Bump version to 1.14.0

Merge pull request #855 from pretix-translations/weblate-pretix-pretix
Update from Weblate.
2018-04-04 15:21:47 +02:00 · 2018-04-04 14:12:41 +02:00 · 2018-04-04 11:18:13 +00:00 · 2018-04-04 11:11:15 +00:00 · 2018-04-04 13:02:33 +02:00 · 2018-04-04 13:00:56 +02:00
236 changed files with 125039 additions and 2878 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -8,6 +8,7 @@ src/static/fileupload/* linguist-vendored
 src/static/vuejs/* linguist-vendored
 src/static/select2/* linguist-vendored
 src/static/charts/* linguist-vendored
 src/static/rrule/* linguist-vendored
 src/static/iframeresizer/* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/fabric.* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/pdf.* linguist-vendored
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,3 +43,6 @@ addons:
  apt:
      packages:
          - enchant
 branches:
  except:
  - /^weblate-.*/
--- a/README.rst
+++ b/README.rst
@@ -40,6 +40,9 @@ Contributing
 If you want to contribute to pretix, please read the `developer documentation`_
 in our documentation. If you have any further questions, please do not hesitate to ask!
 .. image:: https://translate.pretix.eu/widgets/pretix/-/pretix/multi-blue.svg
   :target: https://translate.pretix.eu/engage/pretix/
 Code of Conduct
 ---------------
 We have a `Code of Conduct`_ in place that applies to all project contributions,
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -70,6 +70,10 @@ Example::
    that are used to print tax amounts in the customer currency on invoices for some currencies. Set to ``off`` to
    disable this feature. Defaults to ``on``.
 ``audit_comments``
    Enables or disables nagging staff users for leaving comments on their sessions for auditability.
    Defaults to ``off``.
 Locale settings
 ---------------
--- a/doc/admin/installation/docker_smallscale.rst
+++ b/doc/admin/installation/docker_smallscale.rst
@@ -268,8 +268,8 @@ to re-build your custom image after you pulled ``pretix/standalone`` if you want
 .. _pretix.eu: https://pretix.eu/
 .. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-9-4-on-debian-8
-.. _redis: http://blog.programster.org/debian-8-install-redis-server/
+.. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
-.. _redis website: http://redis.io/topics/security
+.. _redis website: https://redis.io/topics/security
 .. _redis in docker: https://hub.docker.com/r/_/redis/
 .. _strong encryption settings: https://mozilla.github.io/server-side-tls/ssl-config-generator/
--- a/doc/admin/installation/manual_smallscale.rst
+++ b/doc/admin/installation/manual_smallscale.rst
@@ -298,6 +298,6 @@ example::
 .. _pretix.eu: https://pretix.eu/
 .. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-9-4-on-debian-8
-.. _redis: http://blog.programster.org/debian-8-install-redis-server/
+.. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
 .. _strong encryption settings: https://mozilla.github.io/server-side-tls/ssl-config-generator/
--- a/doc/api/resources/categories.rst
+++ b/doc/api/resources/categories.rst
@@ -22,6 +22,10 @@ is_addon                              boolean                    If ``True``, it
                                                                 defining add-ons for other products.
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.14
   The operations POST, PATCH, PUT and DELETE have been added.
 Endpoints
 ---------
@@ -106,3 +110,118 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/categories/
   Creates a new category
   **Example request**:
   .. sourcecode:: http
      POST /api/v1/organizers/bigevents/events/sampleconf/categories/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content: application/json
      {
        "name": {"en": "Tickets"},
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
        "is_addon": false
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "name": {"en": "Tickets"},
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
        "is_addon": false
      }
   :param organizer: The ``slug`` field of the organizer of the event to create a category for
   :param event: The ``slug`` field of the event to create a category for
   :statuscode 201: no error
   :statuscode 400: The category could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/categories/(id)/
   Update a category. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
   want to change.
   You can change all fields of the resource except the ``id`` field.
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/events/sampleconf/categories/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "is_addon": true
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "name": {"en": "Tickets"},
        "description": {"en": "Tickets are what you need to get in."},
        "position": 1,
        "is_addon": true
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the category to modify
   :statuscode 200: no error
   :statuscode 400: The category could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
 .. http:delete:: /api/v1/organizers/(organizer)/events/(event)/category/(id)/
   Delete a category.
   **Example request**:
   .. sourcecode:: http
      DELETE /api/v1/organizers/bigevents/events/sampleconf/categories/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 204 No Content
      Vary: Accept
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the category to delete
   :statuscode 204: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
--- a/doc/api/resources/index.rst
+++ b/doc/api/resources/index.rst
@@ -13,6 +13,7 @@ Resources and endpoints
   item_variations
   item_add-ons
   questions
   question_options
   quotas
   orders
   invoices
--- a/doc/api/resources/item_add-ons.rst
+++ b/doc/api/resources/item_add-ons.rst
@@ -148,7 +148,7 @@ Endpoints
   .. sourcecode:: http
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -6,7 +6,7 @@ Resource description
 Variations of items can be use for products (items) that are available in different sizes, colors or other variations
 of the same product.
-The addons resource contains the following public fields:
+The variations resource contains the following public fields:
 .. rst-class:: rest-resource-table
@@ -158,7 +158,7 @@ Endpoints
   .. sourcecode:: http
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -56,7 +56,8 @@ checkin_attention                     boolean                    If ``True``, th
                                                                 a product is being scanned.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
-                                                                 Can be empty. Only writable on POST.
+                                                                 Can be empty. Only writable during creation,
                                                                 use separate endpoint to modify this later.
 ├ id                                  integer                    Internal ID of the variation
 ├ default_price                       money (string)             The price set directly for this variation or ``null``
 ├ price                               money (string)             The price used for this variation. This is either the
@@ -67,7 +68,8 @@ variations                            list of objects            A list with one
                                                                 Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
 addons                                list of objects            Definition of add-ons that can be chosen for this item.
-                                                                 Only writable on POST.
+                                                                 Only writable during creation,
                                                                 use separate endpoint to modify this later.
 ├ addon_category                      integer                    Internal ID of the item category the add-on can be
                                                                 chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
@@ -256,7 +258,7 @@ Endpoints
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
-.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/
   Creates a new item
@@ -315,7 +317,7 @@ Endpoints
   .. sourcecode:: http
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
@@ -369,7 +371,7 @@ Endpoints
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
-.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/
   Update an item. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -129,7 +129,9 @@ downloads                             list of objects            List of ticket
 answers                               list of objects            Answers to user-defined questions
 ├ question                            integer                    Internal ID of the answered question
 ├ answer                              string                     Text representation of the answer
-└ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
+├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.7
@@ -140,6 +142,10 @@ answers                               list of objects            Answers to user
   The attribute ``checkins.list`` has been added.
 .. versionchanged:: 1.14
  The attributes ``answers.question_identifier`` and ``answers.option_identifiers`` have been added.
 Order endpoints
 ---------------
@@ -222,7 +228,9 @@ Order endpoints
                "answers": [
                  {
                    "question": 12,
                    "question_identifier": "WY3TP9SL",
                    "answer": "Foo",
                    "option_idenfiters": [],
                    "options": []
                  }
                ],
@@ -330,7 +338,9 @@ Order endpoints
            "answers": [
              {
                "question": 12,
                "question_identifier": "WY3TP9SL",
                "answer": "Foo",
                "option_idenfiters": [],
                "options": []
              }
            ],
@@ -649,7 +659,9 @@ Order position endpoints
            "answers": [
              {
                "question": 12,
                "question_identifier": "WY3TP9SL",
                "answer": "Foo",
                "option_idenfiters": [],
                "options": []
              }
            ],
@@ -729,7 +741,9 @@ Order position endpoints
        "answers": [
          {
            "question": 12,
            "question_identifier": "WY3TP9SL",
            "answer": "Foo",
            "option_idenfiters": [],
            "options": []
          }
        ],
--- a/doc/api/resources/question_options.rst
+++ b/doc/api/resources/question_options.rst
@@ -0,0 +1,233 @@
 Question options
 ================
 Resource description
 --------------------
 Questions of type "choice" or "multiple choice" can have different options attached.
 The options resource contains the following public fields:
 .. rst-class:: rest-resource-table
 ===================================== ========================== =======================================================
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the option
 position                              integer                    An integer, used for sorting
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                 other sources.
 answer                                multi-lingual string       The displayed value of this option
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.12
   This resource has been added.
 Endpoints
 ---------
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/
   Returns a list of all options for a given question.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/events/sampleconf/questions/11/options/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "count": 2,
        "next": null,
        "previous": null,
        "results": [
          {
            "id": 1,
            "identifier": "LVETRWVU",
            "position": 1,
            "answer": {"en": "S"}
          },
          {
            "id": 2,
            "identifier": "DFEMJWMJ",
            "position": 2,
            "answer": {"en": "M"}
          },
          {
            "id": 3,
            "identifier": "W9AH7RDE",
            "position": 3,
            "answer": {"en": "L"}
          }
        ]
      }
   :query integer page: The page number in case of a multi-page result set, default is 1
   :query boolean active: If set to ``true`` or ``false``, only questions with this value for the field ``active`` will be
                          returned.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :param question: The ``id`` field of the question to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event/question does not exist **or** you have no permission to view this resource.
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/(id)/
   Returns information on one option, identified by its ID.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "identifier": "LVETRWVU",
        "position": 1,
        "answer": {"en": "S"}
      }
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :param question: The ``id`` field of the question to fetch
   :param id: The ``id`` field of the option to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/
   Creates a new option
   **Example request**:
   .. sourcecode:: http
      POST /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content: application/json
      {
        "identifier": "LVETRWVU",
        "position": 1,
        "answer": {"en": "S"}
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "identifier": "LVETRWVU",
        "position": 1,
        "answer": {"en": "S"}
      }
   :param organizer: The ``slug`` field of the organizer of the event/question to create a option for
   :param event: The ``slug`` field of the event to create a option for
   :param question: The ``id`` field of the question to create a option for
   :statuscode 201: no error
   :statuscode 400: The option could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/questions/(question)/options/(id)/
   Update an option. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
   want to change.
   You can change all fields of the resource except the ``id`` field.
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "position": 3
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "identifier": "LVETRWVU",
        "position": 1,
        "answer": {"en": "S"}
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the question to modify
   :param id: The ``id`` field of the option to modify
   :statuscode 200: no error
   :statuscode 400: The option could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
 .. http:delete:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/options/(id)/
   Delete an option.
   **Example request**:
   .. sourcecode:: http
      DELETE /api/v1/organizers/bigevents/events/sampleconf/questions/1/options/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 204 No Content
      Vary: Accept
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the question to modify
   :param id: The ``id`` field of the option to delete
   :statuscode 204: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -31,12 +31,18 @@ type                                  string                     The expected ty
 required                              boolean                    If ``True``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                 other sources.
 ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
                                                                 buying the ticket, but will show up when redeeming
                                                                 the ticket instead.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
-                                                                 available objects.
+                                                                 available objects. Only writable during creation,
                                                                 use separate endpoint to modify this later.
 ├ id                                  integer                    Internal ID of the option
 ├ position                            integer                    An integer, used for sorting
 ├ identifier                          string                     An arbitrary string that can be used for matching with
                                                                 other sources.
 └ answer                              multi-lingual string       The displayed value of this option
 ===================================== ========================== =======================================================
@@ -45,6 +51,11 @@ options                               list of objects            In case of ques
  The values ``D``, ``H``, and ``W`` for the field ``type`` are now allowed and the ``ask_during_checkin`` field has
  been added.
 .. versionchanged:: 1.14
  Write methods have been added. The attribute ``identifier`` has been added to both the resource itself and the
  options resource. The ``position`` attribute has been added to the options resource.
 Endpoints
 ---------
@@ -80,18 +91,25 @@ Endpoints
            "required": false,
            "items": [1, 2],
            "position": 1,
            "identifier": "WY3TP9SL",
            "ask_during_checkin": false,
            "options": [
              {
                "id": 1,
                "identifier": "LVETRWVU",
                "position": 0,
                "answer": {"en": "S"}
              },
              {
                "id": 2,
                "identifier": "DFEMJWMJ",
                "position": 1,
                "answer": {"en": "M"}
              },
              {
                "id": 3,
                "identifier": "W9AH7RDE",
                "position": 2,
                "answer": {"en": "L"}
              }
            ]
@@ -134,19 +152,26 @@ Endpoints
        "type": "C",
        "required": false,
        "items": [1, 2],
        "ask_during_checkin": false,
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "options": [
          {
            "id": 1,
            "identifier": "LVETRWVU",
            "position": 1,
            "answer": {"en": "S"}
          },
          {
            "id": 2,
            "identifier": "DFEMJWMJ",
            "position": 2,
            "answer": {"en": "M"}
          },
          {
            "id": 3,
            "identifier": "W9AH7RDE",
            "position": 3,
            "answer": {"en": "L"}
          }
        ]
@@ -158,3 +183,179 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/questions/
   Creates a new question
   **Example request**:
   .. sourcecode:: http
      POST /api/v1/organizers/bigevents/events/sampleconf/questions/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content: application/json
      {
        "question": {"en": "T-Shirt size"},
        "type": "C",
        "required": false,
        "items": [1, 2],
        "position": 1,
        "ask_during_checkin": false,
        "options": [
          {
            "answer": {"en": "S"}
          },
          {
            "answer": {"en": "M"}
          },
          {
            "answer": {"en": "L"}
          }
        ]
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "question": {"en": "T-Shirt size"},
        "type": "C",
        "required": false,
        "items": [1, 2],
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "options": [
          {
            "id": 1,
            "identifier": "LVETRWVU",
            "position": 1,
            "answer": {"en": "S"}
          },
          {
            "id": 2,
            "identifier": "DFEMJWMJ",
            "position": 2,
            "answer": {"en": "M"}
          },
          {
            "id": 3,
            "identifier": "W9AH7RDE",
            "position": 3,
            "answer": {"en": "L"}
          }
        ]
      }
   :param organizer: The ``slug`` field of the organizer of the event to create an item for
   :param event: The ``slug`` field of the event to create an item for
   :statuscode 201: no error
   :statuscode 400: The item could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/
   Update a question. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
   want to change.
