_task)
 def cleanup_webhook_logs(sender, **kwargs):
     WebHookCall.objects.filter(datetime__lte=now() - timedelta(days=30)).delete()
+
+
+@receiver(periodic_task)
+def cleanup_api_logs(sender, **kwargs):
+    ApiCall.objects.filter(created__lte=now() - timedelta(hours=24)).delete()

src/pretix/api/views/__init__.py

@@ -31,10 +31,10 @@ class RichOrderingFilter(OrderingFilter):
 class ConditionalListView:
 
     def list(self, request, **kwargs):
-        if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE')
+        if_modified_since = request.headers.get('If-Modified-Since')
         if if_modified_since:
             if_modified_since = parse_http_date_safe(if_modified_since)
-        if_unmodified_since = request.META.get('HTTP_IF_UNMODIFIED_SINCE')
+        if_unmodified_since = request.headers.get('If-Unmodified-Since')
         if if_unmodified_since:
             if_unmodified_since = parse_http_date_safe(if_unmodified_since)
         if not hasattr(request, 'event'):

src/pretix/api/views/checkin.py

@@ -7,13 +7,13 @@ from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.fields import DateTimeField
 from rest_framework.response import Response
 
 from pretix.api.serializers.checkin import CheckinListSerializer
 from pretix.api.serializers.item import QuestionSerializer
-from pretix.api.serializers.order import OrderPositionSerializer
+from pretix.api.serializers.order import CheckinListOrderPositionSerializer
 from pretix.api.views import RichOrderingFilter
 from pretix.api.views.order import OrderPositionFilter
 from pretix.base.models import (
@@ -77,7 +77,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
         )
         super().perform_destroy(instance)
 
-    @detail_route(methods=['GET'])
+    @action(detail=True, methods=['GET'])
     def status(self, *args, **kwargs):
         clist = self.get_object()
         cqs = Checkin.objects.filter(
@@ -153,7 +153,7 @@ class CheckinOrderPositionFilter(OrderPositionFilter):
 
 
 class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
-    serializer_class = OrderPositionSerializer
+    serializer_class = CheckinListOrderPositionSerializer
     queryset = OrderPosition.objects.none()
     filter_backends = (DjangoFilterBackend, RichOrderingFilter)
     ordering = ('attendee_name_cached', 'positionid')
@@ -189,7 +189,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
         except ValueError:
             raise Http404()
 
-    def get_queryset(self):
+    def get_queryset(self, ignore_status=False):
         cqs = Checkin.objects.filter(
             position_id=OuterRef('pk'),
             list_id=self.checkinlist.pk
@@ -199,11 +199,15 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 
         qs = OrderPosition.objects.filter(
             order__event=self.request.event,
-            order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING] if self.checkinlist.include_pending else [Order.STATUS_PAID],
             subevent=self.checkinlist.subevent
         ).annotate(
             last_checked_in=Subquery(cqs)
         )
+
+        if self.request.query_params.get('ignore_status', 'false') != 'true' and not ignore_status:
+            qs = qs.filter(
+                order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING] if self.checkinlist.include_pending else [Order.STATUS_PAID]
+            )
         if self.request.query_params.get('pdf_data', 'false') == 'true':
             qs = qs.prefetch_related(
                 Prefetch(
@@ -225,7 +229,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                     )
                 ))
             ).select_related(
-                'item', 'variation', 'item__category', 'addon_to'
+                'item', 'variation', 'item__category', 'addon_to', 'order', 'order__invoice_address'
             )
         else:
             qs = qs.prefetch_related(
@@ -235,19 +239,19 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                 ),
                 'answers', 'answers__options', 'answers__question',
                 Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
-            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address')
+            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order')
 
         if not self.checkinlist.all_products:
             qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))
 
         return qs
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def redeem(self, *args, **kwargs):
         force = bool(self.request.data.get('force', False))
         ignore_unpaid = bool(self.request.data.get('ignore_unpaid', False))
         nonce = self.request.data.get('nonce')
-        op = self.get_object()
+        op = self.get_object(ignore_status=True)
 
         if 'datetime' in self.request.data:
             dt = DateTimeField().to_internal_value(self.request.data.get('datetime'))
@@ -281,7 +285,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             return Response({
                 'status': 'incomplete',
                 'require_attention': op.item.checkin_attention or op.order.checkin_attention,
-                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data,
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data,
                 'questions': [
                     QuestionSerializer(q).data for q in e.questions
                 ]
@@ -291,17 +295,17 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                 'status': 'error',
                 'reason': e.code,
                 'require_attention': op.item.checkin_attention or op.order.checkin_attention,
-                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data
             }, status=400)
         else:
             return Response({
                 'status': 'ok',
                 'require_attention': op.item.checkin_attention or op.order.checkin_attention,
-                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data
             }, status=201)
 
-    def get_object(self):
-        queryset = self.filter_queryset(self.get_queryset())
+    def get_object(self, ignore_status=False):
+        queryset = self.filter_queryset(self.get_queryset(ignore_status=ignore_status))
         if self.kwargs['pk'].isnumeric():
             obj = get_object_or_404(queryset, Q(pk=self.kwargs['pk']) | Q(secret=self.kwargs['pk']))
         else:

src/pretix/api/views/device.py

@@ -105,7 +105,7 @@ class RevokeKeyView(APIView):
 
     def post(self, request, format=None):
         device = request.auth
-        device.api_token = None
+        device.revoked = True
         device.save()
         device.log_action('pretix.device.revoked', auth=device)
 

src/pretix/api/views/event.py

@@ -13,7 +13,7 @@ from pretix.api.serializers.event import (
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
-    Device, Event, ItemCategory, TaxRule, TeamAPIToken,
+    CartPosition, Device, Event, ItemCategory, TaxRule, TeamAPIToken,
 )
 from pretix.base.models.event import SubEvent
 from pretix.helpers.dicts import merge_dicts
@@ -272,6 +272,8 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
                     auth=self.request.auth,
                     data=self.request.data
                 )
+                CartPosition.objects.filter(addon_to__subevent=instance).delete()
+                instance.cartposition_set.all().delete()
                 super().perform_destroy(instance)
         except ProtectedError:
             raise PermissionDenied('The sub-event could not be deleted as some constraints (e.g. data created by '

src/pretix/api/views/item.py

@@ -4,7 +4,7 @@ from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
@@ -16,8 +16,8 @@ from pretix.api.serializers.item import (
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
-    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
-    QuestionOption, Quota,
+    CartPosition, Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation,
+    Question, QuestionOption, Quota,
 )
 from pretix.helpers.dicts import merge_dicts
 
@@ -84,7 +84,8 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
             user=self.request.user,
             auth=self.request.auth,
         )
-        self.get_object().cartposition_set.all().delete()
+        CartPosition.objects.filter(addon_to__item=instance).delete()
+        instance.cartposition_set.all().delete()
         super().perform_destroy(instance)
 
 
@@ -498,7 +499,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
             )
         super().perform_destroy(instance)
 
-    @detail_route(methods=['get'])
+    @action(detail=True, methods=['get'])
     def availability(self, request, *args, **kwargs):
         quota = self.get_object()
 

src/pretix/api/views/order.py

@@ -12,7 +12,7 @@ from django.utils.timezone import make_aware, now
 from django.utils.translation import ugettext as _
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import mixins, serializers, status, viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import (
     APIException, NotFound, PermissionDenied, ValidationError,
 )
@@ -24,14 +24,16 @@ from pretix.api.models import OAuthAccessToken
 from pretix.api.serializers.order import (
     InvoiceSerializer, OrderCreateSerializer, OrderPaymentSerializer,
     OrderPositionSerializer, OrderRefundCreateSerializer,
-    OrderRefundSerializer, OrderSerializer,
+    OrderRefundSerializer, OrderSerializer, PriceCalcSerializer,
 )
+from pretix.base.i18n import language
 from pretix.base.models import (
-    CachedCombinedTicket, CachedTicket, Device, Event, Invoice, Order,
-    OrderPayment, OrderPosition, OrderRefund, Quota, TeamAPIToken,
+    CachedCombinedTicket, CachedTicket, Device, Event, Invoice, InvoiceAddress,
+    Order, OrderPayment, OrderPosition, OrderRefund, Quota, TeamAPIToken,
     generate_position_secret, generate_secret,
 )
 from pretix.base.payment import PaymentException
+from pretix.base.services import tickets
 from pretix.base.services.invoices import (
     generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
     regenerate_invoice,
@@ -41,8 +43,12 @@ from pretix.base.services.orders import (
     OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
     extend_order, mark_order_expired, mark_order_refunded,
 )
+from pretix.base.services.pricing import get_price
 from pretix.base.services.tickets import generate
-from pretix.base.signals import order_placed, register_ticket_outputs
+from pretix.base.signals import (
+    order_modified, order_placed, register_ticket_outputs,
+)
+from pretix.base.templatetags.money import money_filter
 
 
 class OrderFilter(FilterSet):
@@ -50,6 +56,7 @@ class OrderFilter(FilterSet):
     code = django_filters.CharFilter(field_name='code', lookup_expr='iexact')
     status = django_filters.CharFilter(field_name='status', lookup_expr='iexact')
     modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
+    created_since = django_filters.IsoDateTimeFilter(field_name='datetime', lookup_expr='gte')
 
     class Meta:
         model = Order
@@ -124,7 +131,7 @@ class OrderViewSet(viewsets.ModelViewSet):
         serializer = self.get_serializer(queryset, many=True)
         return Response(serializer.data, headers={'X-Page-Generated': date})
 
-    @detail_route(url_name='download', url_path='download/(?P<output>[^/]+)')
+    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
     def download(self, request, output, **kwargs):
         provider = self._get_output_provider(output)
         order = self.get_object()
@@ -146,7 +153,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             )
             return resp
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def mark_paid(self, request, **kwargs):
         order = self.get_object()
 
@@ -187,7 +194,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             status=status.HTTP_400_BAD_REQUEST
         )
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def mark_canceled(self, request, **kwargs):
         send_mail = request.data.get('send_email', True)
         cancellation_fee = request.data.get('cancellation_fee', None)
@@ -221,7 +228,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             )
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def approve(self, request, **kwargs):
         send_mail = request.data.get('send_email', True)
 
@@ -239,7 +246,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def deny(self, request, **kwargs):
         send_mail = request.data.get('send_email', True)
         comment = request.data.get('comment', '')
@@ -257,7 +264,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def mark_pending(self, request, **kwargs):
         order = self.get_object()
 
@@ -276,7 +283,7 @@ class OrderViewSet(viewsets.ModelViewSet):
         )
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def mark_expired(self, request, **kwargs):
         order = self.get_object()
 
@@ -293,7 +300,7 @@ class OrderViewSet(viewsets.ModelViewSet):
         )
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def mark_refunded(self, request, **kwargs):
         order = self.get_object()
 
@@ -310,7 +317,7 @@ class OrderViewSet(viewsets.ModelViewSet):
         )
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def create_invoice(self, request, **kwargs):
         order = self.get_object()
         has_inv = order.invoices.exists() and not (
@@ -342,7 +349,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             status=status.HTTP_201_CREATED
         )
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def resend_link(self, request, **kwargs):
         order = self.get_object()
         if not order.email:
@@ -356,7 +363,7 @@ class OrderViewSet(viewsets.ModelViewSet):
             status=status.HTTP_204_NO_CONTENT
         )
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     @transaction.atomic
     def regenerate_secrets(self, request, **kwargs):
         order = self.get_object()
@@ -367,6 +374,8 @@ class OrderViewSet(viewsets.ModelViewSet):
         order.save(update_fields=['secret'])
         CachedTicket.objects.filter(order_position__order=order).delete()
         CachedCombinedTicket.objects.filter(order=order).delete()
+        tickets.invalidate_cache.apply_async(kwargs={'event': self.request.event.pk,
+                                                     'order': order.pk})
         order.log_action(
             'pretix.event.order.secret.changed',
             user=self.request.user,
@@ -374,7 +383,7 @@ class OrderViewSet(viewsets.ModelViewSet):
         )
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def extend(self, request, **kwargs):
         new_date = request.data.get('expires', None)
         force = request.data.get('force', False)
@@ -450,61 +459,65 @@ class OrderViewSet(viewsets.ModelViewSet):
             )
         return super().update(request, *args, **kwargs)
 
-    @transaction.atomic
     def perform_update(self, serializer):
-        if 'comment' in self.request.data and serializer.instance.comment != self.request.data.get('comment'):
-            serializer.instance.log_action(
-                'pretix.event.order.comment',
-                user=self.request.user,
-                auth=self.request.auth,
-                data={
-                    'new_comment': self.request.data.get('comment')
-                }
-            )
+        with transaction.atomic():
+            if 'comment' in self.request.data and serializer.instance.comment != self.request.data.get('comment'):
+                serializer.instance.log_action(
+                    'pretix.event.order.comment',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'new_comment': self.request.data.get('comment')
+                    }
+                )
 
-        if 'checkin_attention' in self.request.data and serializer.instance.checkin_attention != self.request.data.get('checkin_attention'):
-            serializer.instance.log_action(
-                'pretix.event.order.checkin_attention',
-                user=self.request.user,
-                auth=self.request.auth,
-                data={
-                    'new_value': self.request.data.get('checkin_attention')
-                }
-            )
+            if 'checkin_attention' in self.request.data and serializer.instance.checkin_attention != self.request.data.get('checkin_attention'):
+                serializer.instance.log_action(
+                    'pretix.event.order.checkin_attention',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'new_value': self.request.data.get('checkin_attention')
+                    }
+                )
 
-        if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
-            serializer.instance.log_action(
-                'pretix.event.order.contact.changed',
-                user=self.request.user,
-                auth=self.request.auth,
-                data={
-                    'old_email': serializer.instance.email,
-                    'new_email': self.request.data.get('email'),
-                }
-            )
+            if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
+                serializer.instance.log_action(
+                    'pretix.event.order.contact.changed',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'old_email': serializer.instance.email,
+                        'new_email': self.request.data.get('email'),
+                    }
+                )
 
-        if 'locale' in self.request.data and serializer.instance.locale != self.request.data.get('locale'):
-            serializer.instance.log_action(
-                'pretix.event.order.locale.changed',
-                user=self.request.user,
-                auth=self.request.auth,
-                data={
-                    'old_locale': serializer.instance.locale,
-                    'new_locale': self.request.data.get('locale'),
-                }
-            )
+            if 'locale' in self.request.data and serializer.instance.locale != self.request.data.get('locale'):
+                serializer.instance.log_action(
+                    'pretix.event.order.locale.changed',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'old_locale': serializer.instance.locale,
+                        'new_locale': self.request.data.get('locale'),
+                    }
+                )
+
+            if 'invoice_address' in self.request.data:
+                serializer.instance.log_action(
+                    'pretix.event.order.modified',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'invoice_data': self.request.data.get('invoice_address'),
+                    }
+                )
+
+            serializer.save()
+            tickets.invalidate_cache.apply_async(kwargs={'event': serializer.instance.event.pk, 'order': serializer.instance.pk})
 
         if 'invoice_address' in self.request.data:
-            serializer.instance.log_action(
-                'pretix.event.order.modified',
-                user=self.request.user,
-                auth=self.request.auth,
-                data={
-                    'invoice_data': self.request.data.get('invoice_address'),
-                }
-            )
-
-        serializer.save()
+            order_modified.send(sender=serializer.instance.event, order=serializer.instance)
 
     def perform_create(self, serializer):
         serializer.save()
@@ -613,7 +626,84 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
                 return prov
         raise NotFound('Unknown output provider.')
 
