Bump to 2.7.0

Update from Weblate (#1276 )
Update from Weblate
2019-05-09 16:20:40 +02:00 · 2019-05-09 14:48:51 +02:00 · 2019-05-09 12:48:23 +00:00 · 2019-05-09 12:48:22 +00:00 · 2019-05-09 12:45:12 +00:00 · 2019-05-09 12:45:12 +00:00
702 changed files with 304597 additions and 49527 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,7 +17,7 @@ pypi:
        - virtualenv env
        - source env/bin/activate
        - pip install -U pip wheel setuptools
-        - XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt -r src/requirements/py34.txt
+        - XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt
        - cd src
        - python setup.py sdist
        - pip install dist/pretix-*.tar.gz
--- a/.readthedocs.requirements.txt
+++ b/.readthedocs.requirements.txt
@@ -1,2 +1 @@
-r src/requirements/py34.txt
 -r doc/requirements.txt
--- a/.travis.sh
+++ b/.travis.sh
@@ -11,17 +11,16 @@ fi

 if [ "$PRETIX_CONFIG_FILE" == "tests/travis_postgres.cfg" ]; then
    psql -c 'create database travis_ci_test;' -U postgres
-    pip3 install -Ur src/requirements/postgres.txt
 fi

 if [ "$1" == "style" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt -r src/requirements/py34.txt
+	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt
 	cd src
    flake8 .
    isort -c -rc -df .
 fi
 if [ "$1" == "doctests" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt -r src/requirements/py34.txt
+	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
 	cd doc
 	make doctest
 fi
@@ -39,21 +38,21 @@ if [ "$1" == "translation-spelling" ]; then
 	potypo
 fi
 if [ "$1" == "tests" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt pytest-xdist
+	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
 	cd src
 	python manage.py check
 	make all compress
-	py.test --reruns 5 -n 2 tests
+	py.test --reruns 5 -n 3 tests
 fi
 if [ "$1" == "tests-cov" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt
+	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
 	cd src
 	python manage.py check
 	make all compress
 	coverage run -m py.test --reruns 5 tests && codecov
 fi
 if [ "$1" == "plugins" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt
+	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
 	cd src
 	python setup.py develop
 	make all compress
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,8 @@
 language: python
+dist: xenial
 sudo: false
 install:
-  - pip install -U pip wheel setuptools==28.6.1
+  - pip install -U pip wheel setuptools
 script:
  - bash .travis.sh $JOB
 cache:
@@ -12,41 +13,35 @@ services:
  - postgresql
 matrix:
  include:
-    - python: 3.6
+    - python: 3.7
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.6
+    - python: 3.7
      env: JOB=tests-cov PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
+    - python: 3.7
      env: JOB=style
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.4
+    - python: 3.7
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.4
+    - python: 3.7
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
    - python: 3.5
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
+    - python: 3.7
      env: JOB=plugins
-    - python: 3.6
+    - python: 3.7
      env: JOB=doc-spelling
-    - python: 3.6
+    - python: 3.7
      env: JOB=translation-spelling
 addons:
  postgresql: "9.4"
+  mariadb: '10.3'
  apt:
      packages:
          - enchant
          - myspell-de-de
          - aspell-en
+          - sqlite3
+  sources:
+    - travis-ci/sqlite3
 branches:
  except:
  - /^weblate-.*/
--- a/43
+++ b/43
@@ -1,10 +1,26 @@
 FROM python:3.6

 RUN apt-get update && \
-    apt-get install -y git libxml2-dev libxslt1-dev python-dev python-virtualenv locales \
-      libffi-dev build-essential python3-dev zlib1g-dev libssl-dev gettext libpq-dev \
-      default-libmysqlclient-dev libmemcached-dev libjpeg-dev supervisor nginx sudo \
-	  --no-install-recommends && \
+    apt-get install -y --no-install-recommends \
+            build-essential \
+            default-libmysqlclient-dev \
+            gettext \
+            git \
+            libffi-dev \
+            libjpeg-dev \
+            libmemcached-dev \
+            libpq-dev \
+            libssl-dev \
+            libxml2-dev \
+            libxslt1-dev \
+            locales \
+            nginx \
+            python-dev \
+            python-virtualenv \
+            python3-dev \
+            sudo \
+            supervisor \
+            zlib1g-dev && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    dpkg-reconfigure locales && \
@@ -19,6 +35,22 @@ RUN apt-get update && \
 ENV LC_ALL=C.UTF-8 \
    DJANGO_SETTINGS_MODULE=production_settings

+# To copy only the requirements files needed to install from PIP
+COPY src/requirements /pretix/src/requirements
+COPY src/requirements.txt /pretix/src
+RUN pip3 install -U \
+        pip \
+        setuptools \
+        wheel && \
+    cd /pretix/src && \
+    pip3 install \
+        -r requirements.txt \
+        -r requirements/memcached.txt \
+        -r requirements/mysql.txt \
+        -r requirements/redis.txt \
+        gunicorn && \
+    rm -rf ~/.cache/pip
+
 COPY deployment/docker/pretix.bash /usr/local/bin/pretix
 COPY deployment/docker/supervisord.conf /etc/supervisord.conf
 COPY deployment/docker/nginx.conf /etc/nginx/nginx.conf
@@ -27,11 +59,8 @@ COPY src /pretix/src

 RUN chmod +x /usr/local/bin/pretix && \
    rm /etc/nginx/sites-enabled/default && \
-    pip3 install -U pip wheel setuptools && \
    cd /pretix/src && \
    rm -f pretix.cfg && \
-    pip3 install -r requirements.txt -r requirements/mysql.txt -r requirements/postgres.txt \
-    	-r requirements/memcached.txt -r requirements/redis.txt gunicorn && \
 	mkdir -p data && \
    chown -R pretixuser:pretixuser /pretix /data data && \
 	sudo -u pretixuser make production
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -53,6 +53,10 @@ Example::
    A comma-separated list of plugins that are enabled by default for all new events.
    Defaults to ``pretix.plugins.sendmail,pretix.plugins.statistics``.

+``plugins_exclude``
+    A comma-separated list of plugins that are not available even though they are installed.
+    Defaults to an empty string.
+
 ``cookie_domain``
    The cookie domain to be set. Defaults to ``None``.

@@ -121,6 +125,27 @@ Example::
    Indicates if the database backend is a MySQL/MariaDB Galera cluster and
    turns on some optimizations/special case handlers. Default: ``False``

+.. _`config-replica`:
+
+Database replica settings
+-------------------------
+
+If you use a replicated database setup, pretix expects that the default database connection always points to the primary database node.
+Routing read queries to a replica on database layer is **strongly** discouraged since this can lead to inaccurate such as more tickets
+being sold than are actually available.
+
+However, pretix can still make use of a database replica to keep some expensive queries with that can tolerate some latency from your
+primary database, such as backend search queries. The ``replica`` configuration section can have the same settings as the ``database``
+section (except for the ``backend`` setting) and will default back to the ``database`` settings for all values that are not given. This
+way, you just need to specify the settings that are different for the replica.
+
+Example::
+
+    [replica]
+    host=192.168.0.2
+
+.. _`config-urls`:
+
 URLs
 ----

@@ -291,5 +316,13 @@ various places like order codes, secrets in the ticket QR codes, etc. Example::
    ; Voucher code needs to be < 255 characters, default is 16
    voucher_code=16

+External tools
+--------------
+
+pretix can make use of some external tools if they are installed. Currently, they are all optional. Example::
+
+    [tools]
+    pdftk=/usr/bin/pdftk
+
 .. _Python documentation: https://docs.python.org/3/library/configparser.html?highlight=configparser#supported-ini-file-structure
 .. _Celery documentation: http://docs.celeryproject.org/en/latest/userguide/configuration.html
--- a/doc/admin/index.rst
+++ b/doc/admin/index.rst
@@ -11,3 +11,4 @@ This documentation is for everyone who wants to install pretix on a server.
   installation/index
   config
   maintainance
+   scaling
--- a/doc/admin/installation/dev_version.rst
+++ b/doc/admin/installation/dev_version.rst
@@ -0,0 +1,37 @@
+.. highlight:: none
+
+Installing a development version
+================================
+
+If you want to use a feature of pretix that is not yet contained in the last monthly release, you can also
+install a development version with pretix.
+
+.. warning:: When in production, we strongly recommend only installing released versions. Development versions might
+             be broken, incompatible to plugins, or in rare cases incompatible to upgrade later on.
+
+
+Manual installation
+-------------------
+
+You can use ``pip`` to update pretix directly to the development branch. Then, upgrade as usual::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+https://github.com/pretix/pretix.git#egg=pretix&subdirectory=src"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    (venv)$ python -m pretix updatestyles
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To use the latest development version with Docker, first pull it from Docker Hub::
+
+    $ docker pull pretix/standalone:latest
+
+
+Then change your ``/etc/systemd/system/pretix.service`` file to use the ``:latest`` tag instead of ``:stable`` as well
+and upgrade as usual::
+
+    $ systemctl restart pretix.service
+    $ docker exec -it pretix.service pretix upgrade
--- a/doc/admin/installation/docker_smallscale.rst
+++ b/doc/admin/installation/docker_smallscale.rst
@@ -26,7 +26,7 @@ installation guides):
 * `Docker`_
 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `MySQL`_ or `PostgreSQL`_ database server
+* A `PostgreSQL`_, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
 * A `redis`_ server

 We also recommend that you use a firewall, although this is not a pretix-specific recommendation. If you're new to
@@ -36,6 +36,9 @@ Linux and firewalls, we recommend that you start with `ufw`_.
          SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
          installations except for evaluation purposes.

+.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+             **MariaDB 10.2.7 or newer**.
+
 On this guide
 -------------

@@ -55,16 +58,29 @@ Database
 --------

 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
-our database's shell, e.g. for MySQL::
+our database's shell. For PostgreSQL, we would do::

-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser -P pretix
+    # sudo -u postgres createdb -O pretix pretix

-Replace the asterisks with a password of your own. For MySQL, we will use a unix domain socket to connect to the
-database. For PostgreSQL, be sure to configure the interface binding and your firewall so that the docker container
-can reach PostgreSQL.
+Make sure that your database listens on the network. If PostgreSQL on the same same host as docker, but not inside a docker container, we recommend that you just listen on the Docker interface by changing the following line in ``/etc/postgresql/<version>/main/postgresql.conf``::
+
+    listen_addresses = 'localhost,172.17.0.1'
+
+You also need to add a new line to ``/etc/postgresql/<version>/main/pg_hba.conf`` to allow network connections to this user and database::
+
+    host    pretix          pretix          172.17.0.1/16           md5
+
+Restart PostgreSQL after you changed these files::
+
+    # systemctl restart postgresql
+
+If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.
+
+For MySQL, you can either also use network-based connections or mount the ``/var/run/mysqld/mysqld.sock`` socket into the docker container.
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;

 Redis
 -----
@@ -111,13 +127,16 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    datadir=/data

    [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; Replace postgresql with mysql for MySQL
+    backend=postgresql
    name=pretix
    user=pretix
+    ; Replace with the password you chose above
    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; In most docker setups, 172.17.0.1 is the address of the docker host. Adjuts
+    ; this to wherever your database is running, e.g. the name of a linked container
+    ; or of a mounted MySQL socket.
+    host=172.17.0.1

    [mail]
    ; See config file documentation for more options
@@ -161,14 +180,15 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
        -v /var/pretix-data:/data \
        -v /etc/pretix:/etc/pretix \
        -v /var/run/redis:/var/run/redis \
-        -v /var/run/mysqld:/var/run/mysqld \
        pretix/standalone:stable all
    ExecStop=/usr/bin/docker stop %n

    [Install]
    WantedBy=multi-user.target

-You can leave the MySQL socket volume out if you're using PostgreSQL. You can now run the following commands
+When using MySQL and socket mounting, you'll need the additional flag ``-v /var/run/mysqld:/var/run/mysqld`` in the command.
+
+You can now run the following commands
 to enable and start the service::

    # systemctl daemon-reload
--- a/doc/admin/installation/enterprise.rst
+++ b/doc/admin/installation/enterprise.rst
@@ -0,0 +1,84 @@
+.. highlight:: none
+
+Installing pretix Enterprise plugins
+====================================
+
+If you want to use a feature of pretix that is part of our commercial offering pretix Enterprise, you need to follow
+some extra steps. Installation works similar to normal pretix plugins, but involves a few extra steps.
+
+Buying the license
+------------------
+
+To obtain a license, please get in touch at sales@pretix.eu. Please let us know how many tickets you roughly intend
+to sell per year and how many servers you want to use the plugin on. We recommend having a look at our `price list`_
+first.
+
+
+Manual installation
+-------------------
+
+First, generate an SSH key for the system user that you install pretix as. In our tutorial, that would be the user
+``pretix``. Choose an empty passphrase::
+
+    # su pretix
+    $ ssh-keygen
+    Generating public/private rsa key pair.
+    Enter file in which to save the key (/var/pretix/.ssh/id_rsa):
+    Enter passphrase (empty for no passphrase):
+    Enter same passphrase again:
+    Your identification has been saved in /var/pretix/.ssh/id_rsa.
+    Your public key has been saved in /var/pretix/.ssh/id_rsa.pub.
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat /var/pretix/.ssh/id_rsa.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can install the plugin directly using ``pip`` from the URL we told
+you, for example::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To install a plugin, you need to build your own docker image. To do so, create a new directory to work in. As a first
+step, generate a new SSH key in that directory to use for authentication with us::
+
+    $ cd /home/me/mypretixdocker
+    $ ssh-keygen -N "" -f id_pretix_enterprise
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat id_pretix_enterprise.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can add a ``Dockerfile`` in your directory that includes the newly
+generated key and installs the plugin from the URL we told you::
+
+    FROM pretix/standalone:stable
+    USER root
+    COPY id_pretix_enterprise /root/.ssh/id_rsa
+    COPY id_pretix_enterprise.pub /root/.ssh/id_rsa.pub
+    RUN chmod -R 0600 /root/.ssh && \
+        mkdir -p /etc/ssh && \
+        ssh-keyscan -t rsa -p 10022 code.rami.io >> /root/.ssh/known_hosts && \
+        echo StrictHostKeyChecking=no >> /root/.ssh/config && \
+        pip3 install -Ue "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
+        cd /pretix/src && \
+        sudo -u pretixuser make production
+    USER pretixuser
+
+Then, build the image for docker::
+
+    $ docker build -t mypretix
+
+You can now use that image ``mypretix`` instead of ``pretix/standalone:stable`` in your ``/etc/systemd/system/pretix.service``
+service file. Be sure to re-build your custom image after you pulled ``pretix/standalone`` if you want to perform an
+update to a new version of pretix.
+
+.. _price list: https://pretix.eu/about/en/pricing
--- a/doc/admin/installation/general.rst
+++ b/doc/admin/installation/general.rst
@@ -21,6 +21,9 @@ To use pretix, you will need the following things:

  .. warning:: Do not ever use SQLite in production. It will break.

+  .. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+               **MariaDB 10.2.7 or newer**.
+
 * A **reverse proxy**. pretix needs to deliver some static content to your users (e.g. CSS, images, ...). While pretix
  is capable of doing this, having this handled by a proper web server like **nginx** or **Apache** will be much
  faster. Also, you need a proxying web server in front to provide SSL encryption.
--- a/doc/admin/installation/index.rst
+++ b/doc/admin/installation/index.rst
@@ -1,3 +1,5 @@
+.. _`installation`:
+
 Installation guide
 ==================

@@ -10,3 +12,5 @@ for your needs.
   general
   docker_smallscale
   manual_smallscale
+   dev_version
+   enterprise
--- a/doc/admin/installation/manual_smallscale.rst
+++ b/doc/admin/installation/manual_smallscale.rst
@@ -23,7 +23,7 @@ installation guides):

 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `MySQL`_ or `PostgreSQL`_ database server
+* A `PostgreSQL`_, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
 * A `redis`_ server

 We also recommend that you use a firewall, although this is not a pretix-specific recommendation. If you're new to
@@ -33,6 +33,9 @@ Linux and firewalls, we recommend that you start with `ufw`_.
          SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
          installations except for evaluation purposes.

+.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+             **MariaDB 10.2.7 or newer**.
+
 Unix user
 ---------

@@ -47,21 +50,23 @@ Database
 --------

 Having the database server installed, we still need a database and a database user. We can create these with any kind
-of database managing tool or directly on our database's shell, e.g. for MySQL::
+of database managing tool or directly on our database's shell. For PostgreSQL, we would do::

-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;

 Package dependencies
 --------------------

 To build and run pretix, you will need the following debian packages::

-    # apt-get install git build-essential python-dev python-virtualenv python3 python3-pip \
+    # apt-get install git build-essential python-dev python3-venv python3 python3-pip \
                      python3-dev libxml2-dev libxslt1-dev libffi-dev zlib1g-dev libssl-dev \
-                      gettext libpq-dev libmysqlclient-dev libjpeg-dev
+                      gettext libpq-dev libmariadbclient-dev libjpeg-dev libopenjp2-7-dev

 Config file
 -----------
@@ -82,13 +87,18 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    datadir=/var/pretix/data

    [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; For MySQL, replace with "mysql"
+    backend=postgresql
    name=pretix
    user=pretix
-    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; For MySQL, enter the user password. For PostgreSQL on the same host,
+    ; we don't need one because we can use peer authentification if our
+    ; PostgreSQL user matches our unix user.
+    password=
+    ; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+    ; For a remote host, supply an IP address
+    ; For local postgres authentication, you can leave it empty
+    host=

    [mail]
    ; See config file documentation for more options
@@ -112,17 +122,16 @@ Now we will install pretix itself. The following steps are to be executed as the
 actually install pretix, we will create a virtual environment to isolate the python packages from your global
 python installation::

-    $ virtualenv -p python3 /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
    $ source /var/pretix/venv/bin/activate
    (venv)$ pip3 install -U pip setuptools wheel

-We now install pretix, its direct dependencies and gunicorn. Replace ``mysql`` with ``postgres`` in the following
-command if you're running PostgreSQL::
+We now install pretix, its direct dependencies and gunicorn. Replace ``postgres`` with ``mysql`` in the following
+command if you're running MySQL::

-    (venv)$ pip3 install "pretix[mysql]" gunicorn
+    (venv)$ pip3 install "pretix[postgres]" gunicorn

-If you are running Python 3.4, you also need to ``pip3 install typing``. This is not required on 3.5 or newer.
-You can find out your Python version using ``python -V``.
+Note that you need Python 3.5 or newer. You can find out your Python version using ``python -V``.

 We also need to create a data directory::

@@ -266,10 +275,10 @@ Updates
 .. warning:: While we try hard not to break things, **please perform a backup before every upgrade**.

 To upgrade to a new pretix release, pull the latest code changes and run the following commands (again, replace
-``mysql`` with ``postgres`` if necessary)::
+``postgres`` with ``mysql`` if necessary)::

    $ source /var/pretix/venv/bin/activate
-    (venv)$ pip3 install -U pretix[mysql] gunicorn
+    (venv)$ pip3 install -U pretix[postgres] gunicorn
    (venv)$ python -m pretix migrate
    (venv)$ python -m pretix rebuild
    (venv)$ python -m pretix updatestyles
--- a/doc/admin/scaling.rst
+++ b/doc/admin/scaling.rst
@@ -0,0 +1,236 @@
+.. _`scaling`:
+
+Scaling guide
+=============
+
+Our :ref:`installation guide <installation>` only covers "small-scale" setups, by which we mostly mean
+setups that run on a **single (virtual) machine** and do not encounter large traffic peaks.
+
+We do not offer an installation guide for larger-scale setups of pretix, mostly because we believe that
+there is no one-size-fits-all solution for this and the desired setup highly depends on your use case,
+the platform you run pretix on, and your technical capabilities. We do not recommend trying set up pretix
+in a multi-server environment if you do not already have experience with managing server clusters.
+
+This document is intended to give you a general idea on what issues you will encounter when you scale up
+and what you should think of.
+
+.. tip::
+
+   If you require more help on this, we're happy to help. Our pretix Enterprise support team has built
+   and helped building, scaling and load-testing pretix installations at any scale and we're looking
+   forward to work with you on fine-tuning your system. If you intend to sell **more than a thousand
+   tickets in a very short amount of time**, we highly recommend reaching out and at least talking this
+   through. Just get in touch at sales@pretix.eu!
+
+Scaling reasons
+---------------
+
+There's mainly two reasons to scale up a pretix installation beyond a single server:
+
+* **Availability:** Distributing pretix over multiple servers can allow you to survive failure of one or more single machines, leading to a higher uptime and reliability of your system.
+
+* **Traffic and throughput:** Distributing pretix over multiple servers can allow you to process more web requests and ticket sales at the same time.
+
+You are very unlikely to require scaling for other reasons, such as having too much data in your database.
+
+Components
+----------
+
+A pretix installation usually consists of the following components which run performance-relevant processes:
+
+* ``pretix-web`` is the Django-based web application that serves all user interaction.
+
+* ``pretix-worker`` is a Celery-based application that processes tasks that should be run asynchronously outside of the web application process.
+
+* A **SQL database** keeps all the important data and processes the actual transactions. We recommend using PostgreSQL, but MySQL/MariaDB works as well.
+
+* A **web server** that terminates TLS and HTTP connections and forwards them to ``pretix-web``. In some cases, e.g. when serving static files, the web servers might return a response directly. We recommend using ``nginx``.
+
+* A **redis** server responsible for the communication between ``pretix-web`` and ``pretix-worker``, as well as for caching.
+
+* A directory of **media files** such as user-uploaded files or generated files (tickets, invoices, …) that are created and used by ``pretix-web``, ``pretix-worker`` and the web server.
+
+In the following, we will discuss the scaling behavior of every component individually. In general, you can run all of the components
+on the same server, but you can just as well distribute every component to its own server, or even use multiple servers for some single
+components.
+
+.. warning::
+
+   When setting up your system, don't forget about security. In a multi-server environment,
+   you need to take special care to ensure that no unauthorized access to your database
+   is possible through the network and that it's not easy to wiretap your connections. We
+   recommend a rigorous use of firewalls and encryption on all communications. You can
+   ensure this either on an application level (such as using the TLS support in your
+   database) or on a network level with a VPN solution.
+
+Web server
+""""""""""
+
+Your web server is at the very front of your installation. It will need to absorb all of the traffic, and it should be able to
+at least show a decent error message, even when everything else fails. Luckily, web servers are really fast these days, so this
+can be achieved without too much work.
+
+We recommend reading up on tuning your web server for high concurrency. For nginx, this means thinking about the number of worker
+processes and the number of connections each worker process accepts. Double-check that TLS session caching works, because TLS
+handshakes can get really expensive.
+
+During a traffic peak, your web server will be able to make us of more CPU resources, while memory usage will stay comparatively low,
+so if you invest in more hardware here, invest in more and faster CPU cores.
+
+Make sure that pretix' static files (such as CSS and JavaScript assets) as well as user-uploaded media files (event logos, etc)
+are served directly by your web server and your web server caches them in-memory (nginx does it by default) and sets useful
+headers for client-side caching. As an additional performance improvement, you can turn of access logging for these types of files.
+If you want, you can even farm out serving static files to a different web server entirely and :ref:`configure pretix to reference
+them from a different URL <config-urls>`.
+
+.. tip::
+
+   If you expect *really high traffic* for your very popular event, you might want to do some rate limiting on this layer, or,
+   if you want to ensure a fair and robust first-come-first-served experience and prefer letting users wait over showing them
+   errors, consider a queuing solution. We're happy to provide you with such systems, just get in touch at sales@pretix.eu.
+
+pretix-web
+""""""""""
+
+The ``pretix-web`` process does not carry any internal state can be easily started on as many machines as you like, and you can
+use the load balancing features of your frontend web server to redirect to all of them.
+
+You can adjust the number of processes in the ``gunicorn`` command line, and we recommend choosing roughly two times the number
+of CPU cores available. Under load, the memory consumption of ``pretix-web`` will stay comparatively constant, while the CPU usage
+will increase a lot. Therefore, if you can add more or faster CPU cores, you will be able to serve more users.
+
+pretix-worker
+"""""""""""""
+
+The ``pretix-worker`` process performs all operations that are not directly executed in the request-response-cycle of ``pretix-web``.
+Just like ``pretix-web`` you can easily start up as many instances as you want on different machines to share the work. As long as they
+all talk to the same redis server, they will all receive tasks from ``pretix-web``, work on them and post their result back.
+You can configure the number of threads that run tasks in parallel through the ``--concurrency`` command line option of ``celery``.
+
+Just like ``pretix-web``, this process is mostly heavy on CPU, disk IO and network IO, although memory peaks can occur e.g. during the
+generation of large PDF files, so we recommend having some reserves here.
+
+``pretix-worker`` performs a variety of tasks which are of different importance.
+Some of them are mission-critical and need to be run quickly even during high load (such as
+creating a cart or an order), others are irrelevant and can easily run later (such as
+distributing tickets on the waiting list). You can fine-tune the capacity you assign to each
+of these tasks by running ``pretix-worker`` processes that only work on a specific **queue**.
+For example, you could have three servers dedicated only to process order creations and one
+server dedicated only to sending emails. This allows you to set priorities and also protects
+you from e.g. a slow email server lowering your ticket throughput.
+
+You can do so by specifying one or more queues on the ``celery`` command line of this process, such as ``celery -A pretix.celery_app worker -Q notifications,mail``. Currently,
+the following queues exist:
+
+* ``checkout`` -- This queue handles everything related to carts and orders and thereby everything required to process a sale. This includes adding and deleting items from carts as well as creating and canceling orders.
+
+* ``mail`` -- This queue handles sending of outgoing emails.
+
+* ``notifications`` -- This queue handles the processing of any outgoing notifications, such as email notifications to admin users (except for the actual sending) or API notifications to registered webhooks.
+
+* ``background`` -- This queue handles tasks that are expected to take long or have no human waiting for their result immediately, such as refreshing caches, re-generating CSS files, assigning tickets on the waiting list or parsing bank data files.
+
+* ``default`` -- This queue handles everything else with "medium" or unassigned priority, most prominently the generation of files for tickets, invoices, badges, admin exports, etc.
+
+Media files
+"""""""""""
+
+Both ``pretix-web``, ``pretix-worker`` and in some cases your webserver need to work with
+media files. Media files are all files generated *at runtime* by the software. This can
+include files uploaded by the event organizers, such as the event logo, files uploaded by
+ticket buyers (if you use such features) or files generated by the software, such as
+ticket files, invoice PDFs, data exports or customized CSS files.
+
+Those files are by default stored to the ``media/`` sub-folder of the data directory given
+in the ``pretix.cfg`` configuration file. Inside that ``media/`` folder, you will find a
+``pub/`` folder containing the subset of files that should be publicly accessible through
+the web server. Everything else only needs to be accessible by ``pretix-web`` and
+``pretix-worker`` themselves.
+
+If you distribute ``pretix-web`` or ``pretix-worker`` across more than one machine, you
+**must** make sure that they all have access to a shared storage to read and write these
+files, otherwise you **will** run into errors with the user interface.
+
+The easiest solution for this is probably to store them on a NFS server that you mount
+on each of the other servers.
+
+Since we use Django's file storage mechanism internally, you can in theory also use a object-storage solution like Amazon S3, Ceph, or Minio to store these files, although we currently do not expose this through pretix' configuration file and this would require you to ship your own variant of ``pretix/settings.py`` and reference it through the ``DJANGO_SETTINGS_MODULE`` environment variable.
+
+At pretix.eu, we use a custom-built `object storage cluster`_.
+
+SQL database
+""""""""""""
+
+One of the most critical parts of the whole setup is the SQL database -- and certainly the
+hardest to scale. Tuning relational databases is an art form, and while there's lots of
+material on it on the internet, there's not a single recipe that you can apply to every case.
+
+As a general rule of thumb, the more resources you can give your databases, the better.
+Most databases will happily use all CPU cores available, but only use memory up to an amount
+you configure, so make sure to set this memory usage as high as you can afford. Having more
+memory available allows your database to make more use of caching, which is usually good.
+
+Scaling your database to multiple machines needs to be treated with great caution. It's a
+good to have a replica of your database for availability reasons. In case your primary
+database server fails, you can easily switch over to the replica and continue working.
+
+However, using database replicas for performance gains is much more complicated. When using
+replicated database systems, you are always trading in consistency or availability to get
+additional performance and the consequences of this can be subtle and it is important
+that you have a deep understanding of the semantics of your replication mechanism.
+
+.. warning::
+
+   Using an off-the-shelf database proxy solution that redirects read queries to your
+   replicas and write queries to your primary database **will lead to very nasty bugs.**
+
+   As an example, if you buy a ticket, pretix first needs to calculate how many tickets
+   are left to sell. If this calculation is done on a database replica that lags behind
+   even for fractions of a second, the decision to allow selling the ticket will be made
+   on out-of-data data and you can end up with more tickets sold than configured. Similarly,
+   you could imagine situations leading to double payments etc.
+
+If you do have a replica, you *can* tell pretix about it :ref:`in your configuration <config-replica>`.
+This way, pretix can offload complex read-only queries to the replica when it is safe to do so.
+As of pretix 2.7, this is mainly used for search queries in the backend and for rendering the
+product list and event lists in the frontend, but we plan on expanding this in the future.
+
+Therefore, for now our clear recommendation is: Try to scale your database vertically and put
+it on the most powerful machine you have available.
+
+redis
+"""""
+
+While redis is a very important part that glues together some of the components, it isn't used
+heavily and can usually handle a fairly large pretix installation easily on a single modern
+CPU core.
+Having some memory available is good in case of e.g. lots of tasks queuing up during a traffic peak, but we wouldn't expect ever needing more than a gigabyte of it.
+
+Feel free to set up a redis cluster for availability – but you won't need it for performance in a long time.
+
+The limitations
+---------------
+
+Up to a certain point, pretix scales really well. However, there are a few things that we consider
+even more important than scalability, and those are correctness and reliability. We want you to be
+able to trust that pretix will not sell more tickets than you intended or run into similar error
+cases.
+
+Combined with pretix' flexibility and complexity, especially around vouchers and quotas, this creates
+some hard issues. In many cases, we need to fall back to event-global locking for some actions which
+are likely to run with high concurrency and cause harm.
+
+For every event, only one of these locking actions can be run at the same time. Examples for this are
+adding products limited by a quota to a cart, adding items to a cart using a voucher or placing an order
+consisting of cart positions that don't have a valid reservation for much longer. In these cases, it is
+currently not realistically possible to exceed selling **approx. 500 orders per minute per event**, even
+if you add more hardware.
+If you have an unlimited number of tickets, we can apply fewer locking and we've reached **approx.
+1500 orders per minute per event** in benchmarks, although even more should be possible.
+
+We're working to reduce the number of cases in which this is relevant and thereby improve the possible
+throughput. If you want to use pretix for an event with 10,000+ tickets that are likely to be sold out
+within minutes, please get in touch to discuss possible solutions. We'll work something out for you!
+
+
+.. _object storage cluster: https://behind.pretix.eu/2018/03/20/high-available-cdn/
--- a/doc/api/auth.rst
+++ b/doc/api/auth.rst
@@ -0,0 +1,9 @@
+Authentication
+==============
+
+.. toctree::
+   :maxdepth: 2
+
+   tokenauth
+   oauth
+   deviceauth
--- a/doc/api/deviceauth.rst
+++ b/doc/api/deviceauth.rst
@@ -0,0 +1,137 @@
+.. _`rest-deviceauth`:
+
+Device authentication
+=====================
+
+Initializing a new device
+-------------------------
+
+Users can create new devices in the "Device" section of their organizer settings. When creating
+a new device, users can specify a list of events the device is allowed to access. After a new
+device is created, users will be presented initialization instructions, consisting of an URL
+and an initialization token. They will also be shown as a QR code with the following contents::
+
+   {"handshake_version": 1, "url": "https://pretix.eu", "token": "kpp4jn8g2ynzonp6"}
+
+Your application should be able to scan a QR code of this type, or allow to enter the URL and the
+initialization token manually. The handshake version is not used for manual initialization. When a
+QR code is scanned with a higher handshake version than you support, you should reject the request
+and prompt the user to update the client application.
+
+After your application received the token, you need to call the initialization endpoint to obtain
+a proper API token. At this point, you need to identify the name and version of your application,
+as well as the type of underlying hardware. Example:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/initialize HTTP/1.1
+   Host: pretix.eu
+   Content-Type: application/json
+
+   {
+       "token": "kpp4jn8g2ynzonp6",
+       "hardware_brand": "Samsung",
+       "hardware_model": "Galaxy S",
+       "software_brand": "pretixdroid",
+       "software_version": "4.0.0"
+   }
+
+Every initialization token can only be used once. On success, you will receive a response containing
+information on your device as well as your API token:
+
+.. sourcecode:: http
+
+   HTTP/1.1 200 OK
+   Content-Type: application/json
+
+   {
+       "organizer": "foo",
+       "device_id": 5,
+       "unique_serial": "HHZ9LW9JWP390VFZ",
+       "api_token": "1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd",
+       "name": "Bar"
+   }
+
+Please make sure that you store this ``api_token`` value. We also recommend storing your device ID, your assigned
+``unique_serial``, and the ``organizer`` you have access to, but that's up to you.
+
+In case of an error, the response will look like this:
+
+.. sourcecode:: http
+
+   HTTP/1.1 400 Bad Request
+   Content-Type: application/json
+
+   {"token":["This initialization token has already been used."]}
+
+
+Performing API requests
+-----------------------
+
+You need to include the API token with every request to pretix' API in the ``Authorization`` header
+like the following:
+
+.. sourcecode:: http
+   :emphasize-lines: 3
+
+   GET /api/v1/organizers/ HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+Updating the software version
+-----------------------------
+
+If your application is updated, we ask you to tell the server about the new version in use. You can do this at the
+following endpoint:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/update HTTP/1.1
+   Host: pretix.eu
+   Content-Type: application/json
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+   {
+       "hardware_brand": "Samsung",
+       "hardware_model": "Galaxy S",
+       "software_brand": "pretixdroid",
+       "software_version": "4.1.0"
+   }
+
+Creating a new API key
+----------------------
+
+If you think your API key might have leaked or just want to be extra cautious, the API allows you to create a new key.
+The old API key will be invalid immediately. A request for a new key looks like this:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/roll HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+The response will look like the response to the initialization request.
+
+Removing a device
+-----------------
+
+If you want implement a way to to deprovision a device in your software, you can call the ``revoke`` endpoint to
+invalidate your API key. There is no way to reverse this operation.
+
+.. sourcecode:: http
+
+   POST /api/v1/device/revoke HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+This can also be done by the user through the web interface.
+
+Permissions
+-----------
+
+Device authentication is currently hardcoded to grant the following permissions:
+
+* View event meta data and products etc.
+* View and change orders
+
+Devices cannot change events or products and cannot access vouchers.
--- a/doc/api/fundamentals.rst
+++ b/doc/api/fundamentals.rst
@@ -9,44 +9,20 @@ with pretix' REST API, such as authentication, pagination and similar definition
 Authentication
 --------------