   You can change all fields of the resource except the ``options`` field. If
   you need to update/delete options please use the nested dedicated endpoints.
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "position": 2
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "question": {"en": "T-Shirt size"},
        "type": "C",
        "required": false,
        "items": [1, 2],
        "position": 2,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "options": [
          {
            "id": 1,
            "identifier": "LVETRWVU",
            "position": 1,
            "answer": {"en": "S"}
          },
          {
            "id": 2,
            "identifier": "DFEMJWMJ",
            "position": 2,
            "answer": {"en": "M"}
          },
          {
            "id": 3,
            "identifier": "W9AH7RDE",
            "position": 3,
            "answer": {"en": "L"}
          }
        ]
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the question to modify
   :statuscode 200: no error
   :statuscode 400: The item could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
 .. http:delete:: /api/v1/organizers/(organizer)/events/(event)/questions/(id)/
   Delete a question.
   **Example request**:
   .. sourcecode:: http
      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 204 No Content
      Vary: Accept
   :param organizer: The ``slug`` field of the organizer to modify
   :param event: The ``slug`` field of the event to modify
   :param id: The ``id`` field of the item to delete
   :statuscode 204: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
--- a/doc/api/resources/quotas.rst
+++ b/doc/api/resources/quotas.rst
@@ -135,7 +135,7 @@ Endpoints
   .. sourcecode:: http
-      HTTP/1.1 200 OK
+      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -31,6 +31,13 @@ import django
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pretix.testutils.settings")
 django.setup()
 try:
    import enchant
    HAS_PYENCHANT = True
 except:
    HAS_PYENCHANT = False
 # -- General configuration ------------------------------------------------
 # If your documentation needs a minimal Sphinx version, state it here.
@@ -45,8 +52,9 @@ extensions = [
    'sphinx.ext.coverage',
    'sphinxcontrib.httpdomain',
    'sphinxcontrib.images',
    'sphinxcontrib.spelling',
 ]
 if HAS_PYENCHANT:
    extensions.append('sphinxcontrib.spelling')
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -292,21 +300,25 @@ images_config = {
    'default_image_width': '250px'
 }
 linkcheck_ignore = [
    r'http://localhost.*', r'.*yourdomain.*', r'https://en.wikipedia.org', 'https://pretix.eu/',
 ]
 # -- Options for Spelling output ------------------------------------------
 if HAS_PYENCHANT:
    # String specifying the language, as understood by PyEnchant and enchant.
    # Defaults to en_US for US English.
    spelling_lang = 'en_US'
-# String specifying the language, as understood by PyEnchant and enchant.
+    # String specifying a file containing a list of words known to be spelled
-# Defaults to en_US for US English.
+    # correctly but that do not appear in the language dictionary selected by
-spelling_lang = 'en_US'
+    # spelling_lang. The file should contain one word per line.
    spelling_word_list_filename='spelling_wordlist.txt'
-# String specifying a file containing a list of words known to be spelled
+    # Boolean controlling whether suggestions for misspelled words are printed.
-# correctly but that do not appear in the language dictionary selected by
+    # Defaults to False.
-# spelling_lang. The file should contain one word per line.
+    spelling_show_suggestions=True
 spelling_word_list_filename='spelling_wordlist.txt'
-# Boolean controlling whether suggestions for misspelled words are printed.
+    # List of filter classes to be added to the tokenizer that produces words to be checked.
-# Defaults to False.
+    from checkin_filter import CheckinFilter
-spelling_show_suggestions=True
+    spelling_filters=[CheckinFilter]
 # List of filter classes to be added to the tokenizer that produces words to be checked. 
 from checkin_filter import CheckinFilter
 spelling_filters=[CheckinFilter]
--- a/doc/development/api/invoice.rst
+++ b/doc/development/api/invoice.rst
@@ -13,7 +13,7 @@ Output registration
 -------------------
 The invoice renderer API does not make a lot of usage from signals, however, it
-does use a signal to get a list of all available ticket outputs. Your plugin
+does use a signal to get a list of all available invoice renderers. Your plugin
 should listen for this signal and return the subclass of ``pretix.base.invoice.BaseInvoiceRenderer``
 that we'll provide in this plugin::
--- a/doc/development/api/plugins.rst
+++ b/doc/development/api/plugins.rst
@@ -142,5 +142,5 @@ your Django app label.
 .. _Django app: https://docs.djangoproject.com/en/1.7/ref/applications/
 .. _signal dispatcher: https://docs.djangoproject.com/en/1.7/topics/signals/
 .. _namespace packages: http://legacy.python.org/dev/peps/pep-0420/
-.. _entry point: https://pythonhosted.org/setuptools/setuptools.html#dynamic-discovery-of-services-and-plugins
+.. _entry point: https://setuptools.readthedocs.io/en/latest/pkg_resources.html#locating-plugins
 .. _cookiecutter: https://cookiecutter.readthedocs.io/en/latest/
--- a/doc/development/contribution/codeofconduct.rst
+++ b/doc/development/contribution/codeofconduct.rst
@@ -77,6 +77,6 @@ Attribution
 -----------
 This Code of Conduct is adapted from the `Contributor Covenant`_, version 1.4,
-available at http://contributor-covenant.org/version/1/4/
+available at https://www.contributor-covenant.org/version/1/4/
-.. _Contributor Covenant: http://contributor-covenant.org
+.. _Contributor Covenant: https://www.contributor-covenant.org
--- a/doc/development/contribution/style.rst
+++ b/doc/development/contribution/style.rst
@@ -24,7 +24,7 @@ Coding style and quality
  ``Fix #123 -- Problems with order creation`` or ``Refs #123 -- Fix this part of that bug``.
-.. _PEP 8: http://legacy.python.org/dev/peps/pep-0008/
+.. _PEP 8: https://legacy.python.org/dev/peps/pep-0008/
 .. _flake8: https://pypi.python.org/pypi/flake8
 .. _Django Coding Style: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/
 .. _translation: https://docs.djangoproject.com/en/1.11/topics/i18n/translation/
--- a/doc/development/implementation/index.rst
+++ b/doc/development/implementation/index.rst
@@ -16,4 +16,5 @@ Contents:
   settings
   background
   email
   permissions
   logging
--- a/doc/development/implementation/models.rst
+++ b/doc/development/implementation/models.rst
@@ -31,6 +31,9 @@ Organizers and events
 .. autoclass:: pretix.base.models.Team
   :members:
 .. autoclass:: pretix.base.models.TeamAPIToken
   :members:
 .. autoclass:: pretix.base.models.RequiredAction
   :members:
--- a/doc/development/implementation/permissions.rst
+++ b/doc/development/implementation/permissions.rst
@@ -0,0 +1,194 @@
 Permissions
 ===========
 pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
 The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_
 and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
 An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
 assigned a set of permissions and connected to some or all of the events of the organizer.
 A second way to access pretix is via the REST API, which allows authentication via tokens that are bound to a team,
 but not to a user. You can read more at :class:`pretix.base.models.TeamAPIToken`. This page will show you how to
 work with permissions in plugins and within the pretix code base.
 Requiring permissions for a view
 --------------------------------
 pretix provides a number of useful mixins and decorators that allow you to specify that a user needs a certain
 permission level to access a view::
    from pretix.control.permissions import (
        OrganizerPermissionRequiredMixin, organizer_permission_required
    )
    class MyOrgaView(OrganizerPermissionRequiredMixin, View):
        permission = 'can_change_organizer_settings'
        # Only users with the permission ``can_change_organizer_settings`` on
        # this organizer can access this
    class MyOtherOrgaView(OrganizerPermissionRequiredMixin, View):
        permission = None
        # Only users with *any* permission on this organizer can access this
    @organizer_permission_required('can_change_organizer_settings')
    def my_orga_view(request, organizer, **kwargs):
        # Only users with the permission ``can_change_organizer_settings`` on
        # this organizer can access this
    @organizer_permission_required()
    def my_other_orga_view(request, organizer, **kwargs):
        # Only users with *any* permission on this organizer can access this
 Of course, the same is available on event level::
    from pretix.control.permissions import (
        EventPermissionRequiredMixin, event_permission_required
    )
    class MyEventView(EventPermissionRequiredMixin, View):
        permission = 'can_change_event_settings'
        # Only users with the permission ``can_change_event_settings`` on
        # this event can access this
    class MyOtherEventView(EventPermissionRequiredMixin, View):
        permission = None
        # Only users with *any* permission on this event can access this
    @event_permission_required('can_change_event_settings')
    def my_event_view(request, organizer, **kwargs):
        # Only users with the permission ``can_change_event_settings`` on
        # this event can access this
    @event_permission_required()
    def my_other_event_view(request, organizer, **kwargs):
        # Only users with *any* permission on this event can access this
 You can also require that this view is only accessible by system administrators with an active "admin session"
 (see below for what this means)::
    from pretix.control.permissions import (
        AdministratorPermissionRequiredMixin, administrator_permission_required
    )
    class MyGlobalView(AdministratorPermissionRequiredMixin, View):
        # ...
    @administrator_permission_required
    def my_global_view(request, organizer, **kwargs):
        # ...
 In rare cases it might also be useful to expose a feature only to people who have a staff account but do not
 necessarily have an active admin session::
    from pretix.control.permissions import (
        StaffMemberRequiredMixin, staff_member_required
    )
    class MyGlobalView(StaffMemberRequiredMixin, View):
        # ...
    @staff_member_required
    def my_global_view(request, organizer, **kwargs):
        # ...
 Requiring permissions in the REST API
 -------------------------------------
 When creating your own ``viewset`` using Django REST framework, you just need to set the ``permission`` attribute
 and pretix will check it automatically for you::
    class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
        permission = 'can_view_orders'
 Checking permission in code
 ---------------------------
 If you need to work with permissions manually, there are a couple of useful helper methods on the :class:`pretix.base.models.Event`,
 :class:`pretix.base.models.User` and :class:`pretix.base.models.TeamAPIToken` classes. Here's a quick overview.
 Return all users that are in any team that is connected to this event::
    >>> event.get_users_with_any_permission()
    <QuerySet: …>
 Return all users that are in a team with a specific permission for this event::
    >>> event.get_users_with_permission('can_change_event_settings')
    <QuerySet: …>
 Determine if a user has a certain permission for a specific event::
    >>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request)
    True
 Determine if a user has any permission for a specific event::
    >>> user.has_event_permission(organizer, event, request=request)
    True
 In the two previous commands, the ``request`` argument is optional, but required to support staff sessions (see below).
 The same method exists for organizer-level permissions::
    >>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request)
    True
 Sometimes, it might be more useful to get the set of permissions at once::
    >>> user.get_event_permission_set(organizer, event)
    {'can_change_event_settings', 'can_view_orders', 'can_change_orders'}
    >>> user.get_organizer_permission_set(organizer, event)
    {'can_change_organizer_settings', 'can_create_events'}
 Within a view on the ``/control`` subpath, the results of these two methods are already available in the
 ``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
    {% if "can_change_orders" in request.eventpermset %}
        …
    {% endif %}
 You can also do the reverse to get any events a user has access to::
    >>> user.get_events_with_permission('can_change_event_settings', request=request)
    <QuerySet: …>
    >>> user.get_events_with_any_permission(request=request)
    <QuerySet: …>
 Most of these methods work identically on :class:`pretix.base.models.TeamAPIToken`.
 Staff sessions
 --------------
 .. versionchanged:: 1.14
   In 1.14, the ``User.is_superuser`` attribute has been deprecated and statically set to return ``False``. Staff
   sessions have been newly introduced.
 System administrators of a pretix instance are identified by the ``is_staff`` attribute on the user model. By default,
 the regular permission rules apply for users with ``is_staff = True``. The only difference is that such users can
 temporarily turn on "staff mode" via a button in the user interface that grants them **all permissions** as long as
 staff mode is active. You can check if a user is in staff mode using their session key:
    >>> user.has_active_staff_session(request.session.session_key)
    False
 Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
 the user is able to also save a message to comment on what they did in their administrative session. This feature is
 intended to help compliance with data protection rules as imposed e.g. by GDPR.
--- a/doc/development/index.rst
+++ b/doc/development/index.rst
@@ -8,5 +8,6 @@ Developer documentation
   setup
   contribution/index
   implementation/index
   translation/index
   api/index
   structure
--- a/doc/development/setup.rst
+++ b/doc/development/setup.rst
@@ -145,6 +145,10 @@ and update the ``*.po`` files accordingly::
    make localegen
 However, most of the time you don't need to care about this. Just create your pull request
 with functionality and English strings only, and we'll push the new translation strings
 to our translation platform after the merge.