-    @detail_route(url_name='download', url_path='download/(?P<output>[^/]+)')
+    @action(detail=True, methods=['POST'], url_name='price_calc')
+    def price_calc(self, request, *args, **kwargs):
+        """
+        This calculates the price assuming a change of product or subevent. This endpoint
+        is deliberately not documented and considered a private API, only to be used by
+        pretix' web interface.
+
+        Sample input:
+
+        {
+            "item": 2,
+            "variation": null,
+            "subevent": 3
+        }
+
+        Sample output:
+
+        {
+            "gross": "2.34",
+            "gross_formatted": "2,34",
+            "net": "2.34",
+            "tax": "0.00",
+            "rate": "0.00",
+            "name": "VAT"
+        }
+        """
+        serializer = PriceCalcSerializer(data=request.data, event=request.event)
+        serializer.is_valid(raise_exception=True)
+        data = serializer.validated_data
+        pos = self.get_object()
+
+        try:
+            ia = pos.order.invoice_address
+        except InvoiceAddress.DoesNotExist:
+            ia = InvoiceAddress()
+
+        kwargs = {
+            'item': pos.item,
+            'variation': pos.variation,
+            'voucher': pos.voucher,
+            'subevent': pos.subevent,
+            'addon_to': pos.addon_to,
+            'invoice_address': ia,
+        }
+
+        if data.get('item'):
+            item = data.get('item')
+            kwargs['item'] = item
+
+            if item.has_variations:
+                variation = data.get('variation') or pos.variation
+                if not variation:
+                    raise ValidationError('No variation given')
+                if variation.item != item:
+                    raise ValidationError('Variation does not belong to item')
+                kwargs['variation'] = variation
+            else:
+                variation = None
+                kwargs['variation'] = None
+
+            if pos.voucher and not pos.voucher.applies_to(item, variation):
+                kwargs['voucher'] = None
+
+        if data.get('subevent'):
+            kwargs['subevent'] = data.get('subevent')
+
+        price = get_price(**kwargs)
+        with language(data.get('locale') or self.request.event.settings.locale):
+            return Response({
+                'gross': price.gross,
+                'gross_formatted': money_filter(price.gross, self.request.event.currency, hide_currency=True),
+                'net': price.net,
+                'rate': price.rate,
+                'name': str(price.name),
+                'tax': price.tax,
+            })
+
+    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
     def download(self, request, output, **kwargs):
         provider = self._get_output_provider(output)
         pos = self.get_object()
@@ -664,7 +754,7 @@ class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
         order = get_object_or_404(Order, code=self.kwargs['order'], event=self.request.event)
         return order.payments.all()
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def confirm(self, request, **kwargs):
         payment = self.get_object()
         force = request.data.get('force', False)
@@ -685,7 +775,7 @@ class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
             pass
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def refund(self, request, **kwargs):
         payment = self.get_object()
         amount = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
@@ -750,7 +840,7 @@ class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
                     payment.order.save(update_fields=['status', 'expires'])
             return Response(OrderRefundSerializer(r).data, status=status.HTTP_200_OK)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def cancel(self, request, **kwargs):
         payment = self.get_object()
 
@@ -778,7 +868,7 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
         order = get_object_or_404(Order, code=self.kwargs['order'], event=self.request.event)
         return order.refunds.all()
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def cancel(self, request, **kwargs):
         refund = self.get_object()
 
@@ -795,7 +885,7 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def process(self, request, **kwargs):
         refund = self.get_object()
 
@@ -820,7 +910,7 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             refund.order.save(update_fields=['status', 'expires'])
         return self.retrieve(request, [], **kwargs)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def done(self, request, **kwargs):
         refund = self.get_object()
 
@@ -910,7 +1000,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
             nr=Concat('prefix', 'invoice_no')
         )
 
-    @detail_route()
+    @action(detail=True, )
     def download(self, request, **kwargs):
         invoice = self.get_object()
 
@@ -928,7 +1018,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
         resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
         return resp
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def regenerate(self, request, **kwarts):
         inv = self.get_object()
         if inv.canceled:
@@ -947,7 +1037,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
             )
             return Response(status=204)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def reissue(self, request, **kwarts):
         inv = self.get_object()
         if inv.canceled:

src/pretix/api/views/voucher.py

@@ -7,7 +7,7 @@ from django_filters.rest_framework import (
     BooleanFilter, DjangoFilterBackend, FilterSet,
 )
 from rest_framework import status, viewsets
-from rest_framework.decorators import list_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
@@ -111,9 +111,12 @@ class VoucherViewSet(viewsets.ModelViewSet):
             user=self.request.user,
             auth=self.request.auth,
         )
-        super().perform_destroy(instance)
+        with transaction.atomic():
+            instance.cartposition_set.filter(addon_to__isnull=False).delete()
+            instance.cartposition_set.all().delete()
+            super().perform_destroy(instance)
 
-    @list_route(methods=['POST'])
+    @action(detail=False, methods=['POST'])
     def batch_create(self, request, *args, **kwargs):
         if any(self._predict_quota_check(d, None) for d in request.data):
             lockfn = request.event.lock

src/pretix/api/views/waitinglist.py

@@ -1,7 +1,7 @@
 import django_filters
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
@@ -69,7 +69,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
         )
         super().perform_destroy(instance)
 
-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
     def send_voucher(self, *args, **kwargs):
         try:
             self.get_object().send_voucher(

src/pretix/base/exporters/__init__.py

@@ -1,4 +1,5 @@
 from .answers import *  # noqa
+from .dekodi import *  # noqa
 from .invoices import *  # noqa
 from .json import *  # noqa
 from .mail import *  # noqa

src/pretix/base/exporters/dekodi.py

@@ -0,0 +1,219 @@
+import json
+from collections import OrderedDict
+from decimal import Decimal
+
+import dateutil
+from django import forms
+from django.core.serializers.json import DjangoJSONEncoder
+from django.dispatch import receiver
+from django.utils.translation import ugettext, ugettext_lazy
+
+from pretix.base.i18n import language
+from pretix.base.models import Invoice, OrderPayment
+
+from ..exporter import BaseExporter
+from ..signals import register_data_exporters
+
+
+class DekodiNREIExporter(BaseExporter):
+    identifier = 'dekodi_nrei'
+    verbose_name = 'dekodi NREI (JSON)'
+
+    # Specification: http://manuals.dekodi.de/nexuspub/schnittstellenbuch/
+
+    def _encode_invoice(self, invoice: Invoice):
+        p_last = invoice.order.payments.filter(state=[OrderPayment.PAYMENT_STATE_CONFIRMED, OrderPayment.PAYMENT_STATE_REFUNDED]).last()
+        gross_total = Decimal('0.00')
+        net_total = Decimal('0.00')
+
+        positions = []
+        for l in invoice.lines.all():
+            positions.append({
+                'ADes': l.description.replace("<br />", "\n"),
+                'ANetA': round(float(l.net_value), 2),
+                'ANo': self.event.slug,
+                'AQ': -1 if invoice.is_cancellation else 1,
+                'AVatP': round(float(l.tax_rate), 2),
+                'DIDt': (l.subevent or invoice.order.event).date_from.isoformat().replace('Z', '+00:00'),
+                'PosGrossA': round(float((-1 if invoice.is_cancellation else 1) * l.gross_value), 2),
+                'PosNetA': round(float((-1 if invoice.is_cancellation else 1) * l.net_value), 2),
+            })
+            gross_total += l.gross_value
+            net_total += l.net_value
+
+        payments = []
+        paypal_email = None
+        for p in invoice.order.payments.filter(
+                state__in=(OrderPayment.PAYMENT_STATE_CONFIRMED, OrderPayment.PAYMENT_STATE_PENDING,
+                           OrderPayment.PAYMENT_STATE_CREATED, OrderPayment.PAYMENT_STATE_REFUNDED)
+        ):
+            if p.provider == 'paypal':
+                paypal_email = p.info_data.get('payer', {}).get('payer_info', {}).get('email')
+                try:
+                    ppid = p.info_data['transactions'][0]['related_resources']['sale']['id']
+                except:
+                    ppid = p.info_data.get('id')
+                payments.append({
+                    'PTID': '1',
+                    'PTN': 'PayPal',
+                    'PTNo1': ppid,
+                    'PTNo2': p.info_data.get('id'),
+                    'PTNo7': round(float(p.amount), 2),
+                    'PTNo8': str(self.event.currency),
+                    'PTNo11': paypal_email or '',
+                    'PTNo15': p.full_id or '',
+                })
+            elif p.provider == 'banktransfer':
+                payments.append({
+                    'PTID': '4',
+                    'PTN': 'Vorkasse',
+                    'PTNo4': p.info_data.get('reference') or p.payment_provider._code(invoice.order),
+                    'PTNo7': round(float(p.amount), 2),
+                    'PTNo8': str(self.event.currency),
+                    'PTNo10': p.info_data.get('payer') or '',
+                    'PTNo14': p.info_data.get('date') or '',
+                    'PTNo15': p.full_id or '',
+                })
+            elif p.provider == 'sepadebit':
+                with language(invoice.order.locale):
+                    payments.append({
+                        'PTID': '5',
+                        'PTN': 'Lastschrift',
+                        'PTNo4': ugettext('Event ticket {event}-{code}').format(
+                            event=self.event.slug.upper(),
+                            code=invoice.order.code
+                        ),
+                        'PTNo5': p.info_data.get('iban') or '',
+                        'PTNo6': p.info_data.get('bic') or '',
+                        'PTNo7': round(float(p.amount), 2),
+                        'PTNo8': str(self.event.currency) or '',
+                        'PTNo9': p.info_data.get('date') or '',
+                        'PTNo10': p.info_data.get('account') or '',
+                        'PTNo14': p.info_data.get('reference') or '',
+                        'PTNo15': p.full_id or '',
+                    })
+            elif p.provider.startswith('stripe'):
+                src = p.info_data.get("source", "{}")
+                payments.append({
+                    'PTID': '81',
+                    'PTN': 'Stripe',
+                    'PTNo1': p.info_data.get("id") or '',
+                    'PTNo5': src.get("card", {}).get("last4") or '',
+                    'PTNo7': round(float(p.amount), 2) or '',
+                    'PTNo8': str(self.event.currency) or '',
+                    'PTNo10': src.get('owner', {}).get('verified_name') or src.get('owner', {}).get('name') or '',
+                    'PTNo15': p.full_id or '',
+                })
+            else:
+                payments.append({
+                    'PTID': '0',
+                    'PTN': p.provider,
+                    'PTNo7': round(float(p.amount), 2) or '',
+                    'PTNo8': str(self.event.currency) or '',
+                    'PTNo15': p.full_id or '',
+                })
+
+        payments = [
+            {
+                k: v for k, v in p.items() if v is not None
+            } for p in payments
+        ]
+
+        hdr = {
+            'C': str(invoice.invoice_to_country) or self.event.settings.invoice_address_from_country,
+            'CC': self.event.currency,
+            'City': invoice.invoice_to_city,
+            'CN': invoice.invoice_to_company,
+            'DIC': self.event.settings.invoice_address_from_country,
+            # DIC is  a little bit unclean, should be the event location's country
+            'DIDt': invoice.order.datetime.isoformat().replace('Z', '+00:00'),
+            'DT': '30' if invoice.is_cancellation else '10',
+            'EM': invoice.order.email,
+            'FamN': invoice.invoice_to_name.rsplit(' ', 1)[-1],
+            'FN': invoice.invoice_to_name.rsplit(' ', 1)[0] if ' ' in invoice.invoice_to_name else '',
+            'IDt': invoice.date.isoformat() + 'T08:00:00+01:00',
+            'INo': invoice.full_invoice_no,
+            'IsNet': invoice.reverse_charge,
+            'ODt': invoice.order.datetime.isoformat().replace('Z', '+00:00'),
+            'OID': invoice.order.code,
+            'SID': self.event.slug,
+            'SN': str(self.event),
+            'Str': invoice.invoice_to_street or '',
+            'TGrossA': round(float(gross_total), 2),
+            'TNetA': round(float(net_total), 2),
+            'TVatA': round(float(gross_total - net_total), 2),
+            'VatDp': False,
+            'Zip': invoice.invoice_to_zipcode
+        }
+        if not hdr['FamN'] and not hdr['CN']:
+            hdr['CN'] = "Unbekannter Kunde"
+
+        if invoice.refers:
+            hdr['PvrINo'] = invoice.refers.full_invoice_no
+        if p_last:
+            hdr['PmDt'] = p_last.payment_date.isoformat().replace('Z', '+00:00')
+        if paypal_email:
+            hdr['PPEm'] = paypal_email
+        if invoice.invoice_to_vat_id:
+            hdr['VatID'] = invoice.invoice_to_vat_id
+
+        return {
+            'IsValid': True,
+            'Hdr': hdr,
+            'InvcPstns': positions,
+            'PmIs': payments,
+            'ValidationMessage': ''
+        }
+
+    def render(self, form_data):
+        qs = self.event.invoices.select_related('order').prefetch_related('lines', 'lines__subevent')
+
+        if form_data.get('date_from'):
+            date_value = form_data.get('date_from')
+            if isinstance(date_value, str):
+                date_value = dateutil.parser.parse(date_value).date()
+            qs = qs.filter(date__gte=date_value)
+
+        if form_data.get('date_to'):
+            date_value = form_data.get('date_to')
+            if isinstance(date_value, str):
+                date_value = dateutil.parser.parse(date_value).date()
+            qs = qs.filter(date__lte=date_value)
+
+        jo = {
+            'Format': 'NREI',
+            'Version': '18.10.2.0',
+            'SourceSystem': 'pretix',
+            'Data': [
+                self._encode_invoice(i) for i in qs
+            ]
+        }
+        return '{}_nrei.json'.format(self.event.slug), 'application/json', json.dumps(jo, cls=DjangoJSONEncoder, indent=4)
+
+    @property
+    def export_form_fields(self):
+        return OrderedDict(
+            [
+                ('date_from',
+                 forms.DateField(
+                     label=ugettext_lazy('Start date'),
+                     widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
+                     required=False,
+                     help_text=ugettext_lazy('Only include invoices issued on or after this date. Note that the invoice date does '
+                                             'not always correspond to the order or payment date.')
+                 )),
+                ('date_to',
+                 forms.DateField(
+                     label=ugettext_lazy('End date'),
+                     widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
+                     required=False,
+                     help_text=ugettext_lazy('Only include invoices issued on or before this date. Note that the invoice date '
+                                             'does not always correspond to the order or payment date.')
+                 )),
+            ]
+        )
+
+
+@receiver(register_data_exporters, dispatch_uid="exporter_dekodi_nrei")
+def register_dekodi_export(sender, **kwargs):
+    return DekodiNREIExporter

src/pretix/base/exporters/orderlist.py

@@ -6,7 +6,7 @@ from django import forms
 from django.db.models import DateTimeField, F, Max, OuterRef, Subquery, Sum
 from django.dispatch import receiver
 from django.utils.formats import date_format, localize
-from django.utils.translation import ugettext as _, ugettext_lazy
+from django.utils.translation import pgettext, ugettext as _, ugettext_lazy
 
 from pretix.base.models import (
     InvoiceAddress, InvoiceLine, Order, OrderPosition,
@@ -269,6 +269,10 @@ class OrderListExporter(MultiSheetListExporter):
             _('Status'),
             _('Email'),
             _('Order date'),
+        ]
+        if self.event.has_subevents:
+            headers.append(pgettext('subevent', 'Date'))
+        headers += [
             _('Product'),
             _('Variation'),
             _('Price'),
@@ -311,6 +315,10 @@ class OrderListExporter(MultiSheetListExporter):
                 order.get_status_display(),
                 order.email,
                 order.datetime.astimezone(tz).strftime('%Y-%m-%d'),
+            ]
+            if self.event.has_subevents:
+                row.append(op.subevent)
+            row += [
                 str(op.item),
                 str(op.variation) if op.variation else '',
                 op.price,

src/pretix/base/invoice.py

@@ -9,14 +9,17 @@ import vat_moss.exchange_rates
 from django.contrib.staticfiles import finders
 from django.dispatch import receiver
 from django.utils.formats import date_format, localize
-from django.utils.translation import get_language, pgettext, ugettext
+from django.utils.translation import (
+    get_language, pgettext, ugettext, ugettext_lazy,
+)
 from PIL.Image import BICUBIC
 from reportlab.lib import pagesizes
-from reportlab.lib.enums import TA_LEFT
+from reportlab.lib.enums import TA_LEFT, TA_RIGHT
 from reportlab.lib.styles import ParagraphStyle, StyleSheet1
 from reportlab.lib.units import mm
 from reportlab.lib.utils import ImageReader
 from reportlab.pdfbase import pdfmetrics
+from reportlab.pdfbase.pdfmetrics import stringWidth
 from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import (
@@ -122,6 +125,7 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
         """
         stylesheet = StyleSheet1()
         stylesheet.add(ParagraphStyle(name='Normal', fontName=self.font_regular, fontSize=10, leading=12))
+        stylesheet.add(ParagraphStyle(name='InvoiceFrom', parent=stylesheet['Normal']))
         stylesheet.add(ParagraphStyle(name='Heading1', fontName=self.font_bold, fontSize=15, leading=15 * 1.2))
         stylesheet.add(ParagraphStyle(name='FineprintHeading', fontName=self.font_bold, fontSize=8, leading=12))
         stylesheet.add(ParagraphStyle(name='Fineprint', fontName=self.font_regular, fontSize=8, leading=10))
@@ -254,49 +258,64 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
 
         canvas.restoreState()
 
+    invoice_to_width = 85 * mm
+    invoice_to_height = 50 * mm
+    invoice_to_left = 25 * mm
+    invoice_to_top = 52 * mm
+
     def _draw_invoice_to(self, canvas):
-        p = Paragraph(self.invoice.invoice_to.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
-        p.wrapOn(canvas, 85 * mm, 50 * mm)
-        p_size = p.wrap(85 * mm, 50 * mm)
-        p.drawOn(canvas, 25 * mm, (297 - 52) * mm - p_size[1])
+        p = Paragraph(self.invoice.address_invoice_to.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
+        p.wrapOn(canvas, self.invoice_to_width, self.invoice_to_height)
+        p_size = p.wrap(self.invoice_to_width, self.invoice_to_height)
+        p.drawOn(canvas, self.invoice_to_left, self.pagesize[1] - p_size[1] - self.invoice_to_top)
+
+    invoice_from_width = 70 * mm
+    invoice_from_height = 50 * mm
+    invoice_from_left = 25 * mm
+    invoice_from_top = 17 * mm
 
     def _draw_invoice_from(self, canvas):
-        p = Paragraph(self.invoice.full_invoice_from.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
-        p.wrapOn(canvas, 70 * mm, 50 * mm)
-        p_size = p.wrap(70 * mm, 50 * mm)
-        p.drawOn(canvas, 25 * mm, (297 - 17) * mm - p_size[1])
-
-    def _on_first_page(self, canvas: Canvas, doc):
-        canvas.setCreator('pretix.eu')
-        canvas.setTitle(pgettext('invoice', 'Invoice {num}').format(num=self.invoice.number))
-
-        canvas.saveState()
-        canvas.setFont(self.font_regular, 8)
-
-        if self.invoice.order.testmode:
-            canvas.saveState()
-            canvas.setFont('OpenSansBd', 30)
-            canvas.setFillColorRGB(32, 0, 0)
-            canvas.drawRightString(self.pagesize[0] - 20 * mm, (297 - 100) * mm, ugettext('TEST MODE'))
-            canvas.restoreState()
-
-        for i, line in enumerate(self.invoice.footer_text.split('\n')[::-1]):
-            canvas.drawCentredString(self.pagesize[0] / 2, 25 + (3.5 * i) * mm, line.strip())
+        p = Paragraph(self.invoice.full_invoice_from.strip().replace('\n', '<br />\n'), style=self.stylesheet[
+            'InvoiceFrom'])
+        p.wrapOn(canvas, self.invoice_from_width, self.invoice_from_height)
+        p_size = p.wrap(self.invoice_from_width, self.invoice_from_height)
+        p.drawOn(canvas, self.invoice_from_left, self.pagesize[1] - p_size[1] - self.invoice_from_top)
 