-If you're building an application for end users, we strongly recommend that you use our
-:ref:`OAuth-based authentication progress <rest-oauth>`. However, for simpler needs, you
-can also go with static API tokens that you can create on a per-team basis (see below).
+To access the API, you need to present valid authentication credentials. pretix currently
+supports the following authorization schemes:

-You need to include the API token with every request to pretix' API in the ``Authorization`` header
-like the following:
-
-.. sourcecode:: http
-   :emphasize-lines: 3
-
-   GET /api/v1/organizers/ HTTP/1.1
-   Host: pretix.eu
-   Authorization: Token e1l6gq2ye72thbwkacj7jbri7a7tvxe614ojv8ybureain92ocub46t5gab5966k
-
-.. note:: The API currently also supports authentication via browser sessions, i.e. the
-          same way that you authenticate with pretix when using the browser interface.
-          Using this type of authentication is *not* officially supported for use by
-          third-party clients and might change or be removed at any time. We plan on
-          adding OAuth2 support in the future for user-level authentication. If you want
-          to use session authentication, be sure to comply with Django's `CSRF policies`_.
-
-Obtaining an API token
----------------------
-
-To authenticate your API requests, you need to obtain an API token. You can create a
-token in the pretix web interface on the level of organizer teams. Create a new team
-or choose an existing team that has the level of permissions the token should have and
-create a new token using the form below the list of team members:
-
-.. image:: img/token_form.png
-    :class: screenshot
-
-You can enter a description for the token to distinguish from other tokens later on.
-Once you click "Add", you will be provided with an API token in the success message.
-Copy this token, as you won't be able to retrieve it again.
-
-.. image:: img/token_success.png
-    :class: screenshot
+* :ref:`rest-tokenauth`: This is the simplest way and recommended for server-side applications
+  that interact with pretix without user interaction.
+* :ref:`rest-oauth`: This is the recommended way to use if you write a third-party application
+  that users can connect with their pretix account. It provides the best user experience, but
+  requires user interaction and slightly more implementation effort.
+* :ref:`rest-deviceauth`: This is the recommended way if you build apps or hardware devices that can
+  connect to pretix, e.g. for processing check-ins or to sell tickets offline. It provides a way
+  to uniquely identify devices and allows for a quick configuration flow inside your software.
+* Authentication using browser sessions: This is used by the pretix web interface and it is *not*
+  officially supported for use by third-party applications. It might change or be removed at any
+  time without prior notice. If you use it, you need to comply with Django's `CSRF policies`_.

 Permissions
 -----------
@@ -172,6 +148,7 @@ Field specific input errors include the name of the offending fields as keys in

   {"amount": ["A valid integer is required."], "description": ["This field may not be blank."]}

+If you see errors of type ``429 Too Many Requests``, you should read our documentation on :ref:`rest-ratelimit`.

 Data types
 ----------
@@ -204,4 +181,37 @@ as the string values ``true`` and ``false``.
 If the ``ordering`` parameter is documented for a resource, you can use it to sort the result set by one of the allowed
 fields. Prepend a ``-`` to the field name to reverse the sort order.

-.. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax
+
+Idempotency
+-----------
+
+Our API supports an idempotency mechanism to make sure you can safely retry operations without accidentally performing
+them twice. This is useful if an API call experiences interruptions in transit, e.g. due to a network failure, and you
+do not know if it completed successfully.
+
+To perform an idempotent request, add a ``X-Idempotency-Key`` header with a random string value (we recommend a version
+4 UUID) to your request. If we see a second request with the same ``X-Idempotency-Key`` and the same ``Authorization``
+and ``Cookie`` headers, we will not perform the action for a second time but return the exact same response instead.
+
+Please note that this also goes for most error responses. For example, if we returned you a ``403 Permission Denied``
+error and you retry with the same ``X-Idempotency-Key``, you will get the same error again, even if you were granted
+permission in the meantime! This includes internal server errors on our side that might have been fixed in the meantime.
+
+There are only three exceptions to the rule:
+
+* Responses with status code ``409 Conflict`` are not cached. If you send the request again, it will be executed as a
+  new request, since these responses are intended to be retried.
+
+* Rate-limited responses with status code ``429 Too Many Requests`` are not cached and you can safely retry them.
+
+* Responses with status code ``503 Service Unavailable`` are not cached and you can safely retry them.
+
+If you send a request with an ``X-Idempotency-Key`` header that we have seen before but that has not yet received a
+response, you will receive a response with status code ``409 Conflict`` and are asked to retry after five seconds.
+
+We store idempotency keys for 24 hours, so you should never retry a request after a longer time period.
+
+All ``POST``, ``PUT``, ``PATCH``, or ``DELETE`` api calls support idempotency keys. Adding an idempotency key to a
+``GET``, ``HEAD``, or ``OPTIONS`` request has no effect.
+
+.. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax
--- a/doc/api/index.rst
+++ b/doc/api/index.rst
@@ -14,5 +14,7 @@ in functionality over time.
   :maxdepth: 2

   fundamentals
-   oauth
+   auth
   resources/index
+   ratelimit
+   webhooks
--- a/doc/api/oauth.rst
+++ b/doc/api/oauth.rst
@@ -1,7 +1,7 @@
 .. _`rest-oauth`:

-OAuth support / "Connect with pretix"
-=====================================
+OAuth authentication / "Connect with pretix"
+============================================

 In addition to static tokens, pretix supports `OAuth2`_-based authentication starting with
 pretix 1.16. This allows you to put a "Connect with pretix" button into your website or tool
@@ -166,6 +166,42 @@ endpoint to revoke it.
 If you want to revoke your client secret, you can generate a new one in the list of your managed applications in the
 pretix user interface.

+Fetching the user profile
+-------------------------
+
+If you need the user's meta data, you can fetch it here:
+
+.. http:get:: /api/v1/me
+
+   Returns the profile of the authenticated user
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/me HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Authorization: Bearer i3ytqTSRWsKp16fqjekHXa4tdM4qNC
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        email: "admin@localhost",
+        fullname: "John Doe",
+        locale: "de",
+        timezone: "Europe/Berlin"
+      }
+
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+
 .. _OAuth2: https://en.wikipedia.org/wiki/OAuth
 .. _OAuth2 Simplified: https://aaronparecki.com/oauth-2-simplified/
-.. _HTTP Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication
+.. _HTTP Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication
--- a/doc/api/ratelimit.rst
+++ b/doc/api/ratelimit.rst
@@ -0,0 +1,31 @@
+.. _`rest-ratelimit`:
+
+Rate limiting
+=============
+
+.. note:: This page only applies to the pretix Hosted service at pretix.eu. APIs of custom pretix installations do not
+          enforce any rate limiting by default.
+
+All authenticated requests to pretix' API are rate limited. If you exceed the limits, you will receive a response
+with HTTP status code ``429 Too Many Requests``. This response will have a ``Retry-After`` header, containing the number
+of seconds you are supposed to wait until you try again. We expect that all API clients respect this. If you continue
+to burst requests after a ``429`` status code, we might get in touch with you or, in extreme cases, disable your API
+access.
+
+Currently, the following rate limits apply:
+
+
+
+.. rst-class:: rest-resource-table
+
+===================================== =================================================================================
+Authentication method                 Rate limit
+===================================== =================================================================================
+:ref:`rest-deviceauth`                360 requests per minute per device
+:ref:`rest-tokenauth`                 360 requests per minute per organizer account
+:ref:`rest-oauth`                     360 requests per minute per combination of accessed organizer and OAuth application
+Session authentication                *Not an officially supported authentication method for external access*
+===================================== =================================================================================
+
+If you require a higher rate limit, please get in touch at support@pretix.eu and tell us about your use case, we are
+sure we can work something out.
--- a/doc/api/resources/carts.rst
+++ b/doc/api/resources/carts.rst
@@ -25,6 +25,7 @@ item                                  integer                    ID of the item
 variation                             integer                    ID of the variation (or ``null``)
 price                                 money (string)             Price of this position
 attendee_name                         string                     Specified attendee name for this position (or ``null``)
+attendee_name_parts                   object of strings          Composition of attendee name (i.e. first name, last name, …)
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
@@ -78,6 +79,7 @@ Cart position endpoints
            "variation": null,
            "price": "23.00",
            "attendee_name": null,
+            "attendee_name_parts": {},
            "attendee_email": null,
            "voucher": null,
            "addon_to": null,
@@ -122,6 +124,7 @@ Cart position endpoints
        "variation": null,
        "price": "23.00",
        "attendee_name": null,
+        "attendee_name_parts": {},
        "attendee_email": null,
        "voucher": null,
        "addon_to": null,
@@ -175,7 +178,7 @@ Cart position endpoints
   * ``item``
   * ``variation`` (optional)
   * ``price``
-   * ``attendee_name`` (optional)
+   * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
   * ``attendee_email`` (optional)
   * ``subevent`` (optional)
   * ``expires`` (optional)
@@ -199,7 +202,10 @@ Cart position endpoints
        "item": 1,
        "variation": null,
        "price": "23.00",
-        "attendee_name": "Peter",
+        "attendee_name_parts": {
+          "given_name": "Peter",
+          "family_name": "Miller"
+        },
        "attendee_email": null,
        "answers": [
          {
--- a/doc/api/resources/categories.rst
+++ b/doc/api/resources/categories.rst
@@ -20,7 +20,7 @@ internal_name                         string                     An optional nam
 description                           multi-lingual string       A public description (might include markdown, can
                                                                 be ``null``)
 position                              integer                    An integer, used for sorting the categories
-is_addon                              boolean                    If ``True``, items within this category are not on sale
+is_addon                              boolean                    If ``true``, items within this category are not on sale
                                                                 on their own but the category provides a source for
                                                                 defining add-ons for other products.
 ===================================== ========================== =======================================================
--- a/doc/api/resources/checkinlists.rst
+++ b/doc/api/resources/checkinlists.rst
@@ -156,14 +156,14 @@ Endpoints
        "checkin_count": 17,
        "position_count": 42,
        "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference"
        },
        "items": [
          {
            "name": "T-Shirt",
            "id": 1,
            "checkin_count": 1,
-            "admission": False,
+            "admission": false,
            "position_count": 1,
            "variations": [
              {
@@ -184,7 +184,7 @@ Endpoints
            "name": "Ticket",
            "id": 2,
            "checkin_count": 15,
-            "admission": True,
+            "admission": true,
            "position_count": 22,
            "variations": []
          }
@@ -332,11 +332,28 @@ Order position endpoints

   The ``.../redeem/`` endpoint has been added.

+.. versionchanged:: 2.0
+
+   The order positions endpoint has been extended by the filter queries ``voucher`` and ``voucher__code``.
+
+.. versionchanged:: 2.7
+
+   The resource now contains the new attributes ``require_attention`` and ``order__status`` and accepts the new
+   ``ignore_status`` filter. The ``attendee_name`` field is now "smart" (see below) and the redemption endpoint
+   returns ``400`` instead of ``404`` on tickets which are known but not paid.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/

   Returns a list of all order positions within a given event. The result is the same as
-   the :ref:`order-position-resource`, with one important difference: the ``checkins`` value will only include
-   check-ins for the selected list.
+   the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.

   **Example request**:

@@ -367,6 +384,9 @@ Order position endpoints
            "variation": null,
            "price": "23.00",
            "attendee_name": "Peter",
+            "attendee_name_parts": {
+              "full_name": "Peter",
+            },
            "attendee_email": null,
            "voucher": null,
            "tax_rate": "0.00",
@@ -400,6 +420,8 @@ Order position endpoints
      }

   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ignore_status: If set to ``true``, results will be returned regardless of the state of
+                                 the order they belong to and you will need to do your own filtering by order status.
   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``order__code``,
                           ``order__datetime``, ``positionid``, ``attendee_name``, ``last_checked_in`` and ``order__email``. Default:
                           ``attendee_name,positionid``
@@ -422,6 +444,8 @@ Order position endpoints
   :query integer addon_to: Only return positions that are add-ons to the position with the given ID.
   :query integer addon_to__in: Only return positions that are add-ons to one of the positions with the given
                                      comma-separated IDs.
+   :query string voucher: Only return positions with a specific voucher.
+   :query string voucher__code: Only return positions with a specific voucher code.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :param list: The ID of the check-in list to look for
@@ -433,8 +457,17 @@ Order position endpoints
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)/

   Returns information on one order position, identified by its internal ID.
-   The result format is the same as the :ref:`order-position-resource`, with one important difference: the
-   ``checkins`` value will only include check-ins for the selected list.
+   The result is the same as the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.
+
+   **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**

   **Example request**:

@@ -460,6 +493,9 @@ Order position endpoints
        "variation": null,
        "price": "23.00",
        "attendee_name": "Peter",
+        "attendee_name_parts": {
+          "full_name": "Peter",
+        },
        "attendee_email": null,
        "voucher": null,
        "tax_rate": "0.00",
@@ -504,6 +540,8 @@ Order position endpoints
   Tries to redeem an order position, identified by its internal ID, i.e. checks the attendee in. This endpoint
   accepts a number of optional requests in the body.

+   **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**
+
   :<json boolean questions_supported: When this parameter is set to ``true``, handling of questions is supported. If
                                       you do not implement question handling in your user interface, you **must**
                                       set this to ``false``. In that case, questions will just be ignored. Defaults
@@ -512,7 +550,8 @@ Order position endpoints
   :<json boolean force: Specifies that the check-in should succeed regardless of previous check-ins or required
                         questions that have not been filled. Defaults to ``false``.
   :<json boolean ignore_unpaid: Specifies that the check-in should succeed even if the order is in pending state.
-                                 Defaults to ``false``.
+                                 Defaults to ``false`` and only works when ``include_pending`` is set on the check-in
+                                 list.
   :<json string nonce: You can set this parameter to a unique random value to identify this check-in. If you're sending
                        this request twice with the same nonce, the second request will also succeed but will always
                        create only one check-in object even when the previous request was successful as well. This
@@ -549,7 +588,10 @@ Order position endpoints
      Content-Type: application/json

      {
-        "status": "ok"
+        "status": "ok",
+        "position": {
+          …
+        }
      }

   **Example response with required questions**:
@@ -560,7 +602,10 @@ Order position endpoints
      Content-Type: text/json

      {
-        "status": "incomplete"
+        "status": "incomplete",
+        "position": {
+          …
+        },
        "questions": [
          {
            "id": 1,
@@ -605,6 +650,9 @@ Order position endpoints
      {
        "status": "error",
        "reason": "unpaid",
+        "position": {
+          …
+        }
      }

   Possible error reasons:
--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -15,6 +15,7 @@ name                                  multi-lingual string       The event's ful
 slug                                  string                     A short form of the name, used e.g. in URLs.
 live                                  boolean                    If ``true``, the event ticket shop is publicly
                                                                 available.
+testmode                              boolean                    If ``true``, the ticket shop is in test mode.
 currency                              string                     The currency this event is handled in.
 date_from                             datetime                   The event's start date
 date_to                               datetime                   The event's end date (or ``null``)
@@ -24,7 +25,7 @@ is_public                             boolean                    If ``true``, th
 presale_start                         datetime                   The date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
-has_subevents                         boolean                    ``True`` if the event series feature is active for this
+has_subevents                         boolean                    ``true`` if the event series feature is active for this
                                                                 event. Cannot change after event is created.
 meta_data                             dict                       Values set for organizer-specific meta data parameters.
 plugins                               list                       A list of package names of the enabled plugins for this
@@ -41,6 +42,14 @@ plugins                               list                       A list of packa
   The ``plugins`` field has been added.
   The operations POST, PATCH, PUT and DELETE have been added.

+.. versionchanged:: 2.1
+
+   Filters have been added to the list of events.
+
+.. versionchanged:: 2.5
+
+   The ``testmode`` attribute has been added.
+
 Endpoints
 ---------

@@ -75,6 +84,7 @@ Endpoints
            "name": {"en": "Sample Conference"},
            "slug": "sampleconf",
            "live": false,
+            "testmode": false,
            "currency": "EUR",
            "date_from": "2017-12-27T10:00:00Z",
            "date_to": null,
@@ -96,6 +106,12 @@ Endpoints
      }

   :query page: The page number in case of a multi-page result set, default is 1
+   :query is_public: If set to ``true``/``false``, only events with a matching value of ``is_public`` are returned.
+   :query live: If set to ``true``/``false``, only events with a matching value of ``live`` are returned.
+   :query has_subevents: If set to ``true``/``false``, only events with a matching value of ``has_subevents`` are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned. Event series are never (always) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned. Event series are never (always) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned. Event series are never returned.
   :param organizer: The ``slug`` field of a valid organizer
   :statuscode 200: no error
   :statuscode 401: Authentication failure
@@ -127,6 +143,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -173,6 +190,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -201,6 +219,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -249,6 +268,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -277,6 +297,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -337,6 +358,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -357,7 +379,7 @@ Endpoints

   :param organizer: The ``slug`` field of the organizer of the event to update
   :param event: The ``slug`` field of the event to update
-   :statuscode 201: no error
+   :statuscode 200: no error
   :statuscode 400: The event could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
--- a/doc/api/resources/index.rst
+++ b/doc/api/resources/index.rst
@@ -11,6 +11,7 @@ Resources and endpoints
   categories
   items
   item_variations
+   item_bundles
   item_add-ons
   questions
   question_options
@@ -21,3 +22,4 @@ Resources and endpoints
   checkinlists
   waitinglist
   carts
+   webhooks
--- a/doc/api/resources/invoices.rst
+++ b/doc/api/resources/invoices.rst
@@ -13,7 +13,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 number                                string                     Invoice number (with prefix)
 order                                 string                     Order code of the order this invoice belongs to
-is_cancellation                       boolean                    ``True``, if this invoice is the cancellation of a
+is_cancellation                       boolean                    ``true``, if this invoice is the cancellation of a
                                                                 different invoice.
 invoice_from                          string                     Sender address
 invoice_to                            string                     Receiver address
--- a/doc/api/resources/item_add-ons.rst
+++ b/doc/api/resources/item_add-ons.rst
@@ -189,7 +189,7 @@ Endpoints

      {
        "min_count": 0,
-        "max_count": 10,
+        "max_count": 10
      }

   **Example response**:
--- a/doc/api/resources/item_bundles.rst
+++ b/doc/api/resources/item_bundles.rst
@@ -0,0 +1,242 @@
+Item bundles
+============
+
+Resource description
+--------------------
+
+With bundles, you can specify products that are included within other products. There are two premier use cases of this:
+
+* Package discounts. For example, you could offer a discounted package that includes three tickets but can only be
+  bought as a whole. With a bundle including three times the usual product, the package will automatically pull three
+  sub-items into the cart, making sure of correct quota calculation and issuance of the correct number of tickets.
+
+* Tax splitting. For example, if your conference ticket includes a part that is subject to different taxation and that
+  you need to put on the invoice separately. When you putting a "designated price" on a bundled sub-item, pretix will
+  use that price to show a split taxation.
+
+The bundles resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the bundling configuration
+bundled_item                          integer                    Internal ID of the item that is included.
+bundled_variation                     integer                    Internal ID of the variation of the item (or ``null``).
+count                                 integer                    Number of items included
+designated_price                      money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
+===================================== ========================== =======================================================
+
+.. versionchanged:: 2.6
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/
+
+   Returns a list of all bundles for a given item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/11/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 1,
+            "designated_price": "0.00"
+          },
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 2,
+            "designated_price": "1.50"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/item does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Returns information on one bundle configuration, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :param id: The ``id`` field of the bundle to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/
+
+   Creates a new bundle configuration
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a bundle-configuration for
+   :param event: The ``slug`` field of the event to create a bundle configuration for
+   :param item: The ``id`` field of the item to create a bundle configuration for
+   :statuscode 201: no error
+   :statuscode 400: The bundle could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Update a bundle configuration. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all
+   fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields
+   that you want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/3/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "count": 2
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param item: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to modify
+   :statuscode 200: no error
+   :statuscode 400: The bundle configuration could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/bundles/(id)/
+
+   Delete a bundle configuration.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -18,12 +18,18 @@ default_price                         money (string)             The price set d
 price                                 money (string)             The price used for this variation. This is either the
                                                                 same as ``default_price`` if that value is set or equal
                                                                 to the item's ``default_price`` (read-only).
-active                                boolean                    If ``False``, this variation will not be sold or shown.
+original_price                        money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+active                                boolean                    If ``false``, this variation will not be sold or shown.
 description                           multi-lingual string       A public description of the variation. May contain
                                                                 Markdown syntax or can be ``null``.
 position                              integer                    An integer, used for sorting
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added.
+
 .. versionchanged:: 1.12

   This resource has been added.
@@ -67,7 +73,8 @@ Endpoints
            },
            "position": 0,
            "default_price": "223.00",
-            "price": 223.0
+            "price": 223.0,
+            "original_price": null,
          },
          {
            "id": 3,
@@ -120,6 +127,7 @@ Endpoints
        },
        "default_price": "10.00",
        "price": "10.00",
+        "original_price": null,
        "active": true,
        "description": null,
        "position": 0
@@ -167,6 +175,7 @@ Endpoints
        "value": {"en": "Student"},
        "default_price": "10.00",
        "price": "10.00",
+        "original_price": null,
        "active": true,
        "description": null,
        "position": 0
@@ -216,6 +225,7 @@ Endpoints
        "value": {"en": "Student"},
        "default_price": "10.00",
        "price": "10.00",
+        "original_price": null,
        "active": false,
        "description": null,
        "position": 1
--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -21,32 +21,35 @@ default_price                         money (string)             The item price
                                                                 overwritten by variations or other options.
 category                              integer                    The ID of the category this item belongs to
                                                                 (or ``null``).
-active                                boolean                    If ``False``, the item is hidden from all public lists
+active                                boolean                    If ``false``, the item is hidden from all public lists
                                                                 and will not be sold.
 description                           multi-lingual string       A public description of the item. May contain Markdown
                                                                 syntax or can be ``null``.
-free_price                            boolean                    If ``True``, customers can change the price at which
+free_price                            boolean                    If ``true``, customers can change the price at which
                                                                 they buy the product (however, the price can't be set
                                                                 lower than the price defined by ``default_price`` or
                                                                 otherwise).
-tax_rate                              decimal (string)           The VAT rate to be applied for this item.
+tax_rate                              decimal (string)           The VAT rate to be applied for this item (read-only,
+                                                                 set through ``tax_rule``).
 tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
-admission                             boolean                    ``True`` for items that grant admission to the event
-                                                                 (such as primary tickets) and ``False`` for others
+admission                             boolean                    ``true`` for items that grant admission to the event
+                                                                 (such as primary tickets) and ``false`` for others
                                                                 (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
-                                                                 (read-only).
+                                                                 (read-only, can be ``null``).
+sales_channels                        list of strings            Sales channels this product is available on, such as
+                                                                 ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
 available_from                        datetime                   The first date time at which this item can be bought
                                                                 (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
                                                                 (or ``null``).
-require_voucher                       boolean                    If ``True``, this item can only be bought using a
+require_voucher                       boolean                    If ``true``, this item can only be bought using a
                                                                 voucher that is specifically assigned to this item.
-hide_without_voucher                  boolean                    If ``True``, this item is only shown during the voucher
+hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
                                                                 redemption process, but not in the normal shop
                                                                 frontend.
-allow_cancel                          boolean                    If ``False``, customers cannot cancel orders containing
+allow_cancel                          boolean                    If ``false``, customers cannot cancel orders containing
                                                                 this item.
 min_per_order                         integer                    This product can only be bought if it is included at
                                                                 least this many times in the order (or ``null`` for no
@@ -54,11 +57,21 @@ min_per_order                         integer                    This product ca
 max_per_order                         integer                    This product can only be bought if it is included at
                                                                 most this many times in the order (or ``null`` for no
                                                                 limitation).
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                 that this ticket requires special attention if such
                                                                 a product is being scanned.
 original_price                        money (string)             An original price, shown for comparison, not used
-                                                                 for price calculations.
+                                                                 for price calculations (or ``null``).
+require_approval                      boolean                    If ``true``, orders with this product will need to be
+                                                                 approved by the event organizer before they can be
+                                                                 paid.
+require_bundling                      boolean                    If ``true``, this item is only available as part of bundles.
+generate_tickets                      boolean                    If ``false``, tickets are never generated for this
+                                                                 product, regardless of other settings. If ``true``,
+                                                                 tickets are generated even if this is a
+                                                                 non-admission or add-on product, regardless of event
+                                                                 settings. If this is ``null``, regular ticketing
+                                                                 rules apply.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
                                                                 Can be empty. Only writable during creation,
@@ -69,7 +82,9 @@ variations                            list of objects            A list with one
 ├ price                               money (string)             The price used for this variation. This is either the
                                                                 same as ``default_price`` if that value is set or equal
                                                                 to the item's ``default_price``.
-├ active                              boolean                    If ``False``, this variation will not be sold or shown.
+├ original_price                      money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+├ active                              boolean                    If ``false``, this variation will not be sold or shown.
 ├ description                         multi-lingual string       A public description of the variation. May contain
                                                                 Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
@@ -80,10 +95,23 @@ addons                                list of objects            Definition of a
                                                                 chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
 ├ max_count                           integer                    The maximal number of add-ons that can be chosen.
-└ position                            integer                    An integer, used for sorting
+├ position                            integer                    An integer, used for sorting
 └ price_included                      boolean                    Adding this add-on to the item is free
+bundles                               list of objects            Definition of bundles that are included in this item.
+                                                                 Only writable during creation,
+                                                                 use separate endpoint to modify this later.
+├ bundled_item                        integer                    Internal ID of the item that is included.
+├ bundled_variation                   integer                    Internal ID of the variation of the item (or ``null``).
+├ count                               integer                    Number of items included
+└ designated_price                    money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added for ``variations``.
+
 .. versionchanged:: 1.7

   The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
@@ -96,17 +124,34 @@ addons                                list of objects            Definition of a

 .. versionchanged:: 1.16

-   The field ``internal_name`` and ``original_price`` fields have been added.
+   The ``internal_name`` and ``original_price`` fields have been added.
+
+.. versionchanged:: 2.0
+
+   The field ``require_approval`` has been added.
+
+.. versionchanged:: 2.3
+
+   The ``sales_channels`` attribute has been added.
+
+.. versionchanged:: 2.4
+
+   The ``generate_tickets`` attribute has been added.
+
+.. versionchanged:: 2.6
+
+   The ``bundles`` and ``require_bundling`` attributes have been added.