 To actually see pretix in your language, you have to compile the ``*.po`` files to their
 optimized binary ``*.mo`` counterparts::
--- a/doc/development/translation/img/weblate1.png
+++ b/doc/development/translation/img/weblate1.png
--- a/doc/development/translation/img/weblate2.png
+++ b/doc/development/translation/img/weblate2.png
--- a/doc/development/translation/img/weblate3.png
+++ b/doc/development/translation/img/weblate3.png
--- a/doc/development/translation/img/weblate4.png
+++ b/doc/development/translation/img/weblate4.png
--- a/doc/development/translation/img/weblate5.png
+++ b/doc/development/translation/img/weblate5.png
--- a/doc/development/translation/img/weblate6.png
+++ b/doc/development/translation/img/weblate6.png
--- a/doc/development/translation/index.rst
+++ b/doc/development/translation/index.rst
@@ -0,0 +1,88 @@
 Translating pretix
 ==================
 pretix has been designed for multi-language capabilities from its start. Organizers can enter their event information
 in multiple languages at the same time. However, the software interface of pretix also needs to be translated for
 this to be useful.
 Since we (the developers of pretix) only speak a very limited number of languages, we need help from the community
 to achieve this goal. To make translating pretix easy not only for software developers, we set up a translation
 platform at `translate.pretix.eu`_.
 Official and inofficial languages
 ---------------------------------
 In the pretix project, there are three types of languages:
 Official languages
    are translated and maintained by the core team behind pretix or as part of long-term partnerships. We are
    committed to keeping these translations up-to-date with new features or changes in pretix and try to offer
    support in this language.
 Inofficial languages
    are contributed and maintained by the Community. We ship them with pretix so you can use them, but we can not
    guarantee that new or changed features in pretix will be translated in time.
 Incubating languages
    are currently in the process of being translated. They can not yet be selected in pretix by end users on
    production installations and are only available in development mode for testing.
 Please contact translate@pretix.eu if you think an incubated language should be promoted to an inofficial one or if
 you are interested in a partnership to make your language official.
 The current translation status of various languages is:
 .. image:: https://translate.pretix.eu/widgets/pretix/-/multi-blue.svg
   :target: https://translate.pretix.eu/engage/pretix/?utm_source=widget
 Using our translation platform
 ------------------------------
 If you visit `translate.pretix.eu`_ for the first time, it admittedly looks pretty bare.
 .. image:: img/weblate1.png
   :class: screenshot
 It gets better if you create an account, which you will need to contribute translations. Click on "Register" in the
 top-right corner to get started:
 .. image:: img/weblate2.png
   :class: screenshot
 You can either create an account or choose to log in with your GitHub account, whichever you like more.
 After creating and activating your account, we recommend that you change your profile and select which languages you
 can translate to and which languages you understand. You can find your profile settings by clicking on your name in
 the top-right corner.
 .. image:: img/weblate3.png
   :class: screenshot
 Going back to the dashboard by clicking on the logo in the top-left corner, you can select between different lists
 of translation projects. You can either filter by projects that already have a translation in your language, or you
 go to the `pretix project page`_ where you can select specific components.
 .. note::
   If you want to translate pretix to a new language that is not yet listed here, you are very welcome to do so!
   While you technically can add the language to the portal yourself, we ask you to drop us a short mail to
   translate@pretix.eu so we can add it to all components at once and also make it selectable in pretix itself.
 .. image:: img/weblate4.png
   :class: screenshot
 Once you selected a component of a language, you can start going through strings to translate. You can start of by
 clicking the "Strings needing action" line in this view:
 .. image:: img/weblate5.png
   :class: screenshot
 In the translate view, you can input your translation for a given source string. If you're unsure about your
 translation, you can also just "Suggest" it or mark it as "Needs editing". If you have no idea, just "Skip". If you
 scroll down, there is also a "Comments" section to discuss any questions with fellow translators or us developers.
 .. image:: img/weblate6.png
   :class: screenshot
 .. _translate.pretix.eu: https://translate.pretix.eu
 .. _pretix project page: https://translate.pretix.eu/projects/pretix/
--- a/doc/doc_warnings
+++ b/doc/doc_warnings
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -4,4 +4,5 @@ sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
 sphinxcontrib-spelling
-pyenchant
+# See https://github.com/rfk/pyenchant/pull/130
 git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant
--- a/doc/spelling_wordlist.txt
+++ b/doc/spelling_wordlist.txt
@@ -1,6 +1,7 @@
 addon
 addons
 api
 auditability
 auth
 autobuild
 backend
@@ -33,8 +34,10 @@ gettext
 gunicorn
 hardcoded
 hostname
 inofficial
 invalidations
 iterable
 Jimdo
 libsass
 linters
 memcached
@@ -77,6 +80,7 @@ renderer
 renderers
 reportlab
 screenshot
 selectable
 serializers
 serializers
 sexualized
--- a/doc/user/events/email.rst
+++ b/doc/user/events/email.rst
@@ -126,4 +126,29 @@ With the checkbox "Use custom SMTP server" you can turn using your SMTP server o
 button "Save and test custom SMTP connection", you can test if the connection and authentication to your SMTP server
 succeeds, even before turning that checkbox on.
 Spam issues
 -----------
 If you use an email address of your own domain as a sender address and do not use a custom SMTP server, it is very
 likely that at least some of your emails will go to the spam folders of their recipients. We **strongly recommend**
 to use your organization's SMTP server in this case, making your email really come from your organization. If you don't
 want that or cannot do that, you should add the pretix application server to your SPF record.
 If you are using our hosted service at pretix.eu, you can add the following to your SPF record::
   include:_spf.pretix.eu
 A complete record could look like this::
   v=spf1 a mx include:_spf.pretix.eu ~all
 Make sure to read up on the `SPF specification`_. If you want to authenticate your emails with DKIM, set up a DNS TXT
 record for the subdomain ``pretix._domainkey`` with the following contents::
   v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXrDk6lwOWX00e2MbiiJac6huI+gnzLf9N4G1FnBv3PXq8fz3i2q1szH72OF5mAlKm3zXO4cl/uxx+lfidS1ERbX6Bn9BRstBTQUKWC4JFj8Yk9+fwT7LWehDURazLdTzfsIjJFudLLvxtOKSaOCtMhbPX05DIhziaqVCBqgz/NQIDAQAB
 Then, please contact support@pretix.eu and we will enable DKIM for your domain on our mail servers.
 .. _Sender Policy Framework: https://en.wikipedia.org/wiki/Sender_Policy_Framework
 .. _SPF specification: http://www.openspf.org/SPF_Record_Syntax
--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -36,6 +36,12 @@ The second snippet should be embedded at the position where the widget should sh
    You can of course embed multiple widgets of multiple events on your page. In this case, please add the first
    snippet only *once* and the second snippets once *for each event*.
 .. note::
    Some website builders like Jimdo have trouble with our custom HTML tag. In that case, you can use
    ``<div class="pretix-widget-compat" …></div>`` instead of ``<pretix-widget …></pretix-widget>`` starting with
    pretix 1.14.
 Example
 -------
--- a/doc/user/faq.rst
+++ b/doc/user/faq.rst
@@ -51,3 +51,25 @@ If you created a product and it doesn't show up, please follow the following ste
   quota that is assigned to the series date that you access the shop for.
 6. If the sale period has not started yet or is already over, check the "Show items outside presale period" setting of
   your event.
 How can I revert a check-in?
 ----------------------------
 Neither our apps nor our web interface can currently undo the check-in of a tickets. We know that this is
 inconvenient for some of you, but we have a good reason for it:
 Our Desktop and Android apps both support an asynchronous mode in which they can scan tickets while staying
 independent of their internet connection. When scanning with multiple devices, it can of course happen that two
 devices scan the same ticket without knowing of the other scan. As soon as one of the devices regains connectivity, it
 will upload its activity and the server marks the ticket as checked in -- regardless of the order in which the two
 scans were made and uploaded (which could be two different orders).
 If we'd provide a "check out" feature, it would not only be used to fix an accidental scan, but scan at entry and
 exit to count the current number of people inside etc. In this case, the order of operations matters very much for them
 to make sense and provide useful results. This makes implementing an asynchronous mode much more complicated.
 In this trade off, we chose offline-capabilities over the check out feature. We plan on solving this problem in the
 future, but we're not there yet.
 If you're just *testing* the check-in capabilities and want to clean out everything for the real process, you can just
 delete and re-create the check-in list.
--- a/doc/user/organizers/teams.rst
+++ b/doc/user/organizers/teams.rst
@@ -1,3 +1,5 @@
 .. _user-teams:
 Teams
 =====
--- a/doc/user/payments/settings.rst
+++ b/doc/user/payments/settings.rst
@@ -1,7 +1,7 @@
 General settings
 ================
-At "Settings" → "Pages", you can configure every aspect related to the payments you want to accept. The upper part
+At "Settings" → "Payment", you can configure every aspect related to the payments you want to accept. The upper part
 of the page shows a number of general settings that affect all payment methods:
 .. thumbnail:: ../../screens/event/settings_payment.png
--- a/doc/user/payments/stripe.rst
+++ b/doc/user/payments/stripe.rst
@@ -3,6 +3,10 @@
 Stripe
 ======
 .. note:: If you use the Hosted version of pretix at pretix.eu, you do not need to copy API keys and create webhooks
          any more. Instead, you can just click "Connect with Stripe" in pretix and everything will connect
          automatically.
 To integrate Stripe with pretix, you first need to have an active Stripe merchant account. If you do not already have a
 Stripe account, you can create one on `stripe.com`_. Then, click on "API" in the left navigation of the Stripe
 Dashboard. As you can see in the following screenshot, you will be presented with two sets of API keys, one for test
--- a/src/.update-locales
+++ b/src/.update-locales
@@ -0,0 +1,37 @@
 #!/bin/sh
 COMPONENTS="pretix/pretix pretix/pretix-js"
 DIR=pretix/locale
 # Renerates .po files used for translating the plugin
 set -e
 set -x
 # Lock Weblate
 for c in $COMPONENTS; do
 	wlc lock $c;
 done
 # Push changes from Weblate to GitHub
 for c in $COMPONENTS; do
 	wlc commit $c;
 done
 # Pull changes from GitHub
 git pull --rebase
 # Update po files itself
 make localegen
 # Commit changes
 git add $DIR/*/*/*.po
 git add $DIR/*.pot
 git commit -s -m "Update po files
 [CI skip]"
 # Push changes
 git push
 # Unlock Weblate
 for c in $COMPONENTS; do
 	wlc unlock $c;
 done
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,12 +1,13 @@
 all: localecompile staticfiles
 production: localecompile staticfiles compress
 LNGS:=`find pretix/locale/ -mindepth 1 -maxdepth 1 -type d -printf "-l %f "`
 localecompile:
 	./manage.py compilemessages
 localegen:
-	./manage.py makemessages --all --ignore "pretix/helpers/*"
+	./manage.py makemessages --keep-pot --ignore "pretix/helpers/*" $(LNGS)
-	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*"
+	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*" $(LNGS)
 staticfiles: jsi18n
 	./manage.py collectstatic --noinput
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -1 +1 @@
-__version__ = "1.13.0"
+__version__ = "1.14.0"
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -1,4 +1,3 @@
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 from pretix.base.models import Event
@@ -57,18 +56,3 @@ class EventPermission(BasePermission):
            if required_permission and required_permission not in request.orgapermset:
                return False
        return True
 def permission_required(required_permission):
    def decorator(function):
        def wrapper(self, request, *args, **kw):
            if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
                if required_permission and required_permission not in request.eventpermset:
                    raise PermissionDenied('You do not have permission to perform this operation.')
            elif 'organizer' in request.resolver_match.kwargs:
                if required_permission and required_permission not in request.orgapermset:
                    raise PermissionDenied('You do not have permission to perform this operation.')
            return function(self, request, *args, **kw)
        return wrapper
    return decorator
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -87,6 +87,9 @@ class ItemSerializer(I18nAwareModelSerializer):
    def validate(self, data):
        data = super().validate(data)
        if self.instance and ('addons' in data or 'variations' in data):
            raise ValidationError(_('Updating add-ons or variations via PATCH/PUT is not supported. Please use the '
                                    'dedicated nested endpoint.'))