+    def _draw_invoice_from_label(self, canvas):
         textobject = canvas.beginText(25 * mm, (297 - 15) * mm)
         textobject.setFont(self.font_bold, 8)
         textobject.textLine(self._upper(pgettext('invoice', 'Invoice from')))
         canvas.drawText(textobject)
 
-        self._draw_invoice_from(canvas)
-
+    def _draw_invoice_to_label(self, canvas):
         textobject = canvas.beginText(25 * mm, (297 - 50) * mm)
         textobject.setFont(self.font_bold, 8)
         textobject.textLine(self._upper(pgettext('invoice', 'Invoice to')))
         canvas.drawText(textobject)
 
-        self._draw_invoice_to(canvas)
+    logo_width = 25 * mm
+    logo_height = 25 * mm
+    logo_left = 95 * mm
+    logo_top = 13 * mm
+    logo_anchor = 'n'
 
+    def _draw_logo(self, canvas):
+        if self.invoice.event.settings.invoice_logo_image:
+            logo_file = self.invoice.event.settings.get('invoice_logo_image', binary_file=True)
+            ir = ThumbnailingImageReader(logo_file)
+            try:
+                ir.resize(self.logo_width, self.logo_height, 300)
+            except:
+                logger.exception("Can not resize image")
+                pass
+            canvas.drawImage(ir,
+                             self.logo_left,
+                             self.pagesize[1] - self.logo_height - self.logo_top,
+                             width=self.logo_width, height=self.logo_height,
+                             preserveAspectRatio=True, anchor=self.logo_anchor,
+                             mask='auto')
+
+    def _draw_metadata(self, canvas):
         textobject = canvas.beginText(125 * mm, (297 - 38) * mm)
         textobject.setFont(self.font_bold, 8)
         textobject.textLine(self._upper(pgettext('invoice', 'Order code')))
@@ -348,37 +367,37 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
 
         canvas.drawText(textobject)
 
-        if self.invoice.event.settings.invoice_logo_image:
-            logo_file = self.invoice.event.settings.get('invoice_logo_image', binary_file=True)
-            ir = ThumbnailingImageReader(logo_file)
-            try:
-                ir.resize(25 * mm, 25 * mm, 300)
-            except:
-                logger.exception("Can not resize image")
-                pass
-            canvas.drawImage(ir,
-                             95 * mm, (297 - 38) * mm,
-                             width=25 * mm, height=25 * mm,
-                             preserveAspectRatio=True, anchor='n',
-                             mask='auto')
+    event_left = 125 * mm
+    event_top = 17 * mm
+    event_width = 65 * mm
+    event_height = 50 * mm
 
+    def _draw_event_label(self, canvas):
+        textobject = canvas.beginText(125 * mm, (297 - 15) * mm)
+        textobject.setFont(self.font_bold, 8)
+        textobject.textLine(self._upper(pgettext('invoice', 'Event')))
+        canvas.drawText(textobject)
+
+    def _draw_event(self, canvas):
         def shorten(txt):
             txt = str(txt)
             p = Paragraph(txt.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
-            p_size = p.wrap(65 * mm, 50 * mm)
+            p_size = p.wrap(self.event_width, self.event_height)
 
             while p_size[1] > 2 * self.stylesheet['Normal'].leading:
                 txt = ' '.join(txt.replace('…', '').split()[:-1]) + '…'
                 p = Paragraph(txt.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
-                p_size = p.wrap(65 * mm, 50 * mm)
+                p_size = p.wrap(self.event_width, self.event_height)
             return txt
 
         if not self.invoice.event.has_subevents:
             if self.invoice.event.settings.show_date_to and self.invoice.event.date_to:
                 p_str = (
-                    shorten(self.invoice.event.name) + '\n' + pgettext('invoice', '{from_date}\nuntil {to_date}').format(
+                    shorten(self.invoice.event.name) + '\n' +
+                    pgettext('invoice', '{from_date}\nuntil {to_date}').format(
                         from_date=self.invoice.event.get_date_from_display(),
-                        to_date=self.invoice.event.get_date_to_display())
+                        to_date=self.invoice.event.get_date_to_display()
+                    )
                 )
             else:
                 p_str = (
@@ -388,15 +407,38 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             p_str = shorten(self.invoice.event.name)
 
         p = Paragraph(p_str.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
-        p.wrapOn(canvas, 65 * mm, 50 * mm)
-        p_size = p.wrap(65 * mm, 50 * mm)
-        p.drawOn(canvas, 125 * mm, (297 - 17) * mm - p_size[1])
+        p.wrapOn(canvas, self.event_width, self.event_height)
+        p_size = p.wrap(self.event_width, self.event_height)
+        p.drawOn(canvas, self.event_left, self.pagesize[1] - self.event_top - p_size[1])
+        self._draw_event_label(canvas)
 
-        textobject = canvas.beginText(125 * mm, (297 - 15) * mm)
-        textobject.setFont(self.font_bold, 8)
-        textobject.textLine(self._upper(pgettext('invoice', 'Event')))
-        canvas.drawText(textobject)
+    def _draw_footer(self, canvas):
+        canvas.setFont(self.font_regular, 8)
+        for i, line in enumerate(self.invoice.footer_text.split('\n')[::-1]):
+            canvas.drawCentredString(self.pagesize[0] / 2, 25 + (3.5 * i) * mm, line.strip())
 
+    def _draw_testmode(self, canvas):
+        if self.invoice.order.testmode:
+            canvas.saveState()
+            canvas.setFont('OpenSansBd', 30)
+            canvas.setFillColorRGB(32, 0, 0)
+            canvas.drawRightString(self.pagesize[0] - 20 * mm, (297 - 100) * mm, ugettext('TEST MODE'))
+            canvas.restoreState()
+
+    def _on_first_page(self, canvas: Canvas, doc):
+        canvas.setCreator('pretix.eu')
+        canvas.setTitle(pgettext('invoice', 'Invoice {num}').format(num=self.invoice.number))
+
+        canvas.saveState()
+        self._draw_footer(canvas)
+        self._draw_testmode(canvas)
+        self._draw_invoice_from_label(canvas)
+        self._draw_invoice_from(canvas)
+        self._draw_invoice_to_label(canvas)
+        self._draw_invoice_to(canvas)
+        self._draw_metadata(canvas)
+        self._draw_logo(canvas)
+        self._draw_event(canvas)
         canvas.restoreState()
 
     def _get_first_page_frames(self, doc):
@@ -434,6 +476,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                 self.stylesheet['Normal']
             ))
 
+        if self.invoice.invoice_to_vat_id:
+            story.append(Paragraph(
+                pgettext('invoice', 'Customer VAT ID') + ':<br />' +
+                bleach.clean(self.invoice.invoice_to_vat_id, tags=[]).replace("\n", "<br />\n"),
+                self.stylesheet['Normal']
+            ))
+
         if self.invoice.invoice_to_beneficiary:
             story.append(Paragraph(
                 pgettext('invoice', 'Beneficiary') + ':<br />' +
@@ -554,6 +603,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             colwidths = [a * doc.width for a in (.25, .15, .15, .15, .3)]
             table = Table(tdata, colWidths=colwidths, repeatRows=2, hAlign=TA_LEFT)
             table.setStyle(TableStyle(tstyledata))
+            story.append(Spacer(5 * mm, 5 * mm))
             story.append(KeepTogether([
                 Paragraph(pgettext('invoice', 'Included taxes'), self.stylesheet['FineprintHeading']),
                 table
@@ -607,6 +657,114 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
         return story
 
 
+class Modern1Renderer(ClassicInvoiceRenderer):
+    identifier = 'modern1'
+    verbose_name = ugettext_lazy('Modern Invoice Renderer (pretix 2.7)')
+    bottom_margin = 16.9 * mm
+    top_margin = 16.9 * mm
+    right_margin = 20 * mm
+    invoice_to_height = 27.3 * mm
+    invoice_to_width = 80 * mm
+    invoice_to_left = 25 * mm
+    invoice_to_top = (40 + 17.7) * mm
+    invoice_from_left = 125 * mm
+    invoice_from_top = 50 * mm
+    invoice_from_width = pagesizes.A4[0] - invoice_from_left - right_margin
+    invoice_from_height = 50 * mm
+
+    logo_width = 75 * mm
+    logo_height = 25 * mm
+    logo_left = pagesizes.A4[0] - logo_width - right_margin
+    logo_top = top_margin
+    logo_anchor = 'e'
+
+    event_left = 25 * mm
+    event_top = top_margin
+    event_width = 80 * mm
+    event_height = 25 * mm
+
+    def _get_stylesheet(self):
+        stylesheet = super()._get_stylesheet()
+        stylesheet.add(ParagraphStyle(name='Sender', fontName=self.font_regular, fontSize=8, leading=10))
+        stylesheet['InvoiceFrom'].alignment = TA_RIGHT
+        return stylesheet
+
+    def _draw_invoice_from(self, canvas):
+        if not self.invoice.invoice_from:
+            return
+        c = self.invoice.address_invoice_from.strip().split('\n')
+        p = Paragraph(' · '.join(c), style=self.stylesheet['Sender'])
+        p.wrapOn(canvas, self.invoice_to_width, 15.7 * mm)
+        p.drawOn(canvas, self.invoice_to_left, self.pagesize[1] - self.invoice_to_top + 2 * mm)
+        super()._draw_invoice_from(canvas)
+
+    def _draw_invoice_to_label(self, canvas):
+        pass
+
+    def _draw_invoice_from_label(self, canvas):
+        pass
+
+    def _draw_event_label(self, canvas):
+        pass
+
+    def _get_first_page_frames(self, doc):
+        footer_length = 3.5 * len(self.invoice.footer_text.split('\n')) * mm
+        return [
+            Frame(doc.leftMargin, doc.bottomMargin, doc.width, doc.height - 95 * mm,
+                  leftPadding=0, rightPadding=0, topPadding=0, bottomPadding=footer_length,
+                  id='normal')
+        ]
+
+    def _draw_metadata(self, canvas):
+        begin_top = 100 * mm
+
+        textobject = canvas.beginText(self.left_margin, self.pagesize[1] - begin_top)
+        textobject.setFont(self.font_regular, 8)
+        textobject.textLine(pgettext('invoice', 'Order code'))
+        textobject.moveCursor(0, 5)
+        textobject.setFont(self.font_regular, 10)
+        textobject.textLine(self.invoice.order.full_code)
+        canvas.drawText(textobject)
+
+        if self.invoice.is_cancellation:
+            textobject = canvas.beginText(self.left_margin + 50 * mm, self.pagesize[1] - begin_top)
+            textobject.setFont(self.font_regular, 8)
+            textobject.textLine(pgettext('invoice', 'Cancellation number'))
+            textobject.moveCursor(0, 5)
+            textobject.setFont(self.font_regular, 10)
+            textobject.textLine(self.invoice.number)
+            canvas.drawText(textobject)
+
+            textobject = canvas.beginText(self.left_margin + 100 * mm, self.pagesize[1] - begin_top)
+            textobject.setFont(self.font_regular, 8)
+            textobject.textLine(pgettext('invoice', 'Original invoice'))
+            textobject.moveCursor(0, 5)
+            textobject.setFont(self.font_regular, 10)
+            textobject.textLine(self.invoice.refers.number)
+            canvas.drawText(textobject)
+        else:
+            textobject = canvas.beginText(self.left_margin + 70 * mm, self.pagesize[1] - begin_top)
+            textobject.textLine(pgettext('invoice', 'Invoice number'))
+            textobject.moveCursor(0, 5)
+            textobject.setFont(self.font_regular, 10)
+            textobject.textLine(self.invoice.number)
+            canvas.drawText(textobject)
+
+        p = Paragraph(date_format(self.invoice.date, "DATE_FORMAT"), style=self.stylesheet['Normal'])
+        w = stringWidth(p.text, p.frags[0].fontName, p.frags[0].fontSize)
+        p.wrapOn(canvas, w, 15 * mm)
+        date_x = self.pagesize[0] - w - self.right_margin
+        p.drawOn(canvas, date_x, self.pagesize[1] - begin_top - 10 - 6)
+
+        textobject = canvas.beginText(date_x, self.pagesize[1] - begin_top)
+        textobject.setFont(self.font_regular, 8)
+        if self.invoice.is_cancellation:
+            textobject.textLine(pgettext('invoice', 'Cancellation date'))
+        else:
+            textobject.textLine(pgettext('invoice', 'Invoice date'))
+        canvas.drawText(textobject)
+
+
 @receiver(register_invoice_renderers, dispatch_uid="invoice_renderer_classic")
 def recv_classic(sender, **kwargs):
-    return ClassicInvoiceRenderer
+    return [ClassicInvoiceRenderer, Modern1Renderer]

src/pretix/base/middleware.py

@@ -97,7 +97,7 @@ def get_language_from_event(request: HttpRequest) -> str:
 
 
 def get_language_from_browser(request: HttpRequest) -> str:
-    accept = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
+    accept = request.headers.get('Accept-Language', '')
     for accept_lang, unused in parse_accept_lang_header(accept):
         if accept_lang == '*':
             break

src/pretix/base/migrations/0115_auto_20190323_2238.py

@@ -0,0 +1,24 @@
+# Generated by Django 2.1.7 on 2019-03-23 22:38
+
+from decimal import Decimal
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0114_auto_20190316_1014'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='itembundle',
+            name='designated_price',
+            field=models.DecimalField(blank=True, decimal_places=2, default=Decimal('0.00'), help_text="If set, it will be shown that this bundled item is responsible for the given value of the total gross price. This might be important in cases of mixed taxation, but can be kept blank otherwise. This value will NOT be added to the base item's price.", max_digits=10, verbose_name='Designated price part'),
+        ),
+    ]

src/pretix/base/migrations/0116_auto_20190402_0722.py

@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-04-02 07:22
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0115_auto_20190323_2238'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='device',
+            name='revoked',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/migrations/0117_auto_20190418_1149.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2 on 2019-04-18 11:49
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0116_auto_20190402_0722'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='itemvariation',
+            name='original_price',
+            field=models.DecimalField(blank=True, decimal_places=2, help_text='If set, this will be displayed next to '
+                                                                              'the current price to show that the '
+                                                                              'current price is a discounted one. '
+                                                                              'This is just a cosmetic setting and '
+                                                                              'will not actually impact pricing.',
+                                      max_digits=7, null=True, verbose_name='Original price'),
+        ),
+    ]

src/pretix/base/migrations/0118_auto_20190423_0839.py

@@ -0,0 +1,22 @@
+# Generated by Django 2.2 on 2019-04-23 08:39
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0117_auto_20190418_1149'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='subevent',
+            name='is_public',
+            field=models.BooleanField(default=True, help_text='If selected, this event will show up publicly on the list of dates for your event.', verbose_name='Show in lists'),
+        ),
+    ]

src/pretix/base/models/auth.py

@@ -111,6 +111,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     class Meta:
         verbose_name = _("User")
         verbose_name_plural = _("Users")
+        ordering = ('email',)
 
     def save(self, *args, **kwargs):
         self.email = self.email.lower()

src/pretix/base/models/devices.py

@@ -41,6 +41,7 @@ class Device(LoggedModel):
     api_token = models.CharField(max_length=190, unique=True, null=True)
     all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
     limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+    revoked = models.BooleanField(default=False)
     name = models.CharField(
         max_length=190,
         verbose_name=_('Name')

src/pretix/base/models/event.py

@@ -639,22 +639,6 @@ class Event(EventMixin, LoggedModel):
         irs = self.get_invoice_renderers()
         return irs[self.settings.invoice_renderer]
 
-    @property
-    def active_subevents(self):
-        """
-        Returns a queryset of active subevents.
-        """
-        return self.subevents.filter(active=True).order_by('-date_from', 'name')
-
-    @property
-    def active_future_subevents(self):
-        return self.subevents.filter(
-            Q(active=True) & (
-                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
-                | Q(date_to__gte=now())
-            )
-        ).order_by('date_from', 'name')
-
     def subevents_annotated(self, channel):
         return SubEvent.annotated(self.subevents, channel)
 
@@ -667,7 +651,7 @@ class Event(EventMixin, LoggedModel):
             'name_descending': ('-name', 'date_from'),
         }[ordering]
         subevs = queryset.filter(
-            Q(active=True) & (
+            Q(active=True) & Q(is_public=True) & (
                 Q(Q(date_to__isnull=True) & Q(date_from__gte=now() - timedelta(hours=24)))
                 | Q(date_to__gte=now() - timedelta(hours=24))
             )
@@ -759,6 +743,7 @@ class Event(EventMixin, LoggedModel):
         return not self.orders.exists() and not self.invoices.exists()
 
     def delete_sub_objects(self):
+        self.cartposition_set.filter(addon_to__isnull=False).delete()
         self.cartposition_set.all().delete()
         self.items.all().delete()
         self.subevents.all().delete()
@@ -832,6 +817,8 @@ class SubEvent(EventMixin, LoggedModel):
     :type event: Event
     :param active: Whether to show the subevent
     :type active: bool
+    :param is_public: Whether to show the subevent in lists
+    :type is_public: bool
     :param name: This event's full title
     :type name: str
     :param date_from: The datetime this event starts
@@ -850,6 +837,10 @@ class SubEvent(EventMixin, LoggedModel):
     active = models.BooleanField(default=False, verbose_name=_("Active"),
                                  help_text=_("Only with this checkbox enabled, this date is visible in the "
                                              "frontend to users."))
+    is_public = models.BooleanField(default=True,
+                                    verbose_name=_("Show in lists"),
+                                    help_text=_("If selected, this event will show up publicly on the list of dates "
+                                                "for your event."))
     name = I18nCharField(
         max_length=200,
         verbose_name=_("Name"),

src/pretix/base/models/fields.py

@@ -37,7 +37,7 @@ class MultiStringField(TextField):
     def get_prep_lookup(self, lookup_type, value):  # NOQA
         raise TypeError('Lookups on multi strings are currently not supported.')
 