 Notes
 -----
+
 Please note that an item either always has variations or never has. Once created with variations the item can never
 change to an item without and vice versa. To create an item with variations ensure that you POST an item with at least
 one variation.

-Also note that ``variations`` and ``addons`` are only supported on ``POST``. To update/delete variations and add-ons please
-use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT`` with nested
-``variations`` and/or ``addons``.
+Also note that ``variations``, ``bundles``, and  ``addons`` are only supported on ``POST``. To update/delete variations,
+bundles, and add-ons please use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT``
+with nested ``variations``, ``bundles`` and/or ``addons``.

 Endpoints
 ---------
@@ -140,6 +185,7 @@ Endpoints
            "id": 1,
            "name": {"en": "Standard ticket"},
            "internal_name": "",
+            "sales_channels": ["web"],
            "default_price": "23.00",
            "original_price": null,
            "category": null,
@@ -160,11 +206,15 @@ Endpoints
            "max_per_order": null,
            "checkin_attention": false,
            "has_variations": false,
+            "generate_tickets": null,
+            "require_approval": false,
+            "require_bundling": false,
            "variations": [
              {
                 "value": {"en": "Student"},
                 "default_price": "10.00",
                 "price": "10.00",
+                 "original_price": null,
                 "active": true,
                 "description": null,
                 "position": 0
@@ -173,12 +223,14 @@ Endpoints
                 "value": {"en": "Regular"},
                 "default_price": null,
                 "price": "23.00",
+                 "original_price": null,
                 "active": true,
                 "description": null,
                 "position": 1
              }
            ],
-            "addons": []
+            "addons": [],
+            "bundles": []
          }
        ]
      }
@@ -224,6 +276,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -240,15 +293,19 @@ Endpoints
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
+        "generate_tickets": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
        "has_variations": false,
+        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
             "default_price": "10.00",
             "price": "10.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 0
@@ -257,12 +314,14 @@ Endpoints
             "value": {"en": "Regular"},
             "default_price": null,
             "price": "23.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -289,6 +348,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -305,14 +365,18 @@ Endpoints
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
+        "generate_tickets": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
+        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
             "default_price": "10.00",
             "price": "10.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 0
@@ -321,12 +385,14 @@ Endpoints
             "value": {"en": "Regular"},
             "default_price": null,
             "price": "23.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   **Example response**:
@@ -341,6 +407,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -359,13 +426,17 @@ Endpoints
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
+        "generate_tickets": null,
        "checkin_attention": false,
        "has_variations": true,
+        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
             "default_price": "10.00",
             "price": "10.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 0
@@ -374,12 +445,14 @@ Endpoints
             "value": {"en": "Regular"},
             "default_price": null,
             "price": "23.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer of the event to create an item for
@@ -425,6 +498,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "25.00",
        "original_price": null,
        "category": null,
@@ -440,16 +514,20 @@ Endpoints
        "available_until": null,
        "require_voucher": false,
        "hide_without_voucher": false,
+        "generate_tickets": null,
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
        "has_variations": true,
+        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
             "default_price": "10.00",
             "price": "10.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 0
@@ -458,12 +536,14 @@ Endpoints
             "value": {"en": "Regular"},
             "default_price": null,
             "price": "23.00",
+             "original_price": null,
             "active": true,
             "description": null,
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer to modify
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
--- a/doc/api/resources/question_options.rst
+++ b/doc/api/resources/question_options.rst
@@ -128,7 +128,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json

      {
        "identifier": "LVETRWVU",
--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -30,14 +30,17 @@ type                                  string                     The expected ty
                                                                 * ``D`` – date
                                                                 * ``H`` – time
                                                                 * ``W`` – date and time
-required                              boolean                    If ``True``, the question needs to be filled out.
+                                                                 * ``CC`` – country code (ISO 3666-1 alpha-2)
+required                              boolean                    If ``true``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                 other sources.
-ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
+ask_during_checkin                    boolean                    If ``true``, this question will not be asked while
                                                                 buying the ticket, but will show up when redeeming
                                                                 the ticket instead.
+hidden                                boolean                    If ``true``, the question will only be shown in the
+                                                                 backend.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
                                                                 available objects. Only writable during creation,
                                                                 use separate endpoint to modify this later.
@@ -46,6 +49,16 @@ options                               list of objects            In case of ques
 ├ identifier                          string                     An arbitrary string that can be used for matching with
                                                                 other sources.
 └ answer                              multi-lingual string       The displayed value of this option
+dependency_question                   integer                    Internal ID of a different question. The current
+                                                                 question will only be shown if the question given in
+                                                                 this attribute is set to the value given in
+                                                                 ``dependency_value``. This cannot be combined with
+                                                                 ``ask_during_checkin``.
+dependency_value                      string                     The value ``dependency_question`` needs to be set to.
+                                                                 If ``dependency_question`` is set to a boolean
+                                                                 question, this should be ``"true"`` or ``"false"``.
+                                                                 Otherwise, it should be the ``identifier`` of a
+                                                                 question option.
 ===================================== ========================== =======================================================

 .. versionchanged:: 1.12
@@ -58,6 +71,10 @@ options                               list of objects            In case of ques
  Write methods have been added. The attribute ``identifier`` has been added to both the resource itself and the
  options resource. The ``position`` attribute has been added to the options resource.

+.. versionchanged:: 2.7
+
+  The attribute ``hidden`` and the question type ``CC`` have been added.
+
 Endpoints
 ---------

@@ -100,6 +117,9 @@ Endpoints
            "position": 1,
            "identifier": "WY3TP9SL",
            "ask_during_checkin": false,
+            "hidden": false,
+            "dependency_question": null,
+            "dependency_value": null,
            "options": [
              {
                "id": 1,
@@ -165,6 +185,9 @@ Endpoints
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "hidden": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
@@ -214,6 +237,9 @@ Endpoints
        "items": [1, 2],
        "position": 1,
        "ask_during_checkin": false,
+        "hidden": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "answer": {"en": "S"}
@@ -245,6 +271,9 @@ Endpoints
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "hidden": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
@@ -314,6 +343,9 @@ Endpoints
        "position": 2,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "hidden": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -17,8 +17,11 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the sub-event
 name                                  multi-lingual string       The sub-event's full name
+event                                 string                     The slug of the parent event
 active                                boolean                    If ``true``, the sub-event ticket shop is publicly
                                                                 available.
+is_public                             boolean                    If ``true``, the sub-event ticket shop is publicly
+                                                                 shown in lists.
 date_from                             datetime                   The sub-event's start date
 date_to                               datetime                   The sub-event's end date (or ``null``)
 date_admission                        datetime                   The sub-event's admission date (or ``null``)
@@ -40,6 +43,16 @@ meta_data                             dict                       Values set for

   The ``meta_data`` field has been added.

+.. versionchanged:: 2.1
+
+   The ``event`` field has been added, together with filters on the list of dates and an organizer-level list.
+
+.. versionchanged:: 2.6
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+.. versionchanged:: 2.7
+
+   The attribute ``is_public`` has been added.

 Endpoints
 ---------
@@ -72,7 +85,9 @@ Endpoints
          {
            "id": 1,
            "name": {"en": "First Sample Conference"},
+            "event": "sampleconf",
            "active": false,
+            "is_public": true,
            "date_from": "2017-12-27T10:00:00Z",
            "date_to": null,
            "date_admission": null,
@@ -92,12 +107,90 @@ Endpoints
      }

   :query page: The page number in case of a multi-page result set, default is 1
+   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
   :param organizer: The ``slug`` field of a valid organizer
-   :param event: The ``slug`` field of the event to fetch
+   :param event: The ``slug`` field of the main event
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.

+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/subevents/
+
+   Creates a new subevent.
+
+   Permission required: "Can create events"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/subevents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :statuscode 201: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/

   Returns information on one sub-event, identified by its ID.
@@ -121,7 +214,9 @@ Endpoints
      {
        "id": 1,
        "name": {"en": "First Sample Conference"},
+        "event": "sampleconf",
        "active": false,
+        "is_public": true,
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
        "date_admission": null,
@@ -138,9 +233,164 @@ Endpoints
        "meta_data": {}
      }

-   :param organizer: The ``slug`` field of the organizer to fetch
-   :param event: The ``slug`` field of the event to fetch
-   :param id: The ``slug`` field of the sub-event to fetch
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Updates a sub-event, identified by its ID. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to
+   provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
+   the fields that you want to change.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "New Subevent Name"},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "New Subevent Name"},
+        "event": "sampleconf",
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to update
+   :statuscode 200: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to update this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to delete this resource.
+
+
+.. http:get:: /api/v1/organizers/(organizer)/subevents/
+
+   Returns a list of all sub-events of any event series you have access to within an organizer account.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/subevents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": {"en": "First Sample Conference"},
+            "event": "sampleconf",
+            "active": false,
+            "is_public": true,
+            "date_from": "2017-12-27T10:00:00Z",
+            "date_to": null,
+            "date_admission": null,
+            "presale_start": null,
+            "presale_end": null,
+            "location": null,
+            "item_price_overrides": [
+              {
+                "item": 2,
+                "price": "12.00"
+              }
+            ],
+            "variation_price_overrides": [],
+            "meta_data": {}
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
+   :query event__live: If set to ``true``/``false``, only events with a matching value of ``live`` on the parent event are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
--- a/doc/api/resources/vouchers.rst
+++ b/doc/api/resources/vouchers.rst
@@ -18,8 +18,8 @@ max_usages                            integer                    The maximum num
 redeemed                              integer                    The number of times this voucher already has been
                                                                 redeemed.
 valid_until                           datetime                   The voucher expiration date (or ``null``).
-block_quota                           boolean                    If ``True``, quota is blocked for this voucher.
-allow_ignore_quota                    boolean                    If ``True``, this voucher can be redeemed even if a
+block_quota                           boolean                    If ``true``, quota is blocked for this voucher.
+allow_ignore_quota                    boolean                    If ``true``, this voucher can be redeemed even if a
                                                                 product is sold out and even if quota is not blocked
                                                                 for this voucher.
 price_mode                            string                     Determines how this voucher affects product prices.
@@ -231,6 +231,76 @@ Endpoints
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.

+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/vouchers/batch_create/
+
+   Creates multiple new vouchers atomically.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/vouchers/batch_create/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      [
+        {
+          "code": "43K6LKM37FBVR2YG",
+          "max_usages": 1,
+          "valid_until": null,
+          "block_quota": false,
+          "allow_ignore_quota": false,
+          "price_mode": "set",
+          "value": "12.00",
+          "item": 1,
+          "variation": null,
+          "quota": null,
+          "tag": "testvoucher",
+          "comment": "",
+          "subevent": null
+        },
+        {
+          "code": "ASDKLJCYXCASDASD",
+          "max_usages": 1,
+          "valid_until": null,
+          "block_quota": false,
+          "allow_ignore_quota": false,
+          "price_mode": "set",
+          "value": "12.00",
+          "item": 1,
+          "variation": null,
+          "quota": null,
+          "tag": "testvoucher",
+          "comment": "",
+          "subevent": null
+        },
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      [
+        {
+          "id": 1,
+          "code": "43K6LKM37FBVR2YG",
+          …
+        }, …
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a vouchers for
+   :param event: The ``slug`` field of the event to create a vouchers for
+   :statuscode 201: no error
+   :statuscode 400: The vouchers could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/

   Update a voucher. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
--- a/doc/api/resources/webhooks.rst
+++ b/doc/api/resources/webhooks.rst
@@ -0,0 +1,242 @@
+.. _`rest-webhooks`:
+
+Webhooks
+========
+
+.. note:: This page is about how to modify webhook settings themselves through the REST API. If you just want to know
+          how webhooks work, go here: :ref:`webhooks`
+
+Resource description
+--------------------
+
+The webhook resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the webhook
+enabled                               boolean                    If ``false``, this webhook will not receive any notifications
+target_url                            string                     The URL to call
+all_events                            boolean                    If ``true``, this webhook will receive notifications
+                                                                 on all events of this organizer
+limit_events                          list of strings            If ``all_events`` is ``false``, this is a list of
+                                                                 event slugs this webhook is active for
+action_types                          list of strings            A list of action type filters that limit the
+                                                                 notifications sent to this webhook. See below for
+                                                                 valid values
+===================================== ========================== =======================================================
+
+The following values for ``action_types`` are valid with pretix core:
+
+    * ``pretix.event.order.placed``
+    * ``pretix.event.order.paid``
+    * ``pretix.event.order.canceled``
+    * ``pretix.event.order.expired``
+    * ``pretix.event.order.modified``
+    * ``pretix.event.order.contact.changed``
+    * ``pretix.event.order.changed.*``
+    * ``pretix.event.order.refund.created.externally``
+    * ``pretix.event.order.approved``
+    * ``pretix.event.order.denied``
+    * ``pretix.event.checkin``
+    * ``pretix.event.checkin.reverted``
+
+Installed plugins might register more valid values.
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/webhooks/
+
+   Returns a list of all webhooks within a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 2,
+            "enabled": true,
+            "target_url": "https://httpstat.us/200",
+            "all_events": false,
+            "limit_events": ["democon"],
+            "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/webhooks/(id)/
+
+   Returns information on one webhook, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the webhook to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/webhooks/
+
+   Creates a new webhook
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a webhook for
+   :statuscode 201: no error
+   :statuscode 400: The webhook could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/webhooks/(id)/
+
+   Update a webhook. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "enabled": false
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "enabled": false,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the webhook to modify
+   :statuscode 200: no error
+   :statuscode 400: The webhook could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/webhook/(id)/
+
+   Delete a webhook. Currently, this will not delete but just disable the webhook.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the webhook to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to delete this resource.
--- a/doc/api/tokenauth.rst
+++ b/doc/api/tokenauth.rst
@@ -0,0 +1,36 @@
+.. _`rest-tokenauth`:
+
+Token-based authentication
+==========================
+
+Obtaining an API token
+----------------------
+
+To authenticate your API requests with Tokens, you need to obtain a team-level API token.
+You can create a token in the pretix web interface on the level of organizer teams. Create
+a new team or choose an existing team that has the level of permissions the token should
+have and create a new token using the form below the list of team members:
+
+.. image:: img/token_form.png
+   :class: screenshot
+
+You can enter a description for the token to distinguish from other tokens later on.
+Once you click "Add", you will be provided with an API token in the success message.
+Copy this token, as you won't be able to retrieve it again.
+
+.. image:: img/token_success.png
+   :class: screenshot
+
+Using an API token
+------------------
+
+You need to include the API token with every request to pretix' API in the ``Authorization`` header
+like the following:
+
+.. sourcecode:: http
+   :emphasize-lines: 3
+
+   GET /api/v1/organizers/ HTTP/1.1
+   Host: pretix.eu
+   Authorization: Token e1l6gq2ye72thbwkacj7jbri7a7tvxe614ojv8ybureain92ocub46t5gab5966k
+
--- a/doc/api/webhooks.rst
+++ b/doc/api/webhooks.rst
@@ -0,0 +1,108 @@
+.. _`webhooks`:
+
+Webhooks
+========
+
+pretix can send webhook calls to notify your application of any changes that happen inside pretix. This is especially
+useful for everything triggered by an actual user, such as a new ticket sale or the arrival of a payment.
+
+You can register any number of webhook URLs that pretix will notify any time one of the supported events occurs inside
+your organizer account. A great example use case of webhooks would be to add the buyer to your mailing list every time
+a new order comes in.
+
+Configuring webhooks
+--------------------
+
+You can find the list of your active webhooks in the "Webhook" section of your organizer account:
+
+.. thumbnail:: ../screens/organizer/webhook_list.png
+   :align: center
+   :class: screenshot
+
+Click "Create webhook" if you want to add a new URL. You will then be able to enter the URL pretix shall call for
+notifications. You need to select any number of notification types that you want to receive and you can optionally
+filter the events you want to receive notifications for.
+
+.. thumbnail:: ../screens/organizer/webhook_edit.png
+   :align: center
+   :class: screenshot
+
+You can also configure webhooks :ref:`through the API itself <rest-webhooks>`.
+
+Receiving webhooks
+------------------
+
+Creating a webhook endpoint on your server is no different from creating any other page on your website. If your
+website is written in PHP, you might just create a new ``.php`` file on your server; if you use a web framework like
+Symfony or Django, you would just create a new route with the desired URL.
+
+We will call your URL with a HTTP ``POST`` request with a ``JSON`` body. In PHP, you can parse this like this::
+
+    $input = @file_get_contents('php://input');
+    $event_json = json_decode($input);
+    // Do something with $event_json
+
+In Django, you would create a view like this::
+
+    def my_webhook_view(request):
+      event_json = json.loads(request.body)
+      # Do something with event_json
+      return HttpResponse(status=200)
+
+More samples for the language of your choice are easy to find online.
+
+The exact body of the request varies by notification type, but for the main types included with pretix core, such as
+those related to changes of an order, it will look like this::
+
+    {
+      "notification_id": 123455,
+      "organizer": "acmecorp",
+      "event": "democon",
+      "code": "ABC23",
+      "action": "pretix.event.order.placed"
+    }
+
+Notifications regarding a check-in will contain more details like ``orderposition_id``
+and ``checkin_list``.
+
+.. warning:: You should not trust data supplied to your webhook, but only use it as a trigger to fetch updated data.
+             Anyone could send data there if they guess the correct URL and you won't be able to tell. Therefore, we
+             only include the minimum amount of data necessary for you to fetch the changed objects from our
+             :ref:`rest-api` in an authenticated way.
+
+If you want to further prevent others from accessing your webhook URL, you can also use `Basic authentication`_ and
+supply the URL to us in the format of ``https://username:password@domain.com/path/``.
+We recommend that you use HTTPS for your webhook URL and might require it in the future. If HTTPS is used, we require
+that a valid certificate is in use.
+
+.. note:: If you use a web framework that makes use of automatic CSRF protection, this protection might prevent us
+          from calling your webhook URL. In this case, we recommend that you turn of CSRF protection selectively
+          for that route. In Django, you can do this by putting the ``@csrf_exempt`` decorator on your view. In
+          Rails, you can pass an ``except`` parameter to ``protect_from_forgery``.
+
+
+Responding to a webhook
+-----------------------
+
+If you successfully received a webhook call, your endpoint should return a HTTP status code between ``200`` and ``299``.
+If any other status code is returned, we will assume you did not receive the call. This does mean that any redirection
+or ``304 Not Modified`` response will be treated as a failure. pretix will not follow any ``301`` or ``302`` redirect
+headers and pretix will ignore all other information in your response headers or body.
+
+If we do not receive a status code in the range of ``200`` and ``299``, pretix will retry to deliver for up to three
+days with an exponential back off. Therefore, we recommend that you implement your endpoint in a way where calling it
+multiple times for the same event due to a perceived error does not do any harm.
+
+There is only one exception: If status code ``410 Gone`` is returned, we will assume the
+endpoint does not exist any more and automatically disable the webhook.
+
+.. note:: If you use a self-hosted version of pretix (i.e. not our SaaS offering at pretix.eu) and you did not
+          configure a background task queue, failed webhooks will not be retried.
+
+Debugging webhooks
+------------------
+
+If you want to debug your webhooks, you can view a log of all sent notifications and the responses of your server for
+30 days right next to your configuration.
+
+.. _Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication
--- a/doc/development/api/customview.rst
+++ b/doc/development/api/customview.rst
@@ -64,7 +64,7 @@ Similarly, there is ``organizer_permission_required`` and ``OrganizerPermissionR
 event-related views, there is also a signal that allows you to add the view to the event navigation like this::


-    from django.core.urlresolvers import resolve, reverse
+    from django.urls import resolve, reverse
    from django.dispatch import receiver
    from django.utils.translation import ugettext_lazy as _
    from pretix.control.signals import nav_event
--- a/doc/development/api/email.rst
+++ b/doc/development/api/email.rst
@@ -0,0 +1,109 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+Writing an HTML e-mail renderer plugin
+======================================
+
+An email renderer class controls how the HTML part of e-mails sent by pretix is built.
+The creation of such a plugin is very similar to creating an export output.
+
+Please read :ref:`Creating a plugin <pluginsetup>` first, if you haven't already.
+
+Output registration
+-------------------
+
+The email HTML renderer API does not make a lot of usage from signals, however, it
+does use a signal to get a list of all available email renderers. Your plugin
+should listen for this signal and return the subclass of ``pretix.base.email.BaseHTMLMailRenderer``
+that we'll provide in this plugin::
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import register_html_mail_renderers
+
+
+    @receiver(register_html_mail_renderers, dispatch_uid="renderer_custom")
+    def register_mail_renderers(sender, **kwargs):
+        from .email import MyMailRenderer
+        return MyMailRenderer
+
+
+The renderer class
+------------------
+
+.. class:: pretix.base.email.BaseHTMLMailRenderer
+
+   The central object of each email renderer is the subclass of ``BaseHTMLMailRenderer``.
+
+   .. py:attribute:: BaseHTMLMailRenderer.event
+
+      The default constructor sets this property to the event we are currently
+      working for.
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: verbose_name
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: thumbnail_filename
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: is_available
+
+   .. automethod:: render
+
+      This is an abstract method, you **must** implement this!
+
+Helper class for template-base renderers
+----------------------------------------
+
+The email renderer that ships with pretix is based on Django templates to generate HTML.
+In case you also want to render emails based on a template, we provided a ready-made base
+class ``TemplateBasedMailRenderer`` that you can re-use to perform the following steps:
+
+* Convert the body text and the signature to HTML using our markdown renderer
+
+* Render the template
+
+* Call `inlinestyler`_ to convert all ``<style>`` style sheets to inline ``style=""``
+  attributes for better compatibility
+
+To use it, you just need to implement some variables::
+
+    class ClassicMailRenderer(TemplateBasedMailRenderer):
+        verbose_name = _('pretix default')
+        identifier = 'classic'
+        thumbnail_filename = 'pretixbase/email/thumb.png'
+        template_name = 'pretixbase/email/plainwrapper.html'
+
+The template is passed the following context variables:
+
+``site``
+   Name of the pretix installation (``settings.PRETIX_INSTANCE_NAME``)
+
+``site_url``
+   Root URL of the pretix installation (``settings.SITE_URL``)
+
+``body``
+   The body as markdown (render with ``{{ body|safe }}``)
+
+``subject``
+   The email subject
+
+``color``
+   The primary color of the event
+
+``event``
+   The ``Event`` object
+
+``signature`` (optional, only if configured)
+   The body as markdown (render with ``{{ signature|safe }}``)
+
+``order`` (optional, only if applicable)
+   The ``Order`` object
+
+.. _inlinestyler: https://pypi.org/project/inlinestyler/
--- a/doc/development/api/general.rst
+++ b/doc/development/api/general.rst
@@ -12,7 +12,7 @@ Core

 .. automodule:: pretix.base.signals
   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data
+      item_copy_data, register_sales_channels, register_global_settings

 Order events
 """"""""""""
@@ -20,17 +20,13 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:

 .. automodule:: pretix.base.signals
-   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_fee_type_name, allow_ticket_download
+   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_canceled, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download

 Frontend
 --------

 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content
-
-
-.. automodule:: pretix.presale.signals
-   :members: order_info, order_meta_from_request
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, checkout_flow_steps, order_info, order_meta_from_request

 Request flow
 """"""""""""
@@ -48,7 +44,8 @@ Backend
 -------

 .. automodule:: pretix.control.signals
-   :members: nav_event, html_head, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings, order_info, event_settings_widget, oauth_application_registered
+   :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
+             order_info, event_settings_widget, oauth_application_registered, order_position_buttons


 .. automodule:: pretix.base.signals
--- a/doc/development/api/index.rst
+++ b/doc/development/api/index.rst
@@ -10,6 +10,8 @@ Contents:
   exporter
   ticketoutput
   payment
+   payment_2.0
+   email
   invoice
   shredder
   customview
--- a/doc/development/api/invoice.rst
+++ b/doc/development/api/invoice.rst
@@ -23,7 +23,7 @@ that we'll provide in this plugin::


    @receiver(register_invoice_renderers, dispatch_uid="output_custom")
-    def register_infoice_renderers(sender, **kwargs):
+    def register_invoice_renderers(sender, **kwargs):
        from .invoice import MyInvoiceRenderer
        return MyInvoiceRenderer

--- a/doc/development/api/payment.rst
+++ b/doc/development/api/payment.rst
@@ -9,6 +9,10 @@ is very similar to creating an export output.

 Please read :ref:`Creating a plugin <pluginsetup>` first, if you haven't already.

+.. warning:: We changed our payment provider API a lot in pretix 2.x. Our documentation page on :ref:`payment2.0`
+             might be insightful even if you do not have a payment provider to port, as it outlines the rationale
+             behind the current design.
+
 Provider registration
 ---------------------

@@ -31,7 +35,7 @@ that the plugin will provide::
 The provider class
 ------------------

-.. class:: pretix.base.payment.BasePaymentProvider
+.. py:class:: pretix.base.payment.BasePaymentProvider

   The central object of each payment provider is the subclass of ``BasePaymentProvider``.

@@ -54,58 +58,64 @@ The provider class

      This is an abstract attribute, you **must** override this!

-   .. autoattribute:: is_enabled
+   .. autoattribute:: public_name

-   .. automethod:: calculate_fee
+   .. autoattribute:: is_enabled

   .. autoattribute:: settings_form_fields

+   .. automethod:: settings_form_clean
+
   .. automethod:: settings_content_render

-   .. automethod:: render_invoice_text
+   .. automethod:: is_allowed

   .. automethod:: payment_form_render

   .. automethod:: payment_form

-   .. automethod:: is_allowed
-
   .. autoattribute:: payment_form_fields

-   .. automethod:: checkout_prepare
-
   .. automethod:: payment_is_valid_session

+   .. automethod:: checkout_prepare
+
   .. automethod:: checkout_confirm_render

      This is an abstract method, you **must** override this!