        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
        Item.clean_available(data.get('available_from'), data.get('available_until'))
@@ -101,17 +104,8 @@ class ItemSerializer(I18nAwareModelSerializer):
        Item.clean_tax_rule(value, self.context['event'])
        return value
    def validate_variations(self, value):
        if self.instance is not None:
            raise ValidationError(_('Updating variations via PATCH/PUT is not supported. Please use the dedicated'
                                    ' nested endpoint.'))
        return value
    def validate_addons(self, value):
-        if self.instance is not None:
+        if not self.instance:
            raise ValidationError(_('Updating add-ons via PATCH/PUT is not supported. Please use the dedicated'
                                    ' nested endpoint.'))
        else:
            for addon_data in value:
                ItemAddOn.clean_categories(self.context['event'], None, self.instance, addon_data['addon_category'])
                ItemAddOn.clean_min_count(addon_data['min_count'])
@@ -138,20 +132,72 @@ class ItemCategorySerializer(I18nAwareModelSerializer):
        fields = ('id', 'name', 'description', 'position', 'is_addon')
-class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
+class QuestionOptionSerializer(I18nAwareModelSerializer):
    identifier = serializers.CharField(allow_null=True)
    class Meta:
        model = QuestionOption
-        fields = ('id', 'answer')
+        fields = ('id', 'identifier', 'answer', 'position')
    def validate_identifier(self, value):
        QuestionOption.clean_identifier(self.context['event'], value, self.instance)
        return value
 class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
    identifier = serializers.CharField(allow_null=True)
    class Meta:
        model = QuestionOption
        fields = ('id', 'identifier', 'answer', 'position')
 class QuestionSerializer(I18nAwareModelSerializer):
-    options = InlineQuestionOptionSerializer(many=True)
+    options = InlineQuestionOptionSerializer(many=True, required=False)
    identifier = serializers.CharField(allow_null=True)
    class Meta:
        model = Question
        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin')
+                  'ask_during_checkin', 'identifier')
    def validate_identifier(self, value):
        Question._clean_identifier(self.context['event'], value, self.instance)
        return value
    def validate(self, data):
        data = super().validate(data)
        if self.instance and 'options' in data:
            raise ValidationError(_('Updating options via PATCH/PUT is not supported. Please use the dedicated'
                                    ' nested endpoint.'))
        event = self.context['event']
        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
        full_data.update(data)
        Question.clean_items(event, full_data.get('items'))
        return data
    def validate_options(self, value):
        if not self.instance:
            known = []
            for opt_data in value:
                if opt_data.get('identifier'):
                    QuestionOption.clean_identifier(self.context['event'], opt_data.get('identifier'), self.instance,
                                                    known)
                    known.append(opt_data.get('identifier'))
        return value
    @transaction.atomic
    def create(self, validated_data):
        options_data = validated_data.pop('options') if 'options' in validated_data else []
        items = validated_data.pop('items')
        question = Question.objects.create(**validated_data)
        question.items.set(items)
        for opt_data in options_data:
            QuestionOption.objects.create(question=question, **opt_data)
        return question
 class QuotaSerializer(I18nAwareModelSerializer):
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -29,10 +29,23 @@ class InvoiceAdddressSerializer(I18nAwareModelSerializer):
                  'vat_id_validated', 'internal_reference')
 class AnswerQuestionIdentifierField(serializers.Field):
    def to_representation(self, instance: QuestionAnswer):
        return instance.question.identifier
 class AnswerQuestionOptionsIdentifierField(serializers.Field):
    def to_representation(self, instance: QuestionAnswer):
        return [o.identifier for o in instance.options.all()]
 class AnswerSerializer(I18nAwareModelSerializer):
    question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
    option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
    class Meta:
        model = QuestionAnswer
-        fields = ('question', 'answer', 'options')
+        fields = ('question', 'answer', 'question_identifier', 'options', 'option_identifiers')
 class CheckinSerializer(I18nAwareModelSerializer):
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -29,6 +29,9 @@ event_router.register(r'checkinlists', checkin.CheckinListViewSet)
 checkinlist_router = routers.DefaultRouter()
 checkinlist_router.register(r'positions', checkin.CheckinListPositionViewSet)
 question_router = routers.DefaultRouter()
 question_router.register(r'options', item.QuestionOptionViewSet)
 item_router = routers.DefaultRouter()
 item_router.register(r'variations', item.ItemVariationViewSet)
 item_router.register(r'addons', item.ItemAddOnViewSet)
@@ -44,6 +47,8 @@ urlpatterns = [
    url(r'^organizers/(?P<organizer>[^/]+)/', include(orga_router.urls)),
    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/questions/(?P<question>[^/]+)/',
        include(question_router.urls)),
    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/checkinlists/(?P<list>[^/]+)/',
        include(checkinlist_router.urls)),
 ]
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -10,10 +10,12 @@ from rest_framework.response import Response
 from pretix.api.serializers.item import (
    ItemAddOnSerializer, ItemCategorySerializer, ItemSerializer,
-    ItemVariationSerializer, QuestionSerializer, QuotaSerializer,
+    ItemVariationSerializer, QuestionOptionSerializer, QuestionSerializer,
    QuotaSerializer,
 )
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, Quota,
+    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
    Quota,
 )
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.dicts import merge_dicts
@@ -201,7 +203,7 @@ class ItemCategoryFilter(FilterSet):
        fields = ['is_addon']
-class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
+class ItemCategoryViewSet(viewsets.ModelViewSet):
    serializer_class = ItemCategorySerializer
    queryset = ItemCategory.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -209,12 +211,47 @@ class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
    permission = 'can_change_items'
    write_permission = 'can_change_items'
    def get_queryset(self):
        return self.request.event.categories.all()
    def perform_create(self, serializer):
        serializer.save(event=self.request.event)
        serializer.instance.log_action(
            'pretix.event.category.added',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=self.request.data
        )
-class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
+    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
        return ctx
    def perform_update(self, serializer):
        serializer.save(event=self.request.event)
        serializer.instance.log_action(
            'pretix.event.category.changed',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=self.request.data
        )
    def perform_destroy(self, instance):
        for item in instance.items.all():
            item.category = None
            item.save()
        instance.log_action(
            'pretix.event.category.deleted',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
        )
        super().perform_destroy(instance)
 class QuestionViewSet(viewsets.ModelViewSet):
    serializer_class = QuestionSerializer
    queryset = Question.objects.none()
    filter_backends = (OrderingFilter,)
@@ -225,6 +262,85 @@ class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
    def get_queryset(self):
        return self.request.event.questions.prefetch_related('options').all()
    def perform_create(self, serializer):
        serializer.save(event=self.request.event)
        serializer.instance.log_action(
            'pretix.event.question.added',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=self.request.data
        )
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
        return ctx
    def perform_update(self, serializer):
        serializer.save(event=self.request.event)
        serializer.instance.log_action(
            'pretix.event.question.changed',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=self.request.data
        )
    def perform_destroy(self, instance):
        instance.log_action(
            'pretix.event.question.deleted',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
        )
        super().perform_destroy(instance)
 class QuestionOptionViewSet(viewsets.ModelViewSet):
    serializer_class = QuestionOptionSerializer
    queryset = QuestionOption.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('position',)
    permission = 'can_change_items'
    write_permission = 'can_change_items'
    def get_queryset(self):
        q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
        return q.options.all()
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
        ctx['question'] = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
        return ctx
    def perform_create(self, serializer):
        q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
        serializer.save(question=q)
        q.log_action(
            'pretix.event.question.option.added',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
        )
    def perform_update(self, serializer):
        serializer.save(event=self.request.event)
        serializer.instance.question.log_action(
            'pretix.event.question.option.changed',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
        )
    def perform_destroy(self, instance):
        instance.question.log_action(
            'pretix.event.question.option.deleted',
            user=self.request.user,
            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
            data={'id': instance.pk}
        )
        super().perform_destroy(instance)
 class QuotaFilter(FilterSet):
    class Meta:
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -50,7 +50,7 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
    def get_queryset(self):
        return self.request.event.orders.prefetch_related(
            'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options',
-            'fees'
+            'positions__answers__question', 'fees'
        ).select_related(
            'invoice_address'
        )
@@ -234,7 +234,7 @@ class OrderPositionViewSet(viewsets.ReadOnlyModelViewSet):
    def get_queryset(self):
        return OrderPosition.objects.filter(order__event=self.request.event).prefetch_related(
-            'checkins', 'answers', 'answers__options'
+            'checkins', 'answers', 'answers__options', 'answers__question'
        ).select_related(
            'item', 'order', 'order__event', 'order__event__organizer'
        )
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -12,7 +12,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
    def get_queryset(self):
        if self.request.user.is_authenticated():
-            if self.request.user.is_superuser:
+            if self.request.user.has_active_staff_session(self.request.session.session_key):
                return Organizer.objects.all()
            else:
                return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
--- a/src/pretix/base/init.py
+++ b/src/pretix/base/init.py
@@ -12,7 +12,7 @@ class PretixBaseConfig(AppConfig):
        from . import exporters  # NOQA
        from . import invoice  # NOQA
        from . import notifications  # NOQA
-        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
+        from .services import auth, export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
        try:
            from .celery_app import app as celery_app  # NOQA
--- a/src/pretix/base/forms/init.py
+++ b/src/pretix/base/forms/init.py
@@ -69,4 +69,5 @@ class SettingsForm(i18nfield.forms.I18nFormMixin, HierarkeyForm):
            )
        else:
            fname = '%s/%s.%s.%s' % (self.obj.slug, name, nonce, name.split('.')[-1])
-        return fname
+        # TODO: make sure pub is always correct
        return 'pub/' + fname
--- a/src/pretix/base/forms/user.py
+++ b/src/pretix/base/forms/user.py
@@ -8,6 +8,7 @@ from django.utils.translation import ugettext_lazy as _
 from pytz import common_timezones
 from pretix.base.models import User
 from pretix.control.forms import SingleLanguageWidget
 class UserSettingsForm(forms.ModelForm):
@@ -47,6 +48,9 @@ class UserSettingsForm(forms.ModelForm):
            'timezone',
            'email'
        ]
        widgets = {
            'locale': SingleLanguageWidget
        }
    def __init__(self, *args, **kwargs):
        self.user = kwargs.pop('user')
--- a/src/pretix/base/migrations/0085_auto_20180312_1119.py
+++ b/src/pretix/base/migrations/0085_auto_20180312_1119.py
@@ -0,0 +1,59 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.11.11 on 2018-03-12 11:19
 from __future__ import unicode_literals
 from django.db import migrations, models
 from django.utils.crypto import get_random_string
 def set_identifiers(apps, schema_editor):
    Question = apps.get_model('pretixbase', 'Question')
    QuestionOption = apps.get_model('pretixbase', 'QuestionOption')
    for q in Question.objects.select_related('event'):
        if not q.identifier:
            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
            while True:
                code = get_random_string(length=8, allowed_chars=charset)
                if not Question.objects.filter(event=q.event, identifier=code).exists():
                    q.identifier = code
                    q.save()
                    break
    for q in QuestionOption.objects.select_related('question', 'question__event'):
        if not q.identifier:
            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
            while True:
                code = get_random_string(length=8, allowed_chars=charset)
                if not QuestionOption.objects.filter(question__event=q.question.event, identifier=code).exists():
                    q.identifier = code
                    q.save()
                    break
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixbase', '0084_questionoption_position'),
    ]
    operations = [
        migrations.AddField(
            model_name='question',
            name='identifier',
            field=models.CharField(default='', max_length=190),
            preserve_default=False,
        ),
        migrations.AddField(
            model_name='questionoption',
            name='identifier',
            field=models.CharField(default='', max_length=190),
            preserve_default=False,
        ),
        migrations.AlterField(
            model_name='user',
            name='locale',
            field=models.CharField(choices=[('en', 'English'), ('de', 'German'), ('de-informal', 'German (informal)'), ('nl', 'Dutch'), ('da', 'Danish'), ('pt-br', 'Portuguese (Brazil)')], default='en', max_length=50, verbose_name='Language'),
        ),
        migrations.RunPython(set_identifiers, migrations.RunPython.noop)
    ]
--- a/src/pretix/base/migrations/0086_auto_20180320_1219.py
+++ b/src/pretix/base/migrations/0086_auto_20180320_1219.py
@@ -0,0 +1,43 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.11.11 on 2018-03-20 12:19
 from __future__ import unicode_literals
 from django.db import migrations, models
 import pretix.base.models.invoices
 import pretix.base.models.orders
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixbase', '0085_auto_20180312_1119'),
    ]
    operations = [
        migrations.AlterField(
            model_name='cachedcombinedticket',
            name='file',
            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.cachedcombinedticket_name),
        ),
        migrations.AlterField(
            model_name='cachedticket',
            name='file',
            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.cachedticket_name),
        ),
        migrations.AlterField(
            model_name='invoice',
            name='file',
            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.invoices.invoice_filename),
        ),
        migrations.AlterField(
            model_name='question',
            name='identifier',
            field=models.CharField(help_text='You can enter any value here to make it easier to match the data with other sources. If you do not input one, we will generate one automatically.', max_length=190, verbose_name='Internal identifier'),
        ),
        migrations.AlterField(
            model_name='questionanswer',
            name='file',
            field=models.FileField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.orders.answerfile_name),
        ),
    ]
--- a/src/pretix/base/migrations/0087_auto_20180317_1952.py
+++ b/src/pretix/base/migrations/0087_auto_20180317_1952.py
@@ -0,0 +1,64 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.11.10 on 2018-03-17 19:52
 from __future__ import unicode_literals
 from django.conf import settings
 from django.db import migrations, models
 def set_is_staff(apps, schema_editor):
    User = apps.get_model('pretixbase', 'User')
    User.objects.filter(is_superuser=True).update(is_staff=True)
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixbase', '0086_auto_20180320_1219'),
    ]
    operations = [
        migrations.RunPython(
            set_is_staff,
            migrations.RunPython.noop,
        ),
        migrations.RemoveField(
            model_name='user',
            name='is_superuser',
        ),
        migrations.CreateModel(
            name='StaffSession',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('date_start', models.DateTimeField(auto_now_add=True)),
                ('date_end', models.DateTimeField(blank=True, null=True)),
                ('session_key', models.CharField(max_length=255)),
                ('comment', models.TextField()),
            ],
        ),
        migrations.CreateModel(
            name='StaffSessionAuditLog',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('datetime', models.DateTimeField(auto_now_add=True)),
                ('url', models.CharField(max_length=255)),
                ('session', models.ForeignKey(on_delete=models.deletion.CASCADE, related_name='logs', to='pretixbase.StaffSession')),
            ],
        ),
        migrations.AddField(
            model_name='staffsession',
            name='user',
            field=models.ForeignKey(default=None, on_delete=models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
            preserve_default=False,
        ),
        migrations.AddField(
            model_name='staffsessionauditlog',
            name='impersonating',
            field=models.ForeignKey(blank=True, null=True, on_delete=models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
        ),
        migrations.AddField(
            model_name='staffsessionauditlog',
            name='method',
            field=models.CharField(default='GET', max_length=255),
            preserve_default=False,
        ),
    ]
--- a/src/pretix/base/migrations/0088_auto_20180328_1217.py
+++ b/src/pretix/base/migrations/0088_auto_20180328_1217.py
@@ -0,0 +1,30 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.11.11 on 2018-03-28 12:17
 from __future__ import unicode_literals
 from django.db import migrations, models
 import pretix.base.models.items
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixbase', '0087_auto_20180317_1952'),
    ]
    operations = [
        migrations.AlterModelOptions(
            name='staffsession',
            options={'ordering': ('date_start',)},
        ),
        migrations.AlterModelOptions(
            name='staffsessionauditlog',
            options={'ordering': ('datetime',)},
        ),
        migrations.AlterField(
            model_name='item',
            name='picture',
            field=models.ImageField(blank=True, max_length=255, null=True, upload_to=pretix.base.models.items.itempicture_upload_to, verbose_name='Product picture'),
        ),
    ]
--- a/src/pretix/base/models/init.py
+++ b/src/pretix/base/models/init.py
@@ -19,7 +19,9 @@ from .orders import (
    cachedcombinedticket_name, cachedticket_name, generate_position_secret,
    generate_secret,
 )
-from .organizer import Organizer, Organizer_SettingsStore, Team, TeamInvite
+from .organizer import (
    Organizer, Organizer_SettingsStore, Team, TeamAPIToken, TeamInvite,
 )
 from .tax import TaxRule
 from .vouchers import Voucher
 from .waitinglist import WaitingListEntry
--- a/src/pretix/base/models/auth.py
+++ b/src/pretix/base/models/auth.py
@@ -1,4 +1,4 @@
-from typing import Union
+from datetime import timedelta
 from django.conf import settings
 from django.contrib.auth.models import (
@@ -9,6 +9,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.db.models import Q
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy as _
 from django_otp.models import Device
@@ -36,7 +37,6 @@ class UserManager(BaseUserManager):
            raise Exception("You must provide a password")
        user = self.model(email=email)
        user.is_staff = True
        user.is_superuser = True
        user.set_password(password)
        user.save()
        return user
@@ -46,6 +46,11 @@ def generate_notifications_token():
    return get_random_string(length=32)
 class SuperuserPermissionSet:
    def __contains__(self, item):
        return True
 class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
    """
    This is the user model used by pretix for authentication.