-    def from_db_value(self, value, expression, connection, context):
+    def from_db_value(self, value, expression, connection):
         if value:
             return [v for v in value.split(DELIMITER) if v]
         else:

src/pretix/base/models/invoices.py

@@ -117,12 +117,35 @@ class Invoice(models.Model):
             self.invoice_from_name,
             self.invoice_from,
             (self.invoice_from_zipcode or "") + " " + (self.invoice_from_city or ""),
-            str(self.invoice_from_country),
+            self.invoice_from_country.name if self.invoice_from_country else "",
             pgettext("invoice", "VAT-ID: %s") % self.invoice_from_vat_id if self.invoice_from_vat_id else "",
             pgettext("invoice", "Tax ID: %s") % self.invoice_from_tax_id if self.invoice_from_tax_id else "",
         ]
         return '\n'.join([p.strip() for p in parts if p and p.strip()])
 
+    @property
+    def address_invoice_from(self):
+        parts = [
+            self.invoice_from_name,
+            self.invoice_from,
+            (self.invoice_from_zipcode or "") + " " + (self.invoice_from_city or ""),
+            self.invoice_from_country.name if self.invoice_from_country else "",
+        ]
+        return '\n'.join([p.strip() for p in parts if p and p.strip()])
+
+    @property
+    def address_invoice_to(self):
+        if self.invoice_to and not self.invoice_to_company and not self.invoice_to_name:
+            return self.invoice_to
+        parts = [
+            self.invoice_to_company,
+            self.invoice_to_name,
+            self.invoice_to_street,
+            (self.invoice_to_zipcode or "") + " " + (self.invoice_to_city or ""),
+            self.invoice_to_country.name if self.invoice_to_country else "",
+        ]
+        return '\n'.join([p.strip() for p in parts if p and p.strip()])
+
     def _get_numeric_invoice_number(self):
         numeric_invoices = Invoice.objects.filter(
             event__organizer=self.event.organizer,

src/pretix/base/models/items.py

@@ -550,6 +550,8 @@ class ItemVariation(models.Model):
     :type active: bool
     :param default_price: This variation's default price
     :type default_price: decimal.Decimal
+    :param original_price: The item's "original" price. Will not be used for any calculations, will just be shown.
+    :type original_price: decimal.Decimal
     """
     item = models.ForeignKey(
         Item,
@@ -578,6 +580,13 @@ class ItemVariation(models.Model):
         null=True, blank=True,
         verbose_name=_("Default price"),
     )
+    original_price = models.DecimalField(
+        verbose_name=_('Original price'),
+        blank=True, null=True,
+        max_digits=7, decimal_places=2,
+        help_text=_('If set, this will be displayed next to the current price to show that the current price is a '
+                    'discounted one. This is just a cosmetic setting and will not actually impact pricing.')
+    )
 
     class Meta:
         verbose_name = _("Product variation")
@@ -818,7 +827,7 @@ class ItemBundle(models.Model):
         verbose_name=_('Number')
     )
     designated_price = models.DecimalField(
-        null=True, blank=True,
+        default=Decimal('0.00'), blank=True,
         decimal_places=2, max_digits=10,
         verbose_name=_('Designated price part'),
         help_text=_('If set, it will be shown that this bundled item is responsible for the given value of the total '
@@ -1391,7 +1400,7 @@ class Quota(LoggedModel):
 
     @staticmethod
     def clean_variations(items, variations):
-        for variation in variations:
+        for variation in (variations or []):
             if variation.item not in items:
                 raise ValidationError(_('All variations must belong to an item contained in the items list.'))
                 break

src/pretix/base/models/orders.py

@@ -32,6 +32,7 @@ from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.models import User
 from pretix.base.reldate import RelativeDateWrapper
+from pretix.base.services.locking import NoLockManager
 from pretix.base.settings import PERSON_NAME_SCHEMES
 
 from .base import LockModel, LoggedModel
@@ -606,7 +607,7 @@ class Order(LockModel, LoggedModel):
             ), tz)
         return term_last
 
-    def _can_be_paid(self, count_waitinglist=True) -> Union[bool, str]:
+    def _can_be_paid(self, count_waitinglist=True, ignore_date=False) -> Union[bool, str]:
         error_messages = {
             'late_lastdate': _("The payment can not be accepted as the last date of payments configured in the "
                                "payment settings is over."),
@@ -617,13 +618,13 @@ class Order(LockModel, LoggedModel):
         if self.require_approval:
             return error_messages['require_approval']
         term_last = self.payment_term_last
-        if term_last:
+        if term_last and not ignore_date:
             if now() > term_last:
                 return error_messages['late_lastdate']
 
         if self.status == self.STATUS_PENDING:
             return True
-        if not self.event.settings.get('payment_term_accept_late'):
+        if not self.event.settings.get('payment_term_accept_late') and not ignore_date:
             return error_messages['late']
 
         return self._is_still_available(count_waitinglist=count_waitinglist)
@@ -1137,9 +1138,9 @@ class OrderPayment(models.Model):
         """
         return self.order.event.get_payment_providers().get(self.provider)
 
-    def _mark_paid(self, force, count_waitinglist, user, auth, overpaid=False):
+    def _mark_paid(self, force, count_waitinglist, user, auth, ignore_date=False, overpaid=False):
         from pretix.base.signals import order_paid
-        can_be_paid = self.order._can_be_paid(count_waitinglist=count_waitinglist)
+        can_be_paid = self.order._can_be_paid(count_waitinglist=count_waitinglist, ignore_date=ignore_date)
         if not force and can_be_paid is not True:
             self.order.log_action('pretix.event.order.quotaexceeded', {
                 'message': can_be_paid
@@ -1159,7 +1160,7 @@ class OrderPayment(models.Model):
             self.order.log_action('pretix.event.order.overpaid', {}, user=user, auth=auth)
         order_paid.send(self.order.event, order=self.order)
 
-    def confirm(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text=''):
+    def confirm(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text='', ignore_date=False, lock=True):
         """
         Marks the payment as complete. If possible, this also marks the order as paid if no further
         payment is required
@@ -1169,6 +1170,7 @@ class OrderPayment(models.Model):
         :type count_waitinglist: boolean
         :param force: Whether this payment should be marked as paid even if no remaining
                       quota is available (default: ``False``).
+        :param ignore_date: Whether this order should be marked as paid even when the last date of payments is over.
         :type force: boolean
         :param send_mail: Whether an email should be sent to the user about this event (default: ``True``).
         :type send_mail: boolean
@@ -1218,14 +1220,16 @@ class OrderPayment(models.Model):
         if payment_sum - refund_sum < self.order.total:
             return
 
-        if self.order.status == Order.STATUS_PENDING and self.order.expires > now() + timedelta(hours=12):
+        if (self.order.status == Order.STATUS_PENDING and self.order.expires > now() + timedelta(hours=12)) or not lock:
             # Performance optimization. In this case, there's really no reason to lock everything and an atomic
             # database transaction is more than enough.
-            with transaction.atomic():
-                self._mark_paid(force, count_waitinglist, user, auth, overpaid=payment_sum - refund_sum > self.order.total)
+            lockfn = NoLockManager
         else:
-            with self.order.event.lock():
-                self._mark_paid(force, count_waitinglist, user, auth, overpaid=payment_sum - refund_sum > self.order.total)
+            lockfn = self.order.event.lock
+
+        with lockfn():
+            self._mark_paid(force, count_waitinglist, user, auth, overpaid=payment_sum - refund_sum > self.order.total,
+                            ignore_date=ignore_date)
 
         invoice = None
         if invoice_qualified(self.order):

src/pretix/base/models/tax.py

@@ -118,6 +118,9 @@ class TaxRule(LoggedModel):
     )
     custom_rules = models.TextField(blank=True, null=True)
 
+    class Meta:
+        ordering = ('event', 'rate', 'id')
+
     def allow_delete(self):
         from pretix.base.models.orders import OrderFee, OrderPosition
 

src/pretix/base/models/vouchers.py

@@ -344,6 +344,8 @@ class Voucher(LoggedModel):
         a variation).
         """
         if self.quota_id:
+            if variation:
+                return variation.quotas.filter(pk=self.quota_id).exists()
             return item.quotas.filter(pk=self.quota_id).exists()
         if self.item_id and not self.variation_id:
             return self.item_id == item.pk

src/pretix/base/payment.py

@@ -721,13 +721,10 @@ class BoxOfficeProvider(BasePaymentProvider):
         return False
 
     def payment_control_render(self, request, payment) -> str:
-        template = None
-        payment_info = None
-
-        if payment.info:
-            payment_info = json.loads(payment.info)
-            if payment_info['payment_type'] == "sumup":
-                template = get_template('pretixcontrol/boxoffice/payment_sumup.html')
+        if not payment.info:
+            return
+        payment_info = json.loads(payment.info)
+        template = get_template('pretixcontrol/boxoffice/payment.html')
 
         ctx = {
             'request': request,
@@ -737,11 +734,7 @@ class BoxOfficeProvider(BasePaymentProvider):
             'payment': payment,
             'provider': self,
         }
-
-        if template:
-            return template.render(ctx)
-        else:
-            return
+        return template.render(ctx)
 
 
 class ManualPayment(BasePaymentProvider):

src/pretix/base/pdf.py

@@ -87,6 +87,15 @@ DEFAULT_VARIABLES = OrderedDict((
         "editor_sample": _("123.45 EUR"),
         "evaluate": lambda op, order, event: money_filter(op.price, event.currency)
     }),
+    ("price_with_addons", {
+        "label": _("Price including add-ons"),
+        "editor_sample": _("123.45 EUR"),
+        "evaluate": lambda op, order, event: money_filter(op.price + sum(
+            p.price
+            for p in op.addons.all()
+            if not p.canceled
+        ), event.currency)
+    }),
     ("attendee_name", {
         "label": _("Attendee name"),
         "editor_sample": _("John Doe"),

src/pretix/base/services/cart.py

@@ -1,14 +1,14 @@
 from collections import Counter, defaultdict, namedtuple
-from datetime import timedelta
+from datetime import datetime, time, timedelta
 from decimal import Decimal
 from typing import List, Optional
 
 from celery.exceptions import MaxRetriesExceededError
 from django.core.exceptions import ValidationError
-from django.db import transaction
+from django.db import DatabaseError, transaction
 from django.db.models import Q
 from django.dispatch import receiver
-from django.utils.timezone import now
+from django.utils.timezone import make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext as _
 
 from pretix.base.i18n import language
@@ -19,8 +19,9 @@ from pretix.base.models import (
 from pretix.base.models.event import SubEvent
 from pretix.base.models.orders import OrderFee
 from pretix.base.models.tax import TAXED_ZERO, TaxedPrice, TaxRule
+from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.services.checkin import _save_answers
-from pretix.base.services.locking import LockTimeoutException
+from pretix.base.services.locking import LockTimeoutException, NoLockManager
 from pretix.base.services.pricing import get_price
 from pretix.base.services.tasks import ProfiledTask
 from pretix.base.settings import PERSON_NAME_SCHEMES
@@ -134,6 +135,15 @@ class CartManager:
             raise CartError(error_messages['not_started'])
         if self.event.presale_has_ended:
             raise CartError(error_messages['ended'])
+        if not self.event.has_subevents:
+            tlv = self.event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+            if tlv:
+                term_last = make_aware(datetime.combine(
+                    tlv.datetime(self.event).date(),
+                    time(hour=23, minute=59, second=59)
+                ), self.event.timezone)
+                if term_last < self.now_dt:
+                    raise CartError(error_messages['ended'])
 
     def _extend_expiry_of_valid_existing_positions(self):
         # Extend this user's cart session to ensure all items in the cart expire at the same time
@@ -152,6 +162,18 @@ class CartManager:
                 err = error_messages['some_subevent_ended']
                 cp.addons.all().delete()
                 cp.delete()
+
+            if cp.subevent:
+                tlv = self.event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+                if tlv:
+                    term_last = make_aware(datetime.combine(
+                        tlv.datetime(cp.subevent).date(),
+                        time(hour=23, minute=59, second=59)
+                    ), self.event.timezone)
+                    if term_last < self.now_dt:
+                        err = error_messages['some_subevent_ended']
+                        cp.addons.all().delete()
+                        cp.delete()
         return err
 
     def _update_subevents_cache(self, se_ids: List[int]):
@@ -216,6 +238,16 @@ class CartManager:
             if op.subevent and op.subevent.presale_has_ended:
                 raise CartError(error_messages['ended'])
 
+            if op.subevent:
+                tlv = self.event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+                if tlv:
+                    term_last = make_aware(datetime.combine(
+                        tlv.datetime(op.subevent).date(),
+                        time(hour=23, minute=59, second=59)
+                    ), self.event.timezone)
+                    if term_last < self.now_dt:
+                        raise CartError(error_messages['ended'])
+
         if isinstance(op, self.AddOperation):
             if op.item.category and op.item.category.is_addon and not (op.addon_to and op.addon_to != 'FAKE'):
                 raise CartError(error_messages['addon_only'])
@@ -276,6 +308,10 @@ class CartManager:
         err = None
         changed_prices = {}
         for cp in expired:
+            removed_positions = {op.position.pk for op in self._operations if isinstance(op, self.RemoveOperation)}
+            if cp.pk in removed_positions or (cp.addon_to_id and cp.addon_to_id in removed_positions):
+                continue
+
             if cp.is_bundled:
                 try:
                     bundle = cp.addon_to.item.bundles.get(bundled_item=cp.item, bundled_variation=cp.variation)
@@ -755,7 +791,11 @@ class CartManager:
                     if available_count == 1:
                         op.position.expires = self._expiry
                         op.position.price = op.price.gross
-                        op.position.save()
+                        try:
+                            op.position.save(force_update=True)
+                        except DatabaseError:
+                            # Best effort... The position might have been deleted in the meantime!
+                            pass
                     elif available_count == 0:
                         op.position.addons.all().delete()
                         op.position.delete()
@@ -770,17 +810,33 @@ class CartManager:
         CartPosition.objects.bulk_create([p for p in new_cart_positions if not getattr(p, '_answers', None) and not p.pk])
         return err
 
+    def _require_locking(self):
+        if self._voucher_use_diff:
+            # If any vouchers are used, we lock to make sure we don't redeem them to often
+            return True
+
+        if self._quota_diff and any(q.size is not None for q in self._quota_diff):
+            # If any quotas are affected that are not unlimited, we lock
+            return True
+
+        return False
+
     def commit(self):
         self._check_presale_dates()
         self._check_max_cart_size()
         self._calculate_expiry()
 
-        with self.event.lock() as now_dt:
+        err = self._delete_out_of_timeframe()
+        err = self.extend_expired_positions() or err
+
+        lockfn = NoLockManager
+        if self._require_locking():
+            lockfn = self.event.lock
+
+        with lockfn() as now_dt:
             with transaction.atomic():
                 self.now_dt = now_dt
                 self._extend_expiry_of_valid_existing_positions()
-                err = self._delete_out_of_timeframe()
-                err = self.extend_expired_positions() or err
                 err = self._perform_operations() or err
             if err:
                 raise CartError(err)

src/pretix/base/services/invoices.py

@@ -120,7 +120,7 @@ def build_invoice(invoice: Invoice) -> Invoice:
         positions = list(
             invoice.order.positions.select_related('addon_to', 'item', 'tax_rule', 'subevent', 'variation').annotate(
                 addon_c=Count('addons')
-            )
+            ).order_by('positionid', 'id')
         )
 
         reverse_charge = False

src/pretix/base/services/locking.py

@@ -13,6 +13,18 @@ logger = logging.getLogger('pretix.base.locking')
 LOCK_TIMEOUT = 120
 