-   .. automethod:: payment_perform
+   .. automethod:: execute_payment
+
+   .. automethod:: calculate_fee

   .. automethod:: order_pending_mail_render

-   .. automethod:: order_pending_render
+   .. automethod:: payment_pending_render

-      This is an abstract method, you **must** override this!
+   .. autoattribute:: abort_pending_allowed
+
+   .. automethod:: render_invoice_text

   .. automethod:: order_change_allowed

-   .. automethod:: order_can_retry
+   .. automethod:: payment_prepare

-   .. automethod:: order_prepare
+   .. automethod:: payment_control_render

-   .. automethod:: order_paid_render
+   .. automethod:: payment_refund_supported

-   .. automethod:: order_control_render
+   .. automethod:: payment_partial_refund_supported

-   .. automethod:: order_control_refund_render
-
-   .. automethod:: order_control_refund_perform
-
-   .. automethod:: is_implicit
+   .. automethod:: execute_refund

   .. automethod:: shred_payment_info

+   .. autoattribute:: is_implicit
+
+   .. autoattribute:: is_meta
+
+   .. autoattribute:: test_mode_message
+

 Additional views
 ----------------
--- a/doc/development/api/payment_2.0.rst
+++ b/doc/development/api/payment_2.0.rst
@@ -0,0 +1,129 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+.. _`payment2.0`:
+
+Porting a payment provider from pretix 1.x to pretix 2.x
+========================================================
+
+In pretix 2.x, we changed large parts of the payment provider API. This documentation details the changes we made
+and shows you how you can make an existing pretix 1.x payment provider compatible with pretix 2.x
+
+Conceptual overview
+-------------------
+
+In pretix 1.x, an order was always directly connected to a payment provider for the full life of an order. As long as
+an order was unpaid, this could still be changed in some cases, but once an order was paid, no changes to the payment
+provider were possible any more. Additionally, the internal state of orders allowed orders only to be fully paid or
+not paid at all. This leads to a couple of consequences:
+
+* Payment-related functions (like "execute payment" or "do a refund") always operated on full orders.
+
+* Changing the total of an order was basically impossible once an order was paid, since there was no concept of
+  partial payments or partial refunds.
+
+* Payment provider plugins needed to take complicated steps to detect cases that require human intervention, like e.g.
+
+  * An order has expired, no quota is left to revive it, but a payment has been received
+
+  * A payment has been received for a canceled order
+
+  * A payment has been received for an order that has already been paid with a different payment method
+
+  * An external payment service notified us of a refund/dispute
+
+  We noticed that we copied and repeated large portions of code in all our official payment provider plugins, just
+  to deal with some of these cases.
+
+* Sometimes, there is the need to mark an order as refunded within pretix, without automatically triggering a refund
+  with an external API. Every payment method needed to implement a user interface for this independently.
+
+* If a refund was not possible automatically, there was no way user to track which payments actually have been refunded
+  manually and which are still left to do.
+
+* When the payment with one payment provider failed and the user changed to a different payment provider, all
+  information about the first payment was lost from the order object and could only be retrieved from order log data,
+  which also made it hard to design a data shredder API to get rid of this data.
+
+In pretix 2.x, we introduced two new models, :py:class:`OrderPayment <pretix.base.models.OrderPayment>` and
+:py:class:`OrderRefund <pretix.base.models.OrderRefund>`. Each instance of these is connected to an order and
+represents one single attempt to pay or refund a specific amount of money. Each one of these has an individual state,
+can individually fail or succeed, and carries an amount variable that can differ from the order total.
+
+This has the following advantages:
+
+* The system can now detect orders that are over- or underpaid, independent of the payment providers in use.
+
+* Therefore, we can now allow partial payments, partial refunds, and changing paid orders, and automatically detect
+  the cases listed above and notify the user.
+
+Payment providers now interact with those payment and refund objects more than with orders.
+
+Your to-do list
+---------------
+
+Payment processing
+""""""""""""""""""
+
+* The method ``BasePaymentProvider.order_pending_render`` has been removed and replaced by a new
+  ``BasePaymentProvider.payment_pending_render(request, payment)`` method that is passed an ``OrderPayment``
+  object instead of an ``Order``.
+
+* The method ``BasePaymentProvider.payment_form_render`` now receives a new ``total`` parameter.
+
+* The method ``BasePaymentProvider.payment_perform`` has been removed and replaced by a new method
+  ``BasePaymentProvider.execute_payment(request, payment)`` that is passed an ``OrderPayment``
+  object instead of an ``Order``.
+
+* The function ``pretix.base.services.mark_order_paid`` has been removed, instead call ``payment.confirm()``
+  on a pending ``OrderPayment`` object. If no further payments are required for this order, this will also
+  mark the order as paid automatically. Note that ``payment.confirm()`` can still throw a ``QuotaExceededException``,
+  however it will still mark the payment as complete (not the order!), so you should catch this exception and
+  inform the user, but not abort the transaction.
+
+* A new property ``BasePaymentProvider.abort_pending_allowed`` has been introduced. Only if set, the user will
+  be able to retry a payment or switch the payment method when the order currently has a payment object in
+  state ``"pending"``. This replaces ``BasePaymentProvider.order_can_retry``, which no longer exists.
+
+* The methods ``BasePaymentProvider.retry_prepare`` and ``BasePaymentProvider.order_prepare`` have both been
+  replaced by a new method ``BasePaymentProvider.payment_prepare(request, payment)`` that is passed an ``OrderPayment``
+  object instead of an ``Order``. **Keep in mind that this payment object might have an amount property that
+  differs from the order total, if the order is already partially paid.**
+
+* The method ``BasePaymentProvider.order_paid_render`` has been removed.
+
+* The method ``BasePaymentProvider.order_control_render`` has been removed and replaced by a new method
+  ``BasePaymentProvider.payment_control_render(request, payment)`` that is passed an ``OrderPayment``
+  object instead of an ``Order``.
+
+* There's no need to manually deal with excess payments or duplicate payments anymore, just setting the ``OrderPayment``
+  methods to the correct state will do the job.
+
+Creating refunds
+""""""""""""""""
+
+* The methods ``BasePaymentProvider.order_control_refund_render`` and ``BasePaymentProvider.order_control_refund_perform``
+  have been removed.
+
+* Two new boolean methods ``BasePaymentProvider.payment_refund_supported(payment)`` and ``BasePaymentProvider.payment_partial_refund_supported(payment)``
+  have been introduced. They should be set to return ``True`` if and only if the payment API allows to *automatically*
+  transfer the money back to the customer.
+
+* A new method ``BasePaymentProvider.execute_refund(refund)`` has been introduced. This method is called using a
+  ``OrderRefund`` object in ``"created"`` state and is expected to transfer the money back and confirm success with
+  calling ``refund.done()``. This will only ever be called if either ``BasePaymentProvider.payment_refund_supported(payment)``
+  or ``BasePaymentProvider.payment_partial_refund_supported(payment)`` return ``True``.
+
+Processing external refunds
+"""""""""""""""""""""""""""
+
+* If e.g. a webhook API notifies you that a payment has been disputed or refunded with the external API, you are
+  expected to call ``OrderPayment.create_external_refund(self, amount, execution_date, info='{}')`` on this payment.
+  This will create and return an appropriate ``OrderRefund`` object and send out a notification. However, it will not
+  mark the order as refunded, but will ask the event organizer for a decision.
+
+Data shredders
+""""""""""""""
+
+* The method ``BasePaymentProvider.shred_payment_info`` is no longer passed an order, but instead **either**
+  an ``OrderPayment`` **or** an ``OrderRefund``.
--- a/doc/development/api/plugins.rst
+++ b/doc/development/api/plugins.rst
@@ -49,15 +49,19 @@ description        string               A more verbose description of what your
 visible            boolean (optional)   ``True`` by default, can hide a plugin so it cannot be normally activated.
 restricted         boolean (optional)   ``False`` by default, restricts a plugin such that it can only be enabled
                                        for an event by system administrators / superusers.
+compatibility      string               Specifier for compatible pretix versions.
 ================== ==================== ===========================================================

 A working example would be::

-    from django.apps import AppConfig
+    try:
+        from pretix.base.plugins import PluginConfig
+    except ImportError:
+        raise RuntimeError("Please use pretix 2.7 or above to run this plugin!")
    from django.utils.translation import ugettext_lazy as _


-    class PaypalApp(AppConfig):
+    class PaypalApp(PluginConfig):
        name = 'pretix_paypal'
        verbose_name = _("PayPal")

@@ -68,6 +72,7 @@ A working example would be::
            visible = True
            restricted = False
            description = _("This plugin allows you to receive payments via PayPal")
+            compatibility = "pretix>=2.7.0"


    default_app_config = 'pretix_paypal.PaypalApp'
@@ -79,6 +84,9 @@ human-readable error messages. We recommend using the ``django.utils.functional.
 decorator, as it might get called a lot. You can also implement ``compatibility_warnings``,
 those will be displayed but not block the plugin execution.

+The ``AppConfig`` class may implement a method ``is_available(event)`` that checks if a plugin
+is available for a specific event. If not, it will not be shown in the plugin list of that event.
+
 Plugin registration
 -------------------

--- a/doc/development/concepts.rst
+++ b/doc/development/concepts.rst
@@ -82,6 +82,12 @@ Orders
 ^^^^^^

 If a customer completes the checkout process, an **Order** will be created containing all the entered information.
-An order can be in one of currently five states that are listed in the diagram below:
+An order can be in one of currently four states that are listed in the diagram below:

 .. image:: /images/order_states.png
+
+There are additional "fake" states that are displayed like states but not represented as states in the system:
+
+* An order is considered **canceled (with paid fee)** if it is in **paid** status but does not include any non-cancelled positions.
+
+* An order is considered **requiring approval** if it is in **pending** status with the ``require_approval`` attribute set to ``True``.
--- a/doc/development/implementation/models.rst
+++ b/doc/development/implementation/models.rst
@@ -23,7 +23,7 @@ Organizers and events
   :members:

 .. autoclass:: pretix.base.models.Event
-   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
+   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, invoice_renderer, settings

 .. autoclass:: pretix.base.models.SubEvent
   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running
@@ -86,6 +86,15 @@ Carts and Orders
 .. autoclass:: pretix.base.models.OrderPosition
   :members:

+.. autoclass:: pretix.base.models.OrderFee
+   :members:
+
+.. autoclass:: pretix.base.models.OrderPayment
+   :members:
+
+.. autoclass:: pretix.base.models.OrderRefund
+   :members:
+
 .. autoclass:: pretix.base.models.CartPosition
   :members:

--- a/doc/development/setup.rst
+++ b/doc/development/setup.rst
@@ -18,7 +18,7 @@ External Dependencies
 ---------------------
 Your should install the following on your system:

-* Python 3.4 or newer
+* Python 3.5 or newer
 * ``pip`` for Python 3 (Debian package: ``python3-pip``)
 * ``python-dev`` for Python 3 (Debian package: ``python3-dev``)
 * ``libffi`` (Debian package: ``libffi-dev``)
@@ -54,10 +54,6 @@ The first thing you need are all the main application's dependencies::
    cd src/
    pip3 install -r requirements.txt -r requirements/dev.txt

-If you are working with Python 3.4, you will also need (you can skip this for Python 3.5+)::
-
-    pip3 install -r requirements/py34.txt
-
 Next, you need to copy the SCSS files from the source folder to the STATIC_ROOT directory::

    python manage.py collectstatic --noinput
--- a/doc/images/order_states.png
+++ b/doc/images/order_states.png
--- a/doc/images/order_states.puml
+++ b/doc/images/order_states.puml
@@ -4,7 +4,6 @@ Pending: Order is expecting payment\nOrder reduces quotas
 Expired: Payment period is over\nOrder does not affect quotas
 Paid: Order was successful\nOrder reduces quotas
 Canceled: Order has been canceled\nOrder does not affect quotas
-Refunded: Order has been refunded\nOrder does not affect quotas

 [*] --> Pending: customer\nplaces order
 Pending --> Paid: successful payment
@@ -12,8 +11,9 @@ Pending --> Expired: automatically\nor manually\non admin action
 Expired --> Paid: if payment is received\nonly if quota left
 Expired --> Canceled
 Expired --> Pending: manually\non admin action
-Paid --> Refunded: manually on\nadmin action\nor if an external\npayment provider\nnotifies about a\npayment refund
+Paid --> Canceled: manually on\nadmin action\nor if an external\npayment provider\nnotifies about a\npayment refund
 Pending --> Canceled: on admin or\ncustomer action
 Paid -> Pending: manually on admin action
+[*] --> Paid: customer\nplaces free order

@enduml
--- a/doc/plugins/badges.rst
+++ b/doc/plugins/badges.rst
@@ -108,3 +108,43 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/badgeitems/
+
+   Returns a list of all assignments of items to layouts
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/democon/badgeitems/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "layout": 2,
+            "item": 3,
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of a valid event
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
--- a/doc/plugins/pretixdroid.rst
+++ b/doc/plugins/pretixdroid.rst
@@ -316,7 +316,7 @@ uses to communicate with the pretix server.
        "total": 42,
        "version": 3,
        "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference",
          "slug": "democon",
          "date_from": "2016-12-27T17:00:00Z",
          "date_to": "2016-12-30T18:00:00Z",
--- a/doc/plugins/ticketoutputpdf.rst
+++ b/doc/plugins/ticketoutputpdf.rst
@@ -20,6 +20,7 @@ default                               boolean                    ``true`` if thi
 layout                                object                     Layout specification for libpretixprint
 background                            URL                        Background PDF file
 item_assignments                      list of objects            Products this layout is assigned to
+├ sales_channel                       string                     Sales channel (defaults to ``web``).
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================

@@ -27,6 +28,10 @@ item_assignments                      list of objects            Products this l

   This resource has been added.

+.. versionchanged:: 2.3
+
+   The ``item_assignments.sales_channel`` field has been added.
+

 Endpoints
 ---------
@@ -109,3 +114,44 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/ticketlayoutitems/
+
+   Returns a list of all assignments of items to layouts
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/democon/ticketlayoutitems/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "layout": 2,
+            "item": 3,
+            "sales_channel": web
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of a valid event
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
--- a/doc/screens/organizer/webhook_edit.png
+++ b/doc/screens/organizer/webhook_edit.png
--- a/doc/screens/organizer/webhook_list.png
+++ b/doc/screens/organizer/webhook_list.png
--- a/doc/spelling_wordlist.txt
+++ b/doc/spelling_wordlist.txt
@@ -1,17 +1,21 @@
 addon
 addons
+Analytics
 anonymize
 api
 auditability
 auth
 autobuild
+availabilities
 backend
 backends
 banktransfer
+Bcc
 boolean
 booleans
 cancelled
 casted
+Ceph
 checkbox
 checksum
 config
@@ -23,6 +27,7 @@ cronjob
 cryptographic
 debian
 deduplication
+deprovision
 discoverable
 django
 dockerfile
@@ -49,6 +54,7 @@ linters
 memcached
 metadata
 middleware
+Minio
 mixin
 mixins
 multi
@@ -64,6 +70,7 @@ ons
 optimizations
 overpayment
 param
+passphrase
 percental
 positionid
 pre
@@ -88,7 +95,11 @@ regex
 renderer
 renderers
 reportlab
+SaaS
+scalability
 screenshot
+scss
+searchable
 selectable
 serializers
 serializers
@@ -103,8 +114,11 @@ subdomains
 subevent
 subevents
 submodule
+subnet
 subpath
+Symfony
 systemd
+testmode
 testutils
 timestamp
 tuples
@@ -113,6 +127,7 @@ unconfigured
 unix
 unprefixed
 untrusted
+uptime
 username
 url
 versa
--- a/doc/user/events/display.rst
+++ b/doc/user/events/display.rst
@@ -21,11 +21,18 @@ Frontpage text
    your product types, give more information on the event or for other general notices.
    You can use :ref:`Markdown syntax <markdown-guide>` in this field.

+Voucher explanation
+    This text will be shown above the voucher input box. You can use it to explain how to obtain a voucher and use it.
+
 Show variations of a product expanded by default
    If this is not checked, a product with variations will be shown as one row in the show by default and will expand
    into multiple rows once it is clicked on. With this box checked, the variations will be shown as multiple rows
    right from the beginning.

+Ask search engines not to index the ticket shop
+    If this is checked, we will set a HTML meta attribute asking search engines by Google not to put this ticket shop
+    into their searchable index.
+

 The lower part of the page contains settings that you can **either** set on organizer-level for all your events **or**
 override for this single event individually. Those are:
@@ -35,6 +42,12 @@ Primary color
    customers. We suggest not choosing something to light, since text in that color should be readable on a white
    background and white text should be readable on a background of this color.

+Accent color for success
+    This color will be used for success messages. We suggest to choose a dark shade of green.
+
+Accent color for errors
+    This color will be used for error messages. We suggest to choose a dark shade of red.
+
 Font
    Choose one of multiple fonts to use for your web shop.

--- a/doc/user/events/email.rst
+++ b/doc/user/events/email.rst
@@ -8,8 +8,8 @@ event.
   :align: center
   :class: screenshot

-The page is separated into three parts: "E-mail settings", "E-mail content" and "SMTP settings". We will explain all
-of them in detail on this page.
+The page is separated into four parts: "E-mail settings", "E-mail design", "E-mail content" and "SMTP settings".
+We will explain all of them in detail on this page.

 E-mail settings
 ---------------
@@ -30,10 +30,18 @@ Signature
    This text will be appended to all e-mails in form of a signature. This might be useful e.g. to add your contact
    details or any legal information that needs to be included with the e-mails.

+Bcc address
+    This email address will receive a copy of every event-related email.
+
+E-mail design
+-------------
+
+In this part, you can choose and preview the layout of your emails. More layouts can be added by pretix plugins.
+
 E-mail content
 --------------

-The middle part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
+The next part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
 You can click on the different boxes to expand them and see the texts.

 Within the texts, you can use placeholders that will later by replaced by values depending on the event or order. Below
@@ -45,6 +53,7 @@ Placeholder                    Description
 ============================== ===============================================================================
 event                          The event name
 total                          The order's total value
+total_with_currency            The order's total value with a localized currency sign
 currency                       The currency used for the event (three-letter code)
 payment_info                   Information text specific to the payment method (e.g. banking details)
 url                            An URL pointing to the download/status page of the order
@@ -112,6 +121,22 @@ Reminder to download tickets
    attendees to download their tickets. The e-mail should include a link to the ticket download. This e-mail will only
    ever be sent if you specify a number of days.

+Order approval process
+    If you configure one of your products to "require approval", orders of that product will not immediately be confirmed
+    but only after you approved them manually. In this case, the following e-mail templates will be sent out.
+
+    Received order
+        After an order has been received, this e-mail will be sent automatically instead of the "order placed" e-mail from
+        above.
+
+    Approved order
+        This e-mail will be sent after you manually approved an order. This should include instructions to pay for the order,
+        which is why this will only be used for a paid order. For a free order, the "free order" e-mail from above will
+        be sent.
+
+    Denied order
+        This e-mail will be sent out to customers when their order has been denied.
+
 SMTP settings
 -------------

--- a/doc/user/events/invoicing.rst
+++ b/doc/user/events/invoicing.rst
@@ -11,18 +11,6 @@ The settings at "Settings" → "Invoice" allow you to specify if and how pretix

 In particular, you can configure the following things:

-Ask for invoice address
-    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
-    this box, the invoice address will be optional to fill in.
-
-Require invoice address
-    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
-    able to create an order without entering an address.
-
-Require customer name
-    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
-    the name field will be obligatory.
-
 Generate invoices
    This field controls whether pretix should generate an invoice for an order. You have the following options:

@@ -51,6 +39,51 @@ Attach invoices to emails
    "Automatically for all created orders" or to the payment confirmation e-mails if it is set to "Automatically on
    payment".

+Invoice number prefix
+    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
+    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
+    followed by a dash, e.g. DEMOCON-00001.
+
+    Within one organizer account, events with the same number prefix will share their number range. For example, if you
+    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
+    and the numbers will have gaps within one event.
+
+Generate invoices with consecutive numbers
+    If enabled, invoices will be created with numerical invoice numbers in the order of their creation, i.e.
+    PREFIX-00001, PREFIX-00002, and so on. If disabled, invoice numbers will instead be generated from the order code,
+    i.e. PREFIX-YHASD-1. When in doubt, keep this option enabled since it might be legally required in your country,
+    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
+    the invoice numbers.
+
+Invoice language
+    This setting allows you to configure the language of all invoices. You can either set it to one of your event
+    language or dynamically to the language used by the customer.
+
+Show free products on invoices
+    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
+    at least one non-free product in order to generate an invoice.
+
+Show attendee names on invoices
+    If enabled, the attendee name will be printed on the invoice for admission tickets.
+
+Ask for invoice address
+    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
+    this box, the invoice address will be optional to fill in.
+
+Require invoice address
+    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
+    able to create an order without entering an address.
+
+Require customer name
+    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
+    the name field will be obligatory.
+
+Require a business address
+    If enabled, the invoice address form will require a company name and do not allow personal addresses.
+
+Ask for beneficiary
+    If enabled, the invoice address form will contain an additional field to input the beneficiary of the transaction.
+
 Ask for VAT ID
    If enabled, the invoice address form will not only ask for a postal address, but also for a VAT ID. The VAT ID will
    always be an optional field.
@@ -62,26 +95,13 @@ Generate invoices with consecutive numbers
    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
    the invoice numbers.

-Invoice number prefix
-    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
-    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
-    followed by a dash, e.g. DEMOCON-00001.
-
-    Within one organizer account, events with the same number prefix will share their number range. For example, if you
-    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
-    and the numbers will have gaps within one event.
-
-Show free products on invoices
-    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
-    at least one non-free product in order to generate an invoice.
-
-Show attendee names on invoices
-    If enabled, the attendee name will be printed on the invoice for admission tickets.
-
-Your address
-    This should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
+Your invoice details
+    These fields should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
    the header of the invoice.

+Invoice style
+    This setting allows you to choose the design of your invoice. Additional designs can be added by pretix plugins.
+
 Introductory text
    A free custom text that will be printed above the list of products on the invoice.

--- a/doc/user/events/structureguide.rst
+++ b/doc/user/events/structureguide.rst
@@ -0,0 +1,260 @@
+Product structure guide
+=======================
+
+Between products, categories, variations, add-ons, bundles, and quotas, pretix provides a wide range of features that allow you to set up your event in the way you want it.
+However, it is easy to get lost in the process or to get started with building your event right.
+Often times, there are multiple ways to do something that come with different advantages and disadvantages.
+This guide will walk you through a number of typical examples of pretix event structures and will explain how to set them up – feel free to just skip ahead to a section relevant for you.
+
+Terminology
+-----------
+
+Products
+    A product is a basic entity that can be bought. You can think of it as a ticket type, but it can be more things than just a ticket, it can also be a piece of merchandise, a parking slot, etc.
+    You might find some places where they are called "items" instead, but we're trying to get rid of that.
+
+Product categories
+    Products can be sorted into categories. Each product can only be in one category. Category are mostly used for grouping related products together to make your event page easier to read for buyers. However, we'll need categories as well to set up some of the structures outlined below.
+
+Product variations
+    During creation of a product, you can decide that your product should have multiple variations. Variations of a product can differ in price, description, and availability, but are otherwise the same. You could use this e.g. for differentiating between a regular ticket and a discounted ticket for students, or when selling merchandise to differentiate the different sizes of a t-shirt.
+
+Product add-ons
+    Add-ons are products that are sold together with another product (which we will call the base product in this case). For example, you could have a base product "Conference ticket" and then define multiple workshops that can be chosen as an add-on.
+
+Product bundles
+    Bundles work very similarly to add-ons, but are different in the way that they are always automatically included with the base product and cannot be optional. In contrast to add-on products, the same product can be included multiple times in a bundle.
+
+Quotas
+    Quotas define the availability of products. A quota has a size (i.e. the number of products in the inventory) and is mapped to one or multiple products or variations.
+
+Questions
+    Questions are user-defined form fields that buyers will need to fill out when purchasing a product.
+
+Use case: Multiple price levels
+-------------------------------
+
+Imagine you're running a concert with general admission that sells a total of 200 tickets for two prices:
+
+* Regular: € 25.00
+* Students: € 19.00
+
+You can either set up two different products called e.g. "Regular ticket" and "Student ticket" with the respective prices, or two variations within the same product. In this simple case, it really doesn't matter.
+
+In addition, you will need quotas. If you do not care how many of your tickets are sold to students, you should set up just **one quota** of 200 called e.g. "General admission" that you link to **both products**.
+
+If you want to limit the number of student tickets to 50 to ensure a certain minimum revenue, but do not want to limit the number of regular tickets artificially, we suggest you to create the same quota of 200 that is linked to both products, and then create a **second quota** of 50 that is only linked to the student ticket. This way, the system will reduce both quotas whenever a student ticket is sold and only the larger quota when a regular ticket is sold.
+
+Use case: Early-bird tiers
+--------------------------
+
+Let's say you run a conference that has the following pricing scheme:
+
+* 12 to 6 months before the event: € 450
+* 6 to 3 months before the event: € 550
+* closer than 3 months to the event: € 650
+
+Of course, you could just set up one product and change its price at the given dates manually, but if you want to set this up automatically, here's how:
+
+Create three products (e.g. "super early bird", "early bird", "regular ticket") with the respective prices and one shared quota of your total event capacity. Then, set the **available from** and **available until** configuration fields of the products to automatically turn them on and off based on the current date.
+
+.. note::
+
+   pretix currently can't do early-bird tiers based on **ticket number** instead of time. We're planning this feature for later in 2019. For now, you'll need to monitor that manually.
+
+Use case: Up-selling of ticket extras
+-------------------------------------
+
+Let's assume you're putting up a great music festival, and to save trouble with handling payments on-site, you want to sell parking spaces together with your ticket. By using our add-on feature, you can prompt all users to book the parking space (to make sure they see it) and ensure that only people with a ticket can book a parking space. You can set it up like this:
+
+* Create a base product "Festival admission"
+* Create a quota for the base product
+* Create a category "Ticket extras" and check "Products in this category are add-on products"
+* Create a product "Parking space" within that category
+* Create a quota for the parking space product
+* Go to the base product and select the tab "Add-Ons" at the top. Click "Add a new add-on" and choose the "Ticket extras" category. You can keep the numbers at 0 and 1.
+
+During checkout, all buyers of the base product will now be prompted if they want to add the parking space.
+
+.. tip::
+
+   You can also use add-on products for free things, just to keep tabs on capacity.
+
+Use case: Conference with workshops
+-----------------------------------
+
+When running a conference, you might also organize a number of workshops with smaller capacity. To be able to plan, it would be great to know which workshops an attendee plans to attend.
+
+Your first and simplest option is to just create a multiple-choice question. This has the upside of making it easy for users to change their mind later on, but will not allow you to restrict the number of attendees signing up for a given workshop – or even charge extra for a given workshop.
+
+The usually better option is to go with add-on products. Let's take for example the following conference schedule, in which the lecture can be attended by anyone, but the workshops only have space for 20 persons each:
+
+==================== =================================== ===================================
+Time                 Room A                              Room B
+==================== =================================== ===================================
+Wednesday morning    Lecture
+Wednesday afternoon  Workshop A                          Workshop B
+Thursday morning     Workshop C                          Workshop D (20 € extra charge)
+==================== =================================== ===================================
+
+Assuming you already created one or more products for your general conference admission, we suggest that you additionally create:
+
+* A category called "Workshops" with the checkbox "Products in this category are add-on products" activated
+
+* A free product called "Wednesday afternoon" within the category "Workshops" and with two variations:
+
+    * Workshop A
+
+    * Workshop B
+
+* A free product called "Thursday morning" within the category "Workshops" and with two variations:
+
+    * Workshop C
+
+    * Workshop D with a price of 20 €
+
+* Four quotas for each of the workshops
+
+* One add-on configuration on your base product that allows users to choose between 0 and 2 products from the category "Workshops"
+
+Use case: Discounted packages
+-----------------------------
+
+Imagine you run a trade show that opens on three consecutive days and you want to have the following pricing:
+
+* Single day: € 10
+* Any two days: € 17
+* All three days:  € 25
+
+In this case, there are multiple different ways you could set this up with pretix.
+
+Option A: Combination products
+""""""""""""""""""""""""""""""
+
+With this option, you just set up all the different combinations someone could by as a separate product. In this case, you would need 7 products:
+
+* Day 1 pass
+* Day 2 pass
+* Day 3 pass
+* Day 1+2 pass
+* Day 2+3 pass
+* Day 1+3 pass
+* All-day pass
+
+Then, you create three quotas, each one with the maximum capacity of your venue on any given day:
+
+* Day 1 quota, linked to "Day 1 pass", "Day 1+2 pass", "Day 1+3 pass", and "All-day pass"
+* Day 2 quota, linked to "Day 2 pass", "Day 1+2 pass", "Day 2+3 pass", and "All-day pass"
+* Day 3 quota, linked to "Day 3 pass", "Day 2+3 pass", "Day 1+3 pass", and "All-day pass"
+
+This way, every person gets exactly one ticket that they can use for all days that they attend. You can later set up check-in lists appropriately to make sure only tickets valid for a certain day can be scanned on that day.
+
+The benefit of this option is that your product structure and order structure stays very simple. However, the two-day packages scale badly when you need many products.
+
+We recommend this setup for most setups in which the number of possible combinations does not exceed the number of parts (here: number of days) by much.
+
+Option B: Add-ons and bundles
+"""""""""""""""""""""""""""""
+
+We can combine the two features "product add-ons" and "product bundles" to set this up in a different way. Here, you would create the following five products:
+
+* Day 1 pass in a category called "Day passes"
+* Day 2 pass in a category called "Day passes"
+* Day 3 pass in a category called "Day passes"
+* Two-day pass
+* All-day pass
+
+This time, you will need five quotas:
+
+* Day 1 quota, linked to "Day 1 pass"
+* Day 2 quota, linked to "Day 2 pass"
+* Day 3 quota, linked to "Day 3 pass"
+* Two-day pass quota, linked to "Two-day pass" (can be unlimited)
+* All-day pass quota, linked to "All-day pass" (can be unlimited)
+
+Then, you open the "Add-On" tab in the settings of the **Two-day pass** product and create a new add-on configuration specifying the following options:
+
+* Category: "Day passes"
+* Minimum number: 2
+* Maximum number: 2
+* Add-Ons are included in the price: Yes
+
+This way, when buying a two-day pass, the user will be able to select *exactly* two days for free, which will then be added to the cart. Depending on your specific configuration, the user will now receive *two separate* tickets, one for each day.
+
+For the all-day pass, you open the "Bundled products" tab in the settings of the **All-day pass** product and add **three** new bundled items with the following options:
+
+* Bundled product: "Day 1/2/3"
+* Bundled variation: None
+* Count: 1
+* Designated price: 0
+
+This way, when buying an all-day pass, three free day passes will *automatically* be added to the cart. Depending on your specific configuration, the user will now receive *three separate* tickets, one for each day.
+
+This approach makes your order data more complicated, since e.g. someone who buys an all-day pass now technically bought **four products**. However, this option allows for more flexibility when you have lots of options to choose from.
+
+.. tip::
+
+   Depending on the packages you offer, you **might not need both the add-on and the bundle feature**, i.e. you only need the add-on feature for the two-day pass and only the bundle feature for the all-day pass. You could also set up the two-day pass like we showed here, but the all-day pass like in option A!
+
+Use case: Group discounts
+-------------------------
+
+Often times, you want to give discounts for whole groups attending your event. pretix can't automatically discount based on volume, but there's still some ways you can set up group tickets.
+
+Flexible group sizes
+""""""""""""""""""""
+
+If you want to give out discounted tickets to groups starting at a given size, but still billed per person, you can do so by creating a special **Group ticket** at the per-person price and set the **Minimum amount per order** option of the ticket to the minimal group size.
+
+This way, your ticket can be bought an arbitrary number of times – but no less than the given minimal amount per order.
+
+Fixed group sizes
+"""""""""""""""""
+
+If you want to sell group tickets in fixed sizes, e.g. a table of eight at your gala dinner, you can use product bundles. Assuming you already set up a ticket for admission of single persons, you then set up a second product **Table (8 persons)** with a discounted full price. Then, head to the **Bundled products** tab of that product and add one bundle configuration to include the single admission product **eight times**. Next, create an unlimited quota mapped to the new product.
+
+This way, the purchase of a table will automatically create eight tickets, leading to a correct calculation of your total quota and, as expected, eight persons on your check-in list. You can even ask for the individual names of the persons during checkout.
+
+Use case: Restricted audience
+-----------------------------
+
+Not all events are for everyone. Sometimes, there is a good reason to restrict access to your event or parts of your event only to a specific, invited group. There's two ways to implement this with pretix:
+
+Option A: Required voucher codes
+""""""""""""""""""""""""""""""""
+
+If you check the option "**This product can only be bought using a voucher**" of one or multiple products, only people holding an applicable voucher code will be able to buy the product.
+
+You can then generate voucher codes for the respective product and send them out to the group of possible attendees. If the recipients should still be able to choose between different products, you can create an additional quota and map the voucher to that quota instead of the products themselves.
+
+There's also the second option "**This product will only be shown if a voucher matching the product is redeemed**". In this case, the existence of the product won't even be shown before a voucher code is entered – useful for a VIP option in a shop where you also sell other products to the general public. Please note that this option does **not** work with vouchers assigned to a quota, only with vouchers assigned directly to the product.
+
+This option is appropriate if you know the group of people beforehand, e.g. members of a club, and you can mail them their access codes.
+
+Option B: Order approvals
+"""""""""""""""""""""""""
+
+If you do not know your audience already, but still want to restrict it to a certain group, e.g. people with a given profession, you can check the "**Buying this product requires approval**" in the settings of your product. If a customer tries to buy such a product, they will be able to place their order but can not proceed to payment. Instead, you will be asked to approve or deny the order and only if you approve it, we will send a payment link to the customer.
+
+This requires the customer to interact with the ticket shop twice (once for the order, once for the payment) which adds a little more friction, but gives you full control over who attends the event.
+
+Use case: Mixed taxation
+------------------------
+
+Let's say you are a charitable organization in Germany and are allowed to charge a reduced tax rate of 7% for your educational event. However, your event includes a significant amount of food, you might need to charge a 19% tax rate on that portion. For example, your desired tax structure might then look like this:
+
+* Conference ticket price: € 450 (incl. € 150 for food)
+
+    * incl. € 19.63 VAT at 7%
+    * incl. € 23.95 VAT at 19%
+
+You can implement this in pretix using product bundles. In order to do so, you should create the following two products:
+
+* Conference ticket at € 450 with a 7% tax rule
+* Conference food at € 150 with a 19% tax rule and the option "**Only sell this product as part of a bundle**" set
+
+In addition to your normal conference quota, you need to create an unlimited quota for the food product.
+
+Then, head to the **Bundled products** tab of the "conference ticket" and add the "conference food" as a bundled product with a **designated price** of € 150.
+
+Once a customer tries to buy the € 450 conference ticket, a sub-product will be added and the price will automatically be split into the two components, leading to a correct computation of taxes.
--- a/doc/user/events/tickets.rst
+++ b/doc/user/events/tickets.rst
@@ -25,6 +25,10 @@ Generate tickets for non-admission products
  By default, tickets will only be generated for products that are marked as admission products. Enable this option to
  generate tickets for all products instead.

