Bump version to 1.15.0

Update from Weblate.

.gitattributes

@@ -1,16 +1,17 @@
-src/static/fontawesome/* linguist-vendored
-src/static/lightbox/* linguist-vendored
-src/static/typeahead/* linguist-vendored
-src/static/moment/* linguist-vendored
-src/static/datetimepicker/* linguist-vendored
-src/static/colorpicker/* linguist-vendored
-src/static/fileupload/* linguist-vendored
-src/static/vuejs/* linguist-vendored
-src/static/select2/* linguist-vendored
-src/static/charts/* linguist-vendored
-src/static/iframeresizer/* linguist-vendored
-src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/fabric.* linguist-vendored
-src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/pdf.* linguist-vendored
+src/pretix/static/fontawesome/* linguist-vendored
+src/pretix/static/lightbox/* linguist-vendored
+src/pretix/static/typeahead/* linguist-vendored
+src/pretix/static/moment/* linguist-vendored
+src/pretix/static/datetimepicker/* linguist-vendored
+src/pretix/static/colorpicker/* linguist-vendored
+src/pretix/static/fileupload/* linguist-vendored
+src/pretix/static/vuejs/* linguist-vendored
+src/pretix/static/select2/* linguist-vendored
+src/pretix/static/charts/* linguist-vendored
+src/pretix/static/rrule/* linguist-vendored
+src/pretix/static/iframeresizer/* linguist-vendored
+src/pretix/static/pdfjs/* linguist-vendored
+src/pretix/static/fabric/* linguist-vendored
 
 # Denote all files that are truly binary and should not be modified.
 *.eot binary

.travis.yml

@@ -43,3 +43,6 @@ addons:
   apt:
       packages:
           - enchant
+branches:
+  except:
+  - /^weblate-.*/

README.rst

@@ -40,6 +40,9 @@ Contributing
 If you want to contribute to pretix, please read the `developer documentation`_
 in our documentation. If you have any further questions, please do not hesitate to ask!
 
+.. image:: https://translate.pretix.eu/widgets/pretix/-/pretix/multi-blue.svg
+   :target: https://translate.pretix.eu/engage/pretix/
+
 Code of Conduct
 ---------------
 We have a `Code of Conduct`_ in place that applies to all project contributions,

doc/admin/config.rst

@@ -70,6 +70,10 @@ Example::
     that are used to print tax amounts in the customer currency on invoices for some currencies. Set to ``off`` to
     disable this feature. Defaults to ``on``.
 
+``audit_comments``
+    Enables or disables nagging staff users for leaving comments on their sessions for auditability.
+    Defaults to ``off``.
+
 
 Locale settings
 ---------------

doc/admin/installation/docker_smallscale.rst

@@ -268,8 +268,8 @@ to re-build your custom image after you pulled ``pretix/standalone`` if you want
 .. _pretix.eu: https://pretix.eu/
 .. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-9-4-on-debian-8
-.. _redis: http://blog.programster.org/debian-8-install-redis-server/
+.. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
-.. _redis website: http://redis.io/topics/security
+.. _redis website: https://redis.io/topics/security
 .. _redis in docker: https://hub.docker.com/r/_/redis/
 .. _strong encryption settings: https://mozilla.github.io/server-side-tls/ssl-config-generator/

doc/admin/installation/manual_smallscale.rst

@@ -298,6 +298,6 @@ example::
 .. _pretix.eu: https://pretix.eu/
 .. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-9-4-on-debian-8
-.. _redis: http://blog.programster.org/debian-8-install-redis-server/
+.. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
 .. _strong encryption settings: https://mozilla.github.io/server-side-tls/ssl-config-generator/

doc/api/fundamentals.rst

@@ -44,6 +44,25 @@ like the following:
           adding OAuth2 support in the future for user-level authentication. If you want
           to use session authentication, be sure to comply with Django's `CSRF policies`_.
 
+Permissions
+-----------
+
+The API follows pretix team based permissions model. Each organizer can have several teams
+each with it's own set of permissions. Each team can have any number of API keys attached.
+
+To access a given endpoint the team the API key belongs to needs to have the corresponding
+permission for the organizer/event being accessed.
+
+Possible permissions are:
+
+* Can create events
+* Can change event settings
+* Can change product settings
+* Can view orders
+* Can change orders
+* Can view vouchers
+* Can change vouchers
+
 Compatibility
 -------------
 

doc/api/resources/categories.rst

@@ -22,6 +22,10 @@ is_addon                              boolean                    If ``True``, it
                                                                  defining add-ons for other products.
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.14
+
+   The operations POST, PATCH, PUT and DELETE have been added.
+
 
 Endpoints
 ---------
@@ -106,3 +110,118 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/categories/
+
+   Creates a new category
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/categories/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "Tickets"},
+        "description": {"en": "Tickets are what you need to get in."},
+        "position": 1,
+        "is_addon": false
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "Tickets"},
+        "description": {"en": "Tickets are what you need to get in."},
+        "position": 1,
+        "is_addon": false
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create a category for
+   :param event: The ``slug`` field of the event to create a category for
+   :statuscode 201: no error
+   :statuscode 400: The category could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/categories/(id)/
+
+   Update a category. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/categories/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "is_addon": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "Tickets"},
+        "description": {"en": "Tickets are what you need to get in."},
+        "position": 1,
+        "is_addon": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the category to modify
+   :statuscode 200: no error
+   :statuscode 400: The category could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/category/(id)/
+
+   Delete a category.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/categories/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the category to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/checkinlists.rst

@@ -44,6 +44,10 @@ include_pending                       boolean                    If ``true``, th
 Endpoints
 ---------
 
+.. versionchanged:: 1.15
+
+   The ``../status/`` detail endpoint has been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
 
    Returns a list of all check-in lists within a given event.
@@ -128,6 +132,72 @@ Endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(id)/status/
+
+   Returns detailed status information on a check-in list, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/status/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "checkin_count": 17,
+        "position_count": 42,
+        "event": {
+          "name": "Demo Converence",
+        },
+        "items": [
+          {
+            "name": "T-Shirt",
+            "id": 1,
+            "checkin_count": 1,
+            "admission": False,
+            "position_count": 1,
+            "variations": [
+              {
+                "value": "Red",
+                "id": 1,
+                "checkin_count": 1,
+                "position_count": 12
+              },
+              {
+                "value": "Blue",
+                "id": 2,
+                "checkin_count": 4,
+                "position_count": 8
+              }
+            ]
+          },
+          {
+            "name": "Ticket",
+            "id": 2,
+            "checkin_count": 15,
+            "admission": True,
+            "position_count": 22,
+            "variations": []
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the check-in list to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
 
    Creates a new check-in list.
@@ -254,6 +324,14 @@ Endpoints
 Order position endpoints
 ------------------------
 
+.. versionchanged:: 1.15
+
+   The order positions endpoint has been extended by the filter queries ``item__in``, ``variation__in``,
+   ``order__status__in``, ``subevent__in``, ``addon_to__in``, and ``search``. The search for attendee names and order
+   codes is now case-insensitive.
+
+   The ``.../redeem/`` endpoint has been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/
 
    Returns a list of all order positions within a given event. The result is the same as
@@ -325,15 +403,24 @@ Order position endpoints
                            ``order__datetime``, ``positionid``, ``attendee_name``, ``last_checked_in`` and ``order__email``. Default:
                            ``attendee_name,positionid``
    :query string order: Only return positions of the order with the given order code
+   :query string search: Fuzzy search matching the attendee name, order code, invoice address name as well as to the beginning of the secret.
    :query integer item: Only return positions with the purchased item matching the given ID.
+   :query integer item__in: Only return positions with the purchased item matching one of the given comma-separated IDs.
    :query integer variation: Only return positions with the purchased item variation matching the given ID.
+   :query integer variation__in: Only return positions with one of the purchased item variation matching the given
+                                 comma-separated IDs.
    :query string attendee_name: Only return positions with the given value in the attendee_name field. Also, add-on
                                 products positions are shown if they refer to an attendee with the given name.
    :query string secret: Only return positions with the given ticket secret.
-   :query bollean has_checkin: If set to ``true`` or ``false``, only return positions that have or have not been
-                               checked in already on this list.
+   :query string order__status: Only return positions with the given order status.
+   :query string order__status__in: Only return positions with one the given comma-separated order status.
+   :query boolean has_checkin: If set to ``true`` or ``false``, only return positions that have or have not been
+                               checked in already.
    :query integer subevent: Only return positions of the sub-event with the given ID
+   :query integer subevent__in: Only return positions of one of the sub-events with the given comma-separated IDs
    :query integer addon_to: Only return positions that are add-ons to the position with the given ID.
+   :query integer addon_to__in: Only return positions that are add-ons to one of the positions with the given
+                                      comma-separated IDs.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :param list: The ID of the check-in list to look for
@@ -342,7 +429,7 @@ Order position endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested check-in list does not exist.
 
-.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)/
 
    Returns information on one order position, identified by its internal ID.
    The result format is the same as the :ref:`order-position-resource`, with one important difference: the
@@ -352,7 +439,7 @@ Order position endpoints
 
    .. sourcecode:: http
 
-      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/positions/ HTTP/1.1
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/positions/23442/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
 
@@ -409,3 +496,127 @@ Order position endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order position or check-in list does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)/redeem/
+
+   Tries to redeem an order position, identified by its internal ID, i.e. checks the attendee in. This endpoint
+   accepts a number of optional requests in the body.
+
+   :<json boolean questions_supported: When this parameter is set to ``true``, handling of questions is supported. If
+                                       you do not implement question handling in your user interface, you **must**
+                                       set this to ``false``. In that case, questions will just be ignored. Defaults
+                                       to ``true``.
+   :<json datetime datetime: Specifies the datetime of the check-in. If not supplied, the current time will be used.
+   :<json boolean force: Specifies that the check-in should succeed regardless of previous check-ins or required
+                         questions that have not been filled. Defaults to ``false``.
+   :<json boolean ignore_unpaid: Specifies that the check-in should succeed even if the order is in pending state.
+                                 Defaults to ``false``.
+   :<json string nonce: You can set this parameter to a unique random value to identify this check-in. If you're sending
+                        this request twice with the same nonce, the second request will also succeed but will always
+                        create only one check-in object even when the previous request was successful as well. This
+                        allows for a certain level of idempotency and enables you to re-try after a connection failure.
+   :<json object answers: If questions are supported/required, you may/must supply a mapping of question IDs to their
+                          respective answers. The answers should always be strings. In case of (multiple-)choice-type
+                          answers, the string should contain the (comma-separated) IDs of the selected options.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/positions/234/redeem/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+      {
+        "force": false,
+        "ignore_unpaid": false,
+        "nonce": "Pvrk50vUzQd0DhdpNRL4I4OcXsvg70uA",
+        "datetime": null,
+        "questions_supported": true,
+        "answers": {
+          "4": "XS"
+        }
+      }
+
+   **Example successful response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "status": "ok"
+      }
+
+   **Example response with required questions**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 400 Bad Request
+      Content-Type: text/json
+
+      {
+        "status": "incomplete"
+        "questions": [
+          {
+            "id": 1,
+            "question": {"en": "T-Shirt size"},
+            "type": "C",
+            "required": false,
+            "items": [1, 2],
+            "position": 1,
+            "identifier": "WY3TP9SL",
+            "ask_during_checkin": true,
+            "options": [
+              {
+                "id": 1,
+                "identifier": "LVETRWVU",
+                "position": 0,
+                "answer": {"en": "S"}
+              },
+              {
+                "id": 2,
+                "identifier": "DFEMJWMJ",
+                "position": 1,
+                "answer": {"en": "M"}
+              },
+              {
+                "id": 3,
+                "identifier": "W9AH7RDE",
+                "position": 2,
+                "answer": {"en": "L"}
+              }
+            ]
+          }
+        ]
+      }
+
+   **Example error response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Content-Type: text/json
+
+      {
+        "status": "error",
+        "reason": "unpaid",
+      }
+
+   Possible error reasons:
+
+   * ``unpaid`` - Ticket is not paid for or has been refunded
+   * ``already_redeemed`` - Ticket already has been redeemed
+   * ``product`` - Tickets with this product may not be scanned at this device
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param list: The ID of the check-in list to look for
+   :param id: The ``id`` field of the order position to fetch
+   :statuscode 201: no error
+   :statuscode 400: Invalid or incomplete request, see above
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order position or check-in list does not exist.

doc/api/resources/events.rst

@@ -25,14 +25,22 @@ presale_start                         datetime                   The date at whi
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
 has_subevents                         boolean                    ``True`` if the event series feature is active for this
-                                                                 event
+                                                                 event. Cannot change after event is created.
 meta_data                             dict                       Values set for organizer-specific meta data parameters.
+plugins                               list                       A list of package names of the enabled plugins for this
+                                                                 event.
 ===================================== ========================== =======================================================
 
+
 .. versionchanged:: 1.7
 
    The ``meta_data`` field has been added.
 
+.. versionchanged:: 1.15
+
+   The ``plugins`` field has been added.
+   The operations POST, PATCH, PUT and DELETE have been added.
+
 Endpoints
 ---------
 
@@ -40,6 +48,8 @@ Endpoints
 
    Returns a list of all events within a given organizer the authenticated user/token has access to.
 
+   Permission required: "Can change event settings"
+
    **Example request**:
 
    .. sourcecode:: http
@@ -74,7 +84,13 @@ Endpoints
             "presale_end": null,
             "location": null,
             "has_subevents": false,
-            "meta_data": {}
+            "meta_data": {},
+            "plugins": [
+              "pretix.plugins.banktransfer"
+              "pretix.plugins.stripe"
+              "pretix.plugins.paypal"
+              "pretix.plugins.ticketoutputpdf"
+            ]
           }
         ]
       }
@@ -89,6 +105,8 @@ Endpoints
 
    Returns information on one event, identified by its slug.
 
+   Permission required: "Can change event settings"
+
    **Example request**:
 
    .. sourcecode:: http
@@ -118,7 +136,13 @@ Endpoints
         "presale_end": null,
         "location": null,
         "has_subevents": false,
-        "meta_data": {}
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.banktransfer"
+          "pretix.plugins.stripe"
+          "pretix.plugins.paypal"
+          "pretix.plugins.ticketoutputpdf"
+        ]
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -126,3 +150,242 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/
+
+   Creates a new event
+
+   Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
+   event before sales can go live.
+
+   Permission required: "Can create events"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "Sample Conference"},
+        "slug": "sampleconf",
+        "live": false,
+        "currency": "EUR",
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "is_public": false,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "has_subevents": false,
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal"
+        ]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "name": {"en": "Sample Conference"},
+        "slug": "sampleconf",
+        "live": false,
+        "currency": "EUR",
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "is_public": false,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "has_subevents": false,
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal"
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create.
+   :statuscode 201: no error
+   :statuscode 400: The event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/clone/
+
+   Creates a new event with properties as set in the request body. The properties that are copied are: 'is_public',
+   settings, plugin settings, items, variations, add-ons, quotas, categories, tax rules, questions.
+
+   If the 'plugins' and/or 'is_public' fields are present in the post body this will determine their value. Otherwise
+   their value will be copied from the existing event.
+
+   Please note that you can only copy from events under the same organizer.
+
+   Permission required: "Can create events"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/clone/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "Sample Conference"},
+        "slug": "sampleconf",
+        "live": false,
+        "currency": "EUR",
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "is_public": false,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "has_subevents": false,
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal"
+        ]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "name": {"en": "Sample Conference"},
+        "slug": "sampleconf",
+        "live": false,
+        "currency": "EUR",
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "is_public": false,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "has_subevents": false,
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal"
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create.
+   :param event: The ``slug`` field of the event to copy settings and items from.
+   :statuscode 201: no error
+   :statuscode 400: The event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/
+
+   Updates an event
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "plugins": [
+          "pretix.plugins.banktransfer",
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal",
+          "pretix.plugins.pretixdroid"
+        ]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "name": {"en": "Sample Conference"},
+        "slug": "sampleconf",
+        "live": false,
+        "currency": "EUR",
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "is_public": false,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "has_subevents": false,
+        "meta_data": {},
+        "plugins": [
+          "pretix.plugins.banktransfer",
+          "pretix.plugins.stripe",
+          "pretix.plugins.paypal",
+          "pretix.plugins.pretixdroid"
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to update
+   :param event: The ``slug`` field of the event to update
+   :statuscode 201: no error
+   :statuscode 400: The event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/
+
+   Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/index.rst

@@ -13,6 +13,7 @@ Resources and endpoints
    item_variations
    item_add-ons
    questions
+   question_options
    quotas
    orders
    invoices

doc/api/resources/invoices.rst

@@ -223,3 +223,59 @@ Endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                     seconds.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/invoices/(invoice_no)/reissue/
+
+   Cancels the invoice and creates a new one.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/invoices/00001/reissue/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+      Content-Type: application/pdf
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param invoice_no: The ``invoice_no`` field of the invoice to reissue
+   :statuscode 200: no error
+   :statuscode 400: The invoice has already been canceled
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/invoices/(invoice_no)/regenerate/
+
+   Re-generates the invoice from order data.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/invoices/00001/regenerate/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+      Content-Type: application/pdf
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param invoice_no: The ``invoice_no`` field of the invoice to regenerate
+   :statuscode 200: no error
+   :statuscode 400: The invoice has already been canceled
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.

doc/api/resources/item_add-ons.rst

@@ -148,7 +148,7 @@ Endpoints
 
    .. sourcecode:: http
 
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
       Vary: Accept
       Content-Type: application/json
 

doc/api/resources/item_variations.rst

@@ -6,7 +6,7 @@ Resource description
 
 Variations of items can be use for products (items) that are available in different sizes, colors or other variations
 of the same product.
-The addons resource contains the following public fields:
+The variations resource contains the following public fields:
 
 .. rst-class:: rest-resource-table
 
@@ -158,7 +158,7 @@ Endpoints
 
    .. sourcecode:: http
 
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
       Vary: Accept
       Content-Type: application/json
 

doc/api/resources/items.rst

@@ -56,7 +56,8 @@ checkin_attention                     boolean                    If ``True``, th
                                                                  a product is being scanned.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
-                                                                 Can be empty. Only writable on POST.
+                                                                 Can be empty. Only writable during creation,
+                                                                 use separate endpoint to modify this later.
 ├ id                                  integer                    Internal ID of the variation
 ├ default_price                       money (string)             The price set directly for this variation or ``null``
 ├ price                               money (string)             The price used for this variation. This is either the
@@ -67,7 +68,8 @@ variations                            list of objects            A list with one
                                                                  Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
 addons                                list of objects            Definition of add-ons that can be chosen for this item.
-                                                                 Only writable on POST.
+                                                                 Only writable during creation,
+                                                                 use separate endpoint to modify this later.
 ├ addon_category                      integer                    Internal ID of the item category the add-on can be
                                                                  chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
@@ -256,7 +258,7 @@ Endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
-.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/
 
    Creates a new item
 
@@ -315,7 +317,7 @@ Endpoints
 
    .. sourcecode:: http
 
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
       Vary: Accept
       Content-Type: application/json
 
@@ -369,7 +371,7 @@ Endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
 
-.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/
 
    Update an item. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
    the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you

doc/api/resources/orders.rst

@@ -28,10 +28,6 @@ datetime                              datetime                   Time of order c
 expires                               datetime                   The order will expire, if it is still pending by this time
 payment_date                          date                       Date of payment receipt
 payment_provider                      string                     Payment provider used for this order
-payment_fee                           money (string)             Payment fee included in this order's total
-payment_fee_tax_rate                  decimal (string)           Tax rate applied to the payment fee
-payment_fee_tax_value                 money (string)             Tax value included in the payment fee
-payment_fee_tax_rule                  integer                    The ID of the used tax rule (or ``null``)
 total                                 money (string)             Total value of this order
 comment                               string                     Internal comment on this order
 checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
@@ -95,6 +91,11 @@ downloads                             list of objects            List of ticket
 
    The field ``checkin_attention`` has been added.
 