 
+class NoLockManager:
+    def __init__(self):
+        pass
+
+    def __enter__(self):
+        return now()
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        if exc_type is not None:
+            return False
+
+
 class LockManager:
     def __init__(self, event):
         self.event = event

src/pretix/base/services/mail.py

@@ -15,6 +15,7 @@ from pretix.base.email import ClassicMailRenderer
 from pretix.base.i18n import language
 from pretix.base.models import Event, Invoice, InvoiceAddress, Order
 from pretix.base.services.invoices import invoice_pdf_task
+from pretix.base.services.tasks import TransactionAwareTask
 from pretix.base.services.tickets import get_tickets_for_order
 from pretix.base.signals import email_filter
 from pretix.celery_app import app
@@ -177,7 +178,7 @@ def mail(email: str, subject: str, template: Union[str, LazyI18nString],
         chain(*task_chain).apply_async()
 
 
-@app.task(bind=True)
+@app.task(base=TransactionAwareTask, bind=True)
 def mail_send_task(self, *args, to: List[str], subject: str, body: str, html: str, sender: str,
                    event: int=None, headers: dict=None, bcc: List[str]=None, invoices: List[int]=None,
                    order: int=None, attach_tickets=False) -> bool:
@@ -212,15 +213,30 @@ def mail_send_task(self, *args, to: List[str], subject: str, body: str, html: st
                 order = None
             else:
                 if attach_tickets:
+                    args = []
+                    attach_size = 0
                     for name, ct in get_tickets_for_order(order):
-                        try:
-                            email.attach(
-                                name,
-                                ct.file.read(),
-                                ct.type
-                            )
-                        except:
-                            pass
+                        content = ct.file.read()
+                        args.append((name, content, ct.type))
+                        attach_size += len(content)
+
+                    if attach_size < 4 * 1024 * 1024:
+                        # Do not attach more than 4MB, it will bounce way to often.
+                        for a in args:
+                            try:
+                                email.attach(*a)
+                            except:
+                                pass
+                    else:
+                        order.log_action(
+                            'pretix.event.order.email.attachments.skipped',
+                            data={
+                                'subject': 'Attachments skipped',
+                                'message': 'Attachment have not been send because {} bytes are likely too large to arrive.'.format(attach_size),
+                                'recipient': '',
+                                'invoices': [],
+                            }
+                        )
 
         email = email_filter.send_chained(event, 'message', message=email, order=order)
 

src/pretix/base/services/orders.py

@@ -1,7 +1,7 @@
 import json
 import logging
 from collections import Counter, namedtuple
-from datetime import datetime, timedelta
+from datetime import datetime, time, timedelta
 from decimal import Decimal
 from typing import List, Optional
 
@@ -14,7 +14,7 @@ from django.db.models.functions import Greatest
 from django.dispatch import receiver
 from django.utils.formats import date_format
 from django.utils.functional import cached_property
-from django.utils.timezone import now
+from django.utils.timezone import make_aware, now
 from django.utils.translation import ugettext as _
 
 from pretix.api.models import OAuthApplication
@@ -28,21 +28,25 @@ from pretix.base.models import (
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import ItemBundle
 from pretix.base.models.orders import (
-    CachedCombinedTicket, CachedTicket, InvoiceAddress, OrderFee, OrderRefund,
-    generate_position_secret, generate_secret,
+    InvoiceAddress, OrderFee, OrderRefund, generate_position_secret,
+    generate_secret,
 )
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.models.tax import TaxedPrice
 from pretix.base.payment import BasePaymentProvider, PaymentException
+from pretix.base.reldate import RelativeDateWrapper
+from pretix.base.services import tickets
 from pretix.base.services.invoices import (
     generate_cancellation, generate_invoice, invoice_qualified,
 )
-from pretix.base.services.locking import LockTimeoutException
+from pretix.base.services.locking import LockTimeoutException, NoLockManager
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.pricing import get_price
 from pretix.base.services.tasks import ProfiledTask
 from pretix.base.signals import (
-    allow_ticket_download, order_fee_calculation, order_placed, periodic_task,
+    allow_ticket_download, order_approved, order_canceled, order_changed,
+    order_denied, order_expired, order_fee_calculation, order_placed,
+    periodic_task,
 )
 from pretix.celery_app import app
 from pretix.helpers.models import modelcopy
@@ -134,55 +138,58 @@ def mark_order_refunded(order, user=None, auth=None, api_token=None):
     )
 
 
-@transaction.atomic
 def mark_order_expired(order, user=None, auth=None):
     """
     Mark this order as expired. This sets the payment status and returns the order object.
     :param order: The order to change
     :param user: The user that performed the change
     """
-    if isinstance(order, int):
-        order = Order.objects.get(pk=order)
-    if isinstance(user, int):
-        user = User.objects.get(pk=user)
-    with order.event.lock():
-        order.status = Order.STATUS_EXPIRED
-        order.save(update_fields=['status'])
+    with transaction.atomic():
+        if isinstance(order, int):
+            order = Order.objects.get(pk=order)
+        if isinstance(user, int):
+            user = User.objects.get(pk=user)
+        with order.event.lock():
+            order.status = Order.STATUS_EXPIRED
+            order.save(update_fields=['status'])
 
-    order.log_action('pretix.event.order.expired', user=user, auth=auth)
-    i = order.invoices.filter(is_cancellation=False).last()
-    if i:
-        generate_cancellation(i)
+        order.log_action('pretix.event.order.expired', user=user, auth=auth)
+        i = order.invoices.filter(is_cancellation=False).last()
+        if i:
+            generate_cancellation(i)
 
+    order_expired.send(order.event, order=order)
     return order
 
 
-@transaction.atomic
-def approve_order(order, user=None, send_mail: bool=True, auth=None):
+def approve_order(order, user=None, send_mail: bool=True, auth=None, force=False):
     """
     Mark this order as approved
     :param order: The order to change
     :param user: The user that performed the change
     """
-    if not order.require_approval or not order.status == Order.STATUS_PENDING:
-        raise OrderError(_('This order is not pending approval.'))
+    with transaction.atomic():
+        if not order.require_approval or not order.status == Order.STATUS_PENDING:
+            raise OrderError(_('This order is not pending approval.'))
 
-    order.require_approval = False
-    order.set_expires(now(), order.event.subevents.filter(id__in=[p.subevent_id for p in order.positions.all()]))
-    order.save(update_fields=['require_approval', 'expires'])
+        order.require_approval = False
+        order.set_expires(now(), order.event.subevents.filter(id__in=[p.subevent_id for p in order.positions.all()]))
+        order.save(update_fields=['require_approval', 'expires'])
 
-    order.log_action('pretix.event.order.approved', user=user, auth=auth)
-    if order.total == Decimal('0.00'):
-        p = order.payments.create(
-            state=OrderPayment.PAYMENT_STATE_CREATED,
-            provider='free',
-            amount=0,
-            fee=None
-        )
-        try:
-            p.confirm(send_mail=False, count_waitinglist=False, user=user, auth=auth)
-        except Quota.QuotaExceededException:
-            raise OrderError(error_messages['unavailable'])
+        order.log_action('pretix.event.order.approved', user=user, auth=auth)
+        if order.total == Decimal('0.00'):
+            p = order.payments.create(
+                state=OrderPayment.PAYMENT_STATE_CREATED,
+                provider='free',
+                amount=0,
+                fee=None
+            )
+            try:
+                p.confirm(send_mail=False, count_waitinglist=False, user=user, auth=auth, ignore_date=True, force=force)
+            except Quota.QuotaExceededException:
+                raise OrderError(error_messages['unavailable'])
+
+    order_approved.send(order.event, order=order)
 
     invoice = order.invoices.last()  # Might be generated by plugin already
     if order.event.settings.get('invoice_generate') == 'True' and invoice_qualified(order):
@@ -234,30 +241,32 @@ def approve_order(order, user=None, send_mail: bool=True, auth=None):
     return order.pk
 
 
-@transaction.atomic
 def deny_order(order, comment='', user=None, send_mail: bool=True, auth=None):
     """
     Mark this order as canceled
     :param order: The order to change
     :param user: The user that performed the change
     """
-    if not order.require_approval or not order.status == Order.STATUS_PENDING:
-        raise OrderError(_('This order is not pending approval.'))
+    with transaction.atomic():
+        if not order.require_approval or not order.status == Order.STATUS_PENDING:
+            raise OrderError(_('This order is not pending approval.'))
 
-    with order.event.lock():
-        order.status = Order.STATUS_CANCELED
-        order.save(update_fields=['status'])
+        with order.event.lock():
+            order.status = Order.STATUS_CANCELED
+            order.save(update_fields=['status'])
 
-    order.log_action('pretix.event.order.denied', user=user, auth=auth, data={
-        'comment': comment
-    })
-    i = order.invoices.filter(is_cancellation=False).last()
-    if i:
-        generate_cancellation(i)
+        order.log_action('pretix.event.order.denied', user=user, auth=auth, data={
+            'comment': comment
+        })
+        i = order.invoices.filter(is_cancellation=False).last()
+        if i:
+            generate_cancellation(i)
 
-    for position in order.positions.all():
-        if position.voucher:
-            Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
+        for position in order.positions.all():
+            if position.voucher:
+                Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
+
+    order_denied.send(order.event, order=order)
 
     if send_mail:
         try:
@@ -294,7 +303,6 @@ def deny_order(order, comment='', user=None, send_mail: bool=True, auth=None):
     return order.pk
 
 
-@transaction.atomic
 def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device=None, oauth_application=None,
                   cancellation_fee=None):
     """
@@ -302,85 +310,87 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
     :param order: The order to change
     :param user: The user that performed the change
     """
-    if isinstance(order, int):
-        order = Order.objects.get(pk=order)
-    if isinstance(user, int):
-        user = User.objects.get(pk=user)
-    if isinstance(api_token, int):
-        api_token = TeamAPIToken.objects.get(pk=api_token)
-    if isinstance(device, int):
-        device = Device.objects.get(pk=device)
-    if isinstance(oauth_application, int):
-        oauth_application = OAuthApplication.objects.get(pk=oauth_application)
-    if isinstance(cancellation_fee, str):
-        cancellation_fee = Decimal(cancellation_fee)
+    with transaction.atomic():
+        if isinstance(order, int):
+            order = Order.objects.get(pk=order)
+        if isinstance(user, int):
+            user = User.objects.get(pk=user)
+        if isinstance(api_token, int):
+            api_token = TeamAPIToken.objects.get(pk=api_token)
+        if isinstance(device, int):
+            device = Device.objects.get(pk=device)
+        if isinstance(oauth_application, int):
+            oauth_application = OAuthApplication.objects.get(pk=oauth_application)
+        if isinstance(cancellation_fee, str):
+            cancellation_fee = Decimal(cancellation_fee)
 
-    if not order.cancel_allowed():
-        raise OrderError(_('You cannot cancel this order.'))
-    i = order.invoices.filter(is_cancellation=False).last()
-    if i:
-        generate_cancellation(i)
+        if not order.cancel_allowed():
+            raise OrderError(_('You cannot cancel this order.'))
+        i = order.invoices.filter(is_cancellation=False).last()
+        if i:
+            generate_cancellation(i)
+
+        if cancellation_fee:
+            with order.event.lock():
+                for position in order.positions.all():
+                    if position.voucher:
+                        Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
+                    position.canceled = True
+                    position.save(update_fields=['canceled'])
+                for fee in order.fees.all():
+                    fee.canceled = True
+                    fee.save(update_fields=['canceled'])
+
+                f = OrderFee(
+                    fee_type=OrderFee.FEE_TYPE_CANCELLATION,
+                    value=cancellation_fee,
+                    tax_rule=order.event.settings.tax_rate_default,
+                    order=order,
+                )
+                f._calculate_tax()
+                f.save()
+
+                if order.payment_refund_sum < cancellation_fee:
+                    raise OrderError(_('The cancellation fee cannot be higher than the payment credit of this order.'))
+                order.status = Order.STATUS_PAID
+                order.total = f.value
+                order.save(update_fields=['status', 'total'])
+
+            if i:
+                generate_invoice(order)
+        else:
+            with order.event.lock():
+                order.status = Order.STATUS_CANCELED
+                order.save(update_fields=['status'])
 
-    if cancellation_fee:
-        with order.event.lock():
             for position in order.positions.all():
                 if position.voucher:
                     Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
-                position.canceled = True
-                position.save(update_fields=['canceled'])
-            for fee in order.fees.all():
-                fee.canceled = True
-                fee.save(update_fields=['canceled'])
 
-            f = OrderFee(
-                fee_type=OrderFee.FEE_TYPE_CANCELLATION,
-                value=cancellation_fee,
-                tax_rule=order.event.settings.tax_rate_default,
-                order=order,
-            )
-            f._calculate_tax()
-            f.save()
+        order.log_action('pretix.event.order.canceled', user=user, auth=api_token or oauth_application or device,
+                         data={'cancellation_fee': cancellation_fee})
 
-            if order.payment_refund_sum < cancellation_fee:
-                raise OrderError(_('The cancellation fee cannot be higher than the payment credit of this order.'))
-            order.status = Order.STATUS_PAID
-            order.total = f.value
-            order.save(update_fields=['status', 'total'])
-
-        if i:
-            generate_invoice(order)
-    else:
-        with order.event.lock():
-            order.status = Order.STATUS_CANCELED
-            order.save(update_fields=['status'])
-
-        for position in order.positions.all():
-            if position.voucher:
-                Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
-
-    order.log_action('pretix.event.order.canceled', user=user, auth=api_token or oauth_application or device,
-                     data={'cancellation_fee': cancellation_fee})
-
-    if send_mail:
-        email_template = order.event.settings.mail_text_order_canceled
-        email_context = {
-            'event': order.event.name,
-            'code': order.code,
-            'url': build_absolute_uri(order.event, 'presale:event.order', kwargs={
-                'order': order.code,
-                'secret': order.secret
-            })
-        }
-        with language(order.locale):
-            email_subject = _('Order canceled: %(code)s') % {'code': order.code}
-            try:
-                order.send_mail(
-                    email_subject, email_template, email_context,
-                    'pretix.event.order.email.order_canceled', user
-                )
-            except SendMailException:
-                logger.exception('Order canceled email could not be sent')
+        if send_mail:
+            email_template = order.event.settings.mail_text_order_canceled
+            email_context = {
+                'event': order.event.name,
+                'code': order.code,
+                'url': build_absolute_uri(order.event, 'presale:event.order', kwargs={
+                    'order': order.code,
+                    'secret': order.secret
+                })
+            }
+            with language(order.locale):
+                email_subject = _('Order canceled: %(code)s') % {'code': order.code}
+                try:
+                    order.send_mail(
+                        email_subject, email_template, email_context,
+                        'pretix.event.order.email.order_canceled', user
+                    )
+                except SendMailException:
+                    logger.exception('Order canceled email could not be sent')
 
+    order_canceled.send(order.event, order=order)
     return order.pk
 
 
@@ -394,6 +404,16 @@ def _check_date(event: Event, now_dt: datetime):
     if event.presale_has_ended:
         raise OrderError(error_messages['ended'])
 
+    if not event.has_subevents:
+        tlv = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+        if tlv:
+            term_last = make_aware(datetime.combine(
+                tlv.datetime(event).date(),
+                time(hour=23, minute=59, second=59)
+            ), event.timezone)
+            if term_last < now_dt:
+                raise OrderError(error_messages['ended'])
+
 
 def _check_positions(event: Event, now_dt: datetime, positions: List[CartPosition], address: InvoiceAddress=None):
     err = None
@@ -448,6 +468,18 @@ def _check_positions(event: Event, now_dt: datetime, positions: List[CartPositio
             delete(cp)
             break
 
+        if cp.subevent:
+            tlv = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+            if tlv:
+                term_last = make_aware(datetime.combine(
+                    tlv.datetime(cp.subevent).date(),
+                    time(hour=23, minute=59, second=59)
+                ), event.timezone)
+                if term_last < now_dt:
+                    err = err or error_messages['some_subevent_ended']
+                    delete(cp)
+                    break
+
         if cp.subevent and cp.subevent.presale_has_ended:
             err = err or error_messages['some_subevent_ended']
             delete(cp)
@@ -559,6 +591,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
                   meta_info: dict=None, sales_channel: str='web'):
     fees, pf = _get_fees(positions, payment_provider, address, meta_info, event)
     total = sum([c.price for c in positions]) + sum([c.value for c in fees])
+    p = None
 
     with transaction.atomic():
         order = Order(
@@ -592,7 +625,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
             fee.save()
 
         if payment_provider and not order.require_approval:
-            order.payments.create(
+            p = order.payments.create(
                 state=OrderPayment.PAYMENT_STATE_CREATED,
                 provider=payment_provider.identifier,
                 amount=total,
@@ -608,7 +641,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
                 order.log_action('pretix.event.order.consent', data={'msg': msg})
 
     order_placed.send(event, order=order)
-    return order
+    return order, p
 
 
 def _perform_order(event: str, payment_provider: str, position_ids: List[str],
@@ -632,16 +665,32 @@ def _perform_order(event: str, payment_provider: str, position_ids: List[str],
         except InvoiceAddress.DoesNotExist:
             pass
 