+Offer to download tickets even before an order is paid
+  By default, ticket download is only possible for paid orders. If you run an event where people usually pay only after
+  the event, you can check this box to enable ticket download even before.
+
 Below these settings, the detail settings for the various ticket file formats are offered. They differ from format to
 format and only share the common "Enable" setting that can be used to turn them on. By default, pretix ships with
 a PDF output plugin that you can configure through a visual design editor.
--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -107,6 +107,42 @@ voucher's settings.
        </div>
    </noscript>

+Disabling the voucher input
+---------------------------
+
+If you want to disable voucher input in the widget, you can pass the ``disable-vouchers`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" disable-vouchers></pretix-widget>
+
+Multi-event selection
+---------------------
+
+If you want to embed multiple events in a single widget, you can do so. If it's multiple dates of an event series, just leave off the ``series`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/series/"></pretix-widget>
+
+If you want to include all your public events, you can just reference your organizer::
+
+   <pretix-widget event="https://pretix.eu/demo/"></pretix-widget>
+
+There is an optional ``style`` parameter that let's you choose between a calendar view and a list view. If you do not set it, the choice will be taken from your organizer settings::
+
+   <pretix-widget event="https://pretix.eu/demo/series/" style="list"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+
+You can see an example here:
+
+.. raw:: html
+
+    <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/series/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
 pretix Button
 -------------

@@ -136,14 +172,107 @@ resources. Then, instead of the ``pretix-widget`` tag, use the ``pretix-button``
 As you can see, the ``pretix-button`` element takes an additional ``items`` attribute that specifies the items that
 should be added to the cart. The syntax of this attribute is ``item_ITEMID=1,item_ITEMID=2,variation_ITEMID_VARID=4``
 where ``ITEMID`` are the internal IDs of items to be added and ``VARID`` are the internal IDs of variations of those
-items, if the items have variations.
+items, if the items have variations. If you omit the ``items`` attribute, the general start page will be presented.

 Just as the widget, the button supports the optional attributes ``voucher`` and ``skip-ssl-check``.

 You can style the button using the ``pretix-button`` CSS class.

-.. versionchanged:: 1.13
+Dynamically loading the widget
+------------------------------

-   The pretix Button has been added in version 1.13.
+If you need to control the way or timing the widget loads, for example because you want to modify user data (see
+below) dynamically via JavaScript, you can register a listener that we will call before creating the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        // Will be run before we create the widget.
+    }
+    </script>
+
+If you want, you can suppress us loading the widget and/or modify the user data passed to the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        window.PretixWidget.build_widgets = false;
+        window.PretixWidget.widget_data["email"] = "test@example.org";
+    }
+    </script>
+
+If you then later want to trigger loading the widgets, just call ``window.PretixWidget.buildWidgets()``.
+
+
+Passing user data to the widget
+-------------------------------
+
+If you display the widget in a restricted area of your website and you want to pre-fill fields in the checkout process
+with known user data to save your users some typing and increase conversions, you can pass additional data attributes
+with that information::
+
+    <pretix-widget event="https://pretix.eu/demo/democon/"
+        data-attendee-name-given-name="John"
+        data-attendee-name-family-name="Doe"
+        data-invoice-address-name-given-name="John"
+        data-invoice-address-name-family-name="Doe"
+        data-email="test@example.org"
+        data-question-L9G8NG9M="Foobar">
+    </pretix-widget>
+
+This works for the pretix Button as well. Currently, the following attributes are understood by pretix itself:
+
+* ``data-email`` will pre-fill the order email field as well as the attendee email field (if enabled).
+
+* ``data-question-IDENTIFIER`` will pre-fill the answer for the question with the given identifier. You can view and set
+  identifiers in the *Questions* section of the backend.
+
+* Depending on the person name scheme configured in your event settings, you can pass one or more of
+  ``data-attendee-name-full-name``, ``data-attendee-name-given-name``, ``data-attendee-name-family-name``,
+  ``data-attendee-name-middle-name``, ``data-attendee-name-title``, ``data-attendee-name-calling-name``,
+  ``data-attendee-name-latin-transcription``. If you don't know or don't care, you can also just pass a string as
+  ``data-attendee-name``, which will pre-fill the last part of the name, whatever that is.
+
+* ``data-invoice-address-FIELD`` will  pre-fill the corresponding field of the invoice address. Possible values for
+  ``FIELD`` are ``company``, ``street``, ``zipcode``, ``city`` and ``country``, as well as fields specified by the
+  naming scheme such as ``name-title`` or ``name-given-name`` (see above). ``country`` expects a two-character
+  country code.
+
+Any configured pretix plugins might understand more data fields. For example, if the appropriate plugins on pretix
+Hosted or pretix Enterprise are active, you can pass the following fields:
+
+* If you use the campaigns plugin, you can pass a campaign ID as a value to ``data-campaign``. This way, all orders
+  made through this widget will be counted towards this campaign.
+
+* If you use the tracking plugin, you can pass a Google Analytics User ID to enable cross-domain tracking. This will
+  require you to dynamically load the widget, like this::
+
+    <script>
+        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+        })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+        ga('create', 'UA-XXXXXX-1', 'auto');
+        ga('send', 'pageview');
+
+        window.pretixWidgetCallback = function () {
+            window.PretixWidget.build_widgets = false;
+            window.addEventListener('load', function() { // Wait for GA to be loaded
+                if(window.ga && ga.create) {
+                    ga(function(tracker) {
+                        window.PretixWidget.widget_data["tracking-ga-id"] = tracker.get('clientId');
+                        window.PretixWidget.buildWidgets()
+                    });
+                } else { // Tracking is probably blocked
+                       window.PretixWidget.buildWidgets()
+                }
+            });
+        };
+    </script>
+
+
+.. versionchanged:: 2.3
+
+   Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
+   fully if you configured a redis server.

 .. _Let's Encrypt: https://letsencrypt.org/
--- a/doc/user/faq.rst
+++ b/doc/user/faq.rst
@@ -4,22 +4,10 @@ FAQ and Troubleshooting
 How can I test my shop before taking it live?
 ---------------------------------------------

-There are multiple ways to do this.
-
-First, you could just create some orders in your real shop and cancel/refund them later. If you don't want to process
-real payments for the tests, you can either use a "manual" payment method like bank transfer and just mark the orders
-as paid with the button in the backend, or if you want to use e.g. Stripe, you can configure pretix to use your keys
-for the Stripe test system and use their test credit cars. Read our :ref:`Stripe documentation <stripe>` for more
-information.
-
-Second, you could create a separate event, just for testing. In the last step of the :ref:`event creation process <event_create>`,
-you can specify that you want to copy all settings from your real event, so you don't have to do all of it twice.
-
-We are planning to add a dedicated test mode in a later version of pretix.
-
-If you are using the hosted service at pretix.eu and want to get rid of the test orders completely, contact us at
-support@pretix.eu and we can remove them for you. Please note that we only are able to do that *before* you have
-received any real orders (i.e. taken the shop public). We won't charge any fees for test orders or test events.
+On your event dashboard, click on the first tile that shows your shop status. On the lower part of this page, you can
+place your event into "test mode". In "test mode", everything behaves the same, but orders created during test mode can
+later be fully deleted. Be sure to actually delete them when or after you turn off test mode, since test mode orders
+still count toward your quotas and are included in your reports.

 How do I delete an event?
 -------------------------
--- a/doc/user/index.rst
+++ b/doc/user/index.rst
@@ -10,6 +10,7 @@ wanting to use pretix to sell tickets.
   organizers/index
   events/create
   events/settings
+   events/structureguide
   events/widget
   faq
   markdown
--- a/doc/user/payments/paypal.rst
+++ b/doc/user/payments/paypal.rst
@@ -3,6 +3,13 @@
 PayPal
 ======

+.. note::
+
+   If you use pretix Hosted, you do not longer need to go through this tedious process! You can
+   just open the PayPal settings in the payment section of your event, click "Connect to PayPal"
+   and log in to your PayPal account. The following guide is only required for self-hosted
+   versions of pretix.
+
 To integrate PayPal with pretix, you first need to have an active PayPal merchant account. If you do not already have a
 PayPal account, you can create one on `paypal.com`_.
 If you look into pretix' settings, you are required to fill in two keys:
--- a/readthedocs.yml
+++ b/readthedocs.yml
@@ -0,0 +1,6 @@
+
+build:
+  image: latest
+
+python:
+  version: 3.6
--- a/src/.coveragerc
+++ b/src/.coveragerc
@@ -1,12 +0,0 @@
-[run]
-source = pretix
-omit = */migrations/*,*/urls.py,*/tests/*,*/testdummy/*,*/admin.py,pretix/wsgi.py,pretix/settings.py
-
-[report]
-exclude_lines =
-	pragma: no cover
-	def __str__
-	der __repr__
-	if settings.DEBUG
-	NOQA
-	NotImplementedError
--- a/src/.update-locales
+++ b/src/.update-locales
@@ -34,4 +34,5 @@ git push
 # Unlock Weblate
 for c in $COMPONENTS; do
 	wlc unlock $c;
+	wlc pull $c;
 done
--- a/src/MANIFEST.in
+++ b/src/MANIFEST.in
@@ -8,6 +8,8 @@ recursive-include pretix/control/templates *
 recursive-include pretix/presale/templates *
 recursive-include pretix/plugins/banktransfer/templates *
 recursive-include pretix/plugins/banktransfer/static *
+recursive-include pretix/plugins/manualpayment/templates *
+recursive-include pretix/plugins/manualpayment/static *
 recursive-include pretix/plugins/paypal/templates *
 recursive-include pretix/plugins/pretixdroid/templates *
 recursive-include pretix/plugins/pretixdroid/static *
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -1 +1 @@
-__version__ = "2.0.0.dev0"
+__version__ = "2.7.0"
--- a/src/pretix/api/init.py
+++ b/src/pretix/api/init.py
@@ -5,5 +5,8 @@ class PretixApiConfig(AppConfig):
    name = 'pretix.api'
    label = 'pretixapi'

+    def ready(self):
+        from . import signals, webhooks  # noqa
+

 default_app_config = 'pretix.api.PretixApiConfig'
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -0,0 +1,25 @@
+from django.contrib.auth.models import AnonymousUser
+from rest_framework import exceptions
+from rest_framework.authentication import TokenAuthentication
+
+from pretix.base.models import Device
+
+
+class DeviceTokenAuthentication(TokenAuthentication):
+    model = Device
+    keyword = 'Device'
+
+    def authenticate_credentials(self, key):
+        model = self.get_model()
+        try:
+            device = model.objects.select_related('organizer').get(api_token=key)
+        except model.DoesNotExist:
+            raise exceptions.AuthenticationFailed('Invalid token.')
+
+        if not device.initialized:
+            raise exceptions.AuthenticationFailed('Device has not been initialized.')
+
+        if device.revoked:
+            raise exceptions.AuthenticationFailed('Device access has been revoked.')
+
+        return AnonymousUser(), device
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -1,7 +1,8 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission

 from pretix.api.models import OAuthAccessToken
-from pretix.base.models import Event
+from pretix.base.models import Device, Event, User
+from pretix.base.models.auth import SuperuserPermissionSet
 from pretix.base.models.organizer import Organizer, TeamAPIToken
 from pretix.helpers.security import (
    SessionInvalid, SessionReauthRequired, assert_session_valid,
@@ -9,10 +10,9 @@ from pretix.helpers.security import (


 class EventPermission(BasePermission):
-    model = TeamAPIToken

    def has_permission(self, request, view):
-        if not request.user.is_authenticated and not isinstance(request.auth, TeamAPIToken):
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
            return False

        if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
@@ -31,17 +31,20 @@ class EventPermission(BasePermission):
            except SessionReauthRequired:
                return False

-        perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
+        perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken))
                       else request.user)
        if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
            request.event = Event.objects.filter(
                slug=request.resolver_match.kwargs['event'],
                organizer__slug=request.resolver_match.kwargs['organizer'],
            ).select_related('organizer').first()
-            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event):
+            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event, request=request):
                return False
            request.organizer = request.event.organizer
-            request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.eventpermset = SuperuserPermissionSet()
+            else:
+                request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)

            if required_permission and required_permission not in request.eventpermset:
                return False
@@ -50,9 +53,12 @@ class EventPermission(BasePermission):
            request.organizer = Organizer.objects.filter(
                slug=request.resolver_match.kwargs['organizer'],
            ).first()
-            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer):
+            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
                return False
-            request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.orgapermset = SuperuserPermissionSet()
+            else:
+                request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)

            if required_permission and required_permission not in request.orgapermset:
                return False
@@ -76,7 +82,7 @@ class EventCRUDPermission(EventPermission):
            return False
        elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
            return False
-        elif view.action in ['retrieve', 'update', 'partial_update'] \
+        elif view.action in ['update', 'partial_update'] \
                and 'can_change_event_settings' not in request.eventpermset:
            return False

--- a/src/pretix/api/exception.py
+++ b/src/pretix/api/exception.py
@@ -10,7 +10,10 @@ def custom_exception_handler(exc, context):
    if isinstance(exc, LockTimeoutException):
        response = Response(
            {'detail': 'The server was too busy to process your request. Please try again.'},
-            status=status.HTTP_409_CONFLICT
+            status=status.HTTP_409_CONFLICT,
+            headers={
+                'Retry-After': 5
+            }
        )

    return response
--- a/src/pretix/api/middleware.py
+++ b/src/pretix/api/middleware.py
@@ -0,0 +1,91 @@
+import json
+from hashlib import sha1
+
+from django.conf import settings
+from django.db import transaction
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.utils.timezone import now
+from rest_framework import status
+
+from pretix.api.models import ApiCall
+
+
+class IdempotencyMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        if request.method in ('GET', 'HEAD', 'OPTIONS'):
+            return self.get_response(request)
+
+        if not request.path.startswith('/api/'):
+            return self.get_response(request)
+
+        if not request.headers.get('X-Idempotency-Key'):
+            return self.get_response(request)
+
+        auth_hash_parts = '{}:{}'.format(
+            request.headers.get('Authorization', ''),
+            request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
+        )
+        auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
+        idempotency_key = request.headers.get('X-Idempotency-Key', '')
+
+        with transaction.atomic():
+            call, created = ApiCall.objects.select_for_update().get_or_create(
+                auth_hash=auth_hash,
+                idempotency_key=idempotency_key,
+                defaults={
+                    'locked': now(),
+                    'request_method': request.method,
+                    'request_path': request.path,
+                    'response_code': 0,
+                    'response_headers': '{}',
+                    'response_body': b''
+                }
+            )
+
+        if created:
+            resp = self.get_response(request)
+            with transaction.atomic():
+                if resp.status_code in (409, 429, 503):
+                    # This is the exception: These calls are *meant* to be retried!
+                    call.delete()
+                else:
+                    call.response_code = resp.status_code
+                    if isinstance(resp.content, str):
+                        call.response_body = resp.content.encode()
+                    elif isinstance(resp.content, memoryview):
+                        call.response_body = resp.content.tobytes()
+                    elif isinstance(resp.content, bytes):
+                        call.response_body = resp.content
+                    elif hasattr(resp.content, 'read'):
+                        call.response_body = resp.read()
+                    elif hasattr(resp, 'data'):
+                        call.response_body = json.dumps(resp.data)
+                    else:
+                        call.response_body = repr(resp).encode()
+                    call.response_headers = json.dumps(resp._headers)
+                    call.locked = None
+                    call.save(update_fields=['locked', 'response_code', 'response_headers',
+                                             'response_body'])
+            return resp
+        else:
+            if call.locked:
+                r = JsonResponse(
+                    {'detail': 'Concurrent request with idempotency key.'},
+                    status=status.HTTP_409_CONFLICT,
+                )
+                r['Retry-After'] = 5
+                return r
+
+            content = call.response_body
+            if isinstance(content, memoryview):
+                content = content.tobytes()
+            r = HttpResponse(
+                content=content,
+                status=call.response_code,
+            )
+            for k, v in json.loads(call.response_headers).values():
+                r[k] = v
+            return r
--- a/src/pretix/api/migrations/0001_initial.py
+++ b/src/pretix/api/migrations/0001_initial.py
@@ -46,7 +46,7 @@ class Migration(migrations.Migration):
                ('updated', models.DateTimeField(auto_now=True)),
                ('name', models.CharField(max_length=255, verbose_name='Application name')),
                ('redirect_uris', models.TextField(help_text='Allowed URIs list, space separated',
-                                                   validators=[oauth2_provider.validators.validate_uris],
+                                                   validators=[oauth2_provider.validators.URIValidator],
                                                   verbose_name='Redirection URIs')),
                ('client_id',
                 models.CharField(db_index=True, default=oauth2_provider.generators.generate_client_id, max_length=100,
--- a/src/pretix/api/migrations/0003_webhook_webhookcall_webhookeventlistener.py
+++ b/src/pretix/api/migrations/0003_webhook_webhookcall_webhookeventlistener.py
@@ -0,0 +1,79 @@
+# Generated by Django 2.1.1 on 2018-11-07 10:46
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0102_auto_20181017_0024'),
+        ('pretixapi', '0002_auto_20180604_1120'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='WebHook',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('enabled', models.BooleanField(default=True, verbose_name='Enable webhook')),
+                ('target_url', models.URLField(verbose_name='Target URL')),
+                ('all_events', models.BooleanField(default=False, verbose_name='All events (including newly created ones)')),
+                ('limit_events', models.ManyToManyField(blank=True, to='pretixbase.Event', verbose_name='Limit to events')),
+                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixbase.Organizer')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='WebHookCall',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('datetime', models.DateTimeField(auto_now_add=True)),
+                ('target_url', models.URLField()),
+                ('is_retry', models.BooleanField(default=False)),
+                ('execution_time', models.FloatField(null=True)),
+                ('return_code', models.PositiveIntegerField(default=0)),
+                ('payload', models.TextField()),
+                ('response_body', models.TextField()),
+                ('webhook', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixapi.WebHook')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='WebHookEventListener',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('action_type', models.CharField(max_length=255)),
+                ('webhook', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixapi.WebHook')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='webhookcall',
+            name='success',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='webhook',
+            name='all_events',
+            field=models.BooleanField(default=True, verbose_name='All events (including newly created ones)'),
+        ),
+        migrations.AlterField(
+            model_name='webhook',
+            name='organizer',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='webhooks', to='pretixbase.Organizer'),
+        ),
+        migrations.AlterField(
+            model_name='webhookcall',
+            name='webhook',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='calls', to='pretixapi.WebHook'),
+        ),
+        migrations.AlterField(
+            model_name='webhookeventlistener',
+            name='webhook',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='listeners', to='pretixapi.WebHook'),
+        ),
+        migrations.AddField(
+            model_name='webhookcall',
+            name='action_type',
+            field=models.CharField(default='', max_length=255),
+            preserve_default=False,
+        ),
+    ]
--- a/src/pretix/api/migrations/0004_auto_20190405_1048.py
+++ b/src/pretix/api/migrations/0004_auto_20190405_1048.py
@@ -0,0 +1,44 @@
+# Generated by Django 2.1.5 on 2019-04-05 10:48
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixbase', '0116_auto_20190402_0722'),
+        ('pretixapi', '0003_webhook_webhookcall_webhookeventlistener'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApiCall',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('idempotency_key', models.CharField(db_index=True, max_length=190)),
+                ('auth_hash', models.CharField(db_index=True, max_length=190)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('locked', models.DateTimeField(null=True)),
+                ('request_method', models.CharField(max_length=20)),
+                ('request_path', models.CharField(max_length=255)),
+                ('response_code', models.PositiveIntegerField()),
+                ('response_headers', models.TextField()),
+                ('response_body', models.BinaryField()),
+            ],
+        ),
+        migrations.AlterModelOptions(
+            name='webhookcall',
+            options={'ordering': ('-datetime',)},
+        ),
+        migrations.AlterModelOptions(
+            name='webhookeventlistener',
+            options={'ordering': ('action_type',)},
+        ),
+        migrations.AlterUniqueTogether(
+            name='apicall',
+            unique_together={('idempotency_key', 'auth_hash')},
+        ),
+    ]
--- a/src/pretix/api/models.py
+++ b/src/pretix/api/models.py
@@ -11,13 +11,13 @@ from oauth2_provider.models import (
    AbstractAccessToken, AbstractApplication, AbstractGrant,
    AbstractRefreshToken,
 )
-from oauth2_provider.validators import validate_uris
+from oauth2_provider.validators import URIValidator


 class OAuthApplication(AbstractApplication):
    name = models.CharField(verbose_name=_("Application name"), max_length=255, blank=False)
    redirect_uris = models.TextField(
-        blank=False, validators=[validate_uris],
+        blank=False, validators=[URIValidator],
        verbose_name=_("Redirection URIs"),
        help_text=_("Allowed URIs list, space separated")
    )
@@ -68,3 +68,61 @@ class OAuthRefreshToken(AbstractRefreshToken):
        OAuthAccessToken, on_delete=models.SET_NULL, blank=True, null=True,
        related_name="refresh_token"
    )
+
+
+class WebHook(models.Model):
+    organizer = models.ForeignKey('pretixbase.Organizer', on_delete=models.CASCADE, related_name='webhooks')
+    enabled = models.BooleanField(default=True, verbose_name=_("Enable webhook"))
+    target_url = models.URLField(verbose_name=_("Target URL"))
+    all_events = models.BooleanField(default=True, verbose_name=_("All events (including newly created ones)"))
+    limit_events = models.ManyToManyField('pretixbase.Event', verbose_name=_("Limit to events"), blank=True)
+
+    class Meta:
+        ordering = ('id',)
+
+    @property
+    def action_types(self):
+        return [
+            l.action_type for l in self.listeners.all()
+        ]
+
+
+class WebHookEventListener(models.Model):
+    webhook = models.ForeignKey('WebHook', on_delete=models.CASCADE, related_name='listeners')
+    action_type = models.CharField(max_length=255)
+
+    class Meta:
+        ordering = ("action_type",)
+
+
+class WebHookCall(models.Model):
+    webhook = models.ForeignKey('WebHook', on_delete=models.CASCADE, related_name='calls')
+    datetime = models.DateTimeField(auto_now_add=True)
+    target_url = models.URLField()
+    action_type = models.CharField(max_length=255)
+    is_retry = models.BooleanField(default=False)
+    execution_time = models.FloatField(null=True)
+    return_code = models.PositiveIntegerField(default=0)
+    success = models.BooleanField(default=False)
+    payload = models.TextField()
+    response_body = models.TextField()
+
+    class Meta:
+        ordering = ("-datetime",)
+
+
+class ApiCall(models.Model):
+    idempotency_key = models.CharField(max_length=190, db_index=True)
+    auth_hash = models.CharField(max_length=190, db_index=True)
+    created = models.DateTimeField(auto_now_add=True)
+    locked = models.DateTimeField(null=True)
+
+    request_method = models.CharField(max_length=20)
+    request_path = models.CharField(max_length=255)
+
+    response_code = models.PositiveIntegerField()
+    response_headers = models.TextField()
+    response_body = models.BinaryField()
+
+    class Meta:
+        unique_together = (('idempotency_key', 'auth_hash'),)
--- a/src/pretix/api/serializers/cart.py
+++ b/src/pretix/api/serializers/cart.py
@@ -19,18 +19,19 @@ class CartPositionSerializer(I18nAwareModelSerializer):

    class Meta:
        model = CartPosition
-        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
-                  'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
+        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
                  'answers',)


 class CartPositionCreateSerializer(I18nAwareModelSerializer):
    answers = AnswerCreateSerializer(many=True, required=False)
    expires = serializers.DateTimeField(required=False)
+    attendee_name = serializers.CharField(required=False, allow_null=True)

    class Meta:
        model = CartPosition
-        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
+        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
                  'subevent', 'expires', 'includes_tax', 'answers',)

    def create(self, validated_data):
@@ -65,6 +66,11 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                            quota.name
                        )
                    )
+            attendee_name = validated_data.pop('attendee_name', '')
+            if attendee_name and not validated_data.get('attendee_name_parts'):
+                validated_data['attendee_name_parts'] = {
+                    '_legacy': attendee_name
+                }
            cp = CartPosition.objects.create(event=self.context['event'], **validated_data)

        for answ_data in answers_data:
@@ -118,4 +124,8 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                raise ValidationError(
                    'You cannot specify a variation for this item.'
                )
+        if data.get('attendee_name') and data.get('attendee_name_parts'):
+            raise ValidationError(
+                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
+            )
        return data
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -1,9 +1,11 @@
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.utils.functional import cached_property
 from django.utils.translation import ugettext as _
 from django_countries.serializers import CountryFieldMixin
 from rest_framework.fields import Field
+from rest_framework.relations import SlugRelatedField