+.. versionchanged:: 1.15
+
+   The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate``, ``order.payment_fee_tax_value`` and
+   ``order.payment_fee_tax_rule`` have finally been removed.
+
 .. _order-position-resource:
 
 Order position resource
@@ -129,7 +130,9 @@ downloads                             list of objects            List of ticket
 answers                               list of objects            Answers to user-defined questions
 ├ question                            integer                    Internal ID of the answered question
 ├ answer                              string                     Text representation of the answer
-└ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
+├ question_identifier                 string                     The question's ``identifier`` field
+├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
+└ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.7
@@ -140,10 +143,18 @@ answers                               list of objects            Answers to user
 
    The attribute ``checkins.list`` has been added.
 
+.. versionchanged:: 1.14
+
+  The attributes ``answers.question_identifier`` and ``answers.option_identifiers`` have been added.
+
 
 Order endpoints
 ---------------
 
+.. versionchanged:: 1.15
+
+   Filtering for emails or order codes is now case-insensitive.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/
 
    Returns a list of all orders within a given event.
@@ -222,7 +233,9 @@ Order endpoints
                 "answers": [
                   {
                     "question": 12,
+                    "question_identifier": "WY3TP9SL",
                     "answer": "Foo",
+                    "option_idenfiters": [],
                     "options": []
                   }
                 ],
@@ -330,7 +343,9 @@ Order endpoints
             "answers": [
               {
                 "question": 12,
+                "question_identifier": "WY3TP9SL",
                 "answer": "Foo",
+                "option_idenfiters": [],
                 "options": []
               }
             ],
@@ -599,6 +614,12 @@ Order endpoints
 Order position endpoints
 ------------------------
 
+.. versionchanged:: 1.15
+
+   The order positions endpoint has been extended by the filter queries ``item__in``, ``variation__in``,
+   ``order__status__in``, ``subevent__in``, ``addon_to__in`` and ``search``. The search for attendee names and order
+   codes is now case-insensitive.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/
 
    Returns a list of all order positions within a given event.
@@ -649,7 +670,9 @@ Order position endpoints
             "answers": [
               {
                 "question": 12,
+                "question_identifier": "WY3TP9SL",
                 "answer": "Foo",
+                "option_idenfiters": [],
                 "options": []
               }
             ],
@@ -668,16 +691,24 @@ Order position endpoints
                            ``order__datetime``, ``positionid``, ``attendee_name``, and ``order__status``. Default:
                            ``order__datetime,positionid``
    :query string order: Only return positions of the order with the given order code
+   :query string search: Fuzzy search matching the attendee name, order code, invoice address name as well as to the beginning of the secret.
    :query integer item: Only return positions with the purchased item matching the given ID.
+   :query integer item__in: Only return positions with the purchased item matching one of the given comma-separated IDs.
    :query integer variation: Only return positions with the purchased item variation matching the given ID.
+   :query integer variation__in: Only return positions with one of the purchased item variation matching the given
+                                 comma-separated IDs.
    :query string attendee_name: Only return positions with the given value in the attendee_name field. Also, add-on
                                 products positions are shown if they refer to an attendee with the given name.
    :query string secret: Only return positions with the given ticket secret.
    :query string order__status: Only return positions with the given order status.
-   :query bollean has_checkin: If set to ``true`` or ``false``, only return positions that have or have not been
+   :query string order__status__in: Only return positions with one the given comma-separated order status.
+   :query boolean has_checkin: If set to ``true`` or ``false``, only return positions that have or have not been
                                checked in already.
    :query integer subevent: Only return positions of the sub-event with the given ID
+   :query integer subevent__in: Only return positions of one of the sub-events with the given comma-separated IDs
    :query integer addon_to: Only return positions that are add-ons to the position with the given ID.
+   :query integer addon_to__in: Only return positions that are add-ons to one of the positions with the given
+                                comma-separated IDs.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :statuscode 200: no error
@@ -729,7 +760,9 @@ Order position endpoints
         "answers": [
           {
             "question": 12,
+            "question_identifier": "WY3TP9SL",
             "answer": "Foo",
+            "option_idenfiters": [],
             "options": []
           }
         ],

doc/api/resources/question_options.rst

@@ -0,0 +1,233 @@
+Question options
+================
+
+Resource description
+--------------------
+
+Questions of type "choice" or "multiple choice" can have different options attached.
+The options resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the option
+position                              integer                    An integer, used for sorting
+identifier                            string                     An arbitrary string that can be used for matching with
+                                                                 other sources.
+answer                                multi-lingual string       The displayed value of this option
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.12
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/
+
+   Returns a list of all options for a given question.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/questions/11/options/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "identifier": "LVETRWVU",
+            "position": 1,
+            "answer": {"en": "S"}
+          },
+          {
+            "id": 2,
+            "identifier": "DFEMJWMJ",
+            "position": 2,
+            "answer": {"en": "M"}
+          },
+          {
+            "id": 3,
+            "identifier": "W9AH7RDE",
+            "position": 3,
+            "answer": {"en": "L"}
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query boolean active: If set to ``true`` or ``false``, only questions with this value for the field ``active`` will be
+                          returned.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param question: The ``id`` field of the question to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/question does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/(id)/
+
+   Returns information on one option, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "identifier": "LVETRWVU",
+        "position": 1,
+        "answer": {"en": "S"}
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param question: The ``id`` field of the question to fetch
+   :param id: The ``id`` field of the option to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/
+
+   Creates a new option
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "identifier": "LVETRWVU",
+        "position": 1,
+        "answer": {"en": "S"}
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "identifier": "LVETRWVU",
+        "position": 1,
+        "answer": {"en": "S"}
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/question to create a option for
+   :param event: The ``slug`` field of the event to create a option for
+   :param question: The ``id`` field of the question to create a option for
+   :statuscode 201: no error
+   :statuscode 400: The option could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/(id)/
+
+   Update an option. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "position": 3
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "identifier": "LVETRWVU",
+        "position": 1,
+        "answer": {"en": "S"}
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the question to modify
+   :param id: The ``id`` field of the option to modify
+   :statuscode 200: no error
+   :statuscode 400: The option could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/options/(id)/
+
+   Delete an option.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the question to modify
+   :param id: The ``id`` field of the option to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/questions.rst

@@ -31,12 +31,18 @@ type                                  string                     The expected ty
 required                              boolean                    If ``True``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
+identifier                            string                     An arbitrary string that can be used for matching with
+                                                                 other sources.
 ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
                                                                  buying the ticket, but will show up when redeeming
                                                                  the ticket instead.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
-                                                                 available objects.
+                                                                 available objects. Only writable during creation,
+                                                                 use separate endpoint to modify this later.
 ├ id                                  integer                    Internal ID of the option
+├ position                            integer                    An integer, used for sorting
+├ identifier                          string                     An arbitrary string that can be used for matching with
+                                                                 other sources.
 └ answer                              multi-lingual string       The displayed value of this option
 ===================================== ========================== =======================================================
 
@@ -45,9 +51,19 @@ options                               list of objects            In case of ques
   The values ``D``, ``H``, and ``W`` for the field ``type`` are now allowed and the ``ask_during_checkin`` field has
   been added.
 
+.. versionchanged:: 1.14
+
+  Write methods have been added. The attribute ``identifier`` has been added to both the resource itself and the
+  options resource. The ``position`` attribute has been added to the options resource.
+
 Endpoints
 ---------
 
+.. versionchanged:: 1.15
+
+   The questions endpoint has been extended by the filter queries ``ask_during_checkin``, ``requred``, and
+   ``identifier``.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/
 
    Returns a list of all questions within a given event.
@@ -80,18 +96,25 @@ Endpoints
             "required": false,
             "items": [1, 2],
             "position": 1,
+            "identifier": "WY3TP9SL",
             "ask_during_checkin": false,
             "options": [
               {
                 "id": 1,
+                "identifier": "LVETRWVU",
+                "position": 0,
                 "answer": {"en": "S"}
               },
               {
                 "id": 2,
+                "identifier": "DFEMJWMJ",
+                "position": 1,
                 "answer": {"en": "M"}
               },
               {
                 "id": 3,
+                "identifier": "W9AH7RDE",
+                "position": 2,
                 "answer": {"en": "L"}
               }
             ]
@@ -102,6 +125,9 @@ Endpoints
    :query integer page: The page number in case of a multi-page result set, default is 1
    :query string ordering: Manually set the ordering of results. Valid fields to be used are ``id`` and ``position``.
                            Default: ``position``
+   :query string identifier: Only return questions with the given identifier string
+   :query boolean ask_during_checkin: Only return questions that are or are not to be asked during check-in
+   :query boolean required: Only return questions that are or are not required to fill in
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :statuscode 200: no error
@@ -134,19 +160,26 @@ Endpoints
         "type": "C",
         "required": false,
         "items": [1, 2],
-        "ask_during_checkin": false,
         "position": 1,
+        "identifier": "WY3TP9SL",
+        "ask_during_checkin": false,
         "options": [
           {
             "id": 1,
+            "identifier": "LVETRWVU",
+            "position": 1,
             "answer": {"en": "S"}
           },
           {
             "id": 2,
+            "identifier": "DFEMJWMJ",
+            "position": 2,
             "answer": {"en": "M"}
           },
           {
             "id": 3,
+            "identifier": "W9AH7RDE",
+            "position": 3,
             "answer": {"en": "L"}
           }
         ]
@@ -158,3 +191,179 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/questions/
+
+   Creates a new question
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/questions/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "question": {"en": "T-Shirt size"},
+        "type": "C",
+        "required": false,
+        "items": [1, 2],
+        "position": 1,
+        "ask_during_checkin": false,
+        "options": [
+          {
+            "answer": {"en": "S"}
+          },
+          {
+            "answer": {"en": "M"}
+          },
+          {
+            "answer": {"en": "L"}
+          }
+        ]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+
+      {
+        "id": 1,
+        "question": {"en": "T-Shirt size"},
+        "type": "C",
+        "required": false,
+        "items": [1, 2],
+        "position": 1,
+        "identifier": "WY3TP9SL",
+        "ask_during_checkin": false,
+        "options": [
+          {
+            "id": 1,
+            "identifier": "LVETRWVU",
+            "position": 1,
+            "answer": {"en": "S"}
+          },
+          {
+            "id": 2,
+            "identifier": "DFEMJWMJ",
+            "position": 2,
+            "answer": {"en": "M"}
+          },
+          {
+            "id": 3,
+            "identifier": "W9AH7RDE",
+            "position": 3,
+            "answer": {"en": "L"}
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create an item for
+   :param event: The ``slug`` field of the event to create an item for
+   :statuscode 201: no error
+   :statuscode 400: The item could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/
+
+   Update a question. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``options`` field. If
+   you need to update/delete options please use the nested dedicated endpoints.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "position": 2
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "question": {"en": "T-Shirt size"},
+        "type": "C",
+        "required": false,
+        "items": [1, 2],
+        "position": 2,
+        "identifier": "WY3TP9SL",
+        "ask_during_checkin": false,
+        "options": [
+          {
+            "id": 1,
+            "identifier": "LVETRWVU",
+            "position": 1,
+            "answer": {"en": "S"}
+          },
+          {
+            "id": 2,
+            "identifier": "DFEMJWMJ",
+            "position": 2,
+            "answer": {"en": "M"}
+          },
+          {
+            "id": 3,
+            "identifier": "W9AH7RDE",
+            "position": 3,
+            "answer": {"en": "L"}
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the question to modify
+   :statuscode 200: no error
+   :statuscode 400: The item could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/
+
+   Delete a question.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/quotas.rst

@@ -135,7 +135,7 @@ Endpoints
 
    .. sourcecode:: http
 
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
       Vary: Accept
       Content-Type: application/json
 

doc/api/resources/vouchers.rst

@@ -251,7 +251,7 @@ Endpoints
 
       {
         "price_mode": "set",
-        "value": "24.00",
+        "value": "24.00"
       }
 
    **Example response**:

doc/api/resources/waitinglist.rst

@@ -27,6 +27,12 @@ subevent                              integer                    ID of the date
 ===================================== ========================== =======================================================
 
 
+.. versionchanged:: 1.15
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added as well as a method to send out
+   vouchers.
+
+
 Endpoints
 ---------
 
@@ -121,3 +127,161 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/waitinglistentries/
+
+   Create a new entry.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/waitinglistentries/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "email": "waiting@example.org",
+        "item": 3,
+        "variation": null,
+        "locale": "de",
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "created": "2017-12-01T10:00:00Z",
+        "email": "waiting@example.org",
+        "voucher": null,
+        "item": 3,
+        "variation": null,
+        "locale": "de",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create an entry for
+   :param event: The ``slug`` field of the event to create an entry for
+   :statuscode 201: no error
+   :statuscode 400: The voucher could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this
+                    resource **or** entries cannot be created for this item at this time.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/waitinglistentries/(id)/
+
+   Update an entry. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id``, ``voucher`` and ``created`` fields. You can only change
+   an entry as long as no ``voucher`` is set.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/waitinglistentries/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "item": 4
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "created": "2017-12-01T10:00:00Z",
+        "email": "waiting@example.org",
+        "voucher": null,
+        "item": 4,
+        "variation": null,
+        "locale": "de",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the entry to modify
+   :statuscode 200: no error
+   :statuscode 400: The entry could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this
+                    resource **or** entries cannot be created for this item at this time **or** this entry already
+                    has a voucher assigned
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/waitinglistentries/(id)/send_voucher/
+
+   Manually sends a voucher to someone on the waiting list
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/waitinglistentries/1/send_voucher/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 0
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the entry to modify
+   :statuscode 204: no error
+   :statuscode 400: The voucher could not be sent out, see body for details (e.g. voucher has already been sent or
+                    item is not available).
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to do this
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/waitinglistentries/(id)/
+
+   Delete an entry. Note that you cannot delete an entry once it is assigned a voucher.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/waitinglistentries/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the entry to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this
+                    resource **or** this entry already has a voucher assigned.

doc/conf.py

@@ -31,6 +31,13 @@ import django
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pretix.testutils.settings")
 django.setup()
 
+
+try:
+    import enchant
+    HAS_PYENCHANT = True
+except:
+    HAS_PYENCHANT = False
+
 # -- General configuration ------------------------------------------------
 
 # If your documentation needs a minimal Sphinx version, state it here.
@@ -45,8 +52,9 @@ extensions = [
     'sphinx.ext.coverage',
     'sphinxcontrib.httpdomain',
     'sphinxcontrib.images',
-    'sphinxcontrib.spelling',
 ]
+if HAS_PYENCHANT:
+    extensions.append('sphinxcontrib.spelling')
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -292,21 +300,25 @@ images_config = {
     'default_image_width': '250px'
 }
 
+linkcheck_ignore = [
+    r'http://localhost.*', r'.*yourdomain.*', r'https://en.wikipedia.org', 'https://pretix.eu/',
+]
+
 # -- Options for Spelling output ------------------------------------------
+if HAS_PYENCHANT:
+    # String specifying the language, as understood by PyEnchant and enchant.
+    # Defaults to en_US for US English.
+    spelling_lang = 'en_US'
 
-# String specifying the language, as understood by PyEnchant and enchant.
-# Defaults to en_US for US English.
-spelling_lang = 'en_US'
+    # String specifying a file containing a list of words known to be spelled
+    # correctly but that do not appear in the language dictionary selected by
+    # spelling_lang. The file should contain one word per line.
+    spelling_word_list_filename='spelling_wordlist.txt'
 
-# String specifying a file containing a list of words known to be spelled
-# correctly but that do not appear in the language dictionary selected by
-# spelling_lang. The file should contain one word per line.
-spelling_word_list_filename='spelling_wordlist.txt'
+    # Boolean controlling whether suggestions for misspelled words are printed.
+    # Defaults to False.
+    spelling_show_suggestions=True
 
-# Boolean controlling whether suggestions for misspelled words are printed.
-# Defaults to False.
-spelling_show_suggestions=True
-
-# List of filter classes to be added to the tokenizer that produces words to be checked. 
-from checkin_filter import CheckinFilter
-spelling_filters=[CheckinFilter]
+    # List of filter classes to be added to the tokenizer that produces words to be checked.
+    from checkin_filter import CheckinFilter
+    spelling_filters=[CheckinFilter]

doc/development/api/general.rst

@@ -11,7 +11,8 @@ Core
 ----
 
 .. automodule:: pretix.base.signals
-   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types
+   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
+      item_copy_data
 
 Order events
 """"""""""""
@@ -56,6 +57,12 @@ Backend
 Vouchers
 """"""""
 
+.. automodule:: pretix.control.signals
+   :members: item_forms
+
+Vouchers
+""""""""
+
 .. automodule:: pretix.control.signals
    :members: voucher_form_class, voucher_form_html, voucher_form_validation
 
@@ -68,5 +75,5 @@ Dashboards
 Ticket designs
 """"""""""""""
 
-.. automodule:: pretix.plugins.ticketoutputpdf.signals
+.. automodule:: pretix.base.signals
    :members: layout_text_variables

doc/development/api/index.rst

@@ -11,5 +11,7 @@ Contents:
    ticketoutput
    payment
    invoice
+   shredder
    customview
    general
+   quality

doc/development/api/invoice.rst

@@ -13,7 +13,7 @@ Output registration
 -------------------
 
 The invoice renderer API does not make a lot of usage from signals, however, it
-does use a signal to get a list of all available ticket outputs. Your plugin
+does use a signal to get a list of all available invoice renderers. Your plugin
 should listen for this signal and return the subclass of ``pretix.base.invoice.BaseInvoiceRenderer``
 that we'll provide in this plugin::
 

doc/development/api/payment.rst

@@ -104,6 +104,8 @@ The provider class
 
    .. automethod:: is_implicit
 
+   .. automethod:: shred_payment_info
+
 
 Additional views
 ----------------

doc/development/api/plugins.rst

@@ -142,5 +142,5 @@ your Django app label.
 .. _Django app: https://docs.djangoproject.com/en/1.7/ref/applications/
 .. _signal dispatcher: https://docs.djangoproject.com/en/1.7/topics/signals/
 .. _namespace packages: http://legacy.python.org/dev/peps/pep-0420/
-.. _entry point: https://pythonhosted.org/setuptools/setuptools.html#dynamic-discovery-of-services-and-plugins
+.. _entry point: https://setuptools.readthedocs.io/en/latest/pkg_resources.html#locating-plugins
 .. _cookiecutter: https://cookiecutter.readthedocs.io/en/latest/