@@ -114,6 +119,10 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
    def __str__(self):
        return self.email
    @property
    def is_superuser(self):
        return False
    def get_short_name(self) -> str:
        """
        Returns the first of the following user properties that is found to exist:
@@ -194,40 +203,36 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
            ))
        return self._teamcache['e{}'.format(event.pk)]
-    class SuperuserPermissionSet:
+    def get_event_permission_set(self, organizer, event) -> set:
        def __contains__(self, item):
            return True
    def get_event_permission_set(self, organizer, event) -> Union[set, SuperuserPermissionSet]:
        """
        Gets a set of permissions (as strings) that a user holds for a particular event
        :param organizer: The organizer of the event
        :param event: The event to check
-        :return: set in case of a normal user and a SuperuserPermissionSet in case of a superuser (fake object where
+        :return: set
                 a in b always returns true).
        """
        if self.is_superuser:
            return self.SuperuserPermissionSet()
        teams = self._get_teams_for_event(organizer, event)
-        return set.union(*[t.permission_set() for t in teams])
+        sets = [t.permission_set() for t in teams]
        if sets:
            return set.union(*sets)
        else:
            return set()
-    def get_organizer_permission_set(self, organizer) -> Union[set, SuperuserPermissionSet]:
+    def get_organizer_permission_set(self, organizer) -> set:
        """
        Gets a set of permissions (as strings) that a user holds for a particular organizer
        :param organizer: The organizer of the event
-        :return: set in case of a normal user and a SuperuserPermissionSet in case of a superuser (fake object where
+        :return: set
                 a in b always returns true).
        """
        if self.is_superuser:
            return self.SuperuserPermissionSet()
        teams = self._get_teams_for_organizer(organizer)
-        return set.union(*[t.permission_set() for t in teams])
+        sets = [t.permission_set() for t in teams]
        if sets:
            return set.union(*sets)
        else:
            return set()
-    def has_event_permission(self, organizer, event, perm_name=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
        """
        Checks if this user is part of any team that grants access of type ``perm_name``
        to the event ``event``.
@@ -235,9 +240,10 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
        :param organizer: The organizer of the event
        :param event: The event to check
        :param perm_name: The permission, e.g. ``can_change_teams``
        :param request: The current request (optional). Required to detect staff sessions properly.
        :return: bool
        """
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
            return True
        teams = self._get_teams_for_event(organizer, event)
        if teams:
@@ -246,16 +252,17 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                return True
        return False
-    def has_organizer_permission(self, organizer, perm_name=None):
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
        """
        Checks if this user is part of any team that grants access of type ``perm_name``
        to the organizer ``organizer``.
        :param organizer: The organizer to check
        :param perm_name: The permission, e.g. ``can_change_teams``
        :param request: The current request (optional). Required to detect staff sessions properly.
        :return: bool
        """
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
            return True
        teams = self._get_teams_for_organizer(organizer)
        if teams:
@@ -263,15 +270,16 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                return True
        return False
-    def get_events_with_any_permission(self):
+    def get_events_with_any_permission(self, request=None):
        """
        Returns a queryset of events the user has any permissions to.
        :param request: The current request (optional). Required to detect staff sessions properly.
        :return: Iterable of Events
        """
        from .event import Event
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
            return Event.objects.all()
        return Event.objects.filter(
@@ -279,15 +287,16 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
            | Q(id__in=self.teams.values_list('limit_events__id', flat=True))
        )
-    def get_events_with_permission(self, permission):
+    def get_events_with_permission(self, permission, request=None):
        """
        Returns a queryset of events the user has a specific permissions to.
        :param request: The current request (optional). Required to detect staff sessions properly.
        :return: Iterable of Events
        """
        from .event import Event
-        if self.is_superuser:
+        if request and self.has_active_staff_session(request.session.session_key):
            return Event.objects.all()
        kwargs = {permission: True}
@@ -297,6 +306,56 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
            | Q(id__in=self.teams.filter(**kwargs).values_list('limit_events__id', flat=True))
        )
    def has_active_staff_session(self, session_key=None):
        """
        Returns whether or not a user has an active staff session (formerly known as superuser session)
        with the given session key.
        """
        return self.get_active_staff_session(session_key) is not None
    def get_active_staff_session(self, session_key=None):
        if not self.is_staff:
            return None
        if not hasattr(self, '_staff_session_cache'):
            self._staff_session_cache = {}
        if session_key not in self._staff_session_cache:
            qs = StaffSession.objects.filter(
                user=self, date_end__isnull=True
            )
            if session_key:
                qs = qs.filter(session_key=session_key)
            sess = qs.first()
            if sess:
                if sess.date_start < now() - timedelta(seconds=settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE):
                    sess.date_end = now()
                    sess.save()
                    sess = None
            self._staff_session_cache[session_key] = sess
        return self._staff_session_cache[session_key]
 class StaffSession(models.Model):
    user = models.ForeignKey('User')
    date_start = models.DateTimeField(auto_now_add=True)
    date_end = models.DateTimeField(null=True, blank=True)
    session_key = models.CharField(max_length=255)
    comment = models.TextField()
    class Meta:
        ordering = ('date_start',)
 class StaffSessionAuditLog(models.Model):
    session = models.ForeignKey('StaffSession', related_name='logs')
    datetime = models.DateTimeField(auto_now_add=True)
    url = models.CharField(max_length=255)
    method = models.CharField(max_length=255)
    impersonating = models.ForeignKey('User', null=True, blank=True)
    class Meta:
        ordering = ('datetime',)
 class U2FDevice(Device):
    json_data = models.TextField()
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -437,7 +437,8 @@ class Event(EventMixin, LoggedModel):
            if s.value.startswith('file://'):
                fi = default_storage.open(s.value[7:], 'rb')
                nonce = get_random_string(length=8)
-                fname = '%s/%s/%s.%s.%s' % (
+                # TODO: make sure pub is always correct
                fname = 'pub/%s/%s/%s.%s.%s' % (
                    self.organizer.slug, self.slug, s.key, nonce, s.value.split('.')[-1]
                )
                newname = default_storage.save(fname, fi)
@@ -553,9 +554,7 @@ class Event(EventMixin, LoggedModel):
            Q(all_events=True) | Q(limit_events__pk=self.pk)
        )
-        return User.objects.annotate(twp=Exists(team_with_perm)).filter(
+        return User.objects.annotate(twp=Exists(team_with_perm)).filter(twp=True)
            Q(is_superuser=True) | Q(twp=True)
        )
    def allow_delete(self):
        return not self.orders.exists() and not self.invoices.exists()
--- a/src/pretix/base/models/invoices.py
+++ b/src/pretix/base/models/invoices.py
@@ -84,7 +84,7 @@ class Invoice(models.Model):
    foreign_currency_rate = models.DecimalField(decimal_places=4, max_digits=10, null=True, blank=True)
    foreign_currency_rate_date = models.DateField(null=True, blank=True)
-    file = models.FileField(null=True, blank=True, upload_to=invoice_filename)
+    file = models.FileField(null=True, blank=True, upload_to=invoice_filename, max_length=255)
    internal_reference = models.TextField(blank=True)
    @staticmethod
--- a/src/pretix/base/models/items.py
+++ b/src/pretix/base/models/items.py
@@ -11,6 +11,7 @@ from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models import F, Func, Q, Sum
 from django.utils import formats
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
 from django.utils.timezone import is_naive, make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
@@ -85,7 +86,7 @@ class ItemCategory(LoggedModel):
 def itempicture_upload_to(instance, filename: str) -> str:
-    return '%s/%s/item-%s-%s.%s' % (
+    return 'pub/%s/%s/item-%s-%s.%s' % (
        instance.event.organizer.slug, instance.event.slug, instance.id,
        str(uuid.uuid4()), filename.split('.')[-1]
    )
@@ -247,7 +248,7 @@ class Item(LoggedModel):
    )
    picture = models.ImageField(
        verbose_name=_("Product picture"),
-        null=True, blank=True,
+        null=True, blank=True, max_length=255,
        upload_to=itempicture_upload_to
    )
    available_from = models.DateTimeField(
@@ -630,6 +631,8 @@ class Question(LoggedModel):
    :param items: A set of ``Items`` objects that this question should be applied to
    :param ask_during_checkin: Whether to ask this question during check-in instead of during check-out.
    :type ask_during_checkin: bool
    :param identifier: An arbitrary, internal identifier
    :type identifier: str
    """
    TYPE_NUMBER = "N"
    TYPE_STRING = "S"
@@ -661,6 +664,12 @@ class Question(LoggedModel):
    question = I18nTextField(
        verbose_name=_("Question")
    )
    identifier = models.CharField(
        max_length=190,
        verbose_name=_("Internal identifier"),
        help_text=_('You can enter any value here to make it easier to match the data with other sources. If you do '
                    'not input one, we will generate one automatically.')