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Event, TaxRule
@@ -29,10 +31,10 @@ class PluginsField(Field):
    def to_representation(self, obj):
        from pretix.base.plugins import get_all_plugins

-        return {
+        return sorted([
            p.module for p in get_all_plugins()
            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
-        }
+        ])

    def to_internal_value(self, data):
        return {
@@ -46,7 +48,7 @@ class EventSerializer(I18nAwareModelSerializer):

    class Meta:
        model = Event
-        fields = ('name', 'slug', 'live', 'currency', 'date_from',
+        fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                  'date_to', 'date_admission', 'is_public', 'presale_start',
                  'presale_end', 'location', 'has_subevents', 'meta_data', 'plugins')

@@ -94,7 +96,7 @@ class EventSerializer(I18nAwareModelSerializer):
        from pretix.base.plugins import get_all_plugins

        plugins_available = {
-            p.module for p in get_all_plugins()
+            p.module for p in get_all_plugins(self.instance)
            if not p.name.startswith('.') and getattr(p, 'visible', True)
        }

@@ -107,7 +109,7 @@ class EventSerializer(I18nAwareModelSerializer):
    @transaction.atomic
    def create(self, validated_data):
        meta_data = validated_data.pop('meta_data', None)
-        plugins = validated_data.pop('plugins', None)
+        plugins = validated_data.pop('plugins', settings.PRETIX_PLUGINS_DEFAULT.split(','))
        event = super().create(validated_data)

        # Meta data
@@ -121,6 +123,7 @@ class EventSerializer(I18nAwareModelSerializer):
        # Plugins
        if plugins is not None:
            event.set_active_plugins(plugins)
+        event.save(update_fields=['plugins'])

        return event

@@ -188,16 +191,114 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):


 class SubEventSerializer(I18nAwareModelSerializer):
-    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True)
-    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True)
+    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True, required=False)
+    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True, required=False)
+    event = SlugRelatedField(slug_field='slug', read_only=True)
    meta_data = MetaDataField(source='*')

    class Meta:
        model = SubEvent
        fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
-                  'presale_start', 'presale_end', 'location',
+                  'presale_start', 'presale_end', 'location', 'event', 'is_public',
                  'item_price_overrides', 'variation_price_overrides', 'meta_data')

+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['request'].event
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Event.clean_dates(data.get('date_from'), data.get('date_to'))
+        Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
+
+        SubEvent.clean_items(event, [item['item'] for item in full_data.get('subeventitem_set', [])])
+        SubEvent.clean_variations(event, [item['variation'] for item in full_data.get('subeventitemvariation_set', [])])
+        return data
+
+    def validate_item_price_overrides(self, data):
+        return list(filter(lambda i: 'item' in i, data))
+
+    def validate_variation_price_overrides(self, data):
+        return list(filter(lambda i: 'variation' in i, data))
+
+    @cached_property
+    def meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].organizer.meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.meta_properties:
+                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        subevent = super().create(validated_data)
+
+        for item_price_override_data in item_price_overrides_data:
+            SubEventItem.objects.create(subevent=subevent, **item_price_override_data)
+        for variation_price_override_data in variation_price_overrides_data:
+            SubEventItemVariation.objects.create(subevent=subevent, **variation_price_override_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                subevent.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )
+
+        return subevent
+
+    @transaction.atomic
+    def update(self, instance, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        subevent = super().update(instance, validated_data)
+
+        existing_item_overrides = {item.item: item.id for item in SubEventItem.objects.filter(subevent=subevent)}
+
+        for item_price_override_data in item_price_overrides_data:
+            id = existing_item_overrides.pop(item_price_override_data['item'], None)
+            SubEventItem(id=id, subevent=subevent, **item_price_override_data).save()
+
+        SubEventItem.objects.filter(id__in=existing_item_overrides.values()).delete()
+
+        existing_variation_overrides = {item.variation: item.id for item in SubEventItemVariation.objects.filter(subevent=subevent)}
+
+        for variation_price_override_data in variation_price_overrides_data:
+            id = existing_variation_overrides.pop(variation_price_override_data['variation'], None)
+            SubEventItemVariation(id=id, subevent=subevent, **variation_price_override_data).save()
+
+        SubEventItemVariation.objects.filter(id__in=existing_variation_overrides.values()).delete()
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in subevent.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    subevent.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        return subevent
+

 class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
    class Meta:
--- a/src/pretix/api/serializers/i18n.py
+++ b/src/pretix/api/serializers/i18n.py
@@ -15,13 +15,20 @@ class I18nField(Field):
        super().__init__(**kwargs)

    def to_representation(self, value):
-        if value is None or value.data is None:
+        if hasattr(value, 'data'):
+            if isinstance(value.data, dict):
+                return value.data
+            elif value.data is None:
+                return None
+            else:
+                return {
+                    settings.LANGUAGE_CODE: str(value.data)
+                }
+        elif value is None:
            return None
-        if isinstance(value.data, dict):
-            return value.data
        else:
            return {
-                settings.LANGUAGE_CODE: str(value.data)
+                settings.LANGUAGE_CODE: str(value)
            }

    def to_internal_value(self, data):
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -7,23 +7,36 @@ from rest_framework import serializers

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
+    QuestionOption, Quota,
 )


 class InlineItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')


 class ItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')
+
+
+class InlineItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('bundled_item', 'bundled_variation', 'count',
+                  'designated_price')


 class InlineItemAddOnSerializer(serializers.ModelSerializer):
@@ -33,6 +46,31 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
                  'position', 'price_included')


+class ItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('id', 'bundled_item', 'bundled_variation', 'count',
+                  'designated_price')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        ItemBundle.clean_itemvar(event, full_data.get('bundled_item'), full_data.get('bundled_variation'))
+
+        item = self.context['item']
+        if item == full_data.get('bundled_item'):
+            raise ValidationError(_("The bundled item must not be the same item as the bundling one."))
+        if full_data.get('bundled_item'):
+            if full_data['bundled_item'].bundles.exists():
+                raise ValidationError(_("The bundled item must not have bundles on its own."))
+
+        return data
+
+
 class ItemAddOnSerializer(serializers.ModelSerializer):
    class Meta:
        model = ItemAddOn
@@ -69,17 +107,18 @@ class ItemTaxRateField(serializers.Field):

 class ItemSerializer(I18nAwareModelSerializer):
    addons = InlineItemAddOnSerializer(many=True, required=False)
+    bundles = InlineItemBundleSerializer(many=True, required=False)
    variations = InlineItemVariationSerializer(many=True, required=False)
    tax_rate = ItemTaxRateField(source='*', read_only=True)

    class Meta:
        model = Item
-        fields = ('id', 'category', 'name', 'internal_name', 'active', 'description',
+        fields = ('id', 'category', 'name', 'internal_name', 'active', 'sales_channels', 'description',
                  'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
                  'position', 'picture', 'available_from', 'available_until',
-                  'require_voucher', 'hide_without_voucher', 'allow_cancel',
-                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations',
-                  'variations', 'addons', 'original_price')
+                  'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
+                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
+                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets')
        read_only_fields = ('has_variations', 'picture')

    def get_serializer_context(self):
@@ -87,8 +126,8 @@ class ItemSerializer(I18nAwareModelSerializer):

    def validate(self, data):
        data = super().validate(data)
-        if self.instance and ('addons' in data or 'variations' in data):
-            raise ValidationError(_('Updating add-ons or variations via PATCH/PUT is not supported. Please use the '
+        if self.instance and ('addons' in data or 'variations' in data or 'bundles' in data):
+            raise ValidationError(_('Updating add-ons, bundles, or variations via PATCH/PUT is not supported. Please use the '
                                    'dedicated nested endpoint.'))

        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
@@ -104,6 +143,12 @@ class ItemSerializer(I18nAwareModelSerializer):
        Item.clean_tax_rule(value, self.context['event'])
        return value

+    def validate_bundles(self, value):
+        if not self.instance:
+            for b_data in value:
+                ItemBundle.clean_itemvar(self.context['event'], b_data['bundled_item'], b_data['bundled_variation'])
+        return value
+
    def validate_addons(self, value):
        if not self.instance:
            for addon_data in value:
@@ -117,11 +162,14 @@ class ItemSerializer(I18nAwareModelSerializer):
    def create(self, validated_data):
        variations_data = validated_data.pop('variations') if 'variations' in validated_data else {}
        addons_data = validated_data.pop('addons') if 'addons' in validated_data else {}
+        bundles_data = validated_data.pop('bundles') if 'bundles' in validated_data else {}
        item = Item.objects.create(**validated_data)
        for variation_data in variations_data:
            ItemVariation.objects.create(item=item, **variation_data)
        for addon_data in addons_data:
            ItemAddOn.objects.create(base_item=item, **addon_data)
+        for bundle_data in bundles_data:
+            ItemBundle.objects.create(base_item=item, **bundle_data)
        return item


@@ -159,12 +207,21 @@ class QuestionSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Question
        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin', 'identifier')
+                  'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_value',
+                  'hidden')

    def validate_identifier(self, value):
        Question._clean_identifier(self.context['event'], value, self.instance)
        return value

+    def validate_dependency_question(self, value):
+        if value:
+            if value.type not in (Question.TYPE_CHOICE, Question.TYPE_BOOLEAN, Question.TYPE_CHOICE_MULTIPLE):
+                raise ValidationError('Question dependencies can only be set to boolean or choice questions.')
+        if value == self.instance:
+            raise ValidationError('A question cannot depend on itself.')
+        return value
+
    def validate(self, data):
        data = super().validate(data)
        if self.instance and 'options' in data:
@@ -176,6 +233,18 @@ class QuestionSerializer(I18nAwareModelSerializer):
        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
        full_data.update(data)

+        if full_data.get('ask_during_checkin') and full_data.get('dependency_question'):
+            raise ValidationError('Dependencies are not supported during check-in.')
+
+        dep = full_data.get('dependency_question')
+        if dep:
+            seen_ids = {self.instance.pk} if self.instance else set()
+            while dep:
+                if dep.pk in seen_ids:
+                    raise ValidationError(_('Circular dependency between questions detected.'))
+                seen_ids.add(dep.pk)
+                dep = dep.dependency_question
+
        Question.clean_items(event, full_data.get('items'))
        return data

--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -7,14 +7,19 @@ from django.utils.translation import ugettext_lazy
 from django_countries.fields import Country
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
+from rest_framework.relations import SlugRelatedField
 from rest_framework.reverse import reverse

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.channels import get_all_sales_channels
+from pretix.base.i18n import language
 from pretix.base.models import (
-    Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
-    Question, QuestionAnswer,
+    Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
+    OrderPosition, Question, QuestionAnswer, SubEvent,
+)
+from pretix.base.models.orders import (
+    CartPosition, OrderFee, OrderPayment, OrderRefund,
 )
-from pretix.base.models.orders import CartPosition, OrderFee
 from pretix.base.pdf import get_variables
 from pretix.base.signals import register_ticket_outputs

@@ -32,11 +37,12 @@ class CompatibleCountryField(serializers.Field):

 class InvoiceAddressSerializer(I18nAwareModelSerializer):
    country = CompatibleCountryField(source='*')
+    name = serializers.CharField(required=False)

    class Meta:
        model = InvoiceAddress
-        fields = ('last_modified', 'is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
-                  'vat_id_validated', 'internal_reference')
+        fields = ('last_modified', 'is_business', 'company', 'name', 'name_parts', 'street', 'zipcode', 'city', 'country',
+                  'vat_id', 'vat_id_validated', 'internal_reference')
        read_only_fields = ('last_modified', 'vat_id_validated')

    def __init__(self, *args, **kwargs):
@@ -45,6 +51,15 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
            v.required = False
            v.allow_blank = True

+    def validate(self, data):
+        if data.get('name') and data.get('name_parts'):
+            raise ValidationError(
+                {'name': ['Do not specify name if you specified name_parts.']}
+            )
+        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
+            data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
+        return data
+

 class AnswerQuestionIdentifierField(serializers.Field):
    def to_representation(self, instance: QuestionAnswer):
@@ -74,7 +89,8 @@ class CheckinSerializer(I18nAwareModelSerializer):
 class OrderDownloadsField(serializers.Field):
    def to_representation(self, instance: Order):
        if instance.status != Order.STATUS_PAID:
-            return []
+            if instance.status != Order.STATUS_PENDING or instance.require_approval or not instance.event.settings.ticket_download_pending:
+                return []

        request = self.context['request']
        res = []
@@ -97,10 +113,9 @@ class OrderDownloadsField(serializers.Field):
 class PositionDownloadsField(serializers.Field):
    def to_representation(self, instance: OrderPosition):
        if instance.order.status != Order.STATUS_PAID:
-            return []
-        if instance.addon_to_id and not instance.order.event.settings.ticket_download_addons:
-            return []
-        if not instance.item.admission and not instance.order.event.settings.ticket_download_nonadm:
+            if instance.order.status != Order.STATUS_PENDING or instance.order.require_approval or not instance.order.event.settings.ticket_download_pending:
+                return []
+        if not instance.generate_ticket:
            return []

        request = self.context['request']
@@ -126,13 +141,21 @@ class PdfDataSerializer(serializers.Field):
        res = {}

        ev = instance.subevent or instance.order.event
+        with language(instance.order.locale):
+            # This needs to have some extra performance improvements to avoid creating hundreds of queries when
+            # we serialize a list.

-        pdfvars = get_variables(instance.order.event)
-        for k, f in pdfvars.items():
-            res[k] = f['evaluate'](instance, instance.order, ev)
+            if 'vars' not in self.context:
+                self.context['vars'] = get_variables(self.context['request'].event)

-        for k, v in ev.meta_data.items():
-            res['meta:' + k] = v
+            for k, f in self.context['vars'].items():
+                res[k] = f['evaluate'](instance, instance.order, ev)
+
+            if not hasattr(ev, '_cached_meta_data'):
+                ev._cached_meta_data = ev.meta_data
+
+            for k, v in ev._cached_meta_data.items():
+                res['meta:' + k] = v

        return res

@@ -146,9 +169,9 @@ class OrderPositionSerializer(I18nAwareModelSerializer):

    class Meta:
        model = OrderPosition
-        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
-                  'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins', 'downloads',
-                  'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')
+        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -156,29 +179,180 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
            self.fields.pop('pdf_data')


+class RequireAttentionField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        return instance.order.checkin_attention or instance.item.checkin_attention
+
+
+class AttendeeNameField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+        if not an:
+            try:
+                an = instance.order.invoice_address.name
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return an
+
+
+class AttendeeNamePartsField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        p = instance.attendee_name_parts
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+                p = instance.addon_to.attendee_name_parts
+        if not an:
+            try:
+                p = instance.order.invoice_address.name_parts
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return p
+
+
+class CheckinListOrderPositionSerializer(OrderPositionSerializer):
+    require_attention = RequireAttentionField(source='*')
+    attendee_name = AttendeeNameField(source='*')
+    attendee_name_parts = AttendeeNamePartsField(source='*')
+    order__status = serializers.SlugRelatedField(read_only=True, slug_field='status', source='order')
+
+    class Meta:
+        model = OrderPosition
+        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'require_attention',
+                  'order__status')
+
+
+class OrderPaymentTypeField(serializers.Field):
+    # TODO: Remove after pretix 2.2
+    def to_representation(self, instance: Order):
+        t = None
+        for p in instance.payments.all():
+            t = p.provider
+        return t
+
+
+class OrderPaymentDateField(serializers.DateField):
+    # TODO: Remove after pretix 2.2
+    def to_representation(self, instance: Order):
+        t = None
+        for p in instance.payments.all():
+            t = p.payment_date or t
+        if t:
+
+            return super().to_representation(t.date())
+
+
 class OrderFeeSerializer(I18nAwareModelSerializer):
    class Meta:
        model = OrderFee
        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule')


+class OrderPaymentSerializer(I18nAwareModelSerializer):
+    class Meta:
+        model = OrderPayment
+        fields = ('local_id', 'state', 'amount', 'created', 'payment_date', 'provider')
+
+
+class OrderRefundSerializer(I18nAwareModelSerializer):
+    payment = SlugRelatedField(slug_field='local_id', read_only=True)
+
+    class Meta:
+        model = OrderRefund
+        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'provider')
+
+
 class OrderSerializer(I18nAwareModelSerializer):
-    invoice_address = InvoiceAddressSerializer()
-    positions = OrderPositionSerializer(many=True)
-    fees = OrderFeeSerializer(many=True)
-    downloads = OrderDownloadsField(source='*')
+    invoice_address = InvoiceAddressSerializer(allow_null=True)
+    positions = OrderPositionSerializer(many=True, read_only=True)
+    fees = OrderFeeSerializer(many=True, read_only=True)
+    downloads = OrderDownloadsField(source='*', read_only=True)
+    payments = OrderPaymentSerializer(many=True, read_only=True)
+    refunds = OrderRefundSerializer(many=True, read_only=True)
+    payment_date = OrderPaymentDateField(source='*', read_only=True)
+    payment_provider = OrderPaymentTypeField(source='*', read_only=True)

    class Meta:
        model = Order
-        fields = ('code', 'status', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
-                  'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'checkin_attention', 'last_modified')
+        fields = (
+            'code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
+            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )
+        read_only_fields = (
+            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'positions', 'downloads',
+            'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
            self.fields['positions'].child.fields.pop('pdf_data')

+    def validate_locale(self, l):
+        if l not in set(k for k in self.instance.event.settings.locales):
+            raise ValidationError('"{}" is not a supported locale for this event.'.format(l))
+        return l
+
+    def update(self, instance, validated_data):
+        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
+        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
+        update_fields = ['comment', 'checkin_attention', 'email', 'locale']
+        print(validated_data)
+
+        if 'invoice_address' in validated_data:
+            iadata = validated_data.pop('invoice_address')
+
+            if not iadata:
+                try:
+                    instance.invoice_address.delete()
+                except InvoiceAddress.DoesNotExist:
+                    pass
+            else:
+                name = iadata.pop('name', '')
+                if name and not iadata.get('name_parts'):
+                    iadata['name_parts'] = {
+                        '_legacy': name
+                    }
+                try:
+                    ia = instance.invoice_address
+                    if iadata.get('vat_id') != ia.vat_id:
+                        ia.vat_id_validated = False
+                    self.fields['invoice_address'].update(ia, iadata)
+                except InvoiceAddress.DoesNotExist:
+                    InvoiceAddress.objects.create(order=instance, **iadata)
+
+        for attr, value in validated_data.items():
+            if attr in update_fields:
+                setattr(instance, attr, value)
+
+        instance.save(update_fields=update_fields)
+        return instance
+
+
+class PriceCalcSerializer(serializers.Serializer):
+    item = serializers.PrimaryKeyRelatedField(queryset=Item.objects.none(), required=False, allow_null=True)
+    variation = serializers.PrimaryKeyRelatedField(queryset=ItemVariation.objects.none(), required=False, allow_null=True)
+    subevent = serializers.PrimaryKeyRelatedField(queryset=SubEvent.objects.none(), required=False, allow_null=True)
+    locale = serializers.CharField(allow_null=True, required=False)
+
+    def __init__(self, *args, **kwargs):
+        event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        self.fields['item'].queryset = event.items.all()
+        self.fields['variation'].queryset = ItemVariation.objects.filter(item__event=event)
+        if event.has_subevents:
+            self.fields['subevent'].queryset = event.subevents.all()
+        else:
+            del self.fields['subevent']
+

 class AnswerCreateSerializer(I18nAwareModelSerializer):

@@ -255,14 +429,15 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
    answers = AnswerCreateSerializer(many=True, required=False)
    addon_to = serializers.IntegerField(required=False, allow_null=True)
    secret = serializers.CharField(required=False)
+    attendee_name = serializers.CharField(required=False, allow_null=True)

    class Meta:
        model = OrderPosition
-        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
+        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
                  'secret', 'addon_to', 'subevent', 'answers')

    def validate_secret(self, secret):
-        if secret and OrderPosition.objects.filter(order__event=self.context['event'], secret=secret).exists():
+        if secret and OrderPosition.all.filter(order__event=self.context['event'], secret=secret).exists():
            raise ValidationError(
                'You cannot assign a position secret that already exists.'
            )
@@ -309,6 +484,12 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
                raise ValidationError(
                    {'variation': ['You cannot specify a variation for this item.']}
                )
+        if data.get('attendee_name') and data.get('attendee_name_parts'):
+            raise ValidationError(
+                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
+            )
+        if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
+            data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
        return data


@@ -342,17 +523,24 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
    payment_provider = serializers.CharField(required=True)
    payment_info = CompatibleJSONField(required=False)
    consume_carts = serializers.ListField(child=serializers.CharField(), required=False)
+    force = serializers.BooleanField(default=False, required=False)
+    payment_date = serializers.DateTimeField(required=False, allow_null=True)

    class Meta:
        model = Order
-        fields = ('code', 'status', 'email', 'locale', 'payment_provider', 'fees', 'comment',
-                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts')
+        fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
+                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts', 'force')

    def validate_payment_provider(self, pp):
        if pp not in self.context['event'].get_payment_providers():
            raise ValidationError('The given payment provider is not known.')
        return pp

+    def validate_sales_channel(self, channel):
+        if channel not in get_all_sales_channels():
+            raise ValidationError('Unknown sales channel.')
+        return channel
+
    def validate_code(self, code):
        if code and Order.objects.filter(event__organizer=self.context['event'].organizer, code=code).exists():
            raise ValidationError(
@@ -410,8 +598,19 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
    def create(self, validated_data):
        fees_data = validated_data.pop('fees') if 'fees' in validated_data else []
        positions_data = validated_data.pop('positions') if 'positions' in validated_data else []
+        payment_provider = validated_data.pop('payment_provider')
+        payment_info = validated_data.pop('payment_info', '{}')
+        payment_date = validated_data.pop('payment_date', now())
+        force = validated_data.pop('force', False)
+
        if 'invoice_address' in validated_data:
-            ia = InvoiceAddress(**validated_data.pop('invoice_address'))
+            iadata = validated_data.pop('invoice_address')
+            name = iadata.pop('name', '')
+            if name and not iadata.get('name_parts'):
+                iadata['name_parts'] = {
+                    '_legacy': name
+                }
+            ia = InvoiceAddress(**iadata)
        else:
            ia = None

@@ -436,52 +635,79 @@ class OrderCreateSerializer(I18nAwareModelSerializer):

            errs = [{} for p in positions_data]

-            for i, pos_data in enumerate(positions_data):
-                new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
-                              if pos_data.get('variation')
-                              else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
-                if len(new_quotas) == 0:
-                    errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
-                        str(pos_data.get('item'))
-                    )]
-                else:
-                    for quota in new_quotas:
-                        if quota not in quota_avail_cache:
-                            quota_avail_cache[quota] = list(quota.availability())
+            if not force:
+                for i, pos_data in enumerate(positions_data):
+                    new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
+                                  if pos_data.get('variation')
+                                  else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
+                    if len(new_quotas) == 0:
+                        errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                            str(pos_data.get('item'))
+                        )]
+                    else:
+                        for quota in new_quotas:
+                            if quota not in quota_avail_cache:
+                                quota_avail_cache[quota] = list(quota.availability())

-                        if quota_avail_cache[quota][1] is not None:
-                            quota_avail_cache[quota][1] -= 1
-                            if quota_avail_cache[quota][1] < 0:
-                                errs[i]['item'] = [
-                                    ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
-                                        quota.name
-                                    )
-                                ]
+                            if quota_avail_cache[quota][1] is not None:
+                                quota_avail_cache[quota][1] -= 1
+                                if quota_avail_cache[quota][1] < 0:
+                                    errs[i]['item'] = [
+                                        ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                            quota.name
+                                        )
+                                    ]

-                quotadiff.update(new_quotas)
+                    quotadiff.update(new_quotas)

            if any(errs):
                raise ValidationError({'positions': errs})

+            if validated_data.get('locale', None) is None:
+                validated_data['locale'] = self.context['event'].settings.locale
            order = Order(event=self.context['event'], **validated_data)
-            order.set_expires(subevents=[p['subevent'] for p in positions_data])
+            order.set_expires(subevents=[p.get('subevent') for p in positions_data])
            order.total = sum([p['price'] for p in positions_data]) + sum([f['value'] for f in fees_data], Decimal('0.00'))
            order.meta_info = "{}"
-            if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
-                order.payment_provider = 'free'
-                order.status = Order.STATUS_PAID
-            elif order.payment_provider == "free" and order.total != Decimal('0.00'):
-                raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
-            if validated_data.get('status') == Order.STATUS_PAID:
-                order.payment_date = now()
            order.save()
+
+            if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
+                order.status = Order.STATUS_PAID
+                order.save()
+                order.payments.create(
+                    amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
+                    payment_date=now()
+                )
+            elif payment_provider == "free" and order.total != Decimal('0.00'):
+                raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
+            elif validated_data.get('status') == Order.STATUS_PAID:
+                order.payments.create(
+                    amount=order.total,
+                    provider=payment_provider,
+                    info=payment_info,
+                    payment_date=payment_date,
+                    state=OrderPayment.PAYMENT_STATE_CONFIRMED
+                )
+            elif payment_provider:
+                order.payments.create(
+                    amount=order.total,
+                    provider=payment_provider,
+                    info=payment_info,
+                    state=OrderPayment.PAYMENT_STATE_CREATED
+                )
+
            if ia:
                ia.order = order
                ia.save()
            pos_map = {}
            for pos_data in positions_data:
-                answers_data = pos_data.pop('answers')
-                addon_to = pos_data.pop('addon_to')
+                answers_data = pos_data.pop('answers', [])
+                addon_to = pos_data.pop('addon_to', None)
+                attendee_name = pos_data.pop('attendee_name', '')
+                if attendee_name and not pos_data.get('attendee_name_parts'):
+                    pos_data['attendee_name_parts'] = {
+                        '_legacy': attendee_name
+                    }
                pos = OrderPosition(**pos_data)
                pos.order = order
                pos._calculate_tax()
@@ -490,7 +716,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                pos.save()
                pos_map[pos.positionid] = pos
                for answ_data in answers_data:
-                    options = answ_data.pop('options')
+                    options = answ_data.pop('options', [])
                    answ = pos.answers.create(**answ_data)
                    answ.options.add(*options)

@@ -522,3 +748,27 @@ class InvoiceSerializer(I18nAwareModelSerializer):
                  'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines',
                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date',
                  'internal_reference')
+
+
+class OrderRefundCreateSerializer(I18nAwareModelSerializer):
+    payment = serializers.IntegerField(required=False, allow_null=True)
+    provider = serializers.CharField(required=True, allow_null=False, allow_blank=False)
+    info = CompatibleJSONField(required=False)
+
+    class Meta:
+        model = OrderRefund
+        fields = ('state', 'source', 'amount', 'payment', 'execution_date', 'provider', 'info')
+
+    def create(self, validated_data):
+        pid = validated_data.pop('payment', None)
+        if pid:
+            try:
+                p = self.context['order'].payments.get(local_id=pid)
+            except OrderPayment.DoesNotExist:
+                raise ValidationError('Unknown payment ID.')
+        else:
+            p = None
+
+        order = OrderRefund(order=self.context['order'], payment=p, **validated_data)
+        order.save()
+        return order
--- a/src/pretix/api/serializers/voucher.py
+++ b/src/pretix/api/serializers/voucher.py
@@ -1,7 +1,27 @@
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Voucher