doc/development/api/quality.rst

@@ -0,0 +1,125 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+.. _`pluginquality`:
+
+Plugin quality checklist
+========================
+
+If you want to write a high-quality pretix plugin, this is a list of things you should check before
+you publish it. This is also a list of things that we check, if we consider installing an externally
+developed plugin on our hosted infrastructure.
+
+A. Meta
+-------
+
+#. The plugin is clearly licensed under an appropriate license.
+
+#. The plugin has an unambiguous name, description, and author metadata.
+
+#. The plugin has a clear versioning scheme and the latest version of the plugin is kept compatible to the latest
+   stable version of pretix.
+
+#. The plugin is properly packaged using standard Python packaging tools.
+
+#. The plugin correctly declares its external dependencies.
+
+#. A contact address is provided in case of security issues.
+
+B. Isolation
+------------
+
+#. If any signal receivers use the `dispatch_uid`_ feature, the UIDs are prefixed by the plugin's name and do not
+   clash with other plugins.
+
+#. If any templates or static files are shipped, they are located in subdirectories with the name of the plugin and do
+   not clash with other plugins or core files.
+
+#. Any keys stored to the settings store are prefixed with the plugin's name and do not clash with other plugins or
+   core.
+
+#. Any keys stored to the user session are prefixed with the plugin's name and do not clash with other plugins or
+   core.
+
+#. Any registered URLs are unlikely to clash with other plugins or future core URLs.
+
+C. Security
+-----------
+
+#. All important actions are logged to the :ref:`shared log storage <logging>` and a signal receiver is registered to
+   provide a human-readable representation of the log entry.
+
+#. All views require appropriate permissions and use the ``event_urls`` mechanism if appropriate.
+   :ref:`Read more <customview>`
+
+#. Any session data for customers is stored in the cart session system if appropriate.
+
+#. If the plugin is a payment provider:
+
+  #. No credit card numbers may be stored within pretix.
+
+  #. A notification/webhook system is implemented to notify pretix of any refunds.
+
+  #. If such a webhook system is implemented, contents of incoming webhooks are either verified using a cryptographic
+     signature or are not being trusted and all data is fetched from an API instead.
+
+D. Privacy
+----------
+
+#. No personal data is stored that is not required for the plugin's functionality.
+
+#. For any personal data that is saved to the database, an appropriate :ref:`data shredder <shredder>` is provided
+   that offers the data for download and then removes it from the database (including log entries).
+
+E. Internationalization
+-----------------------
+
+#. All user-facing strings in templates, Python code, and templates are wrapped in `gettext calls`_.
+
+#. No languages, time zones, date formats, or time formats are hardcoded.
+
+#. Installing the plugin automatically compiles ``.po`` files to ``.mo`` files. This is fulfilled automatically if
+   you use the ``setup.py`` file form our plugin cookiecutter.
+
+F. Functionality
+----------------
+
+#. If the plugin adds any database models or relationships from the settings storage to database models, it registers
+   a receiver to the :py:attr:`pretix.base.signals.event_copy_data` or :py:attr:`pretix.base.signals.item_copy_data`
+   signals.
+
+#. If the plugin is a payment provider:
+
+    #. A webhook-like system is implemented if payment confirmations are not sent instantly.
+
+    #. Refunds are implemented, if possible.
+
+    #. In case of overpayment or external refunds, a "required action" is created to notify the event organizer.
+
+#. If the plugin adds steps to the checkout process, it has been tested in combination with the pretix widget.
+
+G. Code quality
+---------------
+
+#. `isort`_ and `flake8`_ are used to ensure consistent code styling.
+
+#. Unit tests are provided for important pieces of business logic.
+
+#. Functional tests are provided for important interface parts.
+
+#. Tests are provided to check that permission checks are working.
+
+#. Continuous Integration is set up to check that tests are passing and styling is consistent.
+
+H. Specific to pretix.eu
+------------------------
+
+#. pretix.eu integrates the data stored by this plugin with its data report features.
+
+#. pretix.eu integrates this plugin in its generated privacy statements, if necessary.
+
+
+.. _isort: https://www.google.de/search?q=isort&oq=isort&aqs=chrome..69i57j0j69i59j69i60l2j69i59.599j0j4&sourceid=chrome&ie=UTF-8
+.. _flake8: http://flake8.pycqa.org/en/latest/
+.. _gettext calls: https://docs.djangoproject.com/en/2.0/topics/i18n/translation/
+.. _dispatch_uid: https://docs.djangoproject.com/en/2.0/topics/signals/#django.dispatch.Signal.connect

doc/development/api/shredder.rst

@@ -0,0 +1,94 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+.. _`shredder`:
+
+Writing a data shredder
+=======================
+
+If your plugin adds the ability to store personal data within pretix, you should also implement a "data shredder"
+to anonymize or pseudonymize the data later.
+
+Shredder registration
+---------------------
+
+The data shredder API does not make a lot of usage from signals, however, it
+does use a signal to get a list of all available data shredders. Your plugin
+should listen for this signal and return the subclass of ``pretix.base.shredder.BaseDataShredder``
+that we'll provide in this plugin:
+
+.. sourcecode:: python
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import register_data_shredders
+
+
+    @receiver(register_data_shredders, dispatch_uid="custom_data_shredders")
+    def register_shredder(sender, **kwargs):
+        return [
+            PluginDataShredder,
+        ]
+
+The shredder class
+------------------
+
+.. class:: pretix.base.shredder.BaseDataShredder
+
+   The central object of each invoice renderer is the subclass of ``BaseInvoiceRenderer``.
+
+   .. py:attribute:: BaseInvoiceRenderer.event
+
+      The default constructor sets this property to the event we are currently
+      working for.
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: verbose_name
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: description
+
+      This is an abstract attribute, you **must** override this!
+
+   .. automethod:: generate_files
+
+   .. automethod:: shred_data
+
+Example
+-------
+
+For example, the core data shredder responsible for removing invoice address information including their history
+looks like this:
+
+.. sourcecode:: python
+
+    class InvoiceAddressShredder(BaseDataShredder):
+        verbose_name = _('Invoice addresses')
+        identifier = 'invoice_addresses'
+        description = _('This will remove all invoice addresses from orders, '
+                        'as well as logged changes to them.')
+
+        def generate_files(self) -> List[Tuple[str, str, str]]:
+            yield 'invoice-addresses.json', 'application/json', json.dumps({
+                ia.order.code: InvoiceAdddressSerializer(ia).data
+                for ia in InvoiceAddress.objects.filter(order__event=self.event)
+            }, indent=4)
+
+        @transaction.atomic
+        def shred_data(self):
+            InvoiceAddress.objects.filter(order__event=self.event).delete()
+
+            for le in self.event.logentry_set.filter(action_type="pretix.event.order.modified"):
+                d = le.parsed_data
+                if 'invoice_data' in d and not isinstance(d['invoice_data'], bool):
+                    for field in d['invoice_data']:
+                        if d['invoice_data'][field]:
+                            d['invoice_data'][field] = '█'
+                    le.data = json.dumps(d)
+                    le.shredded = True
+                    le.save(update_fields=['data', 'shredded'])
+

doc/development/contribution/codeofconduct.rst

@@ -77,6 +77,6 @@ Attribution
 -----------
 
 This Code of Conduct is adapted from the `Contributor Covenant`_, version 1.4,
-available at http://contributor-covenant.org/version/1/4/
+available at https://www.contributor-covenant.org/version/1/4/
 
-.. _Contributor Covenant: http://contributor-covenant.org
+.. _Contributor Covenant: https://www.contributor-covenant.org

doc/development/contribution/style.rst

@@ -24,7 +24,7 @@ Coding style and quality
   ``Fix #123 -- Problems with order creation`` or ``Refs #123 -- Fix this part of that bug``.
 
 
-.. _PEP 8: http://legacy.python.org/dev/peps/pep-0008/
+.. _PEP 8: https://legacy.python.org/dev/peps/pep-0008/
 .. _flake8: https://pypi.python.org/pypi/flake8
 .. _Django Coding Style: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/
 .. _translation: https://docs.djangoproject.com/en/1.11/topics/i18n/translation/

doc/development/implementation/index.rst

@@ -16,4 +16,5 @@ Contents:
    settings
    background
    email
+   permissions
    logging

doc/development/implementation/logging.rst

@@ -4,6 +4,8 @@ Logging and notifications
 As pretix is handling monetary transactions, we are very careful to make it possible to review all changes
 in the system that lead to the current state.
 
+.. _`logging`:
+
 Logging changes
 ---------------
 

doc/development/implementation/models.rst

@@ -31,6 +31,9 @@ Organizers and events
 .. autoclass:: pretix.base.models.Team
    :members:
 
+.. autoclass:: pretix.base.models.TeamAPIToken
+   :members:
+
 .. autoclass:: pretix.base.models.RequiredAction
    :members:
 

doc/development/implementation/permissions.rst

@@ -0,0 +1,194 @@
+Permissions
+===========
+
+pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
+The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_
+and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
+An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
+assigned a set of permissions and connected to some or all of the events of the organizer.
+
+A second way to access pretix is via the REST API, which allows authentication via tokens that are bound to a team,
+but not to a user. You can read more at :class:`pretix.base.models.TeamAPIToken`. This page will show you how to
+work with permissions in plugins and within the pretix code base.
+
+Requiring permissions for a view
+--------------------------------
+
+pretix provides a number of useful mixins and decorators that allow you to specify that a user needs a certain
+permission level to access a view::
+
+    from pretix.control.permissions import (
+        OrganizerPermissionRequiredMixin, organizer_permission_required
+    )
+
+
+    class MyOrgaView(OrganizerPermissionRequiredMixin, View):
+        permission = 'can_change_organizer_settings'
+        # Only users with the permission ``can_change_organizer_settings`` on
+        # this organizer can access this
+
+
+    class MyOtherOrgaView(OrganizerPermissionRequiredMixin, View):
+        permission = None
+        # Only users with *any* permission on this organizer can access this
+
+
+    @organizer_permission_required('can_change_organizer_settings')
+    def my_orga_view(request, organizer, **kwargs):
+        # Only users with the permission ``can_change_organizer_settings`` on
+        # this organizer can access this
+
+
+    @organizer_permission_required()
+    def my_other_orga_view(request, organizer, **kwargs):
+        # Only users with *any* permission on this organizer can access this
+
+
+Of course, the same is available on event level::
+
+    from pretix.control.permissions import (
+        EventPermissionRequiredMixin, event_permission_required
+    )
+
+
+    class MyEventView(EventPermissionRequiredMixin, View):
+        permission = 'can_change_event_settings'
+        # Only users with the permission ``can_change_event_settings`` on
+        # this event can access this
+
+
+    class MyOtherEventView(EventPermissionRequiredMixin, View):
+        permission = None
+        # Only users with *any* permission on this event can access this
+
+
+    @event_permission_required('can_change_event_settings')
+    def my_event_view(request, organizer, **kwargs):
+        # Only users with the permission ``can_change_event_settings`` on
+        # this event can access this
+
+
+    @event_permission_required()
+    def my_other_event_view(request, organizer, **kwargs):
+        # Only users with *any* permission on this event can access this
+
+You can also require that this view is only accessible by system administrators with an active "admin session"
+(see below for what this means)::
+
+    from pretix.control.permissions import (
+        AdministratorPermissionRequiredMixin, administrator_permission_required
+    )
+
+
+    class MyGlobalView(AdministratorPermissionRequiredMixin, View):
+        # ...
+
+
+    @administrator_permission_required
+    def my_global_view(request, organizer, **kwargs):
+        # ...
+
+In rare cases it might also be useful to expose a feature only to people who have a staff account but do not
+necessarily have an active admin session::
+
+    from pretix.control.permissions import (
+        StaffMemberRequiredMixin, staff_member_required
+    )
+
+
+    class MyGlobalView(StaffMemberRequiredMixin, View):
+        # ...
+
+
+    @staff_member_required
+    def my_global_view(request, organizer, **kwargs):
+        # ...
+
+
+
+Requiring permissions in the REST API
+-------------------------------------
+
+When creating your own ``viewset`` using Django REST framework, you just need to set the ``permission`` attribute
+and pretix will check it automatically for you::
+
+    class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
+        permission = 'can_view_orders'
+
+Checking permission in code
+---------------------------
+
+If you need to work with permissions manually, there are a couple of useful helper methods on the :class:`pretix.base.models.Event`,
+:class:`pretix.base.models.User` and :class:`pretix.base.models.TeamAPIToken` classes. Here's a quick overview.
+
+Return all users that are in any team that is connected to this event::
+
+    >>> event.get_users_with_any_permission()
+    <QuerySet: …>
+
+Return all users that are in a team with a specific permission for this event::
+
+    >>> event.get_users_with_permission('can_change_event_settings')
+    <QuerySet: …>
+
+Determine if a user has a certain permission for a specific event::
+
+    >>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request)
+    True
+
+Determine if a user has any permission for a specific event::
+
+    >>> user.has_event_permission(organizer, event, request=request)
+    True
+
+In the two previous commands, the ``request`` argument is optional, but required to support staff sessions (see below).
+
+The same method exists for organizer-level permissions::
+
+    >>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request)
+    True
+
+Sometimes, it might be more useful to get the set of permissions at once::
+
+    >>> user.get_event_permission_set(organizer, event)
+    {'can_change_event_settings', 'can_view_orders', 'can_change_orders'}
+
+    >>> user.get_organizer_permission_set(organizer, event)
+    {'can_change_organizer_settings', 'can_create_events'}
+
+Within a view on the ``/control`` subpath, the results of these two methods are already available in the
+``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
+
+    {% if "can_change_orders" in request.eventpermset %}
+        …
+    {% endif %}
+
+You can also do the reverse to get any events a user has access to::
+
+    >>> user.get_events_with_permission('can_change_event_settings', request=request)
+    <QuerySet: …>
+
+    >>> user.get_events_with_any_permission(request=request)
+    <QuerySet: …>
+
+Most of these methods work identically on :class:`pretix.base.models.TeamAPIToken`.
+
+Staff sessions
+--------------
+
+.. versionchanged:: 1.14
+
+   In 1.14, the ``User.is_superuser`` attribute has been deprecated and statically set to return ``False``. Staff
+   sessions have been newly introduced.
+
+System administrators of a pretix instance are identified by the ``is_staff`` attribute on the user model. By default,
+the regular permission rules apply for users with ``is_staff = True``. The only difference is that such users can
+temporarily turn on "staff mode" via a button in the user interface that grants them **all permissions** as long as
+staff mode is active. You can check if a user is in staff mode using their session key:
+
+    >>> user.has_active_staff_session(request.session.session_key)
+    False
+
+Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
+the user is able to also save a message to comment on what they did in their administrative session. This feature is
+intended to help compliance with data protection rules as imposed e.g. by GDPR.

doc/development/index.rst

@@ -8,5 +8,6 @@ Developer documentation
    setup
    contribution/index
    implementation/index
+   translation/index
    api/index
    structure

doc/development/setup.rst

@@ -115,12 +115,19 @@ Execute the following command to run pretix' test suite (might take a couple of
           ``NUM`` being the number of threads you want to use.
 
 It is a good idea to put this command into your git hook ``.git/hooks/pre-commit``,
-for example::
+for example, to check for any errors in any staged files when committing::
 
-    #!/bin/sh
+    #!/bin/bash
     cd $GIT_DIR/../src
-    flake8 . || exit 1
-    isort -q -rc -c . || exit 1
+    export GIT_WORK_TREE=../
+    export GIT_DIR=../.git
+    source ../env/bin/activate  # Adjust to however you activate your virtual environment
+    for file in $(git diff --cached --name-only | grep -E '\.py$')
+    do
+      git show ":$file" | flake8 - --stdin-display-name="$file" || exit 1 # we only want to lint the staged changes, not any un-staged changes
+      git show ":$file" | isort -df --check-only - | grep ERROR && exit 1 || true
+    done
+
 
 This keeps you from accidentally creating commits violating the style guide.
 
@@ -145,6 +152,10 @@ and update the ``*.po`` files accordingly::
 
     make localegen
 
+However, most of the time you don't need to care about this. Just create your pull request
+with functionality and English strings only, and we'll push the new translation strings
+to our translation platform after the merge.
+
 To actually see pretix in your language, you have to compile the ``*.po`` files to their
 optimized binary ``*.mo`` counterparts::
 

doc/development/translation/index.rst

@@ -0,0 +1,88 @@
+Translating pretix
+==================
+
+pretix has been designed for multi-language capabilities from its start. Organizers can enter their event information
+in multiple languages at the same time. However, the software interface of pretix also needs to be translated for
+this to be useful.
+
+Since we (the developers of pretix) only speak a very limited number of languages, we need help from the community
+to achieve this goal. To make translating pretix easy not only for software developers, we set up a translation
+platform at `translate.pretix.eu`_.
+
+Official and inofficial languages
+---------------------------------
+
+In the pretix project, there are three types of languages:
+
+Official languages
+    are translated and maintained by the core team behind pretix or as part of long-term partnerships. We are
+    committed to keeping these translations up-to-date with new features or changes in pretix and try to offer
+    support in this language.
+
+Inofficial languages
+    are contributed and maintained by the Community. We ship them with pretix so you can use them, but we can not
+    guarantee that new or changed features in pretix will be translated in time.
+
+Incubating languages
+    are currently in the process of being translated. They can not yet be selected in pretix by end users on
+    production installations and are only available in development mode for testing.
+
+Please contact translate@pretix.eu if you think an incubated language should be promoted to an inofficial one or if
+you are interested in a partnership to make your language official.
+
+The current translation status of various languages is:
+
+.. image:: https://translate.pretix.eu/widgets/pretix/-/multi-blue.svg
+   :target: https://translate.pretix.eu/engage/pretix/?utm_source=widget
+
+
+Using our translation platform
+------------------------------
+
+If you visit `translate.pretix.eu`_ for the first time, it admittedly looks pretty bare.
+
+.. image:: img/weblate1.png
+   :class: screenshot
+
+It gets better if you create an account, which you will need to contribute translations. Click on "Register" in the
+top-right corner to get started:
+
+.. image:: img/weblate2.png
+   :class: screenshot
+
+You can either create an account or choose to log in with your GitHub account, whichever you like more.
+After creating and activating your account, we recommend that you change your profile and select which languages you
+can translate to and which languages you understand. You can find your profile settings by clicking on your name in
+the top-right corner.
+
+.. image:: img/weblate3.png
+   :class: screenshot
+
+Going back to the dashboard by clicking on the logo in the top-left corner, you can select between different lists
+of translation projects. You can either filter by projects that already have a translation in your language, or you
+go to the `pretix project page`_ where you can select specific components.
+
+.. note::
+
+   If you want to translate pretix to a new language that is not yet listed here, you are very welcome to do so!
+   While you technically can add the language to the portal yourself, we ask you to drop us a short mail to
+   translate@pretix.eu so we can add it to all components at once and also make it selectable in pretix itself.
+
+.. image:: img/weblate4.png
+   :class: screenshot
+
+Once you selected a component of a language, you can start going through strings to translate. You can start of by
+clicking the "Strings needing action" line in this view:
+
+.. image:: img/weblate5.png
+   :class: screenshot
+
+In the translate view, you can input your translation for a given source string. If you're unsure about your
+translation, you can also just "Suggest" it or mark it as "Needs editing". If you have no idea, just "Skip". If you
+scroll down, there is also a "Comments" section to discuss any questions with fellow translators or us developers.
+
+.. image:: img/weblate6.png
+   :class: screenshot
+
+.. _translate.pretix.eu: https://translate.pretix.eu
+.. _pretix project page: https://translate.pretix.eu/projects/pretix/

doc/plugins/pretixdroid.rst

@@ -4,10 +4,10 @@ pretixdroid HTTP API
 The pretixdroid plugin provides a HTTP API that the `pretixdroid Android app`_
 uses to communicate with the pretix server.
 
-.. warning:: This API is intended **only** to serve the pretixdroid Android app. There are no backwards compatibility
-             guarantees on this API. We will not add features that are not required for the Android App. There is a
-             general-purpose :ref:`rest-api` that not yet provides all features that this API provides, but will do
-             so in the future.
+.. warning:: This API is **DEPRECATED** and will probably go away soon. It is used **only** to serve the pretixdroid
+             Android app. There are no backwards compatibility guarantees on this API. We will not add features that
+             are not required for the  Android App. There is a general-purpose :ref:`rest-api` that provides all
+             features that you need to check in.
 
 .. versionchanged:: 1.12
 

doc/requirements.txt

@@ -4,4 +4,5 @@ sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
 sphinxcontrib-spelling
-pyenchant
+# See https://github.com/rfk/pyenchant/pull/130
+git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant

doc/spelling_wordlist.txt

@@ -1,6 +1,8 @@
 addon
 addons
+anonymize
 api
+auditability
 auth
 autobuild
 backend
@@ -15,8 +17,10 @@ checksum
 config
 contenttypes
 contextmanager
+cookiecutter
 cron
 cronjob
+cryptographic
 debian
 deduplication
 discoverable
@@ -33,8 +37,11 @@ gettext
 gunicorn
 hardcoded
 hostname
+idempotency
+inofficial
 invalidations
 iterable
+Jimdo
 libsass
 linters
 memcached
@@ -53,6 +60,7 @@ nginx
 NotificationType
 ons
 optimizations
+overpayment
 param
 percental
 positionid
@@ -68,6 +76,7 @@ pretixpresale
 prometheus
 proxied
 proxying
+pseudonymize
 queryset
 redemptions
 redis
@@ -77,6 +86,7 @@ renderer
 renderers
 reportlab
 screenshot
+selectable
 serializers
 serializers
 sexualized
@@ -94,6 +104,7 @@ subpath
 systemd
 testutils
 timestamp
+tuples
 un
 unconfigured
 unix
@@ -102,6 +113,7 @@ untrusted
 username
 url
 versa
+versioning
 viewset
 viewsets
 webhook

doc/user/events/email.rst

@@ -126,4 +126,29 @@ With the checkbox "Use custom SMTP server" you can turn using your SMTP server o
 button "Save and test custom SMTP connection", you can test if the connection and authentication to your SMTP server
 succeeds, even before turning that checkbox on.
 