-    with event.lock() as now_dt:
-        positions = list(CartPosition.objects.filter(
-            id__in=position_ids).select_related('item', 'variation', 'subevent', 'addon_to').prefetch_related('addons'))
+    positions = CartPosition.objects.filter(id__in=position_ids, event=event)
+
+    lockfn = NoLockManager
+    locked = False
+    if positions.filter(Q(voucher__isnull=False) | Q(expires__lt=now() + timedelta(minutes=2))).exists():
+        # Performance optimization: If no voucher is used and no cart position is dangerously close to its expiry date,
+        # creating this order shouldn't be prone to any race conditions and we don't need to lock the event.
+        locked = True
+        lockfn = event.lock
+
+    with lockfn() as now_dt:
+        positions = list(positions.select_related('item', 'variation', 'subevent', 'addon_to').prefetch_related('addons'))
         if len(positions) == 0:
             raise OrderError(error_messages['empty'])
         if len(position_ids) != len(positions):
             raise OrderError(error_messages['internal'])
         _check_positions(event, now_dt, positions, address=addr)
-        order = _create_order(event, email, positions, now_dt, pprov,
-                              locale=locale, address=addr, meta_info=meta_info, sales_channel=sales_channel)
+        order, payment = _create_order(event, email, positions, now_dt, pprov,
+                                       locale=locale, address=addr, meta_info=meta_info, sales_channel=sales_channel)
+
+        free_order_flow = payment and payment_provider == 'free' and order.total == Decimal('0.00') and not order.require_approval
+        if free_order_flow:
+            try:
+                payment.confirm(send_mail=False, lock=not locked)
+            except Quota.QuotaExceededException:
+                pass
 
     invoice = order.invoices.last()  # Might be generated by plugin already
     if event.settings.get('invoice_generate') == 'True' and invoice_qualified(order):
@@ -656,7 +705,7 @@ def _perform_order(event: str, payment_provider: str, position_ids: List[str],
         if order.require_approval:
             email_template = event.settings.mail_text_order_placed_require_approval
             log_entry = 'pretix.event.order.email.order_placed_require_approval'
-        elif payment_provider == 'free':
+        elif free_order_flow:
             email_template = event.settings.mail_text_order_free
             log_entry = 'pretix.event.order.email.order_free'
         else:
@@ -832,8 +881,8 @@ class OrderChangeManager:
         'addon_invalid': _('The selected base position does not allow you to add this product as an add-on.'),
         'subevent_required': _('You need to choose a subevent for the new position.'),
     }
-    ItemOperation = namedtuple('ItemOperation', ('position', 'item', 'variation', 'price'))
-    SubeventOperation = namedtuple('SubeventOperation', ('position', 'subevent', 'price'))
+    ItemOperation = namedtuple('ItemOperation', ('position', 'item', 'variation'))
+    SubeventOperation = namedtuple('SubeventOperation', ('position', 'subevent'))
     PriceOperation = namedtuple('PriceOperation', ('position', 'price'))
     CancelOperation = namedtuple('CancelOperation', ('position',))
     AddOperation = namedtuple('AddOperation', ('item', 'variation', 'price', 'addon_to', 'subevent'))
@@ -844,6 +893,7 @@ class OrderChangeManager:
         self.order = order
         self.user = user
         self.auth = auth
+        self.event = order.event
         self.split_order = None
         self._committed = False
         self._totaldiff = 0
@@ -852,33 +902,18 @@ class OrderChangeManager:
         self.notify = notify
         self._invoice_dirty = False
 
-    def change_item(self, position: OrderPosition, item: Item, variation: Optional[ItemVariation], keep_price=False):
+    def change_item(self, position: OrderPosition, item: Item, variation: Optional[ItemVariation]):
         if (not variation and item.has_variations) or (variation and variation.item_id != item.pk):
             raise OrderError(self.error_messages['product_without_variation'])
 
-        if keep_price:
-            price = TaxedPrice(gross=position.price, net=position.price - position.tax_value,
-                               tax=position.tax_value, rate=position.tax_rate,
-                               name=position.tax_rule.name if position.tax_rule else None)
-        else:
-            price = get_price(item, variation, voucher=position.voucher, subevent=position.subevent,
-                              invoice_address=self._invoice_address)
-
-        if price is None:  # NOQA
-            raise OrderError(self.error_messages['product_invalid'])
-
         new_quotas = (variation.quotas.filter(subevent=position.subevent)
                       if variation else item.quotas.filter(subevent=position.subevent))
         if not new_quotas:
             raise OrderError(self.error_messages['quota_missing'])
 
-        if self.order.event.settings.invoice_include_free or price.gross != Decimal('0.00') or position.price != Decimal('0.00'):
-            self._invoice_dirty = True
-
-        self._totaldiff += price.gross - position.price
         self._quotadiff.update(new_quotas)
         self._quotadiff.subtract(position.quotas)
-        self._operations.append(self.ItemOperation(position, item, variation, price))
+        self._operations.append(self.ItemOperation(position, item, variation))
 
     def change_subevent(self, position: OrderPosition, subevent: SubEvent):
         price = get_price(position.item, position.variation, voucher=position.voucher, subevent=subevent,
@@ -892,19 +927,15 @@ class OrderChangeManager:
         if not new_quotas:
             raise OrderError(self.error_messages['quota_missing'])
 
-        if self.order.event.settings.invoice_include_free or price.gross != Decimal('0.00') or position.price != Decimal('0.00'):
-            self._invoice_dirty = True
-
-        self._totaldiff += price.gross - position.price
         self._quotadiff.update(new_quotas)
         self._quotadiff.subtract(position.quotas)
-        self._operations.append(self.SubeventOperation(position, subevent, price))
+        self._operations.append(self.SubeventOperation(position, subevent))
 
     def regenerate_secret(self, position: OrderPosition):
         self._operations.append(self.RegenerateSecretOperation(position))
 
     def change_price(self, position: OrderPosition, price: Decimal):
-        price = position.item.tax(price)
+        price = position.item.tax(price, base_price_is='gross')
 
         self._totaldiff += price.gross - position.price
 
@@ -1061,14 +1092,11 @@ class OrderChangeManager:
                     'new_variation': op.variation.pk if op.variation else None,
                     'old_price': op.position.price,
                     'addon_to': op.position.addon_to_id,
-                    'new_price': op.price.gross
+                    'new_price': op.position.price
                 })
                 op.position.item = op.item
                 op.position.variation = op.variation
-                op.position.price = op.price.gross
-                op.position.tax_rate = op.price.rate
-                op.position.tax_value = op.price.tax
-                op.position.tax_rule = op.item.tax_rule
+                op.position._calculate_tax()
                 op.position.save()
             elif isinstance(op, self.SubeventOperation):
                 self.order.log_action('pretix.event.order.changed.subevent', user=self.user, auth=self.auth, data={
@@ -1077,13 +1105,9 @@ class OrderChangeManager:
                     'old_subevent': op.position.subevent.pk,
                     'new_subevent': op.subevent.pk,
                     'old_price': op.position.price,
-                    'new_price': op.price.gross
+                    'new_price': op.position.price
                 })
                 op.position.subevent = op.subevent
-                op.position.price = op.price.gross
-                op.position.tax_rate = op.price.rate
-                op.position.tax_value = op.price.tax
-                op.position.tax_rule = op.position.item.tax_rule
                 op.position.save()
             elif isinstance(op, self.PriceOperation):
                 self.order.log_action('pretix.event.order.changed.price', user=self.user, auth=self.auth, data={
@@ -1094,9 +1118,7 @@ class OrderChangeManager:
                     'new_price': op.price.gross
                 })
                 op.position.price = op.price.gross
-                op.position.tax_rate = op.price.rate
-                op.position.tax_value = op.price.tax
-                op.position.tax_rule = op.position.item.tax_rule
+                op.position._calculate_tax()
                 op.position.save()
             elif isinstance(op, self.CancelOperation):
                 for opa in op.position.addons.all():
@@ -1146,8 +1168,8 @@ class OrderChangeManager:
             elif isinstance(op, self.RegenerateSecretOperation):
                 op.position.secret = generate_position_secret()
                 op.position.save()
-                CachedTicket.objects.filter(order_position__order=self.order).delete()
-                CachedCombinedTicket.objects.filter(order=self.order).delete()
+                tickets.invalidate_cache.apply_async(kwargs={'event': self.event.pk,
+                                                             'order': self.order.pk})
                 self.order.log_action('pretix.event.order.changed.secret', user=self.user, auth=self.auth, data={
                     'position': op.position.pk,
                     'positionid': op.position.positionid,
@@ -1377,12 +1399,14 @@ class OrderChangeManager:
             if self.split_order:
                 self._notify_user(self.split_order)
 
+        order_changed.send(self.order.event, order=self.order)
+
     def _clear_tickets_cache(self):
-        CachedTicket.objects.filter(order_position__order=self.order).delete()
-        CachedCombinedTicket.objects.filter(order=self.order).delete()
+        tickets.invalidate_cache.apply_async(kwargs={'event': self.event.pk,
+                                                     'order': self.order.pk})
         if self.split_order:
-            CachedTicket.objects.filter(order_position__order=self.split_order).delete()
-            CachedCombinedTicket.objects.filter(order=self.split_order).delete()
+            tickets.invalidate_cache.apply_async(kwargs={'event': self.event.pk,
+                                                         'order': self.split_order.pk})
 
     def _get_payment_provider(self):
         lp = self.order.payments.last()
@@ -1470,7 +1494,7 @@ def cancel_order(self, order: int, user: int=None, send_mail: bool=True, api_tok
         raise OrderError(error_messages['busy'])
 
 
-def change_payment_provider(order: Order, payment_provider, amount=None):
+def change_payment_provider(order: Order, payment_provider, amount=None, new_payment=None):
     e = OrderPayment.objects.filter(fee=OuterRef('pk'), state__in=(OrderPayment.PAYMENT_STATE_CONFIRMED,
                                                                    OrderPayment.PAYMENT_STATE_REFUNDED))
     open_fees = list(
@@ -1502,7 +1526,10 @@ def change_payment_provider(order: Order, payment_provider, amount=None):
             fee = None
 
     open_payment = None
-    lp = order.payments.exclude(provider=payment_provider.identifier).last()
+    if new_payment:
+        lp = order.payments.exclude(pk=new_payment.pk).last()
+    else:
+        lp = order.payments.last()
     if lp and lp.state not in (OrderPayment.PAYMENT_STATE_CONFIRMED, OrderPayment.PAYMENT_STATE_REFUNDED):
         open_payment = lp
 

src/pretix/base/services/quotas.py

@@ -31,6 +31,6 @@ def refresh_quota_caches():
         Q(cached_availability_time__isnull=True) |
         Q(cached_availability_time__lt=F('last_activity')) |
         Q(cached_availability_time__lt=now() - timedelta(hours=2), last_activity__gt=now() - timedelta(days=7))
-    )
+    ).select_related('subevent')
     for q in quotas:
         q.availability()

src/pretix/base/services/tickets.py

@@ -123,8 +123,10 @@ def get_tickets_for_order(order):
                     order=order, provider=p.identifier, file__isnull=False
                 ).last()
                 if not ct or not ct.file:
-                    retval = generate.apply(args=('order', order.pk, p.identifier))
-                    ct = CachedCombinedTicket.objects.get(pk=retval.get())
+                    retval = generate_order(order.pk, p.identifier)
+                    if not retval:
+                        continue
+                    ct = CachedCombinedTicket.objects.get(pk=retval)
                 tickets.append((
                     "{}-{}-{}{}".format(
                         order.event.slug.upper(), order.code, ct.provider, ct.extension,
@@ -140,8 +142,10 @@ def get_tickets_for_order(order):
                         order_position=pos, provider=p.identifier, file__isnull=False
                     ).last()
                     if not ct or not ct.file:
-                        retval = generate.apply(args=('orderposition', pos.pk, p.identifier))
-                        ct = CachedTicket.objects.get(pk=retval.get())
+                        retval = generate_orderposition(pos.pk, p.identifier)
+                        if not retval:
+                            continue
+                        ct = CachedCombinedTicket.objects.get(pk=retval)
                     tickets.append((
                         "{}-{}-{}-{}{}".format(
                             order.event.slug.upper(), order.code, pos.positionid, ct.provider, ct.extension,
@@ -152,3 +156,26 @@ def get_tickets_for_order(order):
                     logger.exception('Failed to generate ticket.')
 
     return tickets
+
+
+@app.task(base=ProfiledTask)
+def invalidate_cache(event: int, item: int=None, provider: str=None, order: int=None, **kwargs):
+    event = Event.objects.get(id=event)
+    qs = CachedTicket.objects.filter(order_position__order__event=event)
+    qsc = CachedCombinedTicket.objects.filter(order__event=event)
+
+    if item:
+        qs = qs.filter(order_position__item_id=item)
+
+    if provider:
+        qs = qs.filter(provider=provider)
+        qsc = qsc.filter(provider=provider)
+
+    if order:
+        qs = qs.filter(order_position__order_id=order)
+        qsc = qsc.filter(order_id=order)
+
+    for ct in qs:
+        ct.delete()
+    for ct in qsc:
+        ct.delete()

src/pretix/base/settings.py

@@ -49,6 +49,10 @@ DEFAULTS = {
         'default': 'True',
         'type': bool,
     },
+    'invoice_address_not_asked_free': {
+        'default': 'False',
+        'type': bool,
+    },
     'invoice_name_required': {
         'default': 'False',
         'type': bool,
@@ -97,6 +101,14 @@ DEFAULTS = {
         'default': '30',
         'type': int
     },
+    'redirect_to_checkout_directly': {
+        'default': 'False',
+        'type': bool
+    },
+    'presale_has_ended_text': {
+        'default': '',
+        'type': LazyI18nString
+    },
     'payment_explanation': {
         'default': '',
         'type': LazyI18nString

src/pretix/base/signals.py

@@ -275,6 +275,66 @@ because an already-paid order has been split.
 As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
 """
 
+order_canceled = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order is canceled. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
+order_expired = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order is marked as expired. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
+order_modified = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order's information is modified. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
+order_changed = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order's content is changed. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
+order_approved = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order is being approved. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
+order_denied = EventPluginSignal(
+    providing_args=["order"]
+)
+"""
+This signal is sent out every time an order is being denied. The order object is given
+as the first argument.
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
 logentry_display = EventPluginSignal(
     providing_args=["logentry"]
 )

src/pretix/base/templates/400.html

@@ -1,6 +1,6 @@
 {% extends "error.html" %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 {% block title %}{% trans "Bad Request" %}{% endblock %}
 {% block content %}
     <i class="fa fa-frown-o fa-fw big-icon"></i>

src/pretix/base/templates/403.html

@@ -1,6 +1,6 @@
 {% extends "error.html" %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 {% block title %}{% trans "Permission denied" %}{% endblock %}
 {% block content %}
     <i class="fa fa-fw fa-lock big-icon"></i>

src/pretix/base/templates/404.html

@@ -1,6 +1,6 @@
 {% extends "error.html" %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 {% block title %}{% trans "Not found" %}{% endblock %}
 {% block content %}
     <i class="fa fa-meh-o fa-fw big-icon"></i>

src/pretix/base/templates/500.html

@@ -1,6 +1,6 @@
 {% extends "error.html" %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 {% block title %}{% trans "Internal Server Error" %}{% endblock %}
 {% block content %}
     <i class="fa fa-bolt big-icon fa-fw"></i>

src/pretix/base/templates/csrffail.html

@@ -1,6 +1,6 @@
 {% extends "error.html" %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 {% block title %}{% trans "Verification failed" %}{% endblock %}
 {% block content %}
     <i class="fa fa-frown-o big-icon fa-fw"></i>