    )
    help_text = I18nTextField(
        verbose_name=_("Help text"),
        help_text=_("If the question needs to be explained or clarified, do it here!"),
@@ -706,7 +715,25 @@ class Question(LoggedModel):
        if self.event:
            self.event.cache.clear()
    def clean_identifier(self, code):
        Question._clean_identifier(self.event, code, self)
    @staticmethod
    def _clean_identifier(event, code, instance=None):
        qs = Question.objects.filter(event=event, identifier=code)
        if instance:
            qs = qs.exclude(pk=instance.pk)
        if qs.exists():
            raise ValidationError(_('This identifier is already used for a different question.'))
    def save(self, *args, **kwargs):
        if not self.identifier:
            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
            while True:
                code = get_random_string(length=8, allowed_chars=charset)
                if not Question.objects.filter(event=self.event, identifier=code).exists():
                    self.identifier = code
                    break
        super().save(*args, **kwargs)
        if self.event:
            self.event.cache.clear()
@@ -776,15 +803,40 @@ class Question(LoggedModel):
        return answer
    @staticmethod
    def clean_items(event, items):
        for item in items:
            if event != item.event:
                raise ValidationError(_('One or more items do not belong to this event.'))
 class QuestionOption(models.Model):
    question = models.ForeignKey('Question', related_name='options')
    identifier = models.CharField(max_length=190)
    answer = I18nCharField(verbose_name=_('Answer'))
    position = models.IntegerField(default=0)
    def __str__(self):
        return str(self.answer)
    def save(self, *args, **kwargs):
        if not self.identifier:
            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
            while True:
                code = get_random_string(length=8, allowed_chars=charset)
                if not QuestionOption.objects.filter(question__event=self.question.event, identifier=code).exists():
                    self.identifier = code
                    break
        super().save(*args, **kwargs)
    @staticmethod
    def clean_identifier(event, code, instance=None, known=[]):
        qs = QuestionOption.objects.filter(question__event=event, identifier=code)
        if instance:
            qs = qs.exclude(pk=instance.pk)
        if qs.exists() or code in known:
            raise ValidationError(_('The identifier "{}" is already used for a different option.').format(code))
    class Meta:
        verbose_name = _("Question option")
        verbose_name_plural = _("Question options")
--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -471,7 +471,8 @@ class QuestionAnswer(models.Model):
    )
    answer = models.TextField()
    file = models.FileField(
-        null=True, blank=True, upload_to=answerfile_name
+        null=True, blank=True, upload_to=answerfile_name,
        max_length=255
    )
    @property
@@ -969,7 +970,7 @@ class CachedTicket(models.Model):
    provider = models.CharField(max_length=255)
    type = models.CharField(max_length=255)
    extension = models.CharField(max_length=255)
-    file = models.FileField(null=True, blank=True, upload_to=cachedticket_name)
+    file = models.FileField(null=True, blank=True, upload_to=cachedticket_name, max_length=255)
    created = models.DateTimeField(auto_now_add=True)
@@ -978,7 +979,7 @@ class CachedCombinedTicket(models.Model):
    provider = models.CharField(max_length=255)
    type = models.CharField(max_length=255)
    extension = models.CharField(max_length=255)
-    file = models.FileField(null=True, blank=True, upload_to=cachedcombinedticket_name)
+    file = models.FileField(null=True, blank=True, upload_to=cachedcombinedticket_name, max_length=255)
    created = models.DateTimeField(auto_now_add=True)
--- a/src/pretix/base/models/organizer.py
+++ b/src/pretix/base/models/organizer.py
@@ -264,7 +264,7 @@ class TeamAPIToken(models.Model):
        """
        return self.team.permission_set() if self.team.organizer == organizer else set()
-    def has_event_permission(self, organizer, event, perm_name=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
        """
        Checks if this token is part of a team that grants access of type ``perm_name``
        to the event ``event``.
@@ -272,6 +272,7 @@ class TeamAPIToken(models.Model):
        :param organizer: The organizer of the event
        :param event: The event to check
        :param perm_name: The permission, e.g. ``can_change_teams``
        :param request: This parameter is ignored and only defined for compatibility reasons.
        :return: bool
        """
        has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
@@ -279,13 +280,14 @@ class TeamAPIToken(models.Model):
        )
        return has_event_access and (not perm_name or self.team.has_permission(perm_name))
-    def has_organizer_permission(self, organizer, perm_name=None):
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
        """
        Checks if this token is part of a team that grants access of type ``perm_name``
        to the organizer ``organizer``.
        :param organizer: The organizer to check
        :param perm_name: The permission, e.g. ``can_change_teams``
        :param request: This parameter is ignored and only defined for compatibility reasons.
        :return: bool
        """
        return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
--- a/src/pretix/base/models/tax.py
+++ b/src/pretix/base/models/tax.py
@@ -1,6 +1,7 @@
 import json
 from decimal import Decimal
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.formats import localize
 from django.utils.translation import ugettext_lazy as _
@@ -113,7 +114,7 @@ class TaxRule(LoggedModel):
    def clean(self):
        if self.eu_reverse_charge and not self.home_country:
-            raise ValueError(_('You need to set your home country to use the reverse charge feature.'))
+            raise ValidationError(_('You need to set your home country to use the reverse charge feature.'))
    def __str__(self):
        if self.price_includes_tax:
@@ -124,6 +125,10 @@ class TaxRule(LoggedModel):
            s += ' ({})'.format(_('reverse charge enabled'))
        return str(s)
    @property
    def has_custom_rules(self):
        return self.custom_rules and self.custom_rules != '[]'
    def tax(self, base_price, base_price_is='auto'):
        if self.rate == Decimal('0.00'):
            return TaxedPrice(
--- a/src/pretix/base/models/vouchers.py
+++ b/src/pretix/base/models/vouchers.py
@@ -25,7 +25,7 @@ def _generate_random_code(prefix=None):
 def generate_code(prefix=None):
    while True:
        code = _generate_random_code(prefix=prefix)
-        if not Voucher.objects.filter(code=code).exists():
+        if not Voucher.objects.filter(code__iexact=code).exists():
            return code
@@ -278,11 +278,9 @@ class Voucher(LoggedModel):
            if old_instance.quota:
                quotas.add(old_instance.quota)
            elif old_instance.variation:
-                quotas |= set(old_instance.variation.quotas.filter(
+                quotas |= set(old_instance.variation.quotas.filter(subevent=old_instance.subevent))
                    subevent=old_instance.subevent))
            elif old_instance.item:
-                quotas |= set(old_instance.item.quotas.filter(
+                quotas |= set(old_instance.item.quotas.filter(subevent=old_instance.subevent))
                    subevent=old_instance.subevent))
        return quotas
    @staticmethod
@@ -313,7 +311,7 @@ class Voucher(LoggedModel):
    @staticmethod
    def clean_voucher_code(data, event, pk):
-        if 'code' in data and Voucher.objects.filter(Q(code=data['code']) & Q(event=event) & ~Q(pk=pk)).exists():
+        if 'code' in data and Voucher.objects.filter(Q(code__iexact=data['code']) & Q(event=event) & ~Q(pk=pk)).exists():
            raise ValidationError(_('A voucher with this code already exists.'))
    def save(self, *args, **kwargs):
--- a/src/pretix/base/notifications.py
+++ b/src/pretix/base/notifications.py
@@ -204,6 +204,12 @@ def register_default_notification_types(sender, **kwargs):
            _('Order canceled'),
            _('Order {order.code} has been canceled.')
        ),
        ParametrizedOrderNotificationType(
            sender,
            'pretix.event.order.expired',
            _('Order expired'),
            _('Order {order.code} has been marked as expired.'),
        ),
        ParametrizedOrderNotificationType(
            sender,
            'pretix.event.order.modified',
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -169,6 +169,22 @@ class BasePaymentProvider:
                 label=_('Enable payment method'),
                 required=False,
             )),
            ('_availability_date',
             RelativeDateField(
                 label=_('Available until'),
                 help_text=_('Users will not be able to choose this payment provider after the given date.'),
                 required=False,
             )),
            ('_invoice_text',
             I18nFormField(
                 label=_('Text on invoices'),
                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
                             'This will only be used if the invoice is generated before the order is paid. If the '
                             'invoice is generated later, it will show a text stating that it has already been paid.'),
                 required=False,
                 widget=I18nTextarea,
                 widget_kwargs={'attrs': {'rows': '2'}}
             )),
            ('_fee_abs',
             forms.DecimalField(
                 label=_('Additional fee'),
@@ -187,12 +203,6 @@ class BasePaymentProvider:
                 localize=True,
                 required=False,
             )),
            ('_availability_date',
             RelativeDateField(
                 label=_('Available until'),
                 help_text=_('Users will not be able to choose this payment provider after the given date.'),
                 required=False,
             )),
            ('_fee_reverse_calc',
             forms.BooleanField(
                 label=_('Calculate the fee from the total value including the fee.'),
@@ -202,16 +212,6 @@ class BasePaymentProvider:
                             'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
                 required=False
             )),
            ('_invoice_text',
             I18nFormField(
                 label=_('Text on invoices'),
                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
                             'This will only be used if the invoice is generated before the order is paid. If the '
                             'invoice is generated later, it will show a text stating that it has already been paid.'),
                 required=False,
                 widget=I18nTextarea,
                 widget_kwargs={'attrs': {'rows': '2'}}
             )),
        ])
    def settings_content_render(self, request: HttpRequest) -> str:
@@ -220,7 +220,7 @@ class BasePaymentProvider:
        page, this method is called. It may return HTML containing additional information
        that is displayed below the form fields configured in ``settings_form_fields``.
        """
-        pass
+        return ""
    def render_invoice_text(self, order: Order) -> str:
        """
--- a/src/pretix/base/reldate.py
+++ b/src/pretix/base/reldate.py
@@ -71,6 +71,7 @@ class RelativeDateWrapper:
            else:
                base_date = getattr(event, self.data.base_date_name) or event.date_from
            oldoffset = base_date.utcoffset()
            new_date = base_date.astimezone(tz) - datetime.timedelta(days=self.data.days_before)
            if self.data.time:
                new_date = new_date.replace(
@@ -78,6 +79,9 @@ class RelativeDateWrapper:
                    minute=self.data.time.minute,
                    second=self.data.time.second
                )
            new_date = new_date.astimezone(tz)
            newoffset = new_date.utcoffset()
            new_date += oldoffset - newoffset
            return new_date
    def to_string(self) -> str:
@@ -149,6 +153,11 @@ class RelativeDateTimeField(forms.MultiValueField):
            ('absolute', _('Fixed date:')),
            ('relative', _('Relative date:')),
        ]
        if kwargs.get('limit_choices'):
            limit = kwargs.pop('limit_choices')
            choices = [(k, v) for k, v in BASE_CHOICES if k in limit]
        else:
            choices = BASE_CHOICES
        if not kwargs.get('required', True):
            status_choices.insert(0, ('unset', _('Not set')))
        fields = (
@@ -163,7 +172,7 @@ class RelativeDateTimeField(forms.MultiValueField):
                required=False
            ),
            forms.ChoiceField(
-                choices=BASE_CHOICES,
+                choices=choices,
                required=False
            ),
            forms.TimeField(
@@ -171,7 +180,7 @@ class RelativeDateTimeField(forms.MultiValueField):
            ),
        )
        if 'widget' not in kwargs:
-            kwargs['widget'] = RelativeDateTimeWidget(status_choices=status_choices, base_choices=BASE_CHOICES)
+            kwargs['widget'] = RelativeDateTimeWidget(status_choices=status_choices, base_choices=choices)
        kwargs.pop('max_length', 0)
        kwargs.pop('empty_value', 0)
        super().__init__(
--- a/src/pretix/base/services/auth.py
+++ b/src/pretix/base/services/auth.py
@@ -0,0 +1,19 @@
 from datetime import timedelta
 from django.conf import settings
 from django.db.models import Max, Q
 from django.dispatch import receiver
 from django.utils.timezone import now
 from pretix.base.models.auth import StaffSession
 from ..signals import periodic_task
@receiver(signal=periodic_task)
 def close_inactive_staff_sessions(sender, **kwargs):
    StaffSession.objects.annotate(last_used=Max('logs__datetime')).filter(
        Q(last_used__lte=now() - timedelta(seconds=settings.PRETIX_SESSION_TIMEOUT_RELATIVE)) & Q(date_end__isnull=True)
    ).update(
        date_end=now()
    )
--- a/src/pretix/base/services/cart.py
+++ b/src/pretix/base/services/cart.py
@@ -295,7 +295,7 @@ class CartManager:
            if i.get('voucher'):
                try:
-                    voucher = self.event.vouchers.get(code=i.get('voucher').strip())
+                    voucher = self.event.vouchers.get(code__iexact=i.get('voucher').strip())
                except Voucher.DoesNotExist:
                    raise CartError(error_messages['voucher_invalid'])
                else:
--- a/src/pretix/base/services/invoices.py
+++ b/src/pretix/base/services/invoices.py
@@ -265,11 +265,20 @@ def build_preview_invoice_pdf(event):
        invoice.save()
        invoice.lines.all().delete()
-        InvoiceLine.objects.create(
+        if event.tax_rules.exists():
-            invoice=invoice, description=_("Sample product A"),
+            for i, tr in enumerate(event.tax_rules.all()):
-            gross_value=119, tax_value=19,
+                tax = tr.tax(Decimal('100.00'))
-            tax_rate=19
+                InvoiceLine.objects.create(
-        )
+                    invoice=invoice, description=_("Sample product {}").format(i + 1),
                    gross_value=tax.gross, tax_value=tax.tax,
                    tax_rate=tax.rate
                )
        else:
            InvoiceLine.objects.create(
                invoice=invoice, description=_("Sample product A"),
                gross_value=100, tax_value=0, tax_rate=0
            )
        return event.invoice_renderer.generate(invoice)
--- a/src/pretix/base/services/orders.py
+++ b/src/pretix/base/services/orders.py
@@ -504,7 +504,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
        for fee in fees:
            fee.order = order
            fee._calculate_tax()
-            if not fee.tax_rule.pk:
+            if fee.tax_rule and not fee.tax_rule.pk:
                fee.tax_rule = None  # TODO: deprecate
            fee.save()
--- a/src/pretix/base/settings.py
+++ b/src/pretix/base/settings.py
@@ -321,7 +321,7 @@ Your {event} team"""))
        'default': LazyI18nString.from_gettext(ugettext_noop("""Hello,
 we did not yet receive a payment for your order for {event}.
-Please keep in mind that if we only guarantee your order if we receive
+Please keep in mind that we only guarantee your order if we receive
 your payment before {expire_date}.