+Spam issues
+-----------
+
+If you use an email address of your own domain as a sender address and do not use a custom SMTP server, it is very
+likely that at least some of your emails will go to the spam folders of their recipients. We **strongly recommend**
+to use your organization's SMTP server in this case, making your email really come from your organization. If you don't
+want that or cannot do that, you should add the pretix application server to your SPF record.
+
+If you are using our hosted service at pretix.eu, you can add the following to your SPF record::
+
+   include:_spf.pretix.eu
+
+A complete record could look like this::
+
+   v=spf1 a mx include:_spf.pretix.eu ~all
+
+Make sure to read up on the `SPF specification`_. If you want to authenticate your emails with DKIM, set up a DNS TXT
+record for the subdomain ``pretix._domainkey`` with the following contents::
+
+   v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXrDk6lwOWX00e2MbiiJac6huI+gnzLf9N4G1FnBv3PXq8fz3i2q1szH72OF5mAlKm3zXO4cl/uxx+lfidS1ERbX6Bn9BRstBTQUKWC4JFj8Yk9+fwT7LWehDURazLdTzfsIjJFudLLvxtOKSaOCtMhbPX05DIhziaqVCBqgz/NQIDAQAB
+
+Then, please contact support@pretix.eu and we will enable DKIM for your domain on our mail servers.
+
+
 .. _Sender Policy Framework: https://en.wikipedia.org/wiki/Sender_Policy_Framework
+.. _SPF specification: http://www.openspf.org/SPF_Record_Syntax

doc/user/events/widget.rst

@@ -36,6 +36,12 @@ The second snippet should be embedded at the position where the widget should sh
     You can of course embed multiple widgets of multiple events on your page. In this case, please add the first
     snippet only *once* and the second snippets once *for each event*.
 
+.. note::
+
+    Some website builders like Jimdo have trouble with our custom HTML tag. In that case, you can use
+    ``<div class="pretix-widget-compat" …></div>`` instead of ``<pretix-widget …></pretix-widget>`` starting with
+    pretix 1.14.
+
 Example
 -------
 

doc/user/faq.rst

@@ -51,3 +51,25 @@ If you created a product and it doesn't show up, please follow the following ste
    quota that is assigned to the series date that you access the shop for.
 6. If the sale period has not started yet or is already over, check the "Show items outside presale period" setting of
    your event.
+
+How can I revert a check-in?
+----------------------------
+
+Neither our apps nor our web interface can currently undo the check-in of a tickets. We know that this is
+inconvenient for some of you, but we have a good reason for it:
+
+Our Desktop and Android apps both support an asynchronous mode in which they can scan tickets while staying
+independent of their internet connection. When scanning with multiple devices, it can of course happen that two
+devices scan the same ticket without knowing of the other scan. As soon as one of the devices regains connectivity, it
+will upload its activity and the server marks the ticket as checked in -- regardless of the order in which the two
+scans were made and uploaded (which could be two different orders).
+
+If we'd provide a "check out" feature, it would not only be used to fix an accidental scan, but scan at entry and
+exit to count the current number of people inside etc. In this case, the order of operations matters very much for them
+to make sense and provide useful results. This makes implementing an asynchronous mode much more complicated.
+
+In this trade off, we chose offline-capabilities over the check out feature. We plan on solving this problem in the
+future, but we're not there yet.
+
+If you're just *testing* the check-in capabilities and want to clean out everything for the real process, you can just
+delete and re-create the check-in list.

doc/user/organizers/teams.rst

@@ -1,3 +1,5 @@
+.. _user-teams:
+
 Teams
 =====
 

doc/user/payments/settings.rst

@@ -1,7 +1,7 @@
 General settings
 ================
 
-At "Settings" → "Pages", you can configure every aspect related to the payments you want to accept. The upper part
+At "Settings" → "Payment", you can configure every aspect related to the payments you want to accept. The upper part
 of the page shows a number of general settings that affect all payment methods:
 
 .. thumbnail:: ../../screens/event/settings_payment.png

doc/user/payments/stripe.rst

@@ -3,6 +3,10 @@
 Stripe
 ======
 
+.. note:: If you use the Hosted version of pretix at pretix.eu, you do not need to copy API keys and create webhooks
+          any more. Instead, you can just click "Connect with Stripe" in pretix and everything will connect
+          automatically.
+
 To integrate Stripe with pretix, you first need to have an active Stripe merchant account. If you do not already have a
 Stripe account, you can create one on `stripe.com`_. Then, click on "API" in the left navigation of the Stripe
 Dashboard. As you can see in the following screenshot, you will be presented with two sets of API keys, one for test

src/.update-locales

@@ -0,0 +1,37 @@
+#!/bin/sh
+COMPONENTS="pretix/pretix pretix/pretix-js"
+DIR=pretix/locale
+# Renerates .po files used for translating the plugin
+set -e
+set -x
+
+# Lock Weblate
+for c in $COMPONENTS; do
+	wlc lock $c;
+done
+
+# Push changes from Weblate to GitHub
+for c in $COMPONENTS; do
+	wlc commit $c;
+done
+
+# Pull changes from GitHub
+git pull --rebase
+
+# Update po files itself
+make localegen
+
+# Commit changes
+git add $DIR/*/*/*.po
+git add $DIR/*.pot
+
+git commit -s -m "Update po files
+[CI skip]"
+
+# Push changes
+git push
+
+# Unlock Weblate
+for c in $COMPONENTS; do
+	wlc unlock $c;
+done

src/Makefile

@@ -1,12 +1,13 @@
 all: localecompile staticfiles
 production: localecompile staticfiles compress
+LNGS:=`find pretix/locale/ -mindepth 1 -maxdepth 1 -type d -printf "-l %f "`
 
 localecompile:
 	./manage.py compilemessages
 
 localegen:
-	./manage.py makemessages --all --ignore "pretix/helpers/*"
-	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*"
+	./manage.py makemessages --keep-pot --ignore "pretix/helpers/*" $(LNGS)
+	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*" $(LNGS)
 
 staticfiles: jsi18n
 	./manage.py collectstatic --noinput

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "1.13.0"
+__version__ = "1.15.0"

src/pretix/api/auth/permission.py

@@ -1,4 +1,3 @@
-from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.base.models import Event
@@ -59,16 +58,16 @@ class EventPermission(BasePermission):
         return True
 
 
-def permission_required(required_permission):
-    def decorator(function):
-        def wrapper(self, request, *args, **kw):
-            if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
-                if required_permission and required_permission not in request.eventpermset:
-                    raise PermissionDenied('You do not have permission to perform this operation.')
-            elif 'organizer' in request.resolver_match.kwargs:
-                if required_permission and required_permission not in request.orgapermset:
-                    raise PermissionDenied('You do not have permission to perform this operation.')
+class EventCRUDPermission(EventPermission):
+    def has_permission(self, request, view):
+        if not super(EventCRUDPermission, self).has_permission(request, view):
+            return False
+        elif view.action == 'create' and 'can_create_events' not in request.orgapermset:
+            return False
+        elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
+            return False
+        elif view.action in ['retrieve', 'update', 'partial_update'] \
+                and 'can_change_event_settings' not in request.eventpermset:
+            return False
 
-            return function(self, request, *args, **kw)
-        return wrapper
-    return decorator
+        return True

src/pretix/api/serializers/event.py

@@ -1,3 +1,7 @@
+from django.core.exceptions import ValidationError
+from django.db import transaction
+from django.utils.functional import cached_property
+from django.utils.translation import ugettext as _
 from django_countries.serializers import CountryFieldMixin
 from rest_framework.fields import Field
 
@@ -14,15 +18,161 @@ class MetaDataField(Field):
             v.property.name: v.value for v in value.meta_values.all()
         }
 
+    def to_internal_value(self, data):
+        return {
+            'meta_data': data
+        }
+
+
+class PluginsField(Field):
+
+    def to_representation(self, obj):
+        from pretix.base.plugins import get_all_plugins
+
+        return {
+            p.module for p in get_all_plugins()
+            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
+        }
+
+    def to_internal_value(self, data):
+        return {
+            'plugins': data
+        }
+
 
 class EventSerializer(I18nAwareModelSerializer):
-    meta_data = MetaDataField(source='*')
+    meta_data = MetaDataField(required=False, source='*')
+    plugins = PluginsField(required=False, source='*')
 
     class Meta:
         model = Event
         fields = ('name', 'slug', 'live', 'currency', 'date_from',
                   'date_to', 'date_admission', 'is_public', 'presale_start',
-                  'presale_end', 'location', 'has_subevents', 'meta_data')
+                  'presale_end', 'location', 'has_subevents', 'meta_data', 'plugins')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Event.clean_dates(data.get('date_from'), data.get('date_to'))
+        Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
+
+        return data
+
+    def validate_has_subevents(self, value):
+        Event.clean_has_subevents(self.instance, value)
+        return value
+
+    def validate_slug(self, value):
+        Event.clean_slug(self.context['request'].organizer, self.instance, value)
+        return value
+
+    def validate_live(self, value):
+        if value:
+            if self.instance is None:
+                raise ValidationError(_('Events cannot be created as \'live\'. Quotas and payment must be added to the '
+                                        'event before sales can go live.'))
+            else:
+                self.instance.clean_live()
+        return value
+
+    @cached_property
+    def meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].organizer.meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.meta_properties:
+                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    def validate_plugins(self, value):
+        from pretix.base.plugins import get_all_plugins
+
+        plugins_available = {
+            p.module for p in get_all_plugins()
+            if not p.name.startswith('.') and getattr(p, 'visible', True)
+        }
+
+        for plugin in value.get('plugins'):
+            if plugin not in plugins_available:
+                raise ValidationError(_('Unknown plugin: \'{name}\'.').format(name=plugin))
+
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        plugins = validated_data.pop('plugins', None)
+        event = super().create(validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                event.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )
+
+        # Plugins
+        if plugins is not None:
+            event.set_active_plugins(plugins)
+
+        return event
+
+    @transaction.atomic
+    def update(self, instance, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        plugins = validated_data.pop('plugins', None)
+        event = super().update(instance, validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in event.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    event.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        # Plugins
+        if plugins is not None:
+            event.set_active_plugins(plugins)
+            event.save()
+
+        return event
+
+
+class CloneEventSerializer(EventSerializer):
+    @transaction.atomic
+    def create(self, validated_data):
+        plugins = validated_data.pop('plugins', None)
+        is_public = validated_data.pop('is_public', None)
+        new_event = super().create(validated_data)
+
+        event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
+        new_event.copy_data_from(event)
+
+        if plugins is not None:
+            new_event.set_active_plugins(plugins)
+        if is_public is not None:
+            new_event.is_public = is_public
+        new_event.save()
+
+        return new_event
 
 
 class SubEventItemSerializer(I18nAwareModelSerializer):

src/pretix/api/serializers/item.py

@@ -87,6 +87,9 @@ class ItemSerializer(I18nAwareModelSerializer):
 
     def validate(self, data):
         data = super().validate(data)
+        if self.instance and ('addons' in data or 'variations' in data):
+            raise ValidationError(_('Updating add-ons or variations via PATCH/PUT is not supported. Please use the '
+                                    'dedicated nested endpoint.'))
 
         Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
         Item.clean_available(data.get('available_from'), data.get('available_until'))
@@ -101,17 +104,8 @@ class ItemSerializer(I18nAwareModelSerializer):
         Item.clean_tax_rule(value, self.context['event'])
         return value
 
-    def validate_variations(self, value):
-        if self.instance is not None:
-            raise ValidationError(_('Updating variations via PATCH/PUT is not supported. Please use the dedicated'
-                                    ' nested endpoint.'))
-        return value
-
     def validate_addons(self, value):
-        if self.instance is not None:
-            raise ValidationError(_('Updating add-ons via PATCH/PUT is not supported. Please use the dedicated'
-                                    ' nested endpoint.'))
-        else:
+        if not self.instance:
             for addon_data in value:
                 ItemAddOn.clean_categories(self.context['event'], None, self.instance, addon_data['addon_category'])
                 ItemAddOn.clean_min_count(addon_data['min_count'])
@@ -138,20 +132,72 @@ class ItemCategorySerializer(I18nAwareModelSerializer):
         fields = ('id', 'name', 'description', 'position', 'is_addon')
 
 
-class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
+class QuestionOptionSerializer(I18nAwareModelSerializer):
+    identifier = serializers.CharField(allow_null=True)
 
     class Meta:
         model = QuestionOption
-        fields = ('id', 'answer')
+        fields = ('id', 'identifier', 'answer', 'position')
+
+    def validate_identifier(self, value):
+        QuestionOption.clean_identifier(self.context['event'], value, self.instance)
+        return value
+
+
+class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
+    identifier = serializers.CharField(allow_null=True)
+
+    class Meta:
+        model = QuestionOption
+        fields = ('id', 'identifier', 'answer', 'position')
 
 
 class QuestionSerializer(I18nAwareModelSerializer):
-    options = InlineQuestionOptionSerializer(many=True)
+    options = InlineQuestionOptionSerializer(many=True, required=False)
+    identifier = serializers.CharField(allow_null=True)
 
     class Meta:
         model = Question
         fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin')
+                  'ask_during_checkin', 'identifier')
+
+    def validate_identifier(self, value):
+        Question._clean_identifier(self.context['event'], value, self.instance)
+        return value
+
+    def validate(self, data):
+        data = super().validate(data)
+        if self.instance and 'options' in data:
+            raise ValidationError(_('Updating options via PATCH/PUT is not supported. Please use the dedicated'
+                                    ' nested endpoint.'))
+
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Question.clean_items(event, full_data.get('items'))
+        return data
+
+    def validate_options(self, value):
+        if not self.instance:
+            known = []
+            for opt_data in value:
+                if opt_data.get('identifier'):
+                    QuestionOption.clean_identifier(self.context['event'], opt_data.get('identifier'), self.instance,
+                                                    known)
+                    known.append(opt_data.get('identifier'))
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        options_data = validated_data.pop('options') if 'options' in validated_data else []
+        items = validated_data.pop('items')
+        question = Question.objects.create(**validated_data)
+        question.items.set(items)
+        for opt_data in options_data:
+            QuestionOption.objects.create(question=question, **opt_data)
+        return question
 
 
 class QuotaSerializer(I18nAwareModelSerializer):

src/pretix/api/serializers/order.py

@@ -20,7 +20,7 @@ class CompatibleCountryField(serializers.Field):
             return instance.country_old
 
 
-class InvoiceAdddressSerializer(I18nAwareModelSerializer):
+class InvoiceAddressSerializer(I18nAwareModelSerializer):
     country = CompatibleCountryField(source='*')
 
     class Meta:
@@ -29,10 +29,23 @@ class InvoiceAdddressSerializer(I18nAwareModelSerializer):
                   'vat_id_validated', 'internal_reference')
 
 
+class AnswerQuestionIdentifierField(serializers.Field):
+    def to_representation(self, instance: QuestionAnswer):
+        return instance.question.identifier
+
+
+class AnswerQuestionOptionsIdentifierField(serializers.Field):
+    def to_representation(self, instance: QuestionAnswer):
+        return [o.identifier for o in instance.options.all()]
+
+
 class AnswerSerializer(I18nAwareModelSerializer):
+    question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
+    option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
+
     class Meta:
         model = QuestionAnswer
-        fields = ('question', 'answer', 'options')
+        fields = ('question', 'answer', 'question_identifier', 'options', 'option_identifiers')
 
 
 class CheckinSerializer(I18nAwareModelSerializer):
@@ -123,19 +136,16 @@ class PaymentFeeLegacyField(serializers.Field):
 
 
 class OrderSerializer(I18nAwareModelSerializer):
-    invoice_address = InvoiceAdddressSerializer()
+    invoice_address = InvoiceAddressSerializer()
     positions = OrderPositionSerializer(many=True)
     fees = OrderFeeSerializer(many=True)
     downloads = OrderDownloadsField(source='*')
-    payment_fee = PaymentFeeLegacyField(source='*', attribute='value')  # TODO: Remove in 1.9
-    payment_fee_tax_rate = PaymentFeeLegacyField(source='*', attribute='tax_rate')  # TODO: Remove in 1.9
-    payment_fee_tax_value = PaymentFeeLegacyField(source='*', attribute='tax_value')  # TODO: Remove in 1.9
 
     class Meta:
         model = Order
         fields = ('code', 'status', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
                   'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'payment_fee', 'payment_fee_tax_rate', 'payment_fee_tax_value', 'checkin_attention')
+                  'checkin_attention')
 
 
 class InlineInvoiceLineSerializer(I18nAwareModelSerializer):

src/pretix/api/serializers/waitinglist.py

@@ -1,3 +1,5 @@
+from rest_framework.exceptions import ValidationError
+
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import WaitingListEntry
 
@@ -7,3 +9,27 @@ class WaitingListSerializer(I18nAwareModelSerializer):
     class Meta:
         model = WaitingListEntry
         fields = ('id', 'created', 'email', 'voucher', 'item', 'variation', 'locale', 'subevent')
+        read_only_fields = ('id', 'created', 'voucher')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        WaitingListEntry.clean_duplicate(full_data.get('email'), full_data.get('item'), full_data.get('variation'),
+                                         full_data.get('subevent'), self.instance.pk if self.instance else None)
+        WaitingListEntry.clean_itemvar(event, full_data.get('item'), full_data.get('variation'))
+        WaitingListEntry.clean_subevent(event, full_data.get('subevent'))
+
+        if 'item' in data or 'variation' in data:
+            availability = (
+                full_data.get('variation').check_quotas(count_waitinglist=True, subevent=full_data.get('subevent'))
+                if full_data.get('variation')
+                else full_data.get('item').check_quotas(count_waitinglist=True, subevent=full_data.get('subevent'))
+            )
+            if availability[0] == 100:
+                raise ValidationError("This product is currently available.")
+
+        return data

src/pretix/api/urls.py

@@ -14,6 +14,7 @@ orga_router.register(r'events', event.EventViewSet)
 
 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
+event_router.register(r'clone', event.CloneEventViewSet)
 event_router.register(r'items', item.ItemViewSet)
 event_router.register(r'categories', item.ItemCategoryViewSet)
 event_router.register(r'questions', item.QuestionViewSet)
@@ -29,6 +30,9 @@ event_router.register(r'checkinlists', checkin.CheckinListViewSet)
 checkinlist_router = routers.DefaultRouter()
 checkinlist_router.register(r'positions', checkin.CheckinListPositionViewSet)
 
+question_router = routers.DefaultRouter()
+question_router.register(r'options', item.QuestionOptionViewSet)
+
 item_router = routers.DefaultRouter()
 item_router.register(r'variations', item.ItemVariationViewSet)
 item_router.register(r'addons', item.ItemAddOnViewSet)
@@ -44,6 +48,8 @@ urlpatterns = [
     url(r'^organizers/(?P<organizer>[^/]+)/', include(orga_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/questions/(?P<question>[^/]+)/',
+        include(question_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/checkinlists/(?P<list>[^/]+)/',
         include(checkinlist_router.urls)),
 ]

src/pretix/api/views/checkin.py

@@ -1,16 +1,25 @@
-import django_filters
-from django.db.models import F, Max, OuterRef, Prefetch, Q, Subquery
+from django.core.exceptions import ValidationError
+from django.db.models import Count, F, Max, OuterRef, Prefetch, Subquery
 from django.db.models.functions import Coalesce
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
+from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
+from rest_framework.decorators import detail_route
+from rest_framework.fields import DateTimeField
+from rest_framework.response import Response
 
 from pretix.api.serializers.checkin import CheckinListSerializer
+from pretix.api.serializers.item import QuestionSerializer
 from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.views import RichOrderingFilter
+from pretix.api.views.order import OrderPositionFilter
 from pretix.base.models import Checkin, CheckinList, Order, OrderPosition
 from pretix.base.models.organizer import TeamAPIToken
+from pretix.base.services.checkin import (
+    CheckInError, RequiredQuestionsError, perform_checkin,
+)
 from pretix.helpers.database import FixedOrderBy
 