src/pretix/base/templates/debug_toolbar/base.html

@@ -1,66 +0,0 @@
-{% load i18n %}{% load static from staticfiles %}
-<link rel="stylesheet" href="{% static 'debug_toolbar/css/print.css' %}" type="text/css" media="print" />
-<link rel="stylesheet" href="{% static 'debug_toolbar/css/toolbar.css' %}" type="text/css" />
-
-<!-- Prevent our copy of jQuery from registering as an AMD module on sites that use RequireJS. -->
-    <script src="{% static 'debug_toolbar/js/jquery_pre.js' %}"></script>
-    <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
-    <script src="{% static 'debug_toolbar/js/jquery_post.js' %}"></script>
-
-<script src="{% static 'debug_toolbar/js/toolbar.js' %}"></script>
-<div id="djDebug" class="djdt-hidden" dir="ltr"
-     data-store-id="{{ toolbar.store_id }}" data-render-panel-url="{% url 'djdt:render_panel' %}"
-     {{ toolbar.config.ROOT_TAG_EXTRA_ATTRS|safe }}>
-	<div class="djdt-hidden" id="djDebugToolbar">
-		<ul id="djDebugPanelList">
-			{% if toolbar.panels %}
-			<li><a id="djHideToolBarButton" href="#" title="{% trans "Hide toolbar" %}">{% trans "Hide" %} &#187;</a></li>
-			{% else %}
-			<li id="djDebugButton">DEBUG</li>
-			{% endif %}
-			{% for panel in toolbar.panels %}
-				<li class="djDebugPanelButton">
-					<input type="checkbox" data-cookie="djdt{{ panel.panel_id }}" {% if panel.enabled %}checked="checked" title="{% trans "Disable for next and successive requests" %}"{% else %}title="{% trans "Enable for next and successive requests" %}"{% endif %} />
-					{% if panel.has_content and panel.enabled %}
-						<a href="#" title="{{ panel.title }}" class="{{ panel.panel_id }}">
-					{% else %}
-						<div class="djdt-contentless{% if not panel.enabled %} djdt-disabled{% endif %}">
-					{% endif %}
-					{{ panel.nav_title }}
-					{% if panel.enabled %}
-					{% with panel.nav_subtitle as subtitle %}
-						{% if subtitle %}<br /><small>{{ subtitle }}</small>{% endif %}
-					{% endwith %}
-					{% endif %}
-					{% if panel.has_content and panel.enabled %}
-						</a>
-					{% else %}
-						</div>
-					{% endif %}
-				</li>
-			{% endfor %}
-		</ul>
-	</div>
-	<div class="djdt-hidden" id="djDebugToolbarHandle">
-		<span title="{% trans "Show toolbar" %}" id="djShowToolBarButton">&#171;</span>
-	</div>
-	{% for panel in toolbar.panels %}
-		{% if panel.has_content and panel.enabled %}
-			<div id="{{ panel.panel_id }}" class="djdt-panelContent">
-				<div class="djDebugPanelTitle">
-					<a href="" class="djDebugClose"></a>
-					<h3>{{ panel.title|safe }}</h3>
-				</div>
-				<div class="djDebugPanelContent">
-					{% if toolbar.store_id %}
-					<img src="{% static 'debug_toolbar/img/ajax-loader.gif' %}" alt="loading" class="djdt-loader" />
-					<div class="djdt-scroll"></div>
-					{% else %}
-					<div class="djdt-scroll">{{ panel.content }}</div>
-					{% endif %}
-				</div>
-			</div>
-		{% endif %}
-	{% endfor %}
-	<div id="djDebugWindow" class="djdt-panelContent"></div>
-</div>

src/pretix/base/templates/error.html

@@ -1,6 +1,6 @@
 {% load compress %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 <!DOCTYPE html>
 <html>
 <head>

src/pretix/base/templates/pretixbase/forms/widgets/thumbnailed_file_input.html

@@ -0,0 +1,6 @@
+{% load thumb %}
+{% if widget.is_initial %}{{ widget.initial_text }}: <a href="{{ widget.value.url }}">{{ widget.value }}</a>{% if not widget.required %}
+    <input type="checkbox" name="{{ widget.checkbox_name }}" id="{{ widget.checkbox_id }}">
+    <label for="{{ widget.checkbox_id }}">{{ widget.clear_checkbox_label }}</label>{% endif %}{% if widget.value.is_img %}<br><a href="{{ widget.value.url }}" data-lightbox="{{ widget.value.name }}"><img src="{{ widget.value|thumb:"200x100" }}" /></a>{% endif %}<br>
+    {{ widget.input_text }}:{% endif %}
+<input type="{{ widget.type }}" name="{{ widget.name }}"{% include "django/forms/widgets/attrs.html" %}>

src/pretix/base/templatetags/rich_text.py

@@ -72,9 +72,11 @@ def safelink_callback(attrs, new=False):
 
 
 def abslink_callback(attrs, new=False):
-    attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, attrs.get((None, 'href'), '/'))
-    attrs[None, 'target'] = '_blank'
-    attrs[None, 'rel'] = 'noopener'
+    url = attrs.get((None, 'href'), '/')
+    if not url.startswith('mailto:') and not url.startswith('tel:'):
+        attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, url)
+        attrs[None, 'target'] = '_blank'
+        attrs[None, 'rel'] = 'noopener'
     return attrs
 
 
@@ -90,7 +92,7 @@ def markdown_compile_email(source):
         tags=ALLOWED_TAGS,
         attributes=ALLOWED_ATTRIBUTES,
         protocols=ALLOWED_PROTOCOLS,
-    ))
+    ), parse_email=True)
 
 
 def markdown_compile(source):
@@ -116,6 +118,7 @@ def rich_text(text: str, **kwargs):
     text = str(text)
     body_md = bleach.linkify(
         markdown_compile(text),
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback])
+        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        parse_email=True
     )
     return mark_safe(body_md)

src/pretix/base/views/errors.py

@@ -56,7 +56,9 @@ def page_not_found(request, exception):
     }
     template = get_template('404.html')
     body = template.render(context, request)
-    return HttpResponseNotFound(body)
+    r = HttpResponseNotFound(body)
+    r.xframe_options_exempt = True
+    return r
 
 
 @requires_csrf_token
@@ -65,7 +67,9 @@ def server_error(request):
         template = loader.get_template('500.html')
     except TemplateDoesNotExist:
         return HttpResponseServerError('<h1>Server Error (500)</h1>', content_type='text/html')
-    return HttpResponseServerError(template.render({
+    r = HttpResponseServerError(template.render({
         'request': request,
         'sentry_event_id': last_event_id(),
     }))
+    r.xframe_options_exempt = True
+    return r

src/pretix/base/views/js_catalog.py

@@ -2,7 +2,7 @@ from django.utils import timezone
 from django.utils.translation.trans_real import DjangoTranslation
 from django.views.decorators.cache import cache_page
 from django.views.decorators.http import etag
-from django.views.i18n import JavaScriptCatalog, render_javascript_catalog
+from django.views.i18n import JavaScriptCatalog
 
 # Yes, we want to regenerate this every time the module has been imported to
 # refresh the cache at least at every code deployment
@@ -21,4 +21,5 @@ js_info_dict = {
 def js_catalog(request, lang):
     c = JavaScriptCatalog()
     c.translation = DjangoTranslation(lang, domain='djangojs')
-    return render_javascript_catalog(c.get_catalog(), c.get_plural())
+    context = c.get_context_data()
+    return c.render_to_response(context)

src/pretix/base/views/metrics.py

@@ -20,10 +20,10 @@ def serve_metrics(request):
         return unauthed_response()
 
     # check if the user is properly authorized:
-    if "HTTP_AUTHORIZATION" not in request.META:
+    if "Authorization" not in request.headers:
         return unauthed_response()
 
-    method, credentials = request.META["HTTP_AUTHORIZATION"].split(" ", 1)
+    method, credentials = request.headers["Authorization"].split(" ", 1)
     if method.lower() != "basic":
         return unauthed_response()
 

src/pretix/base/views/mixins.py

@@ -1,5 +1,6 @@
 import json
 from collections import OrderedDict
+from decimal import Decimal
 
 from django import forms
 from django.core.files.uploadedfile import UploadedFile
@@ -186,25 +187,35 @@ class OrderQuestionsViewMixin(BaseQuestionsViewMixin):
         except InvoiceAddress.DoesNotExist:
             return InvoiceAddress(order=self.order)
 
+    @cached_property
+    def address_asked(self):
+        return self.request.event.settings.invoice_address_asked and (
+            self.order.total != Decimal('0.00') or not self.request.event.settings.invoice_address_not_asked_free
+        )
+
     @cached_property
     def invoice_form(self):
-        if not self.request.event.settings.invoice_address_asked and self.request.event.settings.invoice_name_required:
+        if not self.address_asked and self.request.event.settings.invoice_name_required:
             return self.invoice_name_form_class(
                 data=self.request.POST if self.request.method == "POST" else None,
                 event=self.request.event,
                 instance=self.invoice_address, validate_vat_id=False,
                 all_optional=self.all_optional
             )
-        return self.invoice_form_class(
-            data=self.request.POST if self.request.method == "POST" else None,
-            event=self.request.event,
-            instance=self.invoice_address, validate_vat_id=False,
-            all_optional=self.all_optional,
-        )
+        if self.address_asked:
+            return self.invoice_form_class(
+                data=self.request.POST if self.request.method == "POST" else None,
+                event=self.request.event,
+                instance=self.invoice_address, validate_vat_id=False,
+                all_optional=self.all_optional,
+            )
+        else:
+            return forms.Form(data=self.request.POST if self.request.method == "POST" else None)
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)
         ctx['order'] = self.order
         ctx['formgroups'] = self.formdict.items()
         ctx['invoice_form'] = self.invoice_form
+        ctx['invoice_address_asked'] = self.address_asked
         return ctx

src/pretix/base/views/tasks.py

@@ -133,7 +133,7 @@ class AsyncAction:
             return str(exception)
         else:
             logger.error('Unexpected exception: %r' % exception)
-            return _('An unexpected error has occurred.')
+            return _('An unexpected error has occurred, please try again later.')
 
     def get_success_message(self, value):
         return _('The task has been completed.')

src/pretix/control/forms/__init__.py

@@ -4,8 +4,8 @@ import os
 from django import forms
 from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.files import File
 from django.forms.utils import from_current_timezone
-from django.utils.html import conditional_escape
 from django.utils.translation import ugettext_lazy as _
 
 from ...base.forms import I18nModelForm
@@ -67,16 +67,31 @@ def selector(values, prop):
 
 
 class ClearableBasenameFileInput(forms.ClearableFileInput):
+    template_name = 'pretixbase/forms/widgets/thumbnailed_file_input.html'
 
-    def get_template_substitution_values(self, value):
-        """
-        Return value-related substitutions.
-        """
-        bname = os.path.basename(value.name)
-        return {
-            'initial': conditional_escape(bname),
-            'initial_url': conditional_escape(value.url),
-        }
+    class FakeFile(File):
+        def __init__(self, file):
+            self.file = file
+
+        @property
+        def name(self):
+            return self.file.name
+
+        @property
+        def is_img(self):
+            return any(self.file.name.endswith(e) for e in ('.jpg', '.jpeg', '.png', '.gif'))
+
+        def __str__(self):
+            return os.path.basename(self.file.name).split('.', 1)[-1]
+
+        @property
+        def url(self):
+            return self.file.url
+
+    def get_context(self, name, value, attrs):
+        ctx = super().get_context(name, value, attrs)
+        ctx['widget']['value'] = self.FakeFile(value)
+        return ctx
 
 
 class ExtFileField(forms.FileField):

src/pretix/control/forms/event.py

@@ -621,6 +621,10 @@ class InvoiceSettingsForm(SettingsForm):
         widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
         required=False
     )
+    invoice_address_not_asked_free = forms.BooleanField(
+        label=_('Do not ask for invoice address if an order is free'),
+        required=False
+    )
     invoice_include_free = forms.BooleanField(
         label=_("Show free products on invoices"),
         help_text=_("Note that invoices will never be generated for orders that contain only free "
@@ -1049,6 +1053,14 @@ class DisplaySettingsForm(SettingsForm):
         required=False,
         widget=I18nTextarea
     )
+    presale_has_ended_text = I18nFormField(
+        label=_("End of presale text"),
+        required=False,
+        widget=I18nTextarea,
+        widget_kwargs={'attrs': {'rows': '2'}},
+        help_text=_("This text will be shown above the ticket shop once the designated sales timeframe for this event "
+                    "is over. You can use it to describe other options to get a ticket, such as a box office.")
+    )
     voucher_explanation_text = I18nFormField(
         label=_("Voucher explanation"),
         required=False,
@@ -1074,6 +1086,10 @@ class DisplaySettingsForm(SettingsForm):
         label=_('Ask search engines not to index the ticket shop'),
         required=False
     )
+    redirect_to_checkout_directly = forms.BooleanField(
+        label=_('Directly redirect to check-out after a product has been added to the cart.'),
+        required=False
+    )
 
     def __init__(self, *args, **kwargs):
         event = kwargs['obj']

src/pretix/control/forms/item.py

@@ -43,6 +43,7 @@ class QuestionForm(I18nModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['items'].queryset = self.instance.event.items.all()
+        self.fields['items'].required = True
         self.fields['dependency_question'].queryset = self.instance.event.questions.filter(
             type__in=(Question.TYPE_BOOLEAN, Question.TYPE_CHOICE, Question.TYPE_CHOICE_MULTIPLE)
         )
@@ -462,6 +463,7 @@ class ItemVariationForm(I18nModelForm):
             'value',
             'active',
             'default_price',
+            'original_price',
             'description',
         ]
 

src/pretix/control/forms/orders.py

@@ -9,9 +9,7 @@ from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 
 from pretix.base.forms import I18nModelForm, PlaceholderValidator
-from pretix.base.models import (
-    InvoiceAddress, Item, ItemAddOn, Order, OrderPosition,
-)
+from pretix.base.models import InvoiceAddress, ItemAddOn, Order, OrderPosition
 from pretix.base.models.event import SubEvent
 from pretix.base.services.pricing import get_price
 from pretix.control.forms.widgets import Select2
@@ -150,15 +148,6 @@ class CommentForm(I18nModelForm):
         }
 
 
-class SubEventChoiceField(forms.ModelChoiceField):
-    def label_from_instance(self, obj):
-        p = get_price(self.instance.item, self.instance.variation,
-                      voucher=self.instance.voucher,
-                      subevent=obj)
-        return '{} – {} ({})'.format(obj.name, obj.get_date_range_display(),
-                                     p.print(self.instance.order.event.currency))
-
-
 class OtherOperationsForm(forms.Form):
     recalculate_taxes = forms.BooleanField(
         label=_('Re-calculate taxes'),
@@ -265,12 +254,13 @@ class OrderPositionAddForm(forms.Form):
 
 
 class OrderPositionChangeForm(forms.Form):
-    itemvar = forms.ChoiceField()
-    subevent = SubEventChoiceField(
+    itemvar = forms.ChoiceField(
+        required=False,
+    )
+    subevent = forms.ModelChoiceField(
         SubEvent.objects.none(),
-        label=pgettext_lazy('subevent', 'New date'),
-        required=True,
-        empty_label=None
+        required=False,
+        empty_label=_('(Unchanged)')
     )
     price = forms.DecimalField(
         required=False,
@@ -278,53 +268,49 @@ class OrderPositionChangeForm(forms.Form):
         localize=True,
         label=_('New price (gross)')
     )
-    operation = forms.ChoiceField(
+    operation_secret = forms.BooleanField(
         required=False,
-        widget=forms.RadioSelect,
-        choices=(
-            ('product', 'Change product'),
-            ('price', 'Change price'),
-            ('subevent', 'Change event date'),
-            ('cancel', 'Remove product'),
-            ('split', 'Split into new order'),
-            ('secret', 'Regenerate secret'),
-        )
+        label=_('Generate a new secret')
+    )
+    operation_cancel = forms.BooleanField(
+        required=False,
+        label=_('Cancel this position')
+    )
+    operation_split = forms.BooleanField(
+        required=False,
+        label=_('Split into new order')
     )
-    change_product_keep_price = forms.BooleanField(required=False)
 
     def __init__(self, *args, **kwargs):
         instance = kwargs.pop('instance')
         initial = kwargs.get('initial', {})
 
-        try:
-            ia = instance.order.invoice_address
-        except InvoiceAddress.DoesNotExist:
-            ia = None
-
-        if instance:
-            try:
-                if instance.variation:
-                    initial['itemvar'] = '%d-%d' % (instance.item.pk, instance.variation.pk)
-                elif instance.item:
-                    initial['itemvar'] = str(instance.item.pk)
-            except Item.DoesNotExist:
-                pass
-
-            if instance.item.tax_rule and not instance.item.tax_rule.price_includes_tax:
-                initial['price'] = instance.price - instance.tax_value
-            else:
-                initial['price'] = instance.price
-        initial['subevent'] = instance.subevent
+        if instance.item.tax_rule and not instance.item.tax_rule.price_includes_tax:
+            initial['price'] = instance.price - instance.tax_value
+        else:
+            initial['price'] = instance.price
 
         kwargs['initial'] = initial
         super().__init__(*args, **kwargs)
         if instance.order.event.has_subevents:
-            self.fields['subevent'].instance = instance
             self.fields['subevent'].queryset = instance.order.event.subevents.all()
+            self.fields['subevent'].widget = Select2(
+                attrs={
+                    'data-model-select2': 'event',
+                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
+                        'event': instance.order.event.slug,
+                        'organizer': instance.order.event.organizer.slug,
+                    }),
+                    'data-placeholder': _('(Unchanged)')
+                }
+            )
+            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
         else:
             del self.fields['subevent']
 