 You can view the payment information and the status of your order at
@@ -486,7 +486,15 @@ Your {event} team"""))
    'update_check_id': {
        'default': None,
        'type': str
-    }
+    },
    'banner_message': {
        'default': '',
        'type': LazyI18nString
    },
    'banner_message_detail': {
        'default': '',
        'type': LazyI18nString
    },
 }
 settings_hierarkey = Hierarkey(attribute_name='settings')
--- a/src/pretix/base/views/mixins.py
+++ b/src/pretix/base/views/mixins.py
@@ -144,6 +144,7 @@ class BaseQuestionsViewMixin:
 class OrderQuestionsViewMixin(BaseQuestionsViewMixin):
    invoice_form_class = BaseInvoiceAddressForm
    only_user_visible = True
    @cached_property
    def _positions_for_questions(self):
@@ -151,6 +152,9 @@ class OrderQuestionsViewMixin(BaseQuestionsViewMixin):
    @cached_property
    def positions(self):
        qqs = Question.objects.all()
        if self.only_user_visible:
            qqs = qqs.filter(ask_during_checkin=False)
        return list(self.order.positions.select_related(
            'item', 'variation'
        ).prefetch_related(
@@ -158,7 +162,7 @@ class OrderQuestionsViewMixin(BaseQuestionsViewMixin):
                     QuestionAnswer.objects.prefetch_related('options'),
                     to_attr='answerlist'),
            Prefetch('item__questions',
-                     Question.objects.filter(ask_during_checkin=False).prefetch_related(
+                     qqs.prefetch_related(
                         Prefetch('options', QuestionOption.objects.prefetch_related(Prefetch(
                             # This prefetch statement is utter bullshit, but it actually prevents Django from doing
                             # a lot of queries since ModelChoiceIterator stops trying to be clever once we have
--- a/src/pretix/control/context.py
+++ b/src/pretix/control/context.py
@@ -3,11 +3,15 @@ from importlib import import_module
 from django.conf import settings
 from django.core.urlresolvers import Resolver404, get_script_prefix, resolve
 from django.db.models import Q
 from django.utils.translation import get_language
 from pretix.base.models.auth import StaffSession
 from pretix.base.settings import GlobalSettingsObject
-from ..helpers.i18n import get_javascript_format, get_moment_locale
+from ..helpers.i18n import (
    get_javascript_format, get_javascript_output_format, get_moment_locale,
 )
 from .signals import html_head, nav_event, nav_global, nav_topbar
 SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
@@ -80,6 +84,7 @@ def contextprocessor(request):
    ctx['js_datetime_format'] = get_javascript_format('DATETIME_INPUT_FORMATS')
    ctx['js_date_format'] = get_javascript_format('DATE_INPUT_FORMATS')
    ctx['js_long_date_format'] = get_javascript_output_format('DATE_FORMAT')
    ctx['js_time_format'] = get_javascript_format('TIME_INPUT_FORMATS')
    ctx['js_locale'] = get_moment_locale()
    ctx['select2locale'] = get_language()[:2]
@@ -91,11 +96,21 @@ def contextprocessor(request):
    ctx['warning_update_available'] = False
    ctx['warning_update_check_active'] = False
-    if request.user.is_superuser:
+    gs = GlobalSettingsObject()
-        gs = GlobalSettingsObject()
+    ctx['global_settings'] = gs.settings
    if request.user.is_staff:
        if gs.settings.update_check_result_warning:
            ctx['warning_update_available'] = True
        if not gs.settings.update_check_ack and 'runserver' not in sys.argv:
            ctx['warning_update_check_active'] = True
    if request.user.is_authenticated:
        ctx['staff_session'] = request.user.has_active_staff_session(request.session.session_key)
        ctx['staff_need_to_explain'] = (
            StaffSession.objects.filter(user=request.user, date_end__isnull=False).filter(
                Q(comment__isnull=True) | Q(comment="")
            )
            if request.user.is_staff and settings.PRETIX_ADMIN_AUDIT_COMMENTS else StaffSession.objects.none()
        )
    return ctx
--- a/src/pretix/control/forms/init.py
+++ b/src/pretix/control/forms/init.py
@@ -1,6 +1,7 @@
 import os
 from django import forms
 from django.conf import settings
 from django.utils.html import conditional_escape
 from django.utils.translation import ugettext_lazy as _
@@ -102,3 +103,68 @@ class SlugWidget(forms.TextInput):
        ctx = super().get_context(name, value, attrs)
        ctx['pre'] = self.prefix
        return ctx
 class MultipleLanguagesWidget(forms.CheckboxSelectMultiple):
    option_template_name = 'pretixcontrol/multi_languages_widget.html'
    def sort(self):
        self.choices = sorted(self.choices, key=lambda l: (
            (
                0 if l[0] in settings.LANGUAGES_OFFICIAL
                else (
                    1 if l[0] not in settings.LANGUAGES_INCUBATING
                    else 2
                )
            ), str(l[1])
        ))
    def options(self, name, value, attrs=None):
        self.sort()
        return super().options(name, value, attrs)
    def optgroups(self, name, value, attrs=None):
        self.sort()
        return super().optgroups(name, value, attrs)
    def create_option(self, name, value, label, selected, index, subindex=None, attrs=None):
        opt = super().create_option(name, value, label, selected, index, subindex, attrs)
        opt['official'] = value in settings.LANGUAGES_OFFICIAL
        opt['incubating'] = value in settings.LANGUAGES_INCUBATING
        return opt
 class SingleLanguageWidget(forms.Select):
    def modify(self):
        if hasattr(self, '_modified'):
            return self.choices
        self.choices = sorted(self.choices, key=lambda l: (
            (
                0 if l[0] in settings.LANGUAGES_OFFICIAL
                else (
                    1 if l[0] not in settings.LANGUAGES_INCUBATING
                    else 2
                )
            ), str(l[1])
        ))
        new_choices = []
        for k, v in self.choices:
            new_choices.append((
                k,
                v if k in settings.LANGUAGES_OFFICIAL
                else (
                    '{} (inofficial translation)'.format(v) if k not in settings.LANGUAGES_INCUBATING
                    else '{} (translation in progress)'.format(v)
                )
            ))
        self._modified = True
        self.choices = new_choices
    def options(self, name, value, attrs=None):
        self.modify()
        return super().options(name, value, attrs)
    def optgroups(self, name, value, attrs=None):
        self.modify()
        return super().optgroups(name, value, attrs)
--- a/src/pretix/control/forms/event.py
+++ b/src/pretix/control/forms/event.py
@@ -9,7 +9,9 @@ from django.utils.timezone import get_current_timezone_name
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from django_countries import Countries
 from django_countries.fields import LazyTypedChoiceField
-from i18nfield.forms import I18nFormField, I18nTextarea
+from i18nfield.forms import (
    I18nForm, I18nFormField, I18nFormSetMixin, I18nTextarea, I18nTextInput,
 )
 from pytz import common_timezones, timezone
 from pretix.base.forms import I18nModelForm, PlaceholderValidator, SettingsForm
@@ -17,9 +19,11 @@ from pretix.base.models import Event, Organizer, TaxRule
 from pretix.base.models.event import EventMetaValue, SubEvent
 from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
 from pretix.control.forms import (
-    ExtFileField, SlugWidget, SplitDateTimePickerWidget,
+    ExtFileField, MultipleLanguagesWidget, SingleLanguageWidget, SlugWidget,
    SplitDateTimePickerWidget,
 )
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.plugins.banktransfer.payment import BankTransfer
 from pretix.presale.style import get_fonts
@@ -27,7 +31,7 @@ class EventWizardFoundationForm(forms.Form):
    locales = forms.MultipleChoiceField(
        choices=settings.LANGUAGES,
        label=_("Use languages"),
-        widget=forms.CheckboxSelectMultiple,
+        widget=MultipleLanguagesWidget,
        help_text=_('Choose all languages that your event should be available in.')
    )
    has_subevents = forms.BooleanField(
@@ -144,7 +148,7 @@ class EventWizardBasicsForm(I18nModelForm):
    def clean_slug(self):
        slug = self.cleaned_data['slug']
-        if Event.objects.filter(slug=slug, organizer=self.organizer).exists():
+        if Event.objects.filter(slug__iexact=slug, organizer=self.organizer).exists():
            raise forms.ValidationError(
                self.error_messages['duplicate_slug'],
                code='duplicate_slug'
@@ -279,11 +283,12 @@ class EventSettingsForm(SettingsForm):
    )
    locales = forms.MultipleChoiceField(
        choices=settings.LANGUAGES,
-        widget=forms.CheckboxSelectMultiple,
+        widget=MultipleLanguagesWidget,
        label=_("Available languages"),
    )
    locale = forms.ChoiceField(
        choices=settings.LANGUAGES,
        widget=SingleLanguageWidget,
        label=_("Default language"),
    )
    show_quota_left = forms.BooleanField(
@@ -360,6 +365,8 @@ class EventSettingsForm(SettingsForm):
    )
    imprint_url = forms.URLField(
        label=_("Imprint URL"),
        help_text=_("This should point e.g. to a part of your website that has your contact details and legal "
                    "information."),
        required=False,
    )
    confirm_text = I18nFormField(
@@ -373,7 +380,7 @@ class EventSettingsForm(SettingsForm):
    contact_mail = forms.EmailField(
        label=_("Contact address"),
        required=False,
-        help_text=_("Public email address for contacting the organizer")
+        help_text=_("We'll show this publicly to allow attendees to contact you.")
    )
    cancel_allow_user = forms.BooleanField(
        label=_("Allow users to cancel unpaid orders"),
@@ -409,7 +416,10 @@ class EventSettingsForm(SettingsForm):
 class PaymentSettingsForm(SettingsForm):
    payment_term_days = forms.IntegerField(
        label=_('Payment term in days'),
-        help_text=_("The number of days after placing an order the user has to pay to preserve his reservation."),
+        help_text=_("The number of days after placing an order the user has to pay to preserve their reservation. If "
                    "you use slow payment methods like bank transfer, we recommend 14 days. If you only use real-time "
                    "payment methods, we recommend still setting two or three days to allow people to retry failed "
                    "payments."),
    )
    payment_term_last = RelativeDateField(
        label=_('Last date of payments'),
@@ -637,6 +647,8 @@ class InvoiceSettingsForm(SettingsForm):
            (r.identifier, r.verbose_name) for r in event.get_invoice_renderers().values()
        ]
        self.fields['invoice_numbers_prefix'].widget.attrs['placeholder'] = event.slug.upper() + '-'
        locale_names = dict(settings.LANGUAGES)
        self.fields['invoice_language'].choices = [('__user__', _('The user\'s language'))] + [(a, locale_names[a]) for a in event.settings.locales]
 class MailSettingsForm(SettingsForm):
@@ -971,6 +983,11 @@ class WidgetCodeForm(forms.Form):
                    "bought via the widget, this voucher will be used. This can for example be used to provide "
                    "widgets that give discounts or unlock secret products.")
    )
    compatibility_mode = forms.BooleanField(
        label=_("Compatibility mode"),
        help_text=_("Our regular widget doesn't work in all website builders. If you run into trouble, try using "
                    "this compatibility mode.")
    )
    def __init__(self, *args, **kwargs):
        self.event = kwargs.pop('event')
@@ -1032,3 +1049,118 @@ class EventDeleteForm(forms.Form):
                code='slug_wrong',
            )
        return slug
 class QuickSetupForm(I18nForm):
    show_quota_left = forms.BooleanField(
        label=_("Show number of tickets left"),
        help_text=_("Publicly show how many tickets of a certain type are still available."),
        required=False
    )
    waiting_list_enabled = forms.BooleanField(
        label=_("Waiting list"),
        help_text=_("Once a ticket is sold out, people can add themselves to a waiting list. As soon as a ticket "
                    "becomes available again, it will be reserved for the first person on the waiting list and this "
                    "person will receive an email notification with a voucher that can be used to buy a ticket."),
        required=False
    )
    ticket_download = forms.BooleanField(
        label=_("Ticket downloads"),
        help_text=_("Your customers will be able to download their tickets in PDF format."),
        required=False
    )
    attendee_names_required = forms.BooleanField(
        label=_("Require all attendees to fill in their names"),
        help_text=_("By default, we will ask for names but not require them. You can turn this off completely in the "
                    "settings."),
        required=False
    )
    imprint_url = forms.URLField(
        label=_("Imprint URL"),
        help_text=_("This should point e.g. to a part of your website that has your contact details and legal "
                    "information."),
        required=False,
    )
    contact_mail = forms.EmailField(
        label=_("Contact address"),
        required=False,
        help_text=_("We'll show this publicly to allow attendees to contact you.")