 
@@ -66,22 +75,80 @@ class CheckinListViewSet(viewsets.ModelViewSet):
         )
         super().perform_destroy(instance)
 
+    @detail_route(methods=['GET'])
+    def status(self, *args, **kwargs):
+        clist = self.get_object()
+        cqs = Checkin.objects.filter(
+            position__order__event=clist.event,
+            position__order__status__in=[Order.STATUS_PAID] + ([Order.STATUS_PENDING] if clist.include_pending else []),
+            list=clist
+        )
+        pqs = OrderPosition.objects.filter(
+            order__event=clist.event,
+            order__status__in=[Order.STATUS_PAID] + ([Order.STATUS_PENDING] if clist.include_pending else []),
+            subevent=clist.subevent,
+        )
+        if not clist.all_products:
+            pqs = pqs.filter(item__in=clist.limit_products.values_list('id', flat=True))
 
-class OrderPositionFilter(FilterSet):
-    order = django_filters.CharFilter(name='order', lookup_expr='code')
-    has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
-    attendee_name = django_filters.CharFilter(method='attendee_name_qs')
+        ev = clist.subevent or clist.event
+        response = {
+            'event': {
+                'name': str(ev.name),
+            },
+            'checkin_count': cqs.count(),
+            'position_count': pqs.count()
+        }
+
+        op_by_item = {
+            p['item']: p['cnt']
+            for p in pqs.order_by().values('item').annotate(cnt=Count('id'))
+        }
+        op_by_variation = {
+            p['variation']: p['cnt']
+            for p in pqs.order_by().values('variation').annotate(cnt=Count('id'))
+        }
+        c_by_item = {
+            p['position__item']: p['cnt']
+            for p in cqs.order_by().values('position__item').annotate(cnt=Count('id'))
+        }
+        c_by_variation = {
+            p['position__variation']: p['cnt']
+            for p in cqs.order_by().values('position__variation').annotate(cnt=Count('id'))
+        }
+
+        if not clist.all_products:
+            items = clist.limit_products
+        else:
+            items = clist.event.items
+
+        response['items'] = []
+        for item in items.order_by('category__position', 'position', 'pk').prefetch_related('variations'):
+            i = {
+                'id': item.pk,
+                'name': str(item),
+                'admission': item.admission,
+                'checkin_count': c_by_item.get(item.pk, 0),
+                'position_count': op_by_item.get(item.pk, 0),
+                'variations': []
+            }
+            for var in item.variations.all():
+                i['variations'].append({
+                    'id': var.pk,
+                    'value': str(var),
+                    'checkin_count': c_by_variation.get(var.pk, 0),
+                    'position_count': op_by_variation.get(var.pk, 0),
+                })
+            response['items'].append(i)
+
+        return Response(response)
+
+
+class CheckinOrderPositionFilter(OrderPositionFilter):
 
     def has_checkin_qs(self, queryset, name, value):
         return queryset.filter(last_checked_in__isnull=not value)
 
-    def attendee_name_qs(self, queryset, name, value):
-        return queryset.filter(Q(attendee_name=value) | Q(addon_to__attendee_name=value))
-
-    class Meta:
-        model = OrderPosition
-        fields = ['item', 'variation', 'attendee_name', 'secret', 'order', 'has_checkin', 'addon_to', 'subevent']
-
 
 class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderPositionSerializer
@@ -109,8 +176,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
         },
     }
 
-    filter_class = OrderPositionFilter
+    filter_class = CheckinOrderPositionFilter
     permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
 
     @cached_property
     def checkinlist(self):
@@ -141,3 +209,53 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))
 
         return qs
+
+    @detail_route(methods=['POST'])
+    def redeem(self, *args, **kwargs):
+        force = bool(self.request.data.get('force', False))
+        ignore_unpaid = bool(self.request.data.get('ignore_unpaid', False))
+        nonce = self.request.data.get('nonce')
+        op = self.get_object()
+
+        if 'datetime' in self.request.data:
+            dt = DateTimeField().to_internal_value(self.request.data.get('datetime'))
+        else:
+            dt = now()
+
+        given_answers = {}
+        if 'answers' in self.request.data:
+            aws = self.request.data.get('answers')
+            for q in op.item.questions.filter(ask_during_checkin=True):
+                if str(q.pk) in aws:
+                    try:
+                        given_answers[q] = q.clean_answer(aws[str(q.pk)])
+                    except ValidationError:
+                        pass
+
+        try:
+            perform_checkin(
+                op=op,
+                clist=self.checkinlist,
+                given_answers=given_answers,
+                force=force,
+                ignore_unpaid=ignore_unpaid,
+                nonce=nonce,
+                datetime=dt,
+                questions_supported=self.request.data.get('questions_supported', True)
+            )
+        except RequiredQuestionsError as e:
+            return Response({
+                'status': 'incomplete',
+                'questions': [
+                    QuestionSerializer(q).data for q in e.questions
+                ]
+            }, status=400)
+        except CheckInError as e:
+            return Response({
+                'status': 'error',
+                'reason': e.code
+            }, status=400)
+        else:
+            return Response({
+                'status': 'ok',
+            }, status=201)

src/pretix/api/views/event.py

@@ -1,24 +1,123 @@
+from django.db import transaction
+from django.db.models import ProtectedError
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
 from rest_framework.exceptions import PermissionDenied
 
+from pretix.api.auth.permission import EventCRUDPermission
 from pretix.api.serializers.event import (
-    EventSerializer, SubEventSerializer, TaxRuleSerializer,
+    CloneEventSerializer, EventSerializer, SubEventSerializer,
+    TaxRuleSerializer,
 )
 from pretix.base.models import Event, ItemCategory, TaxRule
 from pretix.base.models.event import SubEvent
 from pretix.base.models.organizer import TeamAPIToken
+from pretix.helpers.dicts import merge_dicts
 
 
-class EventViewSet(viewsets.ReadOnlyModelViewSet):
+class EventViewSet(viewsets.ModelViewSet):
     serializer_class = EventSerializer
     queryset = Event.objects.none()
     lookup_field = 'slug'
     lookup_url_kwarg = 'event'
+    permission_classes = (EventCRUDPermission,)
 
     def get_queryset(self):
         return self.request.organizer.events.prefetch_related('meta_values', 'meta_values__property')
 
+    def perform_update(self, serializer):
+        current_live_value = serializer.instance.live
+        updated_live_value = serializer.validated_data.get('live', None)
+        current_plugins_value = serializer.instance.get_plugins()
+        updated_plugins_value = serializer.validated_data.get('plugins', None)
+
+        super().perform_update(serializer)
+
+        if updated_live_value is not None and updated_live_value != current_live_value:
+            log_action = 'pretix.event.live.activated' if updated_live_value else 'pretix.event.live.deactivated'
+            serializer.instance.log_action(
+                log_action,
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                data=self.request.data
+            )
+
+        if updated_plugins_value is not None and set(updated_plugins_value) != set(current_plugins_value):
+            enabled = {m: 'enabled' for m in updated_plugins_value if m not in current_plugins_value}
+            disabled = {m: 'disabled' for m in current_plugins_value if m not in updated_plugins_value}
+            changed = merge_dicts(enabled, disabled)
+
+            for module, action in changed.items():
+                serializer.instance.log_action(
+                    'pretix.event.plugins.' + action,
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                    data={'plugin': module}
+                )
+
+        other_keys = {k: v for k, v in serializer.validated_data.items() if k not in ['plugins', 'live']}
+        if other_keys:
+            serializer.instance.log_action(
+                'pretix.event.changed',
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                data=self.request.data
+            )
+
+    def perform_create(self, serializer):
+        serializer.save(organizer=self.request.organizer)
+        serializer.instance.log_action(
+            'pretix.event.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('The event can not be deleted as it already contains orders. Please set \'live\''
+                                   ' to false to hide the event and take the shop offline instead.')
+        try:
+            with transaction.atomic():
+                instance.organizer.log_action(
+                    'pretix.event.deleted', user=self.request.user,
+                    data={
+                        'event_id': instance.pk,
+                        'name': str(instance.name),
+                        'logentries': list(instance.logentry_set.values_list('pk', flat=True))
+                    }
+                )
+                instance.delete_sub_objects()
+                super().perform_destroy(instance)
+        except ProtectedError:
+            raise PermissionDenied('The event could not be deleted as some constraints (e.g. data created by plug-ins) '
+                                   'do not allow it.')
+
+
+class CloneEventViewSet(viewsets.ModelViewSet):
+    serializer_class = CloneEventSerializer
+    queryset = Event.objects.none()
+    lookup_field = 'slug'
+    lookup_url_kwarg = 'event'
+    http_method_names = ['post']
+    write_permission = 'can_create_events'
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.kwargs['event']
+        ctx['organizer'] = self.request.organizer
+        return ctx
+
+    def perform_create(self, serializer):
+        serializer.save(organizer=self.request.organizer)
+
+        serializer.instance.log_action(
+            'pretix.event.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
 
 class SubEventFilter(FilterSet):
     class Meta:

src/pretix/api/views/item.py

@@ -10,10 +10,12 @@ from rest_framework.response import Response
 
 from pretix.api.serializers.item import (
     ItemAddOnSerializer, ItemCategorySerializer, ItemSerializer,
-    ItemVariationSerializer, QuestionSerializer, QuotaSerializer,
+    ItemVariationSerializer, QuestionOptionSerializer, QuestionSerializer,
+    QuotaSerializer,
 )
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, Quota,
+    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
+    Quota,
 )
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.dicts import merge_dicts
@@ -201,7 +203,7 @@ class ItemCategoryFilter(FilterSet):
         fields = ['is_addon']
 
 
-class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
+class ItemCategoryViewSet(viewsets.ModelViewSet):
     serializer_class = ItemCategorySerializer
     queryset = ItemCategory.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -209,15 +211,57 @@ class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = 'can_change_items'
+    write_permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.categories.all()
 
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.category.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
 
-class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.category.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        for item in instance.items.all():
+            item.category = None
+            item.save()
+        instance.log_action(
+            'pretix.event.category.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)
+
+
+class QuestionFilter(FilterSet):
+    class Meta:
+        model = Question
+        fields = ['ask_during_checkin', 'required', 'identifier']
+
+
+class QuestionViewSet(viewsets.ModelViewSet):
     serializer_class = QuestionSerializer
     queryset = Question.objects.none()
-    filter_backends = (OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_class = QuestionFilter
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = 'can_change_items'
@@ -225,6 +269,85 @@ class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
 
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.question.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.question.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        instance.log_action(
+            'pretix.event.question.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)
+
+
+class QuestionOptionViewSet(viewsets.ModelViewSet):
+    serializer_class = QuestionOptionSerializer
+    queryset = QuestionOption.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    ordering_fields = ('id', 'position')
+    ordering = ('position',)
+    permission = 'can_change_items'
+    write_permission = 'can_change_items'
+
+    def get_queryset(self):
+        q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
+        return q.options.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['question'] = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
+        return ctx
+
+    def perform_create(self, serializer):
+        q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
+        serializer.save(question=q)
+        q.log_action(
+            'pretix.event.question.option.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
+        )
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.question.log_action(
+            'pretix.event.question.option.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
+        )
+
+    def perform_destroy(self, instance):
+        instance.question.log_action(
+            'pretix.event.question.option.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data={'id': instance.pk}
+        )
+        super().perform_destroy(instance)
+
 
 class QuotaFilter(FilterSet):
     class Meta:

src/pretix/api/views/order.py

@@ -9,7 +9,9 @@ from django.utils.timezone import make_aware
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import serializers, status, viewsets
 from rest_framework.decorators import detail_route
-from rest_framework.exceptions import APIException, NotFound, PermissionDenied
+from rest_framework.exceptions import (
+    APIException, NotFound, PermissionDenied, ValidationError,
+)
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
 
@@ -18,7 +20,9 @@ from pretix.api.serializers.order import (
 )
 from pretix.base.models import Invoice, Order, OrderPosition, Quota
 from pretix.base.models.organizer import TeamAPIToken
-from pretix.base.services.invoices import invoice_pdf
+from pretix.base.services.invoices import (
+    generate_cancellation, generate_invoice, invoice_pdf, regenerate_invoice,
+)
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.orders import (
     OrderError, cancel_order, extend_order, mark_order_expired,
@@ -31,6 +35,10 @@ from pretix.base.signals import register_ticket_outputs
 
 
 class OrderFilter(FilterSet):
+    email = django_filters.CharFilter(name='email', lookup_expr='iexact')
+    code = django_filters.CharFilter(name='code', lookup_expr='iexact')
+    status = django_filters.CharFilter(name='status', lookup_expr='iexact')
+
     class Meta:
         model = Order
         fields = ['code', 'status', 'email', 'locale']
@@ -50,7 +58,7 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
     def get_queryset(self):
         return self.request.event.orders.prefetch_related(
             'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options',
-            'fees'
+            'positions__answers__question', 'fees'
         ).select_related(
             'invoice_address'
         )
@@ -207,20 +215,36 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
 
 
 class OrderPositionFilter(FilterSet):
-    order = django_filters.CharFilter(name='order', lookup_expr='code')
+    order = django_filters.CharFilter(name='order', lookup_expr='code__iexact')
     has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
     attendee_name = django_filters.CharFilter(method='attendee_name_qs')
+    search = django_filters.CharFilter(method='search_qs')
+
+    def search_qs(self, queryset, name, value):
+        return queryset.filter(
+            Q(secret__istartswith=value)
+            | Q(attendee_name__icontains=value)
+            | Q(addon_to__attendee_name__icontains=value)
+            | Q(order__code__istartswith=value)
+            | Q(order__invoice_address__name__icontains=value)
+        )
 
     def has_checkin_qs(self, queryset, name, value):
         return queryset.filter(checkins__isnull=not value)
 
     def attendee_name_qs(self, queryset, name, value):
-        return queryset.filter(Q(attendee_name=value) | Q(addon_to__attendee_name=value))
+        return queryset.filter(Q(attendee_name__iexact=value) | Q(addon_to__attendee_name__iexact=value))
 
     class Meta:
         model = OrderPosition
-        fields = ['item', 'variation', 'attendee_name', 'secret', 'order', 'order__status', 'has_checkin',
-                  'addon_to', 'subevent']
+        fields = {
+            'item': ['exact', 'in'],
+            'variation': ['exact', 'in'],
+            'secret': ['exact'],
+            'order__status': ['exact', 'in'],
+            'addon_to': ['exact', 'in'],
+            'subevent': ['exact', 'in']
+        }
 
 
 class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
@@ -234,7 +258,7 @@ class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
 
     def get_queryset(self):
         return OrderPosition.objects.filter(order__event=self.request.event).prefetch_related(
-            'checkins', 'answers', 'answers__options'
+            'checkins', 'answers', 'answers__options', 'answers__question'
         ).select_related(
             'item', 'order', 'order__event', 'order__event__organizer'
         )
@@ -306,6 +330,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
     permission = 'can_view_orders'
     lookup_url_kwarg = 'number'
     lookup_field = 'nr'
+    write_permission = 'can_change_orders'
 
     def get_queryset(self):
         return self.request.event.invoices.prefetch_related('lines').select_related('order', 'refers').annotate(
@@ -320,9 +345,54 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
             invoice_pdf(invoice.pk)
             invoice.refresh_from_db()
 
+        if invoice.shredded:
+            raise PermissionDenied('The invoice file is no longer stored on the server.')
+
         if not invoice.file:
             raise RetryException()
 
         resp = FileResponse(invoice.file.file, content_type='application/pdf')
         resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
         return resp
+
+    @detail_route(methods=['POST'])
+    def regenerate(self, request, **kwarts):
+        inv = self.get_object()
+        if inv.canceled:
+            raise ValidationError('The invoice has already been canceled.')
+        elif inv.shredded:
+            raise PermissionDenied('The invoice file is no longer stored on the server.')
+        else:
+            inv = regenerate_invoice(inv)
+            inv.order.log_action(
+                'pretix.event.order.invoice.regenerated',
+                data={
+                    'invoice': inv.pk
+                },
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            )
+            return Response(status=204)
+
+    @detail_route(methods=['POST'])
+    def reissue(self, request, **kwarts):
+        inv = self.get_object()
+        if inv.canceled:
+            raise ValidationError('The invoice has already been canceled.')
+        elif inv.shredded:
+            raise PermissionDenied('The invoice file is no longer stored on the server.')
+        else:
+            c = generate_cancellation(inv)
+            if inv.order.status not in (Order.STATUS_CANCELED, Order.STATUS_REFUNDED):
+                inv = generate_invoice(inv.order)
+            else:
+                inv = c
+            inv.order.log_action(
+                'pretix.event.order.invoice.reissued',
+                data={
+                    'invoice': inv.pk
+                },
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            )
+            return Response(status=204)

src/pretix/api/views/organizer.py

@@ -12,7 +12,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
 
     def get_queryset(self):
         if self.request.user.is_authenticated():
-            if self.request.user.is_superuser:
+            if self.request.user.has_active_staff_session(self.request.session.session_key):
                 return Organizer.objects.all()
             else:
                 return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))

src/pretix/api/views/waitinglist.py

@@ -1,10 +1,14 @@
 import django_filters
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
+from rest_framework.decorators import detail_route
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response
 
 from pretix.api.serializers.waitinglist import WaitingListSerializer
-from pretix.base.models import WaitingListEntry
+from pretix.base.models import TeamAPIToken, WaitingListEntry
+from pretix.base.models.waitinglist import WaitingListException
 
 
 class WaitingListFilter(FilterSet):
@@ -18,7 +22,7 @@ class WaitingListFilter(FilterSet):
         fields = ['item', 'variation', 'email', 'locale', 'has_voucher', 'subevent']
 
 
-class WaitingListViewSet(viewsets.ReadOnlyModelViewSet):
+class WaitingListViewSet(viewsets.ModelViewSet):
     serializer_class = WaitingListSerializer
     queryset = WaitingListEntry.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -26,6 +30,53 @@ class WaitingListViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'created', 'email', 'item')
     filter_class = WaitingListFilter
     permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
 
     def get_queryset(self):
         return self.request.event.waitinglistentries.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.orders.waitinglist.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+
+    def perform_update(self, serializer):
+        if serializer.instance.voucher:
+            raise PermissionDenied('This entry can not be changed as it has already been assigned a voucher.')
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.orders.waitinglist.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+
+    def perform_destroy(self, instance):
+        if instance.voucher:
+            raise PermissionDenied('This entry can not be deleted as it has already been assigned a voucher.')
+
+        instance.log_action(
+            'pretix.event.orders.waitinglist.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)
+
+    @detail_route(methods=['POST'])
+    def send_voucher(self, *args, **kwargs):
+        try:
+            self.get_object().send_voucher(
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            )
+        except WaitingListException as e:
+            raise ValidationError(str(e))
+        else:
+            return Response(status=204)

src/pretix/base/__init__.py

@@ -12,7 +12,7 @@ class PretixBaseConfig(AppConfig):
         from . import exporters  # NOQA
         from . import invoice  # NOQA
         from . import notifications  # NOQA
-        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
+        from .services import auth, export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
 
         try:
             from .celery_app import app as celery_app  # NOQA

src/pretix/base/decimal.py

@@ -3,9 +3,9 @@ from decimal import ROUND_HALF_UP, Decimal
 from django.conf import settings
 