-        choices = []
+        choices = [
+            ('', _('(Unchanged)'))
+        ]
         for i in instance.order.event.items.prefetch_related('variations').all():
             pname = str(i)
             if not i.is_available():
@@ -333,14 +319,10 @@ class OrderPositionChangeForm(forms.Form):
 
             if variations:
                 for v in variations:
-                    p = get_price(i, v, voucher=instance.voucher, subevent=instance.subevent,
-                                  invoice_address=ia)
                     choices.append(('%d-%d' % (i.pk, v.pk),
-                                    '%s – %s (%s)' % (pname, v.value, p.print(instance.order.event.currency))))
+                                    '%s – %s' % (pname, v.value)))
             else:
-                p = get_price(i, None, voucher=instance.voucher, subevent=instance.subevent,
-                              invoice_address=ia)
-                choices.append((str(i.pk), '%s (%s)' % (pname, p.print(instance.order.event.currency))))
+                choices.append((str(i.pk), pname))
         self.fields['itemvar'].choices = choices
         change_decimal_field(self.fields['price'], instance.order.event.currency)
 

src/pretix/control/forms/subevents.py

@@ -29,6 +29,7 @@ class SubEventForm(I18nModelForm):
         fields = [
             'name',
             'active',
+            'is_public',
             'date_from',
             'date_to',
             'date_admission',

src/pretix/control/forms/vouchers.py

@@ -140,7 +140,7 @@ class VoucherForm(I18nModelForm):
             data['codes'] = [a.strip() for a in data.get('codes', '').strip().split("\n") if a]
             cnt = len(data['codes']) * data.get('max_usages', 0)
         else:
-            cnt = data['max_usages']
+            cnt = data.get('max_usages', 0)
 
         Voucher.clean_item_properties(
             data, self.instance.event,

src/pretix/control/logdisplay.py

@@ -189,6 +189,8 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
         'pretix.event.order.payment.changed': _('A new payment {local_id} has been started instead of the previous one.'),
         'pretix.event.order.email.sent': _('An unidentified type email has been sent.'),
         'pretix.event.order.email.error': _('Sending of an email has failed.'),
+        'pretix.event.order.email.attachments.skipped': _('The email has been sent without attachments since they '
+                                                          'would have been too large to be likely to arrive.'),
         'pretix.event.order.email.custom_sent': _('A custom email has been sent.'),
         'pretix.event.order.email.download_reminder_sent': _('An email has been sent with a reminder that the ticket '
                                                              'is available for download.'),
@@ -389,6 +391,9 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
     if logentry.action_type == 'pretix.team.invite.created':
         return _('{user} has been invited to the team.').format(user=data.get('email'))
 
+    if logentry.action_type == 'pretix.team.invite.resent':
+        return _('Invite for {user} has been resent.').format(user=data.get('email'))
+
     if logentry.action_type == 'pretix.team.invite.deleted':
         return _('The invite for {user} has been revoked.').format(user=data.get('email'))
 

src/pretix/control/templates/pretixcontrol/auth/base.html

@@ -1,6 +1,6 @@
 {% load compress %}
 {% load i18n %}
-{% load staticfiles %}
+{% load static %}
 <!DOCTYPE html>
 <html>
 <head>

src/pretix/control/templates/pretixcontrol/base.html

@@ -12,6 +12,7 @@
             {{ settings.PRETIX_INSTANCE_NAME }}</title>
 		{% compress css %}
     		<link rel="stylesheet" type="text/x-scss" href="{% static "pretixcontrol/scss/main.scss" %}" />
+            <link rel="stylesheet" type="text/x-scss" href="{% static "lightbox/css/lightbox.scss" %}" />
 		{% endcompress %}
         {% if DEBUG %}
             <script type="text/javascript" src="{% url 'javascript-catalog' lang=request.LANGUAGE_CODE %}"
@@ -43,6 +44,7 @@
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/subevent.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/question.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/mail.js" %}"></script>
+            <script type="text/javascript" src="{% static "pretixcontrol/js/ui/orderchange.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/typeahead.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixcontrol/js/ui/quicksetup.js" %}"></script>
             <script type="text/javascript" src="{% static "pretixbase/js/details.js" %}"></script>
@@ -50,6 +52,7 @@
             <script type="text/javascript" src="{% static "colorpicker/bootstrap-colorpicker.js" %}"></script>
             <script type="text/javascript" src="{% static "fileupload/jquery.ui.widget.js" %}"></script>
             <script type="text/javascript" src="{% static "fileupload/jquery.fileupload.js" %}"></script>
+            <script type="text/javascript" src="{% static "lightbox/js/lightbox.min.js" %}"></script>
 		{% endcompress %}
         {{ html_head|safe }}
 
@@ -101,6 +104,11 @@
                                 <i class="fa fa-eye"></i>
                             </a>
                         {% endif %}
+                    {% elif request.organizer %}
+                        <a href="{% eventurl request.organizer "presale:organizer.index" %}" title="{% trans "Public profile" %}"  target="_blank"
+                            class="navbar-toggle mobile-navbar-view-link">
+                            <i class="fa fa-eye"></i>
+                        </a>
                     {% endif %}
                     <a class="navbar-brand" href="{% url "control:index" %}">
                         <img src="{% static "pretixbase/img/pretix-icon.svg" %}" />
@@ -123,6 +131,12 @@
                                 </a>
                             {% endif %}
                         </li>
+                    {% elif request.organizer %}
+                        <li>
+                            <a href="{% eventurl request.organizer "presale:organizer.index" %}" title="{% trans "Public profile" %}"  target="_blank">
+                                <i class="fa fa-eye"></i> {% trans "Public profile" %}
+                            </a>
+                        </li>
                     {% endif %}
                 </ul>
                 <ul class="nav navbar-nav navbar-top-links navbar-right">
@@ -366,6 +380,12 @@
                     {% block content %}
                     {% endblock %}
                     <footer>
+                        {% if request.timezone %}
+                            <span class="fa fa-globe"></span>
+                            {% blocktrans trimmed with tz=request.timezone %}
+                                Times displayed in {{ tz }}
+                            {% endblocktrans %} &middot;
+                        {% endif %}
                         {% with "href='http://pretix.eu'" as a_attr %}
                             {% blocktrans trimmed %}
                                 powered by <a {{ a_attr }}>pretix</a>

src/pretix/control/templates/pretixcontrol/boxoffice/payment.html

@@ -1,11 +1,15 @@
 {% load i18n %}
 
-{% if payment_info %}
-    <dl class="dl-horizontal">
+<dl class="dl-horizontal">
+    <dt>{% trans "Device ID" %}</dt>
+    <dd>{{ payment_info.pos_id }}</dd>
+    <dt>{% trans "Receipt ID" %}</dt>
+    <dd>{{ payment_info.receipt_id }}</dd>
+    {% if payment_info.payment_type == "sumup" %}
         <dt>{% trans "Payment provider" %}</dt>
         <dd>SumUp</dd>
         <dt>{% trans "Transaction Code" %}</dt>
-        <dd>{{ payment_info.payment_data.tx_code}}</dd>
+        <dd>{{ payment_info.payment_data.tx_code }}</dd>
         <dt>{% trans "Merchant Code" %}</dt>
         <dd>{{ payment_info.payment_data.merchant_code }}</dd>
         <dt>{% trans "Currency" %}</dt>
@@ -17,6 +21,8 @@
         <dt>{% trans "Card Entry Mode" %}</dt>
         <dd>{{ payment_info.payment_data.entry_mode }}</dd>
         <dt>{% trans "Card number" %}</dt>
-        <dd><i class="fa fa-cc-{{ payment_info.payment_data.card_type|lower }}"></i> **** **** **** {{ payment_info.payment_data.last4 }}</dd>
-    </dl>
-{% endif %}
+        <dd>
+            <i class="fa fa-cc-{{ payment_info.payment_data.card_type|lower }}"></i> **** **** **** {{ payment_info.payment_data.last4 }}
+        </dd>
+    {% endif %}
+</dl>

src/pretix/control/templates/pretixcontrol/checkin/index.html

@@ -95,7 +95,15 @@
                                 {% endif %}
                             </td>
                             <td>{{ e.item }}{% if e.variation %} – {{ e.variation }}{% endif %}</td>
-                            <td>{{ e.order.email }}</td>
+                            <td>
+                                {% if e.addon_to and e.addon_to.attendee_email %}
+                                    {{ e.addon_to.attendee_email }}
+                                {% elif e.attendee_email %}
+                                    {{ e.attendee_email }}
+                                {% else %}
+                                    {{ e.order.email }}
+                                {% endif %}
+                            </td>
                             <td>
                                 {% if e.addon_to %}
                                     {{ e.addon_to.attendee_name }}

src/pretix/control/templates/pretixcontrol/event/display.html

@@ -11,12 +11,14 @@
             <legend>{% trans "Event page" %}</legend>
             {% bootstrap_field form.logo_image layout="control" %}
             {% bootstrap_field form.frontpage_text layout="control" %}
+            {% bootstrap_field form.presale_has_ended_text layout="control" %}
             {% bootstrap_field form.voucher_explanation_text layout="control" %}
             {% bootstrap_field form.show_variations_expanded layout="control" %}
             {% bootstrap_field form.meta_noindex layout="control" %}
             {% if form.frontpage_subevent_ordering %}
                 {% bootstrap_field form.frontpage_subevent_ordering layout="control" %}
             {% endif %}
+            {% bootstrap_field form.redirect_to_checkout_directly layout="control" %}
         </fieldset>
         <fieldset>
             <legend>{% trans "Shop design" %}</legend>

src/pretix/control/templates/pretixcontrol/event/invoicing.html

@@ -24,6 +24,7 @@
             {% bootstrap_field form.invoice_address_company_required layout="control" %}
             {% bootstrap_field form.invoice_address_vatid layout="control" %}
             {% bootstrap_field form.invoice_address_beneficiary layout="control" %}
+            {% bootstrap_field form.invoice_address_not_asked_free layout="control" %}
         </fieldset>
         <fieldset>
             <legend>{% trans "Your invoice details" %}</legend>

src/pretix/control/templates/pretixcontrol/events/index.html

@@ -106,6 +106,9 @@
                                 {{ e.get_short_date_to_display }}
                             {% endif %}
                         {% endif %}
+                        {% if e.settings.timezone != request.timezone %}
+                            <span class="fa fa-globe text-muted" data-toggle="tooltip" title="{{ e.timezone }}"></span>
+                        {% endif %}
                     </td>
                     <td>
                         {% for q in e.first_quotas|slice:":3" %}

src/pretix/control/templates/pretixcontrol/item/variations.html

@@ -45,6 +45,7 @@
                             {% bootstrap_form_errors form %}
                             {% bootstrap_field form.active layout="control" %}
                             {% bootstrap_field form.default_price addon_after=request.event.currency layout="control" %}
+                            {% bootstrap_field form.original_price addon_after=request.event.currency layout="control" %}
                             {% bootstrap_field form.description layout="control" %}
                         </div>
                     </div>
@@ -78,6 +79,7 @@
                         <div class="panel-body form-horizontal">
                             {% bootstrap_field formset.empty_form.active layout="control" %}
                             {% bootstrap_field formset.empty_form.default_price addon_after=request.event.currency layout="control" %}
+                            {% bootstrap_field formset.empty_form.original_price addon_after=request.event.currency layout="control" %}
                             {% bootstrap_field formset.empty_form.description layout="control" %}
                         </div>
                     </div>

src/pretix/control/templates/pretixcontrol/order/change.html

@@ -1,6 +1,7 @@
 {% extends "pretixcontrol/event/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
+{% load money %}
 {% block title %}
     {% blocktrans trimmed with code=order.code %}
         Change order: {{ code }}
@@ -71,92 +72,87 @@
                     </h3>
                 </div>
                 <div class="panel-body">
-                    <div class="form-inline form-order-change">
+                    <div class="form-order-change" data-pricecalc-endpoint="{% url "api-v1:orderposition-price_calc" organizer=order.event.organizer.slug event=order.event.slug pk=position.pk %}">
                         {% bootstrap_form_errors position.form %}
                         {% if position.custom_error %}
                             <div class="alert alert-danger">
                                 {{ position.custom_error }}
                             </div>
                         {% endif %}
-                        <p class="help-block">
-                            {% trans "Ticket secret:" %} {{ position.secret|slice:":12" }}…
-                        </p>
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value=""
-                                        {% if not position.form.operation.value %}checked="checked"{% endif %}>
-                                {% trans "Keep unchanged" %}
-                            </label>
+                        <div class="row">
+                            <div class="col-sm-5 col-sm-offset-3">
+                                <strong>{% trans "Current value" %}</strong>
+                            </div>
+                            <div class="col-sm-4">
+                                <strong>{% trans "Change to" %}</strong>
+                            </div>
                         </div>
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value="product"
-                                        {% if position.form.operation.value == "product" %}checked="checked"{% endif %}>
-                                {% trans "Change product to" %}
+                        <div class="row">
+                            <div class="col-sm-3">
+                                <strong>{% trans "Product" %}</strong>
+                            </div>
+                            <div class="col-sm-5">
+                                {{ position.item }}
+                                {% if position.variation %}
+                                    – {{ position.variation }}
+                                {% endif %}
+                            </div>
+                            <div class="col-sm-4">
                                 {% bootstrap_field position.form.itemvar layout='inline' %}
-                            </label>
-                            <label class="checkbox">
-                                {{ position.form.change_product_keep_price }}
-                                {% trans "Keep price the same" %}
-                            </label>
+                            </div>
                         </div>
+
                         {% if request.event.has_subevents %}
-                            <div class="radio">
-                                <label>
-                                    <input name="{{ position.form.prefix }}-operation" type="radio" value="subevent"
-                                            {% if position.form.operation.value == "subevent" %}checked="checked"{% endif %}>
-                                    {% trans "Change date to" context "subevent" %}
+                            <div class="row">
+                                <div class="col-sm-3">
+                                    <strong>{% trans "Date" context "subevent" %}</strong>
+                                </div>
+                                <div class="col-sm-5">
+                                    {{ position.subevent }}
+                                </div>
+                                <div class="col-sm-4">
                                     {% bootstrap_field position.form.subevent layout='inline' %}
-                                </label>
+                                </div>
                             </div>
                         {% endif %}
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value="price"
-                                        {% if position.form.operation.value == "price" %}checked="checked"{% endif %}>
-                                {% trans "Change price to" %}
+
+                        <div class="row">
+                            <div class="col-sm-3">
+                                <strong>{% trans "Price" %}</strong>
+                            </div>
+                            <div class="col-sm-5">
+                                {{ position.price|money:request.event.currency }}<br>
+                                {% if position.tax_rate %}
+                                    <small>{% blocktrans trimmed with rate=position.tax_rate name=position.tax_rule.name %}
+                                        <strong>incl.</strong> {{ rate }}% {{ name }}
+                                    {% endblocktrans %}</small>
+                                {% endif %}
+                            </div>
+                            <div class="col-sm-4 field-container">
                                 {% bootstrap_field position.form.price addon_after=request.event.currency layout='inline' %}
-                                {% if position.apply_tax %}
-                                    {% if position.item.tax_rule and not position.item.tax_rule.price_includes_tax %}
-                                        {% blocktrans trimmed with rate=position.item.tax_rule.rate name=position.item.tax_rule.name %}
-                                            <strong>plus</strong> {{ rate }}% {{ name }}
-                                        {% endblocktrans %}
-                                    {% elif position.item.tax_rule %}
-                                        {% blocktrans trimmed with rate=position.item.tax_rule.rate name=position.item.tax_rule.name %}
-                                            <strong>incl.</strong> {{ rate }}% {{ name }}
-                                        {% endblocktrans %}
-                                    {% endif %}
-                                {% else %}
-                                    {% trans "no taxes apply" %}
-                                {% endif %}
-                            </label>
+                                <small><strong>{% trans "including all taxes" %}</strong></small>
+                            </div>
                         </div>
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value="split"
-                                        {% if position.form.operation.value == "split" %}checked="checked"{% endif %}>
-                                {% trans "Split into new order" %}
-                            </label>
-                        </div>
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value="secret"
-                                        {% if position.form.operation.value == "secret" %}checked="checked"{% endif %}>
-                                {% trans "Generate a new secret" %}
-                            </label>
-                        </div>
-                        <div class="radio">
-                            <label>
-                                <input name="{{ position.form.prefix }}-operation" type="radio" value="cancel"
-                                        {% if position.form.operation.value == "cancel" %}checked="checked"{% endif %}>
-                                {% trans "Cancel position" %}
-                                {% if position.addons.exists %}
-                                    <em class="text-danger">
-                                        {% trans "Removing this position will also remove all add-ons to this position." %}
-                                    </em>
-                                {% endif %}
-                            </label>
+
+                        <div class="row">
+                            <div class="col-sm-3">
+                                <strong>{% trans "Ticket secret" %}</strong>
+                            </div>
+                            <div class="col-sm-5">
+                                {{ position.secret|slice:":12" }}…
+                            </div>
+                            <div class="col-sm-4">
+                                {% bootstrap_field position.form.operation_secret layout='inline' %}
+                            </div>
                         </div>
+
+                        {% bootstrap_field position.form.operation_cancel layout='inline' %}
+                        {% bootstrap_field position.form.operation_split layout='inline' %}
+                        {% if position.addons.exists %}
+                            <em class="text-danger">
+                                {% trans "Removing this position will also remove all add-ons to this position." %}
+                            </em>
+                        {% endif %}
                     </div>
                 </div>
             </div>

src/pretix/control/templates/pretixcontrol/order/change_questions.html

@@ -18,7 +18,7 @@
     <form method="post" class="form-horizontal" href="" enctype="multipart/form-data">
         {% csrf_token %}
         <div class="panel-group" id="questions_accordion">
-            {% if request.event.settings.invoice_address_asked or order.invoice_address or request.event.settings.invoice_name_required %}
+            {% if invoice_address_asked or order.invoice_address or request.event.settings.invoice_name_required %}
                 <details class="panel panel-default" open>
                     <summary class="panel-heading">
                         <h4 class="panel-title">