+class VoucherListSerializer(serializers.ListSerializer):
+    def create(self, validated_data):
+        codes = set()
+        errs = []
+        err = False
+        for voucher_data in validated_data:
+            if voucher_data['code'] in codes:
+                err = True
+                errs.append({'code': ['Duplicate voucher code in request.']})
+            else:
+                codes.add(voucher_data['code'])
+                errs.append({})
+        if err:
+            raise ValidationError(errs)
+        return super().create(validated_data)
+
+
 class VoucherSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Voucher
@@ -9,6 +29,7 @@ class VoucherSerializer(I18nAwareModelSerializer):
                  'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
                  'tag', 'comment', 'subevent')
        read_only_fields = ('id', 'redeemed')
+        list_serializer_class = VoucherListSerializer

    def validate(self, data):
        data = super().validate(data)
--- a/src/pretix/api/serializers/waitinglist.py
+++ b/src/pretix/api/serializers/waitinglist.py
@@ -8,7 +8,7 @@ class WaitingListSerializer(I18nAwareModelSerializer):

    class Meta:
        model = WaitingListEntry
-        fields = ('id', 'created', 'email', 'voucher', 'item', 'variation', 'locale', 'subevent')
+        fields = ('id', 'created', 'email', 'voucher', 'item', 'variation', 'locale', 'subevent', 'priority')
        read_only_fields = ('id', 'created', 'voucher')

    def validate(self, data):
--- a/src/pretix/api/serializers/webhooks.py
+++ b/src/pretix/api/serializers/webhooks.py
@@ -0,0 +1,71 @@
+from django.core.exceptions import ValidationError
+from rest_framework import serializers
+
+from pretix.api.models import WebHook
+from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.api.webhooks import get_all_webhook_events
+from pretix.base.models import Event
+
+
+class EventRelatedField(serializers.SlugRelatedField):
+    def get_queryset(self):
+        return self.context['organizer'].events.all()
+
+
+class ActionTypesField(serializers.Field):
+    def to_representation(self, instance: WebHook):
+        return instance.action_types
+
+    def to_internal_value(self, data):
+        types = get_all_webhook_events()
+        for d in data:
+            if d not in types:
+                raise ValidationError('Invalid action type "%s".' % d)
+        return {'action_types': data}
+
+
+class WebHookSerializer(I18nAwareModelSerializer):
+    limit_events = EventRelatedField(
+        slug_field='slug',
+        queryset=Event.objects.none(),
+        many=True
+    )
+    action_types = ActionTypesField(source='*')
+
+    class Meta:
+        model = WebHook
+        fields = ('id', 'enabled', 'target_url', 'all_events', 'limit_events', 'action_types')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        for event in full_data.get('limit_events'):
+            if self.context['organizer'] != event.organizer:
+                raise ValidationError('One or more events do not belong to this organizer.')
+
+        if full_data.get('limit_events') and full_data.get('all_events'):
+            raise ValidationError('You can set either limit_events or all_events.')
+
+        return data
+
+    def create(self, validated_data):
+        action_types = validated_data.pop('action_types')
+        inst = super().create(validated_data)
+        for l in action_types:
+            inst.listeners.create(action_type=l)
+        return inst
+
+    def update(self, instance, validated_data):
+        action_types = validated_data.pop('action_types', None)
+        instance = super().update(instance, validated_data)
+        if action_types is not None:
+            current_listeners = set(instance.listeners.values_list('action_type', flat=True))
+            new_listeners = set(action_types)
+            for l in current_listeners - new_listeners:
+                instance.listeners.filter(action_type=l).delete()
+            for l in new_listeners - current_listeners:
+                instance.listeners.create(action_type=l)
+        return instance
--- a/src/pretix/api/signals.py
+++ b/src/pretix/api/signals.py
@@ -0,0 +1,26 @@
+from datetime import timedelta
+
+from django.dispatch import Signal, receiver
+from django.utils.timezone import now
+
+from pretix.api.models import ApiCall, WebHookCall
+from pretix.base.signals import periodic_task
+
+register_webhook_events = Signal(
+    providing_args=[]
+)
+"""
+This signal is sent out to get all known webhook events. Receivers should return an
+instance of a subclass of pretix.api.webhooks.WebhookEvent or a list of such
+instances.
+"""
+
+
+@receiver(periodic_task)
+def cleanup_webhook_logs(sender, **kwargs):
+    WebHookCall.objects.filter(datetime__lte=now() - timedelta(days=30)).delete()
+
+
+@receiver(periodic_task)
+def cleanup_api_logs(sender, **kwargs):
+    ApiCall.objects.filter(created__lte=now() - timedelta(hours=24)).delete()
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -7,7 +7,8 @@ from rest_framework import routers
 from pretix.api.views import cart

 from .views import (
-    checkin, event, item, oauth, order, organizer, voucher, waitinglist,
+    checkin, device, event, item, oauth, order, organizer, user, voucher,
+    waitinglist, webhooks,
 )

 router = routers.DefaultRouter()
@@ -15,6 +16,8 @@ router.register(r'organizers', organizer.OrganizerViewSet)

 orga_router = routers.DefaultRouter()
 orga_router.register(r'events', event.EventViewSet)
+orga_router.register(r'subevents', event.SubEventViewSet)
+orga_router.register(r'webhooks', webhooks.WebHookViewSet)

 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
@@ -41,6 +44,11 @@ question_router.register(r'options', item.QuestionOptionViewSet)
 item_router = routers.DefaultRouter()
 item_router.register(r'variations', item.ItemVariationViewSet)
 item_router.register(r'addons', item.ItemAddOnViewSet)
+item_router.register(r'bundles', item.ItemBundleViewSet)
+
+order_router = routers.DefaultRouter()
+order_router.register(r'payments', order.PaymentViewSet)
+order_router.register(r'refunds', order.RefundViewSet)

 # Force import of all plugins to give them a chance to register URLs with the router
 for app in apps.get_app_configs():
@@ -57,7 +65,13 @@ urlpatterns = [
        include(question_router.urls)),
    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/checkinlists/(?P<list>[^/]+)/',
        include(checkinlist_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/orders/(?P<order>[^/]+)/', include(order_router.urls)),
    url(r"^oauth/authorize$", oauth.AuthorizationView.as_view(), name="authorize"),
    url(r"^oauth/token$", oauth.TokenView.as_view(), name="token"),
    url(r"^oauth/revoke_token$", oauth.RevokeTokenView.as_view(), name="revoke-token"),
+    url(r"^device/initialize$", device.InitializeView.as_view(), name="device.initialize"),
+    url(r"^device/update$", device.UpdateView.as_view(), name="device.update"),
+    url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
+    url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
+    url(r"^me$", user.MeView.as_view(), name="user.me"),
 ]
--- a/src/pretix/api/views/init.py
+++ b/src/pretix/api/views/init.py
@@ -31,12 +31,15 @@ class RichOrderingFilter(OrderingFilter):
 class ConditionalListView:

    def list(self, request, **kwargs):
-        if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE')
+        if_modified_since = request.headers.get('If-Modified-Since')
        if if_modified_since:
            if_modified_since = parse_http_date_safe(if_modified_since)
-        if_unmodified_since = request.META.get('HTTP_IF_UNMODIFIED_SINCE')
+        if_unmodified_since = request.headers.get('If-Unmodified-Since')
        if if_unmodified_since:
            if_unmodified_since = parse_http_date_safe(if_unmodified_since)
+        if not hasattr(request, 'event'):
+            return super().list(request, **kwargs)
+
        lmd = request.event.logentry_set.filter(
            content_type__model=self.queryset.model._meta.model_name,
            content_type__app_label=self.queryset.model._meta.app_label,
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -1,21 +1,24 @@
 from django.core.exceptions import ValidationError
-from django.db.models import Count, F, Max, OuterRef, Prefetch, Subquery
+from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery
 from django.db.models.functions import Coalesce
+from django.http import Http404
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.fields import DateTimeField
 from rest_framework.response import Response

 from pretix.api.serializers.checkin import CheckinListSerializer
 from pretix.api.serializers.item import QuestionSerializer
-from pretix.api.serializers.order import OrderPositionSerializer
+from pretix.api.serializers.order import CheckinListOrderPositionSerializer
 from pretix.api.views import RichOrderingFilter
 from pretix.api.views.order import OrderPositionFilter
-from pretix.base.models import Checkin, CheckinList, Order, OrderPosition
+from pretix.base.models import (
+    Checkin, CheckinList, Event, Order, OrderPosition,
+)
 from pretix.base.services.checkin import (
    CheckInError, RequiredQuestionsError, perform_checkin,
 )
@@ -32,7 +35,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
    serializer_class = CheckinListSerializer
    queryset = CheckinList.objects.none()
    filter_backends = (DjangoFilterBackend,)
-    filter_class = CheckinListFilter
+    filterset_class = CheckinListFilter
    permission = 'can_view_orders'
    write_permission = 'can_change_event_settings'

@@ -74,7 +77,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        )
        super().perform_destroy(instance)

-    @detail_route(methods=['GET'])
+    @action(detail=True, methods=['GET'])
    def status(self, *args, **kwargs):
        clist = self.get_object()
        cqs = Checkin.objects.filter(
@@ -150,10 +153,10 @@ class CheckinOrderPositionFilter(OrderPositionFilter):


 class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
-    serializer_class = OrderPositionSerializer
+    serializer_class = CheckinListOrderPositionSerializer
    queryset = OrderPosition.objects.none()
    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
-    ordering = ('attendee_name', 'positionid')
+    ordering = ('attendee_name_cached', 'positionid')
    ordering_fields = (
        'order__code', 'order__datetime', 'positionid', 'attendee_name',
        'last_checked_in', 'order__email',
@@ -161,11 +164,11 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
    ordering_custom = {
        'attendee_name': {
            '_order': F('display_name').asc(nulls_first=True),
-            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
        },
        '-attendee_name': {
            '_order': F('display_name').desc(nulls_last=True),
-            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
        },
        'last_checked_in': {
            '_order': FixedOrderBy(F('last_checked_in'), nulls_first=True),
@@ -175,15 +178,18 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
        },
    }

-    filter_class = CheckinOrderPositionFilter
+    filterset_class = CheckinOrderPositionFilter
    permission = 'can_view_orders'
    write_permission = 'can_change_orders'

    @cached_property
    def checkinlist(self):
-        return get_object_or_404(CheckinList, event=self.request.event, pk=self.kwargs.get("list"))
+        try:
+            return get_object_or_404(CheckinList, event=self.request.event, pk=self.kwargs.get("list"))
+        except ValueError:
+            raise Http404()

-    def get_queryset(self):
+    def get_queryset(self, ignore_status=False):
        cqs = Checkin.objects.filter(
            position_id=OuterRef('pk'),
            list_id=self.checkinlist.pk
@@ -193,28 +199,59 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):

        qs = OrderPosition.objects.filter(
            order__event=self.request.event,
-            order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING] if self.checkinlist.include_pending else [Order.STATUS_PAID],
            subevent=self.checkinlist.subevent
        ).annotate(
            last_checked_in=Subquery(cqs)
-        ).prefetch_related(
-            Prefetch(
-                lookup='checkins',
-                queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+        )
+
+        if self.request.query_params.get('ignore_status', 'false') != 'true' and not ignore_status:
+            qs = qs.filter(
+                order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING] if self.checkinlist.include_pending else [Order.STATUS_PAID]
            )
-        ).select_related('item', 'variation', 'order', 'addon_to')
+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                Prefetch(
+                    lookup='checkins',
+                    queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+                ),
+                'checkins', 'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation')),
+                Prefetch('order', Order.objects.select_related('invoice_address').prefetch_related(
+                    Prefetch(
+                        'event',
+                        Event.objects.select_related('organizer')
+                    ),
+                    Prefetch(
+                        'positions',
+                        OrderPosition.objects.prefetch_related(
+                            'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        )
+                    )
+                ))
+            ).select_related(
+                'item', 'variation', 'item__category', 'addon_to', 'order', 'order__invoice_address'
+            )
+        else:
+            qs = qs.prefetch_related(
+                Prefetch(
+                    lookup='checkins',
+                    queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+                ),
+                'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order')

        if not self.checkinlist.all_products:
            qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))

        return qs

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def redeem(self, *args, **kwargs):
        force = bool(self.request.data.get('force', False))
        ignore_unpaid = bool(self.request.data.get('ignore_unpaid', False))
        nonce = self.request.data.get('nonce')
-        op = self.get_object()
+        op = self.get_object(ignore_status=True)

        if 'datetime' in self.request.data:
            dt = DateTimeField().to_internal_value(self.request.data.get('datetime'))
@@ -240,11 +277,15 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                ignore_unpaid=ignore_unpaid,
                nonce=nonce,
                datetime=dt,
-                questions_supported=self.request.data.get('questions_supported', True)
+                questions_supported=self.request.data.get('questions_supported', True),
+                user=self.request.user,
+                auth=self.request.auth,
            )
        except RequiredQuestionsError as e:
            return Response({
                'status': 'incomplete',
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data,
                'questions': [
                    QuestionSerializer(q).data for q in e.questions
                ]
@@ -252,9 +293,21 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
        except CheckInError as e:
            return Response({
                'status': 'error',
-                'reason': e.code
+                'reason': e.code,
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data
            }, status=400)
        else:
            return Response({
                'status': 'ok',
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data
            }, status=201)
+
+    def get_object(self, ignore_status=False):
+        queryset = self.filter_queryset(self.get_queryset(ignore_status=ignore_status))
+        if self.kwargs['pk'].isnumeric():
+            obj = get_object_or_404(queryset, Q(pk=self.kwargs['pk']) | Q(secret=self.kwargs['pk']))
+        else:
+            obj = get_object_or_404(queryset, secret=self.kwargs['pk'])
+        return obj
--- a/src/pretix/api/views/device.py
+++ b/src/pretix/api/views/device.py
@@ -0,0 +1,113 @@
+import logging
+
+from django.utils.timezone import now
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.base.models import Device
+from pretix.base.models.devices import generate_api_token
+
+logger = logging.getLogger(__name__)
+
+
+class InitializationRequestSerializer(serializers.Serializer):
+    token = serializers.CharField(max_length=190)
+    hardware_brand = serializers.CharField(max_length=190)
+    hardware_model = serializers.CharField(max_length=190)
+    software_brand = serializers.CharField(max_length=190)
+    software_version = serializers.CharField(max_length=190)
+
+
+class UpdateRequestSerializer(serializers.Serializer):
+    hardware_brand = serializers.CharField(max_length=190)
+    hardware_model = serializers.CharField(max_length=190)
+    software_brand = serializers.CharField(max_length=190)
+    software_version = serializers.CharField(max_length=190)
+
+
+class DeviceSerializer(serializers.ModelSerializer):
+    organizer = serializers.SlugRelatedField(slug_field='slug', read_only=True)
+
+    class Meta:
+        model = Device
+        fields = [
+            'organizer', 'device_id', 'unique_serial', 'api_token',
+            'name'
+        ]
+
+
+class InitializeView(APIView):
+    authentication_classes = tuple()
+    permission_classes = tuple()
+
+    def post(self, request, format=None):
+        serializer = InitializationRequestSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        try:
+            device = Device.objects.get(initialization_token=serializer.validated_data.get('token'))
+        except Device.DoesNotExist:
+            raise ValidationError({'token': ['Unknown initialization token.']})
+
+        if device.initialized:
+            raise ValidationError({'token': ['This initialization token has already been used.']})
+
+        device.initialized = now()
+        device.hardware_brand = serializer.validated_data.get('hardware_brand')
+        device.hardware_model = serializer.validated_data.get('hardware_model')
+        device.software_brand = serializer.validated_data.get('software_brand')
+        device.software_version = serializer.validated_data.get('software_version')
+        device.api_token = generate_api_token()
+        device.save()
+
+        device.log_action('pretix.device.initialized', data=serializer.validated_data, auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class UpdateView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        serializer = UpdateRequestSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        device = request.auth
+        device.hardware_brand = serializer.validated_data.get('hardware_brand')
+        device.hardware_model = serializer.validated_data.get('hardware_model')
+        device.software_brand = serializer.validated_data.get('software_brand')
+        device.software_version = serializer.validated_data.get('software_version')
+        device.save()
+        device.log_action('pretix.device.updated', data=serializer.validated_data, auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class RollKeyView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        device = request.auth
+        device.api_token = generate_api_token()
+        device.save()
+        device.log_action('pretix.device.keyroll', auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class RevokeKeyView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        device = request.auth
+        device.revoked = True
+        device.save()
+        device.log_action('pretix.device.revoked', auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -1,5 +1,7 @@
+import django_filters
 from django.db import transaction
-from django.db.models import ProtectedError
+from django.db.models import ProtectedError, Q
+from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
 from rest_framework.exceptions import PermissionDenied
@@ -10,20 +12,79 @@ from pretix.api.serializers.event import (
    TaxRuleSerializer,
 )
 from pretix.api.views import ConditionalListView
-from pretix.base.models import Event, ItemCategory, TaxRule
+from pretix.base.models import (
+    CartPosition, Device, Event, ItemCategory, TaxRule, TeamAPIToken,
+)
 from pretix.base.models.event import SubEvent
 from pretix.helpers.dicts import merge_dicts


+class EventFilter(FilterSet):
+    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+
+    class Meta:
+        model = Event
+        fields = ['is_public', 'live', 'has_subevents']
+
+    def ends_after_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
+                | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
+            )
+        )
+        return queryset.filter(expr)
+
+    def is_past_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
+                | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
+            )
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+    def is_future_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+                | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+            )
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+
 class EventViewSet(viewsets.ModelViewSet):
    serializer_class = EventSerializer
    queryset = Event.objects.none()
    lookup_field = 'slug'
    lookup_url_kwarg = 'event'
    permission_classes = (EventCRUDPermission,)
+    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
+    filterset_class = EventFilter

    def get_queryset(self):
-        return self.request.organizer.events.prefetch_related('meta_values', 'meta_values__property')
+        if isinstance(self.request.auth, (TeamAPIToken, Device)):
+            qs = self.request.auth.get_events_with_any_permission()
+        elif self.request.user.is_authenticated:
+            qs = self.request.user.get_events_with_any_permission(self.request).filter(
+                organizer=self.request.organizer
+            )
+
+        return qs.prefetch_related(
+            'meta_values', 'meta_values__property'
+        )

    def perform_update(self, serializer):
        current_live_value = serializer.instance.live
@@ -120,22 +181,104 @@ class CloneEventViewSet(viewsets.ModelViewSet):


 class SubEventFilter(FilterSet):
+    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+
    class Meta:
        model = SubEvent
-        fields = ['active']
+        fields = ['active', 'event__live']
+
+    def ends_after_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
+            | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
+        )
+        return queryset.filter(expr)
+
+    def is_past_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
+            | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+    def is_future_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+            | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)


-class SubEventViewSet(ConditionalListView, viewsets.ReadOnlyModelViewSet):
+class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = SubEventSerializer
    queryset = ItemCategory.objects.none()
+    write_permission = 'can_change_event_settings'
    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
-    filter_class = SubEventFilter
+    filterset_class = SubEventFilter

    def get_queryset(self):
-        return self.request.event.subevents.prefetch_related(
+        if getattr(self.request, 'event', None):
+            qs = self.request.event.subevents
+        elif isinstance(self.request.auth, (TeamAPIToken, Device)):
+            qs = SubEvent.objects.filter(
+                event__organizer=self.request.organizer,
+                event__in=self.request.auth.get_events_with_any_permission()
+            )
+        elif self.request.user.is_authenticated:
+            qs = SubEvent.objects.filter(
+                event__organizer=self.request.organizer,
+                event__in=self.request.user.get_events_with_any_permission()
+            )
+        return qs.prefetch_related(
            'subeventitem_set', 'subeventitemvariation_set'
        )

+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+
+        serializer.instance.log_action(
+            'pretix.subevent.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=self.request.data
+        )
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.subevent.added',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('The sub-event can not be deleted as it has already been used in orders. Please set'
+                                   ' \'active\' to false instead to hide it from users.')
+        try:
+            with transaction.atomic():
+                instance.log_action(
+                    'pretix.subevent.deleted',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data=self.request.data
+                )
+                CartPosition.objects.filter(addon_to__subevent=instance).delete()
+                instance.cartposition_set.all().delete()
+                super().perform_destroy(instance)
+        except ProtectedError:
+            raise PermissionDenied('The sub-event could not be deleted as some constraints (e.g. data created by '
+                                   'plug-ins) do not allow it.')
+

 class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = TaxRuleSerializer
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -1,22 +1,23 @@
 import django_filters
 from django.db.models import Q
 from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response

 from pretix.api.serializers.item import (
-    ItemAddOnSerializer, ItemCategorySerializer, ItemSerializer,
-    ItemVariationSerializer, QuestionOptionSerializer, QuestionSerializer,
-    QuotaSerializer,
+    ItemAddOnSerializer, ItemBundleSerializer, ItemCategorySerializer,
+    ItemSerializer, ItemVariationSerializer, QuestionOptionSerializer,
+    QuestionSerializer, QuotaSerializer,
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota,
+    CartPosition, Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation,
+    Question, QuestionOption, Quota,
 )
 from pretix.helpers.dicts import merge_dicts

@@ -41,12 +42,12 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
-    filter_class = ItemFilter
-    permission = 'can_change_items'
+    filterset_class = ItemFilter
+    permission = None
    write_permission = 'can_change_items'

    def get_queryset(self):
-        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
+        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons', 'bundles').all()

    def perform_create(self, serializer):
        serializer.save(event=self.request.event)
@@ -83,6 +84,8 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
            user=self.request.user,
            auth=self.request.auth,
        )
+        CartPosition.objects.filter(addon_to__item=instance).delete()
+        instance.cartposition_set.all().delete()
        super().perform_destroy(instance)


@@ -92,20 +95,23 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
    write_permission = 'can_change_items'

+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
    def get_queryset(self):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
-        return item.variations.all()
+        return self.item.variations.all()

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
-        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        ctx['item'] = self.item
        return ctx

    def perform_create(self, serializer):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        item = self.item
        if not item.has_variations:
            raise PermissionDenied('This variation cannot be created because the item does not have variations. '
                                   'Changing a product without variations to a product with variations is not allowed.')
@@ -148,27 +154,82 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
        )


+class ItemBundleViewSet(viewsets.ModelViewSet):
+    serializer_class = ItemBundleSerializer
+    queryset = ItemBundle.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    ordering_fields = ('id',)
+    ordering = ('id',)
+    permission = None
+    write_permission = 'can_change_items'
+
+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
+    def get_queryset(self):
+        return self.item.bundles.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['item'] = self.item
+        return ctx
+
+    def perform_create(self, serializer):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        serializer.save(base_item=item)
+        item.log_action(
+            'pretix.event.item.bundles.added',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
+        )
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.base_item.log_action(
+            'pretix.event.item.bundles.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
+        )
+
+    def perform_destroy(self, instance):
+        super().perform_destroy(instance)
+        instance.base_item.log_action(
+            'pretix.event.item.bundles.removed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data={'bundled_item': instance.bundled_item.pk, 'bundled_variation': instance.bundled_variation.pk if instance.bundled_variation else None,
+                  'count': instance.count, 'designated_price': instance.designated_price}
+        )
+
+
 class ItemAddOnViewSet(viewsets.ModelViewSet):
    serializer_class = ItemAddOnSerializer
    queryset = ItemAddOn.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
    write_permission = 'can_change_items'

+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
    def get_queryset(self):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
-        return item.addons.all()
+        return self.item.addons.all()

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
-        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        ctx['item'] = self.item
        return ctx

    def perform_create(self, serializer):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        item = self.item
        category = get_object_or_404(ItemCategory, pk=self.request.data['addon_category'])
        serializer.save(base_item=item, addon_category=category)
        item.log_action(
@@ -207,10 +268,10 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = ItemCategorySerializer
    queryset = ItemCategory.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
-    filter_class = ItemCategoryFilter
+    filterset_class = ItemCategoryFilter
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
-    permission = 'can_change_items'
+    permission = None
    write_permission = 'can_change_items'

    def get_queryset(self):
@@ -261,10 +322,11 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = QuestionSerializer
    queryset = Question.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
-    filter_class = QuestionFilter
+    filterset_class = QuestionFilter
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
-    permission = 'can_change_items'
+    permission = None
+    write_permission = 'can_change_items'

    def get_queryset(self):
        return self.request.event.questions.prefetch_related('options').all()
@@ -307,7 +369,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('position',)
-    permission = 'can_change_items'
+    permission = None
    write_permission = 'can_change_items'

    def get_queryset(self):
@@ -359,10 +421,10 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = QuotaSerializer
    queryset = Quota.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter,)
-    filter_class = QuotaFilter
+    filterset_class = QuotaFilter
    ordering_fields = ('id', 'size')
    ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
    write_permission = 'can_change_items'

    def get_queryset(self):
@@ -437,7 +499,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
            )
        super().perform_destroy(instance)

-    @detail_route(methods=['get'])
+    @action(detail=True, methods=['get'])
    def availability(self, request, *args, **kwargs):
        quota = self.get_object()

--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -1,15 +1,18 @@
 import datetime
+from decimal import Decimal

 import django_filters
 import pytz
 from django.db import transaction
-from django.db.models import Q
-from django.db.models.functions import Concat
+from django.db.models import F, Prefetch, Q
+from django.db.models.functions import Coalesce, Concat
 from django.http import FileResponse
+from django.shortcuts import get_object_or_404
 from django.utils.timezone import make_aware, now
+from django.utils.translation import ugettext as _
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
-from rest_framework import serializers, status, viewsets
-from rest_framework.decorators import detail_route
+from rest_framework import mixins, serializers, status, viewsets
+from rest_framework.decorators import action
 from rest_framework.exceptions import (
    APIException, NotFound, PermissionDenied, ValidationError,
 )
@@ -19,45 +22,54 @@ from rest_framework.response import Response

 from pretix.api.models import OAuthAccessToken
 from pretix.api.serializers.order import (
-    InvoiceSerializer, OrderCreateSerializer, OrderPositionSerializer,
-    OrderSerializer,
+    InvoiceSerializer, OrderCreateSerializer, OrderPaymentSerializer,
+    OrderPositionSerializer, OrderRefundCreateSerializer,
+    OrderRefundSerializer, OrderSerializer, PriceCalcSerializer,
 )
+from pretix.base.i18n import language
 from pretix.base.models import (
-    Invoice, Order, OrderPosition, Quota, TeamAPIToken,
+    CachedCombinedTicket, CachedTicket, Device, Event, Invoice, InvoiceAddress,
+    Order, OrderPayment, OrderPosition, OrderRefund, Quota, TeamAPIToken,
+    generate_position_secret, generate_secret,
 )
+from pretix.base.payment import PaymentException
+from pretix.base.services import tickets
 from pretix.base.services.invoices import (
    generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
    regenerate_invoice,
 )
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.orders import (
-    OrderError, cancel_order, extend_order, mark_order_expired,
-    mark_order_paid, mark_order_refunded,
+    OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
+    extend_order, mark_order_expired, mark_order_refunded,
 )
-from pretix.base.services.tickets import (
-    get_cachedticket_for_order, get_cachedticket_for_position,
+from pretix.base.services.pricing import get_price
+from pretix.base.services.tickets import generate
+from pretix.base.signals import (
+    order_modified, order_placed, register_ticket_outputs,
 )
-from pretix.base.signals import order_placed, register_ticket_outputs
+from pretix.base.templatetags.money import money_filter


 class OrderFilter(FilterSet):
-    email = django_filters.CharFilter(name='email', lookup_expr='iexact')
-    code = django_filters.CharFilter(name='code', lookup_expr='iexact')
-    status = django_filters.CharFilter(name='status', lookup_expr='iexact')
-    modified_since = django_filters.IsoDateTimeFilter(name='last_modified', lookup_expr='gte')
+    email = django_filters.CharFilter(field_name='email', lookup_expr='iexact')
+    code = django_filters.CharFilter(field_name='code', lookup_expr='iexact')
+    status = django_filters.CharFilter(field_name='status', lookup_expr='iexact')
+    modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
+    created_since = django_filters.IsoDateTimeFilter(field_name='datetime', lookup_expr='gte')

    class Meta:
        model = Order
-        fields = ['code', 'status', 'email', 'locale']
+        fields = ['code', 'status', 'email', 'locale', 'testmode', 'require_approval']


-class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
+class OrderViewSet(viewsets.ModelViewSet):
    serializer_class = OrderSerializer
    queryset = Order.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('datetime',)
-    ordering_fields = ('datetime', 'code', 'status')
-    filter_class = OrderFilter
+    ordering_fields = ('datetime', 'code', 'status', 'last_modified')
+    filterset_class = OrderFilter
    lookup_field = 'code'
    permission = 'can_view_orders'
    write_permission = 'can_change_orders'
@@ -68,13 +80,35 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        return ctx

    def get_queryset(self):
-        return self.request.event.orders.prefetch_related(
-            'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options',
-            'positions__answers__question', 'fees'
+        qs = self.request.event.orders.prefetch_related(
+            'fees', 'payments', 'refunds', 'refunds__payment'
        ).select_related(
            'invoice_address'
        )

+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                Prefetch(
+                    'positions',
+                    OrderPosition.objects.all().prefetch_related(
+                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        'item__category', 'addon_to',
+                        Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+                    )
+                )
+            )
+        else:
+            qs = qs.prefetch_related(
+                Prefetch(
+                    'positions',
+                    OrderPosition.objects.all().prefetch_related(
+                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                    )
+                )
+            )
+
+        return qs
+
    def _get_output_provider(self, identifier):
        responses = register_ticket_outputs.send(self.request.event)
        for receiver, response in responses:
@@ -97,7 +131,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data, headers={'X-Page-Generated': date})

-    @detail_route(url_name='download', url_path='download/(?P<output>[^/]+)')
+    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
    def download(self, request, output, **kwargs):
        provider = self._get_output_provider(output)
        order = self.get_object()
@@ -105,9 +139,11 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        if order.status != Order.STATUS_PAID:
            raise PermissionDenied("Downloads are not available for unpaid orders.")