 
-def round_decimal(dec, currency=None):
+def round_decimal(dec, currency=None, places_dict=settings.CURRENCY_PLACES):
     if currency:
-        places = settings.CURRENCY_PLACES.get(currency, 2)
+        places = places_dict.get(currency, 2)
         return Decimal(dec).quantize(
             Decimal('1') / 10 ** places, ROUND_HALF_UP
         )

src/pretix/base/exporters/invoices.py

@@ -18,7 +18,7 @@ class InvoiceExporter(BaseExporter):
     verbose_name = _('All invoices')
 
     def render(self, form_data: dict):
-        qs = self.event.invoices.all()
+        qs = self.event.invoices.filter(shredded=False)
 
         if form_data.get('payment_provider'):
             qs = qs.filter(order__payment_provider=form_data.get('payment_provider'))

src/pretix/base/exporters/orderlist.py

@@ -63,7 +63,7 @@ class OrderListExporter(BaseExporter):
         headers = [
             _('Order code'), _('Order total'), _('Status'), _('Email'), _('Order date'),
             _('Company'), _('Name'), _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
-            _('Payment date'), _('Payment type'), _('Fees'),
+            _('Payment date'), _('Payment type'), _('Fees'), _('Order locale')
         ]
 
         for tr in tax_rates:
@@ -123,7 +123,8 @@ class OrderListExporter(BaseExporter):
             row += [
                 order.payment_date.astimezone(tz).strftime('%Y-%m-%d') if order.payment_date else '',
                 provider_names.get(order.payment_provider, order.payment_provider),
-                localize(full_fee_sum_cache.get(order.id) or Decimal('0.00'))
+                localize(full_fee_sum_cache.get(order.id) or Decimal('0.00')),
+                order.locale,
             ]
 
             for tr in tax_rates:

src/pretix/base/forms/__init__.py

@@ -69,4 +69,5 @@ class SettingsForm(i18nfield.forms.I18nFormMixin, HierarkeyForm):
             )
         else:
             fname = '%s/%s.%s.%s' % (self.obj.slug, name, nonce, name.split('.')[-1])
-        return fname
+        # TODO: make sure pub is always correct
+        return 'pub/' + fname

src/pretix/base/forms/user.py

@@ -8,6 +8,7 @@ from django.utils.translation import ugettext_lazy as _
 from pytz import common_timezones
 
 from pretix.base.models import User
+from pretix.control.forms import SingleLanguageWidget
 
 
 class UserSettingsForm(forms.ModelForm):
@@ -47,6 +48,9 @@ class UserSettingsForm(forms.ModelForm):
             'timezone',
             'email'
         ]
+        widgets = {
+            'locale': SingleLanguageWidget
+        }
 
     def __init__(self, *args, **kwargs):
         self.user = kwargs.pop('user')

src/pretix/base/forms/validators.py

@@ -29,7 +29,7 @@ class PlaceholderValidator(BaseValidator):
                 code='invalid',
             )
 
-        data_placeholders = list(re.findall(r'({[\w\s]*})', value, re.X))
+        data_placeholders = list(re.findall(r'({[^}]*})', value, re.X))
         invalid_placeholders = []
         for placeholder in data_placeholders:
             if placeholder not in self.limit_value:

src/pretix/base/invoice.py

@@ -282,16 +282,19 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                              preserveAspectRatio=True, anchor='n',
                              mask='auto')
 
-        if self.invoice.event.settings.show_date_to:
-            p_str = (
-                str(self.invoice.event.name) + '\n' + pgettext('invoice', '{from_date}\nuntil {to_date}').format(
-                    from_date=self.invoice.event.get_date_from_display(),
-                    to_date=self.invoice.event.get_date_to_display())
-            )
+        if not self.invoice.event.has_subevents:
+            if self.invoice.event.settings.show_date_to:
+                p_str = (
+                    str(self.invoice.event.name) + '\n' + pgettext('invoice', '{from_date}\nuntil {to_date}').format(
+                        from_date=self.invoice.event.get_date_from_display(),
+                        to_date=self.invoice.event.get_date_to_display())
+                )
+            else:
+                p_str = (
+                    str(self.invoice.event.name) + '\n' + self.invoice.event.get_date_from_display()
+                )
         else:
-            p_str = (
-                str(self.invoice.event.name) + '\n' + self.invoice.event.get_date_from_display()
-            )
+            p_str = str(self.invoice.event.name)
 
         p = Paragraph(p_str.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
         p.wrapOn(canvas, 65 * mm, 50 * mm)

src/pretix/base/migrations/0085_auto_20180312_1119.py

@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.11 on 2018-03-12 11:19
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+from django.utils.crypto import get_random_string
+
+
+def set_identifiers(apps, schema_editor):
+    Question = apps.get_model('pretixbase', 'Question')
+    QuestionOption = apps.get_model('pretixbase', 'QuestionOption')
+
+    for q in Question.objects.select_related('event'):
+        if not q.identifier:
+            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
+            while True:
+                code = get_random_string(length=8, allowed_chars=charset)
+                if not Question.objects.filter(event=q.event, identifier=code).exists():
+                    q.identifier = code
+                    q.save()
+                    break
+
+    for q in QuestionOption.objects.select_related('question', 'question__event'):
+        if not q.identifier:
+            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
+            while True:
+                code = get_random_string(length=8, allowed_chars=charset)
+                if not QuestionOption.objects.filter(question__event=q.question.event, identifier=code).exists():
+                    q.identifier = code
+                    q.save()
+                    break
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0084_questionoption_position'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='question',
+            name='identifier',
+            field=models.CharField(default='', max_length=190),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='questionoption',
+            name='identifier',
+            field=models.CharField(default='', max_length=190),
+            preserve_default=False,
+        ),
+        migrations.AlterField(
+            model_name='user',
+            name='locale',
+            field=models.CharField(choices=[('en', 'English'), ('de', 'German'), ('de-informal', 'German (informal)'), ('nl', 'Dutch'), ('da', 'Danish'), ('pt-br', 'Portuguese (Brazil)')], default='en', max_length=50, verbose_name='Language'),
+        ),
+        migrations.RunPython(set_identifiers, migrations.RunPython.noop)
+    ]

src/pretix/base/migrations/0086_auto_20180320_1219.py

@@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.11 on 2018-03-20 12:19
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+import pretix.base.models.invoices
+import pretix.base.models.orders
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0085_auto_20180312_1119'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='cachedcombinedticket',
+            name='file',
+            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.cachedcombinedticket_name),
+        ),
+        migrations.AlterField(
+            model_name='cachedticket',
+            name='file',
+            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.cachedticket_name),
+        ),
+        migrations.AlterField(
+            model_name='invoice',
+            name='file',
+            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.invoices.invoice_filename),
+        ),
+        migrations.AlterField(
+            model_name='question',
+            name='identifier',
+            field=models.CharField(help_text='You can enter any value here to make it easier to match the data with other sources. If you do not input one, we will generate one automatically.', max_length=190, verbose_name='Internal identifier'),
+        ),
+        migrations.AlterField(
+            model_name='questionanswer',
+            name='file',
+            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.answerfile_name),
+        ),
+    ]

src/pretix/base/migrations/0087_auto_20180317_1952.py

@@ -0,0 +1,64 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.10 on 2018-03-17 19:52
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+def set_is_staff(apps, schema_editor):
+    User = apps.get_model('pretixbase', 'User')
+    User.objects.filter(is_superuser=True).update(is_staff=True)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('pretixbase', '0086_auto_20180320_1219'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            set_is_staff,
+            migrations.RunPython.noop,
+        ),
+        migrations.RemoveField(
+            model_name='user',
+            name='is_superuser',
+        ),
+        migrations.CreateModel(
+            name='StaffSession',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('date_start', models.DateTimeField(auto_now_add=True)),
+                ('date_end', models.DateTimeField(blank=True, null=True)),
+                ('session_key', models.CharField(max_length=255)),
+                ('comment', models.TextField()),
+            ],
+        ),
+        migrations.CreateModel(
+            name='StaffSessionAuditLog',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('datetime', models.DateTimeField(auto_now_add=True)),
+                ('url', models.CharField(max_length=255)),
+                ('session', models.ForeignKey(on_delete=models.deletion.CASCADE, related_name='logs', to='pretixbase.StaffSession')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='staffsession',
+            name='user',
+            field=models.ForeignKey(default=None, on_delete=models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='staffsessionauditlog',
+            name='impersonating',
+            field=models.ForeignKey(blank=True, null=True, on_delete=models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AddField(
+            model_name='staffsessionauditlog',
+            name='method',
+            field=models.CharField(default='GET', max_length=255),
+            preserve_default=False,
+        ),
+    ]

src/pretix/base/migrations/0088_auto_20180328_1217.py

@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.11 on 2018-03-28 12:17
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+import pretix.base.models.items
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0087_auto_20180317_1952'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='staffsession',
+            options={'ordering': ('date_start',)},
+        ),
+        migrations.AlterModelOptions(
+            name='staffsessionauditlog',
+            options={'ordering': ('datetime',)},
+        ),
+        migrations.AlterField(
+            model_name='item',
+            name='picture',
+            field=models.ImageField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.items.itempicture_upload_to, verbose_name='Product picture'),
+        ),
+    ]

src/pretix/base/migrations/0089_auto_20180315_1322.py

@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.10 on 2018-03-15 13:22
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0088_auto_20180328_1217'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='logentry',
+            name='shredded',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='shredded',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/models/__init__.py

@@ -19,7 +19,9 @@ from .orders import (
     cachedcombinedticket_name, cachedticket_name, generate_position_secret,
     generate_secret,
 )
-from .organizer import Organizer, Organizer_SettingsStore, Team, TeamInvite
+from .organizer import (
+    Organizer, Organizer_SettingsStore, Team, TeamAPIToken, TeamInvite,
+)
 from .tax import TaxRule
 from .vouchers import Voucher
 from .waitinglist import WaitingListEntry

src/pretix/base/models/auth.py

@@ -1,4 +1,4 @@
-from typing import Union
+from datetime import timedelta
 
 from django.conf import settings
 from django.contrib.auth.models import (
@@ -9,6 +9,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.db.models import Q
 from django.utils.crypto import get_random_string
+from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy as _
 from django_otp.models import Device
 
@@ -36,7 +37,6 @@ class UserManager(BaseUserManager):
             raise Exception("You must provide a password")
         user = self.model(email=email)
         user.is_staff = True
-        user.is_superuser = True
         user.set_password(password)
         user.save()
         return user
@@ -46,6 +46,11 @@ def generate_notifications_token():
     return get_random_string(length=32)
 
 
+class SuperuserPermissionSet:
+    def __contains__(self, item):
+        return True
+
+
 class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     """
     This is the user model used by pretix for authentication.
@@ -114,6 +119,10 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     def __str__(self):
         return self.email
 
+    @property
+    def is_superuser(self):
+        return False
+
     def get_short_name(self) -> str:
         """
         Returns the first of the following user properties that is found to exist:
@@ -194,40 +203,36 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             ))
         return self._teamcache['e{}'.format(event.pk)]
 
-    class SuperuserPermissionSet:
-        def __contains__(self, item):
-            return True
-
-    def get_event_permission_set(self, organizer, event) -> Union[set, SuperuserPermissionSet]:
+    def get_event_permission_set(self, organizer, event) -> set:
         """
         Gets a set of permissions (as strings) that a user holds for a particular event
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :return: set in case of a normal user and a SuperuserPermissionSet in case of a superuser (fake object where
-                 a in b always returns true).
+        :return: set
         """
-        if self.is_superuser:
-            return self.SuperuserPermissionSet()
-
         teams = self._get_teams_for_event(organizer, event)
-        return set.union(*[t.permission_set() for t in teams])
+        sets = [t.permission_set() for t in teams]
+        if sets:
+            return set.union(*sets)
+        else:
+            return set()
 
-    def get_organizer_permission_set(self, organizer) -> Union[set, SuperuserPermissionSet]:
+    def get_organizer_permission_set(self, organizer) -> set:
         """
         Gets a set of permissions (as strings) that a user holds for a particular organizer
 
         :param organizer: The organizer of the event
-        :return: set in case of a normal user and a SuperuserPermissionSet in case of a superuser (fake object where
-                 a in b always returns true).
+        :return: set
         """
-        if self.is_superuser:
-            return self.SuperuserPermissionSet()
-
         teams = self._get_teams_for_organizer(organizer)
-        return set.union(*[t.permission_set() for t in teams])
+        sets = [t.permission_set() for t in teams]
+        if sets:
+            return set.union(*sets)
+        else:
+            return set()
 
-    def has_event_permission(self, organizer, event, perm_name=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
         Checks if this user is part of any team that grants access of type ``perm_name``
         to the event ``event``.
@@ -235,43 +240,50 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :param organizer: The organizer of the event
         :param event: The event to check
         :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: The current request (optional). Required to detect staff sessions properly.
         :return: bool
         """
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
             return True
         teams = self._get_teams_for_event(organizer, event)
         if teams:
             self._teamcache['e{}'.format(event.pk)] = teams
+            if isinstance(perm_name, (tuple, list)):
+                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
             if not perm_name or any([team.has_permission(perm_name) for team in teams]):
                 return True
         return False
 
-    def has_organizer_permission(self, organizer, perm_name=None):
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
         Checks if this user is part of any team that grants access of type ``perm_name``
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
         :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: The current request (optional). Required to detect staff sessions properly.
         :return: bool
         """
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
             return True
         teams = self._get_teams_for_organizer(organizer)
         if teams:
+            if isinstance(perm_name, (tuple, list)):
+                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
             if not perm_name or any([team.has_permission(perm_name) for team in teams]):
                 return True
         return False
 
-    def get_events_with_any_permission(self):
+    def get_events_with_any_permission(self, request=None):
         """
         Returns a queryset of events the user has any permissions to.
 
+        :param request: The current request (optional). Required to detect staff sessions properly.
         :return: Iterable of Events
         """
         from .event import Event
 
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
             return Event.objects.all()
 
         return Event.objects.filter(
@@ -279,15 +291,16 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             | Q(id__in=self.teams.values_list('limit_events__id', flat=True))
         )
 
-    def get_events_with_permission(self, permission):
+    def get_events_with_permission(self, permission, request=None):
         """
         Returns a queryset of events the user has a specific permissions to.
 
+        :param request: The current request (optional). Required to detect staff sessions properly.
         :return: Iterable of Events
         """
         from .event import Event
 
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
             return Event.objects.all()
 
         kwargs = {permission: True}
@@ -297,6 +310,56 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             | Q(id__in=self.teams.filter(**kwargs).values_list('limit_events__id', flat=True))
         )
 
+    def has_active_staff_session(self, session_key=None):
+        """
+        Returns whether or not a user has an active staff session (formerly known as superuser session)
+        with the given session key.
+        """
+        return self.get_active_staff_session(session_key) is not None
+
+    def get_active_staff_session(self, session_key=None):
+        if not self.is_staff:
+            return None
+        if not hasattr(self, '_staff_session_cache'):
+            self._staff_session_cache = {}
+        if session_key not in self._staff_session_cache:
+            qs = StaffSession.objects.filter(
+                user=self, date_end__isnull=True
+            )
+            if session_key:
+                qs = qs.filter(session_key=session_key)
+            sess = qs.first()
+            if sess:
+                if sess.date_start < now() - timedelta(seconds=settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE):
+                    sess.date_end = now()
+                    sess.save()
+                    sess = None
+
+            self._staff_session_cache[session_key] = sess
+        return self._staff_session_cache[session_key]
+
+
+class StaffSession(models.Model):
+    user = models.ForeignKey('User')
+    date_start = models.DateTimeField(auto_now_add=True)
+    date_end = models.DateTimeField(null=True, blank=True)
+    session_key = models.CharField(max_length=255)
+    comment = models.TextField()
+
+    class Meta:
+        ordering = ('date_start',)
+
+
+class StaffSessionAuditLog(models.Model):
+    session = models.ForeignKey('StaffSession', related_name='logs')
+    datetime = models.DateTimeField(auto_now_add=True)
+    url = models.CharField(max_length=255)
+    method = models.CharField(max_length=255)
+    impersonating = models.ForeignKey('User', null=True, blank=True)
+
+    class Meta:
+        ordering = ('datetime',)
+
 
 class U2FDevice(Device):
     json_data = models.TextField()

src/pretix/base/models/event.py

@@ -437,7 +437,8 @@ class Event(EventMixin, LoggedModel):
             if s.value.startswith('file://'):
                 fi = default_storage.open(s.value[7:], 'rb')
                 nonce = get_random_string(length=8)
-                fname = '%s/%s/%s.%s.%s' % (
+                # TODO: make sure pub is always correct
+                fname = 'pub/%s/%s/%s.%s.%s' % (
                     self.organizer.slug, self.slug, s.key, nonce, s.value.split('.')[-1]
                 )
                 newname = default_storage.save(fname, fi)
@@ -494,6 +495,22 @@ class Event(EventMixin, LoggedModel):
                 renderers[pp.identifier] = pp
         return renderers
 
+    def get_data_shredders(self) -> dict:
+        """
+        Returns a dictionary of initialized data shredders mapped by their identifiers.
+        """
+        from ..signals import register_data_shredders
+
+        responses = register_data_shredders.send(self)
+        renderers = {}
+        for receiver, response in responses:
+            if not isinstance(response, list):
+                response = [response]
+            for p in response:
+                pp = p(self)
+                renderers[pp.identifier] = pp
+        return renderers
+
     @property
     def invoice_renderer(self):
         """
@@ -524,6 +541,40 @@ class Event(EventMixin, LoggedModel):
         data.update({v.property.name: v.value for v in self.meta_values.select_related('property').all()})
         return data
 
+    @property
+    def has_payment_provider(self):
+        result = False
+        for provider in self.get_payment_providers().values():
+            if provider.is_enabled and provider.identifier != 'free':
+                result = True
+                break
+        return result
+
+    @property
+    def has_paid_things(self):
+        from .items import Item, ItemVariation
+
+        return Item.objects.filter(event=self, default_price__gt=0).exists()\
+            or ItemVariation.objects.filter(item__event=self, default_price__gt=0).exists()
+
+    @cached_property
+    def live_issues(self):
+        from pretix.base.signals import event_live_issues
+        issues = []
+
+        if self.has_paid_things and not self.has_payment_provider:
+            issues.append(_('You have configured at least one paid product but have not enabled any payment methods.'))
+
+        if not self.quotas.exists():
+            issues.append(_('You need to configure at least one quota to sell anything.'))
+
+        responses = event_live_issues.send(self)
+        for receiver, response in sorted(responses, key=lambda r: str(r[0])):
+            if response:
+                issues.append(response)
+
+        return issues
+
     def get_users_with_any_permission(self):
         """
         Returns a queryset of users who have any permission to this event.
@@ -553,13 +604,80 @@ class Event(EventMixin, LoggedModel):
             Q(all_events=True) | Q(limit_events__pk=self.pk)
         )
 
-        return User.objects.annotate(twp=Exists(team_with_perm)).filter(
-            Q(is_superuser=True) | Q(twp=True)
-        )
+        return User.objects.annotate(twp=Exists(team_with_perm)).filter(twp=True)
+
+    def clean_live(self):
+        for issue in self.live_issues:
+            if issue:
+                raise ValidationError(issue)
 
     def allow_delete(self):
         return not self.orders.exists() and not self.invoices.exists()
 
+    def delete_sub_objects(self):
+        self.items.all().delete()
+        self.subevents.all().delete()
+
+    def set_active_plugins(self, modules, allow_restricted=False):
+        from pretix.base.plugins import get_all_plugins
+
+        plugins_active = self.get_plugins()
+        plugins_available = {
+            p.module: p for p in get_all_plugins()
+            if not p.name.startswith('.') and getattr(p, 'visible', True)
+        }
+
+        enable = [m for m in modules if m not in plugins_active and m in plugins_available]
+
+        for module in enable:
+            if getattr(plugins_available[module].app, 'restricted', False) and not allow_restricted:
+                modules.remove(module)
+            elif hasattr(plugins_available[module].app, 'installed'):
+                getattr(plugins_available[module].app, 'installed')(self)
+
+        self.plugins = ",".join(modules)
+
+    def enable_plugin(self, module, allow_restricted=False):
+        plugins_active = self.get_plugins()
+
+        if module not in plugins_active:
+            plugins_active.append(module)
+            self.set_active_plugins(plugins_active, allow_restricted=allow_restricted)
+
+    def disable_plugin(self, module):
+        plugins_active = self.get_plugins()
+
+        if module in plugins_active:
+            plugins_active.remove(module)
+            self.set_active_plugins(plugins_active)
+
+    @staticmethod
+    def clean_has_subevents(event, has_subevents):
+        if event is not None and event.has_subevents is not None:
+            if event.has_subevents != has_subevents:
+                raise ValidationError(_('Once created an event cannot change between an series and a single event.'))
+
+    @staticmethod
+    def clean_slug(organizer, event, slug):
+        if event is not None and event.slug is not None:
+            if event.slug != slug:
+                raise ValidationError(_('The event slug cannot be changed.'))
+        else:
+            if Event.objects.filter(slug=slug, organizer=organizer).exists():
+                raise ValidationError(_('This slug has already been used for a different event.'))
+
+    @staticmethod
+    def clean_dates(date_from, date_to):
+        if date_from is not None and date_to is not None:
+            if date_from > date_to:
+                raise ValidationError(_('The event cannot end before it starts.'))
+
+    @staticmethod
+    def clean_presale(presale_start, presale_end):
+        if presale_start is not None and presale_end is not None:
+            if presale_start > presale_end:
+                raise ValidationError(_('The event\'s presale cannot end before it starts.'))
+
 
 class SubEvent(EventMixin, LoggedModel):
     """
@@ -661,7 +779,7 @@ class SubEvent(EventMixin, LoggedModel):
         return self.event.currency
 
     def allow_delete(self):
-        return self.event.subevents.count() > 1
+        return not self.orderposition_set.exists()
 
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)

src/pretix/base/models/invoices.py

@@ -83,8 +83,9 @@ class Invoice(models.Model):
     foreign_currency_display = models.CharField(max_length=50, null=True, blank=True)
     foreign_currency_rate = models.DecimalField(decimal_places=4, max_digits=10, null=True, blank=True)
     foreign_currency_rate_date = models.DateField(null=True, blank=True)
+    shredded = models.BooleanField(default=False)
 
-    file = models.FileField(null=True, blank=True, upload_to=invoice_filename)
+    file = models.FileField(null=True, blank=True, upload_to=invoice_filename, max_length=255)
     internal_reference = models.TextField(blank=True)
 
     @staticmethod

src/pretix/base/models/items.py

@@ -11,6 +11,7 @@ from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models import F, Func, Q, Sum
 from django.utils import formats
+from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
 from django.utils.timezone import is_naive, make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
@@ -85,7 +86,7 @@ class ItemCategory(LoggedModel):
 
 
 def itempicture_upload_to(instance, filename: str) -> str:
-    return '%s/%s/item-%s-%s.%s' % (
+    return 'pub/%s/%s/item-%s-%s.%s' % (
         instance.event.organizer.slug, instance.event.slug, instance.id,
         str(uuid.uuid4()), filename.split('.')[-1]
     )
@@ -247,7 +248,7 @@ class Item(LoggedModel):
     )
     picture = models.ImageField(
         verbose_name=_("Product picture"),
-        null=True, blank=True,
+        null=True, blank=True, max_length=255,
         upload_to=itempicture_upload_to
     )
     available_from = models.DateTimeField(
@@ -630,6 +631,8 @@ class Question(LoggedModel):
     :param items: A set of ``Items`` objects that this question should be applied to
     :param ask_during_checkin: Whether to ask this question during check-in instead of during check-out.
     :type ask_during_checkin: bool
+    :param identifier: An arbitrary, internal identifier
+    :type identifier: str
     """
     TYPE_NUMBER = "N"
     TYPE_STRING = "S"
@@ -661,6 +664,12 @@ class Question(LoggedModel):
     question = I18nTextField(
         verbose_name=_("Question")
     )
+    identifier = models.CharField(
+        max_length=190,
+        verbose_name=_("Internal identifier"),
+        help_text=_('You can enter any value here to make it easier to match the data with other sources. If you do '
+                    'not input one, we will generate one automatically.')
+    )
     help_text = I18nTextField(
         verbose_name=_("Help text"),
         help_text=_("If the question needs to be explained or clarified, do it here!"),
@@ -706,7 +715,25 @@ class Question(LoggedModel):
         if self.event:
             self.event.cache.clear()
 
+    def clean_identifier(self, code):
+        Question._clean_identifier(self.event, code, self)
+
+    @staticmethod
+    def _clean_identifier(event, code, instance=None):
+        qs = Question.objects.filter(event=event, identifier=code)
+        if instance:
+            qs = qs.exclude(pk=instance.pk)
+        if qs.exists():
+            raise ValidationError(_('This identifier is already used for a different question.'))
+
     def save(self, *args, **kwargs):
+        if not self.identifier:
+            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
+            while True:
+                code = get_random_string(length=8, allowed_chars=charset)
+                if not Question.objects.filter(event=self.event, identifier=code).exists():
+                    self.identifier = code
+                    break
         super().save(*args, **kwargs)
         if self.event:
             self.event.cache.clear()
@@ -776,15 +803,40 @@ class Question(LoggedModel):
 
         return answer
 
+    @staticmethod
+    def clean_items(event, items):
+        for item in items:
+            if event != item.event:
+                raise ValidationError(_('One or more items do not belong to this event.'))
+
 
 class QuestionOption(models.Model):
     question = models.ForeignKey('Question', related_name='options')
+    identifier = models.CharField(max_length=190)
     answer = I18nCharField(verbose_name=_('Answer'))
     position = models.IntegerField(default=0)
 
     def __str__(self):
         return str(self.answer)
 
+    def save(self, *args, **kwargs):
+        if not self.identifier:
+            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
+            while True:
+                code = get_random_string(length=8, allowed_chars=charset)
+                if not QuestionOption.objects.filter(question__event=self.question.event, identifier=code).exists():
+                    self.identifier = code
+                    break
+        super().save(*args, **kwargs)
+
+    @staticmethod
+    def clean_identifier(event, code, instance=None, known=[]):
+        qs = QuestionOption.objects.filter(question__event=event, identifier=code)
+        if instance:
+            qs = qs.exclude(pk=instance.pk)
+        if qs.exists() or code in known:
+            raise ValidationError(_('The identifier "{}" is already used for a different option.').format(code))
+
     class Meta:
         verbose_name = _("Question option")
         verbose_name_plural = _("Question options")
@@ -886,6 +938,7 @@ class Quota(LoggedModel):
     class Meta:
         verbose_name = _("Quota")
         verbose_name_plural = _("Quotas")
+        ordering = ('name',)
 
     def __str__(self):
         return self.name
@@ -1015,9 +1068,10 @@ class Quota(LoggedModel):
         return CartPosition.objects.filter(
             Q(event=self.event) & Q(subevent=self.subevent) &
             Q(expires__gte=now_dt) &
-            ~Q(
-                Q(voucher__isnull=False) & Q(voucher__block_quota=True)
-                & Q(Q(voucher__valid_until__isnull=True) | Q(voucher__valid_until__gte=now_dt))
+            Q(
+                Q(voucher__isnull=True)
+                | Q(voucher__block_quota=False)
+                | Q(voucher__valid_until__lt=now_dt)
             ) &
             self._position_lookup
         ).count()

src/pretix/base/models/log.py

@@ -45,6 +45,7 @@ class LogEntry(models.Model):
     action_type = models.CharField(max_length=255)
     data = models.TextField(default='{}')
     visible = models.BooleanField(default=True)
+    shredded = models.BooleanField(default=False)
 
     objects = VisibleOnlyManager()
     all = models.Manager()

src/pretix/base/models/orders.py

@@ -191,7 +191,10 @@ class Order(LoggedModel):
 
     @cached_property
     def meta_info_data(self):
-        return json.loads(self.meta_info)
+        try:
+            return json.loads(self.meta_info)
+        except TypeError:
+            return None
 
     @property
     def full_code(self):
@@ -471,7 +474,8 @@ class QuestionAnswer(models.Model):
     )
     answer = models.TextField()
     file = models.FileField(
-        null=True, blank=True, upload_to=answerfile_name
+        null=True, blank=True, upload_to=answerfile_name,
+        max_length=255
     )
 
     @property
@@ -670,11 +674,13 @@ class OrderFee(models.Model):
     FEE_TYPE_SHIPPING = "shipping"
     FEE_TYPE_SERVICE = "service"
     FEE_TYPE_OTHER = "other"
+    FEE_TYPE_GIFTCARD = "giftcard"
     FEE_TYPES = (
         (FEE_TYPE_PAYMENT, _("Payment fee")),
         (FEE_TYPE_SHIPPING, _("Shipping fee")),
         (FEE_TYPE_SERVICE, _("Service fee")),
         (FEE_TYPE_OTHER, _("Other fees")),
+        (FEE_TYPE_GIFTCARD, _("Gift card")),
     )
 
     value = models.DecimalField(
@@ -969,7 +975,7 @@ class CachedTicket(models.Model):
     provider = models.CharField(max_length=255)
     type = models.CharField(max_length=255)
     extension = models.CharField(max_length=255)
-    file = models.FileField(null=True, blank=True, upload_to=cachedticket_name)
+    file = models.FileField(null=True, blank=True, upload_to=cachedticket_name, max_length=255)
     created = models.DateTimeField(auto_now_add=True)
 
 
@@ -978,7 +984,7 @@ class CachedCombinedTicket(models.Model):
     provider = models.CharField(max_length=255)
     type = models.CharField(max_length=255)
     extension = models.CharField(max_length=255)
-    file = models.FileField(null=True, blank=True, upload_to=cachedcombinedticket_name)
+    file = models.FileField(null=True, blank=True, upload_to=cachedcombinedticket_name, max_length=255)
     created = models.DateTimeField(auto_now_add=True)
 
 

src/pretix/base/models/organizer.py

@@ -264,7 +264,7 @@ class TeamAPIToken(models.Model):
         """
         return self.team.permission_set() if self.team.organizer == organizer else set()
 
-    def has_event_permission(self, organizer, event, perm_name=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
         Checks if this token is part of a team that grants access of type ``perm_name``
         to the event ``event``.
@@ -272,22 +272,28 @@ class TeamAPIToken(models.Model):
         :param organizer: The organizer of the event
         :param event: The event to check
         :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
             event in self.team.limit_events.all()
         )
+        if isinstance(perm_name, (tuple, list)):
+            return has_event_access and any(self.team.has_permission(p) for p in perm_name)
         return has_event_access and (not perm_name or self.team.has_permission(perm_name))
 
-    def has_organizer_permission(self, organizer, perm_name=None):
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
         Checks if this token is part of a team that grants access of type ``perm_name``
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
         :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
+        if isinstance(perm_name, (tuple, list)):
+            return organizer == self.team.organizer and any(self.team.has_permission(p) for p in perm_name)
         return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
 
     def get_events_with_any_permission(self):

src/pretix/base/models/tax.py

@@ -1,6 +1,7 @@
 import json
 from decimal import Decimal
 
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.formats import localize
 from django.utils.translation import ugettext_lazy as _
@@ -113,7 +114,7 @@ class TaxRule(LoggedModel):
 
     def clean(self):
         if self.eu_reverse_charge and not self.home_country:
-            raise ValueError(_('You need to set your home country to use the reverse charge feature.'))
+            raise ValidationError(_('You need to set your home country to use the reverse charge feature.'))
 
     def __str__(self):
         if self.price_includes_tax:
@@ -124,6 +125,10 @@ class TaxRule(LoggedModel):
             s += ' ({})'.format(_('reverse charge enabled'))
         return str(s)
 
+    @property
+    def has_custom_rules(self):
+        return self.custom_rules and self.custom_rules != '[]'
+
     def tax(self, base_price, base_price_is='auto'):
         if self.rate == Decimal('0.00'):
             return TaxedPrice(

src/pretix/base/models/vouchers.py

@@ -25,7 +25,7 @@ def _generate_random_code(prefix=None):
 def generate_code(prefix=None):
     while True:
         code = _generate_random_code(prefix=prefix)
-        if not Voucher.objects.filter(code=code).exists():
+        if not Voucher.objects.filter(code__iexact=code).exists():
             return code
 
 
@@ -278,11 +278,9 @@ class Voucher(LoggedModel):
             if old_instance.quota:
                 quotas.add(old_instance.quota)
             elif old_instance.variation:
-                quotas |= set(old_instance.variation.quotas.filter(
-                    subevent=old_instance.subevent))
+                quotas |= set(old_instance.variation.quotas.filter(subevent=old_instance.subevent))
             elif old_instance.item:
-                quotas |= set(old_instance.item.quotas.filter(
-                    subevent=old_instance.subevent))
+                quotas |= set(old_instance.item.quotas.filter(subevent=old_instance.subevent))
         return quotas
 
     @staticmethod
@@ -313,7 +311,7 @@ class Voucher(LoggedModel):
 
     @staticmethod
     def clean_voucher_code(data, event, pk):
-        if 'code' in data and Voucher.objects.filter(Q(code=data['code']) & Q(event=event) & ~Q(pk=pk)).exists():
+        if 'code' in data and Voucher.objects.filter(Q(code__iexact=data['code']) & Q(event=event) & ~Q(pk=pk)).exists():
             raise ValidationError(_('A voucher with this code already exists.'))
 
     def save(self, *args, **kwargs):

src/pretix/base/models/waitinglist.py

@@ -73,15 +73,11 @@ class WaitingListEntry(LoggedModel):
         return '%s waits for %s' % (str(self.email), str(self.item))
 
     def clean(self):
-        if WaitingListEntry.objects.filter(
-            item=self.item, variation=self.variation, email=self.email, voucher__isnull=True
-        ).exclude(pk=self.pk).exists():
-            raise ValidationError(_('You are already on this waiting list! We will notify '
-                                    'you as soon as we have a ticket available for you.'))
-        if not self.variation and self.item.has_variations:
-            raise ValidationError(_('Please select a specific variation of this product.'))
+        WaitingListEntry.clean_duplicate(self.email, self.item, self.variation, self.subevent, self.pk)
+        WaitingListEntry.clean_itemvar(self.event, self.item, self.variation)
+        WaitingListEntry.clean_subevent(self.event, self.subevent)
 
-    def send_voucher(self, quota_cache=None, user=None):
+    def send_voucher(self, quota_cache=None, user=None, api_token=None):
         availability = (
             self.variation.check_quotas(count_waitinglist=False, subevent=self.subevent, _cache=quota_cache)
             if self.variation
@@ -91,6 +87,8 @@ class WaitingListEntry(LoggedModel):
             raise WaitingListException(_('This product is currently not available.'))
         if self.voucher:
             raise WaitingListException(_('A voucher has already been sent to this person.'))
+        if '@' not in self.email:
+            raise WaitingListException(_('This entry is anonymized and can no longer be used.'))
 
         with transaction.atomic():
             v = Voucher.objects.create(
@@ -116,8 +114,8 @@ class WaitingListEntry(LoggedModel):
                 'email': self.email,
                 'waitinglistentry': self.pk,
                 'subevent': self.subevent.pk if self.subevent else None,
-            }, user=user)
-            self.log_action('pretix.waitinglist.voucher', user=user)
+            }, user=user, api_token=api_token)
+            self.log_action('pretix.waitinglist.voucher', user=user, api_token=api_token)
             self.voucher = v
             self.save()
 
@@ -136,3 +134,29 @@ class WaitingListEntry(LoggedModel):
                 self.event,
                 locale=self.locale
             )
+
+    @staticmethod
+    def clean_itemvar(event, item, variation):
+        if event != item.event:
+            raise ValidationError(_('The selected item does not belong to this event.'))
+        if item.has_variations and (not variation or variation.item != item):
+            raise ValidationError(_('Please select a specific variation of this product.'))
+
+    @staticmethod
+    def clean_subevent(event, subevent):
+        if event.has_subevents:
+            if not subevent:
+                raise ValidationError(_('Subevent cannot be null for event series.'))
+            if event != subevent.event:
+                raise ValidationError(_('The subevent does not belong to this event.'))
+        else:
+            if subevent:
+                raise ValidationError(_('The subevent does not belong to this event.'))
+
+    @staticmethod
+    def clean_duplicate(email, item, variation, subevent, pk):
+        if WaitingListEntry.objects.filter(
+                item=item, variation=variation, email=email, voucher__isnull=True, subevent=subevent
+        ).exclude(pk=pk).exists():
+            raise ValidationError(_('You are already on this waiting list! We will notify '
+                                    'you as soon as we have a ticket available for you.'))

src/pretix/base/notifications.py

@@ -174,6 +174,7 @@ class ParametrizedOrderNotificationType(NotificationType):
             title=self._title.format(order=order, event=logentry.event),
             url=order_url
         )
+        n.add_attribute(_('Event'), order.event.name)
         n.add_attribute(_('Order code'), order.code)
         n.add_attribute(_('Order total'), money_filter(order.total, logentry.event.currency))
         n.add_attribute(_('Order date'), date_format(order.datetime, 'SHORT_DATETIME_FORMAT'))
@@ -204,6 +205,12 @@ def register_default_notification_types(sender, **kwargs):
             _('Order canceled'),
             _('Order {order.code} has been canceled.')
         ),
+        ParametrizedOrderNotificationType(
+            sender,
+            'pretix.event.order.expired',
+            _('Order expired'),
+            _('Order {order.code} has been marked as expired.'),
+        ),
         ParametrizedOrderNotificationType(
             sender,
             'pretix.event.order.modified',

src/pretix/base/payment.py

@@ -169,6 +169,22 @@ class BasePaymentProvider:
                  label=_('Enable payment method'),
                  required=False,
              )),
+            ('_availability_date',
+             RelativeDateField(
+                 label=_('Available until'),
+                 help_text=_('Users will not be able to choose this payment provider after the given date.'),
+                 required=False,
+             )),
+            ('_invoice_text',
+             I18nFormField(
+                 label=_('Text on invoices'),
+                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
+                             'This will only be used if the invoice is generated before the order is paid. If the '
+                             'invoice is generated later, it will show a text stating that it has already been paid.'),
+                 required=False,
+                 widget=I18nTextarea,
+                 widget_kwargs={'attrs': {'rows': '2'}}
+             )),
             ('_fee_abs',
              forms.DecimalField(
                  label=_('Additional fee'),
@@ -187,12 +203,6 @@ class BasePaymentProvider:
                  localize=True,
                  required=False,
              )),
-            ('_availability_date',
-             RelativeDateField(
-                 label=_('Available until'),
-                 help_text=_('Users will not be able to choose this payment provider after the given date.'),
-                 required=False,
-             )),
             ('_fee_reverse_calc',
              forms.BooleanField(
                  label=_('Calculate the fee from the total value including the fee.'),
@@ -202,16 +212,6 @@ class BasePaymentProvider:
                              'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
                  required=False
              )),
-            ('_invoice_text',
-             I18nFormField(
-                 label=_('Text on invoices'),
-                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
-                             'This will only be used if the invoice is generated before the order is paid. If the '
-                             'invoice is generated later, it will show a text stating that it has already been paid.'),
-                 required=False,
-                 widget=I18nTextarea,
-                 widget_kwargs={'attrs': {'rows': '2'}}
-             )),
         ])
 
     def settings_content_render(self, request: HttpRequest) -> str:
@@ -220,7 +220,7 @@ class BasePaymentProvider:
         page, this method is called. It may return HTML containing additional information
         that is displayed below the form fields configured in ``settings_form_fields``.
         """
-        pass
+        return ""
 
     def render_invoice_text(self, order: Order) -> str:
         """
@@ -566,6 +566,19 @@ class BasePaymentProvider:
         messages.success(request, _('The order has been marked as refunded. Please transfer the money '
                                     'back to the buyer manually.'))
 