-        ct = get_cachedticket_for_order(order, provider.identifier)
-
-        if not ct.file:
+        ct = CachedCombinedTicket.objects.filter(
+            order=order, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('order', order.pk, provider.identifier))
            raise RetryException()
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -117,19 +153,38 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            )
            return resp

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def mark_paid(self, request, **kwargs):
        order = self.get_object()

        if order.status in (Order.STATUS_PENDING, Order.STATUS_EXPIRED):
+
+            ps = order.pending_sum
            try:
-                mark_order_paid(
-                    order, manual=True,
-                    user=request.user if request.user.is_authenticated else None,
-                    auth=request.auth,
+                p = order.payments.get(
+                    state__in=(OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED),
+                    provider='manual',
+                    amount=ps
                )
+            except OrderPayment.DoesNotExist:
+                order.payments.filter(state__in=(OrderPayment.PAYMENT_STATE_PENDING,
+                                                 OrderPayment.PAYMENT_STATE_CREATED)) \
+                    .update(state=OrderPayment.PAYMENT_STATE_CANCELED)
+                p = order.payments.create(
+                    state=OrderPayment.PAYMENT_STATE_CREATED,
+                    provider='manual',
+                    amount=ps,
+                    fee=None
+                )
+
+            try:
+                p.confirm(auth=self.request.auth,
+                          user=self.request.user if request.user.is_authenticated else None,
+                          count_waitinglist=False)
            except Quota.QuotaExceededException as e:
                return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+            except PaymentException as e:
+                return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
            except SendMailException:
                pass

@@ -139,9 +194,15 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            status=status.HTTP_400_BAD_REQUEST
        )

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def mark_canceled(self, request, **kwargs):
        send_mail = request.data.get('send_email', True)
+        cancellation_fee = request.data.get('cancellation_fee', None)
+        if cancellation_fee:
+            try:
+                cancellation_fee = float(Decimal(cancellation_fee))
+            except:
+                cancellation_fee = None

        order = self.get_object()
        if not order.cancel_allowed():
@@ -150,16 +211,60 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                status=status.HTTP_400_BAD_REQUEST
            )

-        cancel_order(
-            order,
-            user=request.user if request.user.is_authenticated else None,
-            api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
-            oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
-            send_mail=send_mail
-        )
+        try:
+            cancel_order(
+                order,
+                user=request.user if request.user.is_authenticated else None,
+                api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
+                device=request.auth if isinstance(request.auth, Device) else None,
+                oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
+                send_mail=send_mail,
+                cancellation_fee=cancellation_fee
+            )
+        except OrderError as e:
+            return Response(
+                {'detail': str(e)},
+                status=status.HTTP_400_BAD_REQUEST
+            )
        return self.retrieve(request, [], **kwargs)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
+    def approve(self, request, **kwargs):
+        send_mail = request.data.get('send_email', True)
+
+        order = self.get_object()
+        try:
+            approve_order(
+                order,
+                user=request.user if request.user.is_authenticated else None,
+                auth=request.auth if isinstance(request.auth, (Device, TeamAPIToken, OAuthAccessToken)) else None,
+                send_mail=send_mail,
+            )
+        except Quota.QuotaExceededException as e:
+            return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        except OrderError as e:
+            return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
+    def deny(self, request, **kwargs):
+        send_mail = request.data.get('send_email', True)
+        comment = request.data.get('comment', '')
+
+        order = self.get_object()
+        try:
+            deny_order(
+                order,
+                user=request.user if request.user.is_authenticated else None,
+                auth=request.auth if isinstance(request.auth, (Device, TeamAPIToken, OAuthAccessToken)) else None,
+                send_mail=send_mail,
+                comment=comment,
+            )
+        except OrderError as e:
+            return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
    def mark_pending(self, request, **kwargs):
        order = self.get_object()

@@ -170,8 +275,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            )

        order.status = Order.STATUS_PENDING
-        order.payment_manual = True
-        order.save()
+        order.save(update_fields=['status'])
        order.log_action(
            'pretix.event.order.unpaid',
            user=request.user if request.user.is_authenticated else None,
@@ -179,7 +283,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        )
        return self.retrieve(request, [], **kwargs)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def mark_expired(self, request, **kwargs):
        order = self.get_object()

@@ -196,7 +300,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        )
        return self.retrieve(request, [], **kwargs)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def mark_refunded(self, request, **kwargs):
        order = self.get_object()

@@ -209,11 +313,77 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        mark_order_refunded(
            order,
            user=request.user if request.user.is_authenticated else None,
-            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            auth=(request.auth if isinstance(request.auth, (TeamAPIToken, OAuthAccessToken, Device)) else None),
        )
        return self.retrieve(request, [], **kwargs)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
+    def create_invoice(self, request, **kwargs):
+        order = self.get_object()
+        has_inv = order.invoices.exists() and not (
+            order.status in (Order.STATUS_PAID, Order.STATUS_PENDING)
+            and order.invoices.filter(is_cancellation=True).count() >= order.invoices.filter(is_cancellation=False).count()
+        )
+        if self.request.event.settings.get('invoice_generate') not in ('admin', 'user', 'paid', 'True') or not invoice_qualified(order):
+            return Response(
+                {'detail': _('You cannot generate an invoice for this order.')},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+        elif has_inv:
+            return Response(
+                {'detail': _('An invoice for this order already exists.')},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        inv = generate_invoice(order)
+        order.log_action(
+            'pretix.event.order.invoice.generated',
+            user=self.request.user,
+            auth=self.request.auth,
+            data={
+                'invoice': inv.pk
+            }
+        )
+        return Response(
+            InvoiceSerializer(inv).data,
+            status=status.HTTP_201_CREATED
+        )
+
+    @action(detail=True, methods=['POST'])
+    def resend_link(self, request, **kwargs):
+        order = self.get_object()
+        if not order.email:
+            return Response({'detail': 'There is no email address associated with this order.'}, status=status.HTTP_400_BAD_REQUEST)
+        try:
+            order.resend_link(user=self.request.user, auth=self.request.auth)
+        except SendMailException:
+            return Response({'detail': _('There was an error sending the mail. Please try again later.')}, status=status.HTTP_503_SERVICE_UNAVAILABLE)
+
+        return Response(
+            status=status.HTTP_204_NO_CONTENT
+        )
+
+    @action(detail=True, methods=['POST'])
+    @transaction.atomic
+    def regenerate_secrets(self, request, **kwargs):
+        order = self.get_object()
+        order.secret = generate_secret()
+        for op in order.all_positions.all():
+            op.secret = generate_position_secret()
+            op.save()
+        order.save(update_fields=['secret'])
+        CachedTicket.objects.filter(order_position__order=order).delete()
+        CachedCombinedTicket.objects.filter(order=order).delete()
+        tickets.invalidate_cache.apply_async(kwargs={'event': self.request.event.pk,
+                                                     'order': order.pk})
+        order.log_action(
+            'pretix.event.order.secret.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
    def extend(self, request, **kwargs):
        new_date = request.data.get('expires', None)
        force = request.data.get('force', False)
@@ -280,12 +450,88 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)

+    def update(self, request, *args, **kwargs):
+        partial = kwargs.get('partial', False)
+        if not partial:
+            return Response(
+                {"detail": "Method \"PUT\" not allowed."},
+                status=status.HTTP_405_METHOD_NOT_ALLOWED,
+            )
+        return super().update(request, *args, **kwargs)
+
+    def perform_update(self, serializer):
+        with transaction.atomic():
+            if 'comment' in self.request.data and serializer.instance.comment != self.request.data.get('comment'):
+                serializer.instance.log_action(
+                    'pretix.event.order.comment',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'new_comment': self.request.data.get('comment')
+                    }
+                )
+
+            if 'checkin_attention' in self.request.data and serializer.instance.checkin_attention != self.request.data.get('checkin_attention'):
+                serializer.instance.log_action(
+                    'pretix.event.order.checkin_attention',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'new_value': self.request.data.get('checkin_attention')
+                    }
+                )
+
+            if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
+                serializer.instance.log_action(
+                    'pretix.event.order.contact.changed',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'old_email': serializer.instance.email,
+                        'new_email': self.request.data.get('email'),
+                    }
+                )
+
+            if 'locale' in self.request.data and serializer.instance.locale != self.request.data.get('locale'):
+                serializer.instance.log_action(
+                    'pretix.event.order.locale.changed',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'old_locale': serializer.instance.locale,
+                        'new_locale': self.request.data.get('locale'),
+                    }
+                )
+
+            if 'invoice_address' in self.request.data:
+                serializer.instance.log_action(
+                    'pretix.event.order.modified',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'invoice_data': self.request.data.get('invoice_address'),
+                    }
+                )
+
+            serializer.save()
+            tickets.invalidate_cache.apply_async(kwargs={'event': serializer.instance.event.pk, 'order': serializer.instance.pk})
+
+        if 'invoice_address' in self.request.data:
+            order_modified.send(sender=serializer.instance.event, order=serializer.instance)
+
    def perform_create(self, serializer):
        serializer.save()

+    def perform_destroy(self, instance):
+        if not instance.testmode:
+            raise PermissionDenied('Only test mode orders can be deleted.')
+
+        with transaction.atomic():
+            self.get_object().gracefully_delete(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+

 class OrderPositionFilter(FilterSet):
-    order = django_filters.CharFilter(name='order', lookup_expr='code__iexact')
+    order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
    has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
    attendee_name = django_filters.CharFilter(method='attendee_name_qs')
    search = django_filters.CharFilter(method='search_qs')
@@ -293,17 +539,20 @@ class OrderPositionFilter(FilterSet):
    def search_qs(self, queryset, name, value):
        return queryset.filter(
            Q(secret__istartswith=value)
-            | Q(attendee_name__icontains=value)
-            | Q(addon_to__attendee_name__icontains=value)
+            | Q(attendee_name_cached__icontains=value)
+            | Q(addon_to__attendee_name_cached__icontains=value)
+            | Q(attendee_email__icontains=value)
+            | Q(addon_to__attendee_email__icontains=value)
            | Q(order__code__istartswith=value)
-            | Q(order__invoice_address__name__icontains=value)
+            | Q(order__invoice_address__name_cached__icontains=value)
+            | Q(order__email__icontains=value)
        )

    def has_checkin_qs(self, queryset, name, value):
        return queryset.filter(checkins__isnull=not value)

    def attendee_name_qs(self, queryset, name, value):
-        return queryset.filter(Q(attendee_name__iexact=value) | Q(addon_to__attendee_name__iexact=value))
+        return queryset.filter(Q(attendee_name_cached__iexact=value) | Q(addon_to__attendee_name_cached__iexact=value))

    class Meta:
        model = OrderPosition
@@ -313,25 +562,61 @@ class OrderPositionFilter(FilterSet):
            'secret': ['exact'],
            'order__status': ['exact', 'in'],
            'addon_to': ['exact', 'in'],
-            'subevent': ['exact', 'in']
+            'subevent': ['exact', 'in'],
+            'pseudonymization_id': ['exact'],
+            'voucher__code': ['exact'],
+            'voucher': ['exact'],
        }


-class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
+class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
    serializer_class = OrderPositionSerializer
    queryset = OrderPosition.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('order__datetime', 'positionid')
    ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
-    filter_class = OrderPositionFilter
+    filterset_class = OrderPositionFilter
    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+    ordering_custom = {
+        'attendee_name': {
+            '_order': F('display_name').asc(nulls_first=True),
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
+        },
+        '-attendee_name': {
+            '_order': F('display_name').asc(nulls_last=True),
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
+        },
+    }

    def get_queryset(self):
-        return OrderPosition.objects.filter(order__event=self.request.event).prefetch_related(
-            'checkins', 'answers', 'answers__options', 'answers__question'
-        ).select_related(
-            'item', 'order', 'order__event', 'order__event__organizer'
-        )
+        qs = OrderPosition.objects.filter(order__event=self.request.event)
+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                'checkins', 'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation')),
+                Prefetch('order', Order.objects.select_related('invoice_address').prefetch_related(
+                    Prefetch(
+                        'event',
+                        Event.objects.select_related('organizer')
+                    ),
+                    Prefetch(
+                        'positions',
+                        OrderPosition.objects.prefetch_related(
+                            'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        )
+                    )
+                ))
+            ).select_related(
+                'item', 'variation', 'item__category', 'addon_to'
+            )
+        else:
+            qs = qs.prefetch_related(
+                'checkins', 'answers', 'answers__options', 'answers__question'
+            ).select_related(
+                'item', 'order', 'order__event', 'order__event__organizer'
+            )
+        return qs

    def _get_output_provider(self, identifier):
        responses = register_ticket_outputs.send(self.request.event)
@@ -341,21 +626,98 @@ class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
                return prov
        raise NotFound('Unknown output provider.')

-    @detail_route(url_name='download', url_path='download/(?P<output>[^/]+)')
+    @action(detail=True, methods=['POST'], url_name='price_calc')
+    def price_calc(self, request, *args, **kwargs):
+        """
+        This calculates the price assuming a change of product or subevent. This endpoint
+        is deliberately not documented and considered a private API, only to be used by
+        pretix' web interface.
+
+        Sample input:
+
+        {
+            "item": 2,
+            "variation": null,
+            "subevent": 3
+        }
+
+        Sample output:
+
+        {
+            "gross": "2.34",
+            "gross_formatted": "2,34",
+            "net": "2.34",
+            "tax": "0.00",
+            "rate": "0.00",
+            "name": "VAT"
+        }
+        """
+        serializer = PriceCalcSerializer(data=request.data, event=request.event)
+        serializer.is_valid(raise_exception=True)
+        data = serializer.validated_data
+        pos = self.get_object()
+
+        try:
+            ia = pos.order.invoice_address
+        except InvoiceAddress.DoesNotExist:
+            ia = InvoiceAddress()
+
+        kwargs = {
+            'item': pos.item,
+            'variation': pos.variation,
+            'voucher': pos.voucher,
+            'subevent': pos.subevent,
+            'addon_to': pos.addon_to,
+            'invoice_address': ia,
+        }
+
+        if data.get('item'):
+            item = data.get('item')
+            kwargs['item'] = item
+
+            if item.has_variations:
+                variation = data.get('variation') or pos.variation
+                if not variation:
+                    raise ValidationError('No variation given')
+                if variation.item != item:
+                    raise ValidationError('Variation does not belong to item')
+                kwargs['variation'] = variation
+            else:
+                variation = None
+                kwargs['variation'] = None
+
+            if pos.voucher and not pos.voucher.applies_to(item, variation):
+                kwargs['voucher'] = None
+
+        if data.get('subevent'):
+            kwargs['subevent'] = data.get('subevent')
+
+        price = get_price(**kwargs)
+        with language(data.get('locale') or self.request.event.settings.locale):
+            return Response({
+                'gross': price.gross,
+                'gross_formatted': money_filter(price.gross, self.request.event.currency, hide_currency=True),
+                'net': price.net,
+                'rate': price.rate,
+                'name': str(price.name),
+                'tax': price.tax,
+            })
+
+    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
    def download(self, request, output, **kwargs):
        provider = self._get_output_provider(output)
        pos = self.get_object()

        if pos.order.status != Order.STATUS_PAID:
            raise PermissionDenied("Downloads are not available for unpaid orders.")
-        if pos.addon_to_id and not request.event.settings.ticket_download_addons:
-            raise PermissionDenied("Downloads are not enabled for add-on products.")
-        if not pos.item.admission and not request.event.settings.ticket_download_nonadm:
-            raise PermissionDenied("Downloads are not enabled for non-admission products.")
+        if not pos.generate_ticket:
+            raise PermissionDenied("Downloads are not enabled for this product.")

-        ct = get_cachedticket_for_position(pos, provider.identifier)
-
-        if not ct.file:
+        ct = CachedTicket.objects.filter(
+            order_position=pos, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('orderposition', pos.pk, provider.identifier))
            raise RetryException()
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -365,11 +727,242 @@ class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
            )
            return resp

+    def perform_destroy(self, instance):
+        try:
+            ocm = OrderChangeManager(
+                instance.order,
+                user=self.request.user if self.request.user.is_authenticated else None,
+                auth=self.request.auth,
+                notify=False
+            )
+            ocm.cancel(instance)
+            ocm.commit()
+        except OrderError as e:
+            raise ValidationError(str(e))
+        except Quota.QuotaExceededException as e:
+            raise ValidationError(str(e))
+
+
+class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
+    serializer_class = OrderPaymentSerializer
+    queryset = OrderPayment.objects.none()
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+    lookup_field = 'local_id'
+
+    def get_queryset(self):
+        order = get_object_or_404(Order, code=self.kwargs['order'], event=self.request.event)
+        return order.payments.all()
+
+    @action(detail=True, methods=['POST'])
+    def confirm(self, request, **kwargs):
+        payment = self.get_object()
+        force = request.data.get('force', False)
+
+        if payment.state not in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):
+            return Response({'detail': 'Invalid state of payment'}, status=status.HTTP_400_BAD_REQUEST)
+
+        try:
+            payment.confirm(user=self.request.user if self.request.user.is_authenticated else None,
+                            auth=self.request.auth,
+                            count_waitinglist=False,
+                            force=force)
+        except Quota.QuotaExceededException as e:
+            return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        except PaymentException as e:
+            return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        except SendMailException:
+            pass
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
+    def refund(self, request, **kwargs):
+        payment = self.get_object()
+        amount = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
+            request.data.get('amount', str(payment.amount))
+        )
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.get('mark_refunded', False)
+        else:
+            mark_refunded = request.data.get('mark_canceled', False)
+
+        if payment.state != OrderPayment.PAYMENT_STATE_CONFIRMED:
+            return Response({'detail': 'Invalid state of payment.'}, status=status.HTTP_400_BAD_REQUEST)
+
+        full_refund_possible = payment.payment_provider.payment_refund_supported(payment)
+        partial_refund_possible = payment.payment_provider.payment_partial_refund_supported(payment)
+        available_amount = payment.amount - payment.refunded_amount
+
+        if amount <= 0:
+            return Response({'amount': ['Invalid refund amount.']}, status=status.HTTP_400_BAD_REQUEST)
+        if amount > available_amount:
+            return Response(
+                {'amount': ['Invalid refund amount, only {} are available to refund.'.format(available_amount)]},
+                status=status.HTTP_400_BAD_REQUEST)
+        if amount != payment.amount and not partial_refund_possible:
+            return Response({'amount': ['Partial refund not available for this payment method.']},
+                            status=status.HTTP_400_BAD_REQUEST)
+        if amount == payment.amount and not full_refund_possible:
+            return Response({'amount': ['Full refund not available for this payment method.']},
+                            status=status.HTTP_400_BAD_REQUEST)
+        r = payment.order.refunds.create(
+            payment=payment,
+            source=OrderRefund.REFUND_SOURCE_ADMIN,
+            state=OrderRefund.REFUND_STATE_CREATED,
+            amount=amount,
+            provider=payment.provider
+        )
+
+        try:
+            r.payment_provider.execute_refund(r)
+        except PaymentException as e:
+            r.state = OrderRefund.REFUND_STATE_FAILED
+            r.save()
+            return Response({'detail': 'External error: {}'.format(str(e))},
+                            status=status.HTTP_400_BAD_REQUEST)
+        else:
+            payment.order.log_action('pretix.event.order.refund.created', {
+                'local_id': r.local_id,
+                'provider': r.provider,
+            }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+            if payment.order.pending_sum > 0:
+                if mark_refunded:
+                    mark_order_refunded(payment.order,
+                                        user=self.request.user if self.request.user.is_authenticated else None,
+                                        auth=self.request.auth)
+                else:
+                    payment.order.status = Order.STATUS_PENDING
+                    payment.order.set_expires(
+                        now(),
+                        payment.order.event.subevents.filter(
+                            id__in=payment.order.positions.values_list('subevent_id', flat=True))
+                    )
+                    payment.order.save(update_fields=['status', 'expires'])
+            return Response(OrderRefundSerializer(r).data, status=status.HTTP_200_OK)
+
+    @action(detail=True, methods=['POST'])
+    def cancel(self, request, **kwargs):
+        payment = self.get_object()
+
+        if payment.state not in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):
+            return Response({'detail': 'Invalid state of payment'}, status=status.HTTP_400_BAD_REQUEST)
+
+        with transaction.atomic():
+            payment.state = OrderPayment.PAYMENT_STATE_CANCELED
+            payment.save()
+            payment.order.log_action('pretix.event.order.payment.canceled', {
+                'local_id': payment.local_id,
+                'provider': payment.provider,
+            }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+        return self.retrieve(request, [], **kwargs)
+
+
+class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
+    serializer_class = OrderRefundSerializer
+    queryset = OrderRefund.objects.none()
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+    lookup_field = 'local_id'
+
+    def get_queryset(self):
+        order = get_object_or_404(Order, code=self.kwargs['order'], event=self.request.event)
+        return order.refunds.all()
+
+    @action(detail=True, methods=['POST'])
+    def cancel(self, request, **kwargs):
+        refund = self.get_object()
+
+        if refund.state not in (OrderRefund.REFUND_STATE_CREATED, OrderRefund.REFUND_STATE_TRANSIT,
+                                OrderRefund.REFUND_STATE_EXTERNAL):
+            return Response({'detail': 'Invalid state of refund'}, status=status.HTTP_400_BAD_REQUEST)
+
+        with transaction.atomic():
+            refund.state = OrderRefund.REFUND_STATE_CANCELED
+            refund.save()
+            refund.order.log_action('pretix.event.order.refund.canceled', {
+                'local_id': refund.local_id,
+                'provider': refund.provider,
+            }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
+    def process(self, request, **kwargs):
+        refund = self.get_object()
+
+        if refund.state != OrderRefund.REFUND_STATE_EXTERNAL:
+            return Response({'detail': 'Invalid state of refund'}, status=status.HTTP_400_BAD_REQUEST)
+
+        refund.done(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.get('mark_refunded', False)
+        else:
+            mark_refunded = request.data.get('mark_canceled', False)
+        if mark_refunded:
+            mark_order_refunded(refund.order, user=self.request.user if self.request.user.is_authenticated else None,
+                                auth=self.request.auth)
+        elif not (refund.order.status == Order.STATUS_PAID and refund.order.pending_sum <= 0):
+            refund.order.status = Order.STATUS_PENDING
+            refund.order.set_expires(
+                now(),
+                refund.order.event.subevents.filter(
+                    id__in=refund.order.positions.values_list('subevent_id', flat=True))
+            )
+            refund.order.save(update_fields=['status', 'expires'])
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
+    def done(self, request, **kwargs):
+        refund = self.get_object()
+
+        if refund.state not in (OrderRefund.REFUND_STATE_CREATED, OrderRefund.REFUND_STATE_TRANSIT):
+            return Response({'detail': 'Invalid state of refund'}, status=status.HTTP_400_BAD_REQUEST)
+
+        refund.done(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+        return self.retrieve(request, [], **kwargs)
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['order'] = get_object_or_404(Order, code=self.kwargs['order'], event=self.request.event)
+        return ctx
+
+    def create(self, request, *args, **kwargs):
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.pop('mark_refunded', False)
+        else:
+            mark_refunded = request.data.pop('mark_canceled', False)
+        serializer = OrderRefundCreateSerializer(data=request.data, context=self.get_serializer_context())
+        serializer.is_valid(raise_exception=True)
+        with transaction.atomic():
+            self.perform_create(serializer)
+            r = serializer.instance
+            serializer = OrderRefundSerializer(r, context=serializer.context)
+
+            r.order.log_action(
+                'pretix.event.order.refund.created', {
+                    'local_id': r.local_id,
+                    'provider': r.provider,
+                },
+                user=request.user if request.user.is_authenticated else None,
+                auth=request.auth
+            )
+            if mark_refunded:
+                mark_order_refunded(
+                    r.order,
+                    user=request.user if request.user.is_authenticated else None,
+                    auth=(request.auth if request.auth else None),
+                )
+
+        headers = self.get_success_headers(serializer.data)
+        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
+
+    def perform_create(self, serializer):
+        serializer.save()
+

 class InvoiceFilter(FilterSet):
    refers = django_filters.CharFilter(method='refers_qs')
    number = django_filters.CharFilter(method='nr_qs')
-    order = django_filters.CharFilter(name='order', lookup_expr='code__iexact')
+    order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')

    def refers_qs(self, queryset, name, value):
        return queryset.annotate(
@@ -396,7 +989,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('nr',)
    ordering_fields = ('nr', 'date')
-    filter_class = InvoiceFilter
+    filterset_class = InvoiceFilter
    permission = 'can_view_orders'
    lookup_url_kwarg = 'number'
    lookup_field = 'nr'
@@ -407,7 +1000,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
            nr=Concat('prefix', 'invoice_no')
        )

-    @detail_route()
+    @action(detail=True, )
    def download(self, request, **kwargs):
        invoice = self.get_object()

@@ -425,7 +1018,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
        return resp

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def regenerate(self, request, **kwarts):
        inv = self.get_object()
        if inv.canceled:
@@ -444,7 +1037,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
            )
            return Response(status=204)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def reissue(self, request, **kwarts):
        inv = self.get_object()
        if inv.canceled:
@@ -453,7 +1046,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
            raise PermissionDenied('The invoice file is no longer stored on the server.')
        else:
            c = generate_cancellation(inv)
-            if inv.order.status not in (Order.STATUS_CANCELED, Order.STATUS_REFUNDED):
+            if inv.order.status != Order.STATUS_CANCELED:
                inv = generate_invoice(inv.order)
            else:
                inv = c
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -12,7 +12,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
    lookup_url_kwarg = 'organizer'

    def get_queryset(self):
-        if self.request.user.is_authenticated():
+        if self.request.user.is_authenticated:
            if self.request.user.has_active_staff_session(self.request.session.session_key):
                return Organizer.objects.all()
            elif isinstance(self.request.auth, OAuthAccessToken):
@@ -23,5 +23,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
                )
            else:
                return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
+        elif hasattr(self.request.auth, 'organizer_id'):
+            return Organizer.objects.filter(pk=self.request.auth.organizer_id)
        else:
            return Organizer.objects.filter(pk=self.request.auth.team.organizer_id)
--- a/src/pretix/api/views/user.py
+++ b/src/pretix/api/views/user.py
@@ -0,0 +1,16 @@
+from oauth2_provider.contrib.rest_framework import OAuth2Authentication
+from rest_framework.authentication import SessionAuthentication
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+
+class MeView(APIView):
+    authentication_classes = (SessionAuthentication, OAuth2Authentication)
+
+    def get(self, request, format=None):
+        return Response({
+            'email': request.user.email,
+            'fullname': request.user.fullname,
+            'locale': request.user.locale,
+            'timezone': request.user.timezone
+        })
--- a/src/pretix/api/views/voucher.py
+++ b/src/pretix/api/views/voucher.py
@@ -1,11 +1,16 @@
+import contextlib
+
+from django.db import transaction
 from django.db.models import F, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import (
    BooleanFilter, DjangoFilterBackend, FilterSet,
 )
-from rest_framework import viewsets
+from rest_framework import status, viewsets
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response

 from pretix.api.serializers.voucher import VoucherSerializer
 from pretix.base.models import Voucher
@@ -34,15 +39,36 @@ class VoucherViewSet(viewsets.ModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('id',)
    ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
-    filter_class = VoucherFilter
+    filterset_class = VoucherFilter
    permission = 'can_view_vouchers'
    write_permission = 'can_change_vouchers'

    def get_queryset(self):
        return self.request.event.vouchers.all()

+    def _predict_quota_check(self, data, instance):
+        # This method predicts if Voucher.clean_quota_needs_checking
+        # *migh* later require a quota check. It is only approximate
+        # and returns True a little too often. The point is to avoid
+        # locks when we know we won't need them.
+        if 'allow_ignore_quota' in data and data.get('allow_ignore_quota'):
+            return False
+        if instance and 'allow_ignore_quota' not in data and instance.allow_ignore_quota:
+            return False
+
+        if 'block_quota' in data and not data.get('block_quota'):
+            return False
+        if instance and 'block_quota' not in data and not instance.block_quota:
+            return False
+
+        return True
+
    def create(self, request, *args, **kwargs):
-        with request.event.lock():
+        if self._predict_quota_check(request.data, None):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
            return super().create(request, *args, **kwargs)

    def perform_create(self, serializer):
@@ -60,7 +86,11 @@ class VoucherViewSet(viewsets.ModelViewSet):
        return ctx

    def update(self, request, *args, **kwargs):
-        with request.event.lock():
+        if self._predict_quota_check(request.data, self.get_object()):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
            return super().update(request, *args, **kwargs)

    def perform_update(self, serializer):
@@ -81,4 +111,28 @@ class VoucherViewSet(viewsets.ModelViewSet):
            user=self.request.user,
            auth=self.request.auth,
        )
-        super().perform_destroy(instance)
+        with transaction.atomic():
+            instance.cartposition_set.filter(addon_to__isnull=False).delete()
+            instance.cartposition_set.all().delete()
+            super().perform_destroy(instance)
+
+    @action(detail=False, methods=['POST'])
+    def batch_create(self, request, *args, **kwargs):
+        if any(self._predict_quota_check(d, None) for d in request.data):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
+            serializer = self.get_serializer(data=request.data, many=True)
+            serializer.is_valid(raise_exception=True)
+            with transaction.atomic():
+                serializer.save(event=self.request.event)
+                for i, v in enumerate(serializer.instance):
+                    v.log_action(
+                        'pretix.voucher.added',
+                        user=self.request.user,
+                        auth=self.request.auth,
+                        data=self.request.data[i]
+                    )
+        headers = self.get_success_headers(serializer.data)
+        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
--- a/src/pretix/api/views/waitinglist.py
+++ b/src/pretix/api/views/waitinglist.py
@@ -1,7 +1,7 @@
 import django_filters
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
-from rest_framework.decorators import detail_route
+from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
@@ -28,7 +28,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('created',)
    ordering_fields = ('id', 'created', 'email', 'item')
-    filter_class = WaitingListFilter
+    filterset_class = WaitingListFilter
    permission = 'can_view_orders'
    write_permission = 'can_change_orders'

@@ -69,7 +69,7 @@ class WaitingListViewSet(viewsets.ModelViewSet):
        )
        super().perform_destroy(instance)

-    @detail_route(methods=['POST'])
+    @action(detail=True, methods=['POST'])
    def send_voucher(self, *args, **kwargs):
        try:
            self.get_object().send_voucher(
--- a/Show More
+++ b/Show More