+    def shred_payment_info(self, order: Order):
+        """
+        When personal data is removed from an event, this method is called to scrub payment-related data
+        from an order. By default, it removes all info from the ``payment_info`` attribute. You can override
+        this behavior if you want to retain attributes that are not personal data on their own, i.e. a
+        reference to a transaction in an external system. You can also override this to scrub more data, e.g.
+        data from external sources that is saved in LogEntry objects or other places.
+
+        :param order: An order
+        """
+        order.payment_info = None
+        order.save(update_fields=['payment_info'])
+
 
 class PaymentException(Exception):
     pass

src/pretix/base/pdf.py

@@ -0,0 +1,298 @@
+import copy
+import logging
+import re
+import uuid
+from collections import OrderedDict
+from io import BytesIO
+
+import bleach
+from django.contrib.staticfiles import finders
+from django.utils.formats import date_format
+from django.utils.translation import ugettext_lazy as _
+from PyPDF2 import PdfFileReader
+from pytz import timezone
+from reportlab.graphics import renderPDF
+from reportlab.graphics.barcode.qr import QrCodeWidget
+from reportlab.graphics.shapes import Drawing
+from reportlab.lib.colors import Color
+from reportlab.lib.enums import TA_CENTER, TA_LEFT, TA_RIGHT
+from reportlab.lib.styles import ParagraphStyle
+from reportlab.lib.units import mm
+from reportlab.pdfbase import pdfmetrics
+from reportlab.pdfbase.pdfmetrics import getAscentDescent
+from reportlab.pdfbase.ttfonts import TTFont
+from reportlab.pdfgen.canvas import Canvas
+from reportlab.platypus import Paragraph
+
+from pretix.base.models import Order, OrderPosition
+from pretix.base.signals import layout_text_variables
+from pretix.base.templatetags.money import money_filter
+from pretix.presale.style import get_fonts
+
+logger = logging.getLogger(__name__)
+
+
+DEFAULT_VARIABLES = OrderedDict((
+    ("secret", {
+        "label": _("Ticket code (barcode content)"),
+        "editor_sample": "tdmruoekvkpbv1o2mv8xccvqcikvr58u",
+        "evaluate": lambda orderposition, order, event: orderposition.secret
+    }),
+    ("order", {
+        "label": _("Order code"),
+        "editor_sample": "A1B2C",
+        "evaluate": lambda orderposition, order, event: orderposition.order.code
+    }),
+    ("item", {
+        "label": _("Product name"),
+        "editor_sample": _("Sample product"),
+        "evaluate": lambda orderposition, order, event: str(orderposition.item)
+    }),
+    ("variation", {
+        "label": _("Variation name"),
+        "editor_sample": _("Sample variation"),
+        "evaluate": lambda op, order, event: str(op.variation) if op.variation else ''
+    }),
+    ("item_description", {
+        "label": _("Product description"),
+        "editor_sample": _("Sample product description"),
+        "evaluate": lambda orderposition, order, event: str(orderposition.item.description)
+    }),
+    ("itemvar", {
+        "label": _("Product name and variation"),
+        "editor_sample": _("Sample product – sample variation"),
+        "evaluate": lambda orderposition, order, event: (
+            '{} - {}'.format(orderposition.item, orderposition.variation)
+            if orderposition.variation else str(orderposition.item)
+        )
+    }),
+    ("item_category", {
+        "label": _("Product category"),
+        "editor_sample": _("Ticket category"),
+        "evaluate": lambda orderposition, order, event: (
+            str(orderposition.item.category.name) if orderposition.item.category else ""
+        )
+    }),
+    ("price", {
+        "label": _("Price"),
+        "editor_sample": _("123.45 EUR"),
+        "evaluate": lambda op, order, event: money_filter(op.price, event.currency)
+    }),
+    ("attendee_name", {
+        "label": _("Attendee name"),
+        "editor_sample": _("John Doe"),
+        "evaluate": lambda op, order, ev: op.attendee_name or (op.addon_to.attendee_name if op.addon_to else '')
+    }),
+    ("event_name", {
+        "label": _("Event name"),
+        "editor_sample": _("Sample event name"),
+        "evaluate": lambda op, order, ev: str(ev.name)
+    }),
+    ("event_date", {
+        "label": _("Event date"),
+        "editor_sample": _("May 31st, 2017"),
+        "evaluate": lambda op, order, ev: ev.get_date_from_display(show_times=False)
+    }),
+    ("event_date_range", {
+        "label": _("Event date range"),
+        "editor_sample": _("May 31st – June 4th, 2017"),
+        "evaluate": lambda op, order, ev: ev.get_date_range_display()
+    }),
+    ("event_begin", {
+        "label": _("Event begin date and time"),
+        "editor_sample": _("2017-05-31 20:00"),
+        "evaluate": lambda op, order, ev: ev.get_date_from_display(show_times=True)
+    }),
+    ("event_begin_time", {
+        "label": _("Event begin time"),
+        "editor_sample": _("20:00"),
+        "evaluate": lambda op, order, ev: ev.get_time_from_display()
+    }),
+    ("event_end", {
+        "label": _("Event end date and time"),
+        "editor_sample": _("2017-05-31 22:00"),
+        "evaluate": lambda op, order, ev: date_format(
+            ev.date_to.astimezone(timezone(ev.settings.timezone)),
+            "SHORT_DATETIME_FORMAT"
+        ) if ev.date_to else ""
+    }),
+    ("event_end_time", {
+        "label": _("Event end time"),
+        "editor_sample": _("22:00"),
+        "evaluate": lambda op, order, ev: date_format(
+            ev.date_to.astimezone(timezone(ev.settings.timezone)),
+            "TIME_FORMAT"
+        ) if ev.date_to else ""
+    }),
+    ("event_admission", {
+        "label": _("Event admission date and time"),
+        "editor_sample": _("2017-05-31 19:00"),
+        "evaluate": lambda op, order, ev: date_format(
+            ev.date_admission.astimezone(timezone(ev.settings.timezone)),
+            "SHORT_DATETIME_FORMAT"
+        ) if ev.date_admission else ""
+    }),
+    ("event_admission_time", {
+        "label": _("Event admission time"),
+        "editor_sample": _("19:00"),
+        "evaluate": lambda op, order, ev: date_format(
+            ev.date_admission.astimezone(timezone(ev.settings.timezone)),
+            "TIME_FORMAT"
+        ) if ev.date_admission else ""
+    }),
+    ("event_location", {
+        "label": _("Event location"),
+        "editor_sample": _("Random City"),
+        "evaluate": lambda op, order, ev: str(ev.location).replace("\n", "<br/>\n")
+    }),
+    ("invoice_name", {
+        "label": _("Invoice address: name"),
+        "editor_sample": _("John Doe"),
+        "evaluate": lambda op, order, ev: order.invoice_address.name if getattr(order, 'invoice_address') else ''
+    }),
+    ("invoice_company", {
+        "label": _("Invoice address: company"),
+        "editor_sample": _("Sample company"),
+        "evaluate": lambda op, order, ev: order.invoice_address.company if getattr(order, 'invoice_address') else ''
+    }),
+    ("addons", {
+        "label": _("List of Add-Ons"),
+        "editor_sample": _("Addon 1\nAddon 2"),
+        "evaluate": lambda op, order, ev: "<br/>".join([
+            '{} - {}'.format(p.item, p.variation) if p.variation else str(p.item)
+            for p in op.addons.select_related('item', 'variation')
+        ])
+    }),
+    ("organizer", {
+        "label": _("Organizer name"),
+        "editor_sample": _("Event organizer company"),
+        "evaluate": lambda op, order, ev: str(order.event.organizer.name)
+    }),
+    ("organizer_info_text", {
+        "label": _("Organizer info text"),
+        "editor_sample": _("Event organizer info text"),
+        "evaluate": lambda op, order, ev: str(order.event.settings.organizer_info_text)
+    }),
+))
+
+
+def get_variables(event):
+    v = copy.copy(DEFAULT_VARIABLES)
+    for recv, res in layout_text_variables.send(sender=event):
+        v.update(res)
+    return v
+
+
+class Renderer:
+
+    def __init__(self, event, layout, background_file):
+        self.layout = layout
+        self.background_file = background_file
+        self.variables = get_variables(event)
+        if self.background_file:
+            self.bg_pdf = PdfFileReader(BytesIO(self.background_file.read()))
+        else:
+            self.bg_pdf = None
+
+    @classmethod
+    def _register_fonts(cls):
+        pdfmetrics.registerFont(TTFont('Open Sans', finders.find('fonts/OpenSans-Regular.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans I', finders.find('fonts/OpenSans-Italic.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans B', finders.find('fonts/OpenSans-Bold.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans B I', finders.find('fonts/OpenSans-BoldItalic.ttf')))
+
+        for family, styles in get_fonts().items():
+            pdfmetrics.registerFont(TTFont(family, finders.find(styles['regular']['truetype'])))
+            if 'italic' in styles:
+                pdfmetrics.registerFont(TTFont(family + ' I', finders.find(styles['italic']['truetype'])))
+            if 'bold' in styles:
+                pdfmetrics.registerFont(TTFont(family + ' B', finders.find(styles['bold']['truetype'])))
+            if 'bolditalic' in styles:
+                pdfmetrics.registerFont(TTFont(family + ' B I', finders.find(styles['bolditalic']['truetype'])))
+
+    def _draw_barcodearea(self, canvas: Canvas, op: OrderPosition, o: dict):
+        reqs = float(o['size']) * mm
+        qrw = QrCodeWidget(op.secret, barLevel='H', barHeight=reqs, barWidth=reqs)
+        d = Drawing(reqs, reqs)
+        d.add(qrw)
+        qr_x = float(o['left']) * mm
+        qr_y = float(o['bottom']) * mm
+        renderPDF.draw(d, canvas, qr_x, qr_y)
+
+    def _get_text_content(self, op: OrderPosition, order: Order, o: dict):
+        ev = op.subevent or order.event
+        if not o['content']:
+            return '(error)'
+        if o['content'] == 'other':
+            return o['text'].replace("\n", "<br/>\n")
+        elif o['content'].startswith('meta:'):
+            return ev.meta_data.get(o['content'][5:]) or ''
+        elif o['content'] in self.variables:
+            try:
+                return self.variables[o['content']]['evaluate'](op, order, ev)
+            except:
+                logger.exception('Failed to process variable.')
+                return '(error)'
+        return ''
+
+    def _draw_textarea(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
+        font = o['fontfamily']
+        if o['bold']:
+            font += ' B'
+        if o['italic']:
+            font += ' I'
+
+        align_map = {
+            'left': TA_LEFT,
+            'center': TA_CENTER,
+            'right': TA_RIGHT
+        }
+        style = ParagraphStyle(
+            name=uuid.uuid4().hex,
+            fontName=font,
+            fontSize=float(o['fontsize']),
+            leading=float(o['fontsize']),
+            autoLeading="max",
+            textColor=Color(o['color'][0] / 255, o['color'][1] / 255, o['color'][2] / 255),
+            alignment=align_map[o['align']]
+        )
+        text = re.sub(
+            "<br[^>]*>", "<br/>",
+            bleach.clean(
+                self._get_text_content(op, order, o) or "",
+                tags=["br"], attributes={}, styles=[], strip=True
+            )
+        )
+        p = Paragraph(text, style=style)
+        p.wrapOn(canvas, float(o['width']) * mm, 1000 * mm)
+        # p_size = p.wrap(float(o['width']) * mm, 1000 * mm)
+        ad = getAscentDescent(font, float(o['fontsize']))
+        p.drawOn(canvas, float(o['left']) * mm, float(o['bottom']) * mm - ad[1])
+
+    def draw_page(self, canvas: Canvas, order: Order, op: OrderPosition):
+        for o in self.layout:
+            if o['type'] == "barcodearea":
+                self._draw_barcodearea(canvas, op, o)
+            elif o['type'] == "textarea":
+                self._draw_textarea(canvas, op, order, o)
+        canvas.showPage()
+
+    def render_background(self, buffer, title=_('Ticket')):
+        from PyPDF2 import PdfFileWriter, PdfFileReader
+        buffer.seek(0)
+        new_pdf = PdfFileReader(buffer)
+        output = PdfFileWriter()
+
+        for page in new_pdf.pages:
+            bg_page = copy.copy(self.bg_pdf.getPage(0))
+            bg_page.mergePage(page)
+            output.addPage(bg_page)
+
+        output.addMetadata({
+            '/Title': str(title),
+            '/Creator': 'pretix',
+        })
+        outbuffer = BytesIO()
+        output.write(outbuffer)
+        outbuffer.seek(0)
+        return outbuffer

src/pretix/base/reldate.py

@@ -71,6 +71,7 @@ class RelativeDateWrapper:
             else:
                 base_date = getattr(event, self.data.base_date_name) or event.date_from
 
+            oldoffset = base_date.utcoffset()
             new_date = base_date.astimezone(tz) - datetime.timedelta(days=self.data.days_before)
             if self.data.time:
                 new_date = new_date.replace(
@@ -78,6 +79,9 @@ class RelativeDateWrapper:
                     minute=self.data.time.minute,
                     second=self.data.time.second
                 )
+            new_date = new_date.astimezone(tz)
+            newoffset = new_date.utcoffset()
+            new_date += oldoffset - newoffset
             return new_date
 
     def to_string(self) -> str:
@@ -149,6 +153,11 @@ class RelativeDateTimeField(forms.MultiValueField):
             ('absolute', _('Fixed date:')),
             ('relative', _('Relative date:')),
         ]
+        if kwargs.get('limit_choices'):
+            limit = kwargs.pop('limit_choices')
+            choices = [(k, v) for k, v in BASE_CHOICES if k in limit]
+        else:
+            choices = BASE_CHOICES
         if not kwargs.get('required', True):
             status_choices.insert(0, ('unset', _('Not set')))
         fields = (
@@ -163,7 +172,7 @@ class RelativeDateTimeField(forms.MultiValueField):
                 required=False
             ),
             forms.ChoiceField(
-                choices=BASE_CHOICES,
+                choices=choices,
                 required=False
             ),
             forms.TimeField(
@@ -171,7 +180,7 @@ class RelativeDateTimeField(forms.MultiValueField):
             ),
         )
         if 'widget' not in kwargs:
-            kwargs['widget'] = RelativeDateTimeWidget(status_choices=status_choices, base_choices=BASE_CHOICES)
+            kwargs['widget'] = RelativeDateTimeWidget(status_choices=status_choices, base_choices=choices)
         kwargs.pop('max_length', 0)
         kwargs.pop('empty_value', 0)
         super().__init__(

src/pretix/base/services/auth.py

@@ -0,0 +1,19 @@
+from datetime import timedelta
+
+from django.conf import settings
+from django.db.models import Max, Q
+from django.dispatch import receiver
+from django.utils.timezone import now
+
+from pretix.base.models.auth import StaffSession
+
+from ..signals import periodic_task
+
+
+@receiver(signal=periodic_task)
+def close_inactive_staff_sessions(sender, **kwargs):
+    StaffSession.objects.annotate(last_used=Max('logs__datetime')).filter(
+        Q(last_used__lte=now() - timedelta(seconds=settings.PRETIX_SESSION_TIMEOUT_RELATIVE)) & Q(date_end__isnull=True)
+    ).update(
+        date_end=now()
+    )

src/pretix/base/services/cart.py

@@ -295,7 +295,7 @@ class CartManager:
 
             if i.get('voucher'):
                 try:
-                    voucher = self.event.vouchers.get(code=i.get('voucher').strip())
+                    voucher = self.event.vouchers.get(code__iexact=i.get('voucher').strip())
                 except Voucher.DoesNotExist:
                     raise CartError(error_messages['voucher_invalid'])
                 else:

src/pretix/base/services/checkin.py

@@ -0,0 +1,147 @@
+from django.db import transaction
+from django.db.models import Prefetch
+from django.utils.timezone import now
+from django.utils.translation import ugettext as _
+
+from pretix.base.models import (
+    Checkin, CheckinList, Order, OrderPosition, Question, QuestionOption,
+)
+
+
+class CheckInError(Exception):
+    def __init__(self, msg, code):
+        self.msg = msg
+        self.code = code
+        super().__init__(msg)
+
+
+class RequiredQuestionsError(Exception):
+    def __init__(self, msg, code, questions):
+        self.msg = msg
+        self.code = code
+        self.questions = questions
+        super().__init__(msg)
+
+
+def _save_answers(op, answers, given_answers):
+    for q, a in given_answers.items():
+        if not a:
+            if q in answers:
+                answers[q].delete()
+            else:
+                continue
+        if isinstance(a, QuestionOption):
+            if q in answers:
+                qa = answers[q]
+                qa.answer = str(a.answer)
+                qa.save()
+                qa.options.clear()
+            else:
+                qa = op.answers.create(question=q, answer=str(a.answer))
+            qa.options.add(a)
+        elif isinstance(a, list):
+            if q in answers:
+                qa = answers[q]
+                qa.answer = ", ".join([str(o) for o in a])
+                qa.save()
+                qa.options.clear()
+            else:
+                qa = op.answers.create(question=q, answer=", ".join([str(o) for o in a]))
+            qa.options.add(*a)
+        else:
+            if q in answers:
+                qa = answers[q]
+                qa.answer = str(a)
+                qa.save()
+            else:
+                op.answers.create(question=q, answer=str(a))
+
+
+@transaction.atomic
+def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict, force=False,
+                    ignore_unpaid=False, nonce=None, datetime=None, questions_supported=True):
+    """
+    Create a checkin for this particular order position and check-in list. Fails with CheckInError if the check in is
+    not valid at this time.
+
+    :param op: The order position to check in
+    :param clist: The order position to check in
+    :param given_answers: A dictionary of questions mapped to validated, given answers
+    :param force: When set to True, this will succeed even when the position is already checked in or when required
+        questions are not filled out.
+    :param ignore_unpaid: When set to True, this will succeed even when the order is unpaid.
+    :param questions_supported: When set to False, questions are ignored
+    :param nonce: A random nonce to prevent race conditions.
+    :param datetime: The datetime of the checkin, defaults to now.
+    """
+    dt = datetime or now()
+
+    # Fetch order position with related objects
+    op = OrderPosition.objects.select_related(
+        'item', 'variation', 'order', 'addon_to'
+    ).prefetch_related(
+        'item__questions',
+        Prefetch(
+            'item__questions',
+            queryset=Question.objects.filter(ask_during_checkin=True),
+            to_attr='checkin_questions'
+        ),
+        'answers'
+    ).get(pk=op.pk)
+
+    answers = {a.question: a for a in op.answers.all()}
+    require_answers = []
+    for q in op.item.checkin_questions:
+        if q not in given_answers:
+            require_answers.append(q)
+
+    _save_answers(op, answers, given_answers)
+
+    if not clist.all_products and op.item_id not in [i.pk for i in clist.limit_products.all()]:
+        raise CheckInError(
+            _('This order position has an invalid product for this check-in list.'),
+            'product'
+        )
+    elif op.order.status != Order.STATUS_PAID and not force and not (
+        ignore_unpaid and clist.include_pending and op.order.status == Order.STATUS_PENDING
+    ):
+        raise CheckInError(
+            _('This order is not marked as paid.'),
+            'unpaid'
+        )
+    elif require_answers and not force and questions_supported:
+        raise RequiredQuestionsError(
+            _('You need to answer questions to complete this check-in.'),
+            'incomplete',
+            require_answers
+        )
+    else:
+        ci, created = Checkin.objects.get_or_create(position=op, list=clist, defaults={
+            'datetime': dt,
+            'nonce': nonce,
+        })
+
+    if created or (nonce and nonce == ci.nonce):
+        if created:
+            op.order.log_action('pretix.event.checkin', data={
+                'position': op.id,
+                'positionid': op.positionid,
+                'first': True,
+                'forced': op.order.status != Order.STATUS_PAID,
+                'datetime': dt,
+                'list': clist.pk
+            })
+    else:
+        if not force:
+            raise CheckInError(
+                _('This ticket has already been redeemed.'),
+                'already_redeemed',
+            )
+        op.order.log_action('pretix.event.checkin', data={
+            'position': op.id,
+            'positionid': op.positionid,
+            'first': False,
+            'forced': force,
+            'datetime': dt,
+            'list': clist.pk
+        })