    )
    total_quota = forms.IntegerField(
        label=_("Total capacity"),
        min_value=0,
        widget=forms.NumberInput(
            attrs={
                'placeholder': '∞'
            }
        ),
        required=False
    )
    payment_stripe__enabled = forms.BooleanField(
        label=_("Payment via Stripe"),
        help_text=_("Stripe is an online payments processor supporting credit cards and lots of other payment options. "
                    "To accept payments via Stripe, you will need to set up an account with them, which takes less "
                    "than five minutes using their simple interface."),
        required=False
    )
    payment_banktransfer__enabled = forms.BooleanField(
        label=_("Payment by bank transfer"),
        help_text=_("Your customers will be instructed to wire the money to your account. You can then import your "
                    "bank statements to process the payments within pretix, or mark them as paid manually."),
        required=False
    )
    payment_banktransfer_bank_details = BankTransfer.form_field(required=False)
    def __init__(self, *args, **kwargs):
        self.obj = kwargs.pop('event', None)
        self.locales = self.obj.settings.get('locales') if self.obj else kwargs.pop('locales', None)
        kwargs['locales'] = self.locales
        super().__init__(*args, **kwargs)
        if not self.obj.settings.payment_stripe_connect_client_id:
            del self.fields['payment_stripe__enabled']
        self.fields['payment_banktransfer_bank_details'].required = False
 class QuickSetupProductForm(I18nForm):
    name = I18nFormField(
        max_length=255,
        label=_("Product name"),
        widget=I18nTextInput
    )
    default_price = forms.DecimalField(
        label=_("Price (optional)"),
        max_digits=7, decimal_places=2, required=False,
        localize=True,
        widget=forms.TextInput(
            attrs={
                'placeholder': _('Free')
            }
        ),
    )
    quota = forms.IntegerField(
        label=_("Quantity available"),
        min_value=0,
        widget=forms.NumberInput(
            attrs={
                'placeholder': '∞'
            }
        ),
        initial=100,
        required=False
    )
 class BaseQuickSetupProductFormSet(I18nFormSetMixin, forms.BaseFormSet):
    def __init__(self, *args, **kwargs):
        event = kwargs.pop('event', None)
        if event:
            kwargs['locales'] = event.settings.get('locales')
        super().__init__(*args, **kwargs)
 QuickSetupProductFormSet = formset_factory(
    QuickSetupProductForm,
    formset=BaseQuickSetupProductFormSet,
    can_order=False, can_delete=True, extra=0
 )
--- a/src/pretix/control/forms/filter.py
+++ b/src/pretix/control/forms/filter.py
@@ -137,6 +137,7 @@ class OrderFilterForm(FilterForm):
                | Q(invoice_address__name__icontains=u)
                | Q(invoice_address__company__icontains=u)
                | Q(pk__in=matching_invoices)
                | Q(comment__icontains=u)
                | Q(has_pos=True)
            )
@@ -233,7 +234,7 @@ class OrderSearchFilterForm(OrderFilterForm):
    def __init__(self, *args, **kwargs):
        request = kwargs.pop('request')
        super().__init__(*args, **kwargs)
-        if request.user.is_superuser:
+        if request.user.has_active_staff_session(request.session.session_key):
            self.fields['organizer'].queryset = Organizer.objects.all()
        else:
            self.fields['organizer'].queryset = Organizer.objects.filter(
@@ -392,7 +393,7 @@ class EventFilterForm(FilterForm):
    def __init__(self, *args, **kwargs):
        request = kwargs.pop('request')
        super().__init__(*args, **kwargs)
-        if request.user.is_superuser:
+        if request.user.has_active_staff_session(request.session.session_key):
            self.fields['organizer'].queryset = Organizer.objects.all()
        else:
            self.fields['organizer'].queryset = Organizer.objects.filter(
@@ -582,9 +583,9 @@ class UserFilterForm(FilterForm):
            qs = qs.filter(is_active=False)
        if fdata.get('superuser') == 'yes':
-            qs = qs.filter(is_superuser=True)
+            qs = qs.filter(is_staff=True)
        elif fdata.get('superuser') == 'no':
-            qs = qs.filter(is_superuser=False)
+            qs = qs.filter(is_staff=False)
        if fdata.get('query'):
            qs = qs.filter(
--- a/src/pretix/control/forms/global_settings.py
+++ b/src/pretix/control/forms/global_settings.py
@@ -2,7 +2,7 @@ from collections import OrderedDict
 from django import forms
 from django.utils.translation import ugettext_lazy as _
-from i18nfield.forms import I18nFormField, I18nTextInput
+from i18nfield.forms import I18nFormField, I18nTextarea, I18nTextInput
 from pretix.base.forms import SettingsForm
 from pretix.base.settings import GlobalSettingsObject
@@ -26,7 +26,17 @@ class GlobalSettingsForm(SettingsForm):
                required=False,
                label=_("Additional footer link"),
                help_text=_("Will be included as the link in the additional footer text.")
-            ))
+            )),
            ('banner_message', I18nFormField(
                widget=I18nTextarea,
                required=False,
                label=_("Global message banner"),
            )),
            ('banner_message_detail', I18nFormField(
                widget=I18nTextarea,
                required=False,
                label=_("Global message banner detail text"),
            )),
        ])
        responses = register_global_settings.send(self)
        for r, response in sorted(responses, key=lambda r: str(r[0])):
@@ -34,6 +44,9 @@ class GlobalSettingsForm(SettingsForm):
                # We need to be this explicit, since OrderedDict.update does not retain ordering
                self.fields[key] = value
        self.fields['banner_message'].widget.attrs['rows'] = '2'
        self.fields['banner_message_detail'].widget.attrs['rows'] = '3'
 class UpdateSettingsForm(SettingsForm):
    update_check_perform = forms.BooleanField(
--- a/src/pretix/control/forms/item.py
+++ b/src/pretix/control/forms/item.py
@@ -41,6 +41,7 @@ class QuestionForm(I18nModelForm):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['items'].queryset = self.instance.event.items.all()
        self.fields['identifier'].required = False
    class Meta:
        model = Question
@@ -51,6 +52,7 @@ class QuestionForm(I18nModelForm):
            'type',
            'required',
            'ask_during_checkin',
            'identifier',
            'items'
        ]
        widgets = {
@@ -221,6 +223,7 @@ class ItemCreateForm(I18nModelForm):
            self.instance.min_per_order = self.cleaned_data['copy_from'].min_per_order
            self.instance.max_per_order = self.cleaned_data['copy_from'].max_per_order
            self.instance.checkin_attention = self.cleaned_data['copy_from'].checkin_attention
            self.instance.free_price = self.cleaned_data['copy_from'].free_price
        self.instance.position = (self.event.items.aggregate(p=Max('position'))['p'] or 0) + 1
        instance = super().save(*args, **kwargs)
--- a/src/pretix/control/forms/orders.py
+++ b/src/pretix/control/forms/orders.py
@@ -2,6 +2,7 @@ from django import forms
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
@@ -11,6 +12,7 @@ from pretix.base.models import (
 )
 from pretix.base.models.event import SubEvent
 from pretix.base.services.pricing import get_price
 from pretix.control.forms.widgets import Select2
 from pretix.helpers.money import change_decimal_field
@@ -164,6 +166,18 @@ class OrderPositionAddForm(forms.Form):
        if order.event.has_subevents:
            self.fields['subevent'].queryset = order.event.subevents.all()
            self.fields['subevent'].widget = Select2(
                attrs={
                    'data-model-select2': 'event',
                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
                        'event': order.event.slug,
                        'organizer': order.event.organizer.slug,
                    }),
                    'data-placeholder': pgettext_lazy('subevent', 'Date')
                }
            )
            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
            self.fields['subevent'].required = True
        else:
            del self.fields['subevent']
        change_decimal_field(self.fields['price'], order.event.currency)
--- a/src/pretix/control/forms/organizer.py
+++ b/src/pretix/control/forms/organizer.py
@@ -7,7 +7,7 @@ from i18nfield.forms import I18nFormField, I18nTextarea
 from pretix.base.forms import I18nModelForm, SettingsForm
 from pretix.base.models import Organizer, Team
-from pretix.control.forms import ExtFileField
+from pretix.control.forms import ExtFileField, MultipleLanguagesWidget
 from pretix.multidomain.models import KnownDomain
 from pretix.presale.style import get_fonts
@@ -23,7 +23,7 @@ class OrganizerForm(I18nModelForm):
    def clean_slug(self):
        slug = self.cleaned_data['slug']
-        if Organizer.objects.filter(slug=slug).exists():
+        if Organizer.objects.filter(slug__iexact=slug).exists():
            raise forms.ValidationError(
                self.error_messages['duplicate_slug'],
                code='duplicate_slug',
@@ -158,7 +158,7 @@ class OrganizerDisplaySettingsForm(SettingsForm):
    locales = forms.MultipleChoiceField(
        choices=settings.LANGUAGES,
        label=_("Use languages"),
-        widget=forms.CheckboxSelectMultiple,
+        widget=MultipleLanguagesWidget,
        help_text=_('Choose all languages that your organizer homepage should be available in.')
    )
    primary_font = forms.ChoiceField(
--- a/src/pretix/control/forms/subevents.py
+++ b/src/pretix/control/forms/subevents.py
@@ -1,10 +1,16 @@
 from datetime import timedelta
 from django import forms
 from django.forms import formset_factory
 from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from i18nfield.forms import I18nInlineFormSet
 from pretix.base.forms import I18nModelForm
 from pretix.base.models.event import SubEvent, SubEventMetaValue
 from pretix.base.models.items import SubEventItem
 from pretix.base.reldate import RelativeDateTimeField
 from pretix.base.templatetags.money import money_filter
 from pretix.control.forms import SplitDateTimePickerWidget
 from pretix.helpers.money import change_decimal_field
@@ -46,6 +52,44 @@ class SubEventForm(I18nModelForm):
        }
 class SubEventBulkForm(SubEventForm):
    time_from = forms.TimeField(
        label=_('Event start time'),
        widget=forms.TimeInput(attrs={'class': 'timepickerfield'})
    )
    time_to = forms.TimeField(
        label=_('Event end time'),
        widget=forms.TimeInput(attrs={'class': 'timepickerfield'}),
        required=False
    )
    time_admission = forms.TimeField(
        label=_('Admission time'),
        widget=forms.TimeInput(attrs={'class': 'timepickerfield'}),
        required=False
    )
    rel_presale_start = RelativeDateTimeField(
        label=_('Start of presale'),
        help_text=_('Optional. No products will be sold before this date.'),
        required=False,
        limit_choices=('date_from', 'date_to'),
    )
    rel_presale_end = RelativeDateTimeField(
        label=_('End of presale'),
        help_text=_('Optional. No products will be sold after this date. If you do not set this value, the presale '
                    'will end after the end date of your event.'),
        required=False,
        limit_choices=('date_from', 'date_to'),
    )
    def __init__(self, *args, **kwargs):
        self.event = kwargs['event']
        super().__init__(*args, **kwargs)
        self.fields['location'].widget.attrs['rows'] = '3'
        del self.fields['date_from']
        del self.fields['date_to']
        del self.fields['date_admission']
 class SubEventItemOrVariationFormMixin:
    def __init__(self, *args, **kwargs):
        self.item = kwargs.pop('item')
@@ -97,6 +141,7 @@ class QuotaFormSet(I18nInlineFormSet):
        kwargs['locales'] = self.locales
        kwargs['event'] = self.event
        kwargs['items'] = self.items
        kwargs['items'] = self.items
        return super()._construct_form(i, **kwargs)
    @property
@@ -155,3 +200,175 @@ class CheckinListFormSet(I18nInlineFormSet):
        )
        self.add_fields(form, None)
        return form
 class RRuleForm(forms.Form):
    # TODO: calendar.setfirstweekday
    exclude = forms.BooleanField(
        label=_('Exclude these dates instead of adding them.'),
        required=False
    )
    freq = forms.ChoiceField(
        choices=[
            ('yearly', _('year(s)')),
            ('monthly', _('month(s)')),
            ('weekly', _('week(s)')),
            ('daily', _('day(s)')),
        ]
    )
    interval = forms.IntegerField(
        label=_('Interval'),
        initial=1
    )
    dtstart = forms.DateField(
        label=_('Start date'),
        widget=forms.DateInput(
            attrs={
                'class': 'datepickerfield',
                'required': 'required'
            }
        ),
        initial=lambda: now().date()
    )
    end = forms.ChoiceField(
        choices=[
            ('count', ''),
            ('until', ''),
        ],
        initial='count',
        widget=forms.RadioSelect
    )
    count = forms.IntegerField(
        label=_('Number of repititions'),
        initial=10
    )
    until = forms.DateField(
        widget=forms.DateInput(
            attrs={
                'class': 'datepickerfield',
                'required': 'required'
            }
        ),
        label=_('Last date'),
        required=True,
        initial=lambda: now() + timedelta(days=365)
    )
    yearly_bysetpos = forms.ChoiceField(
        choices=[
            ('1', pgettext_lazy('rrule', 'first')),
            ('2', pgettext_lazy('rrule', 'second')),
            ('3', pgettext_lazy('rrule', 'third')),
            ('-1', pgettext_lazy('rrule', 'last')),
        ],
        required=False
    )
    yearly_same = forms.ChoiceField(
        choices=[
            ('on', ''),
            ('off', ''),
        ],
        initial='on',
        widget=forms.RadioSelect
    )
    yearly_byweekday = forms.ChoiceField(
        choices=[
            ('MO', _('Monday')),
            ('TU', _('Tuesday')),
            ('WE', _('Wednesday')),
            ('TH', _('Thursday')),
            ('FR', _('Friday')),
            ('SA', _('Saturday')),
            ('SU', _('Sunday')),
            ('MO,TU,WE,TH,FR,SA,SU', _('Day')),
            ('MO,TU,WE,TH,FR', _('Weekday')),
            ('SA,SU', _('Weekend day')),
        ],
        required=False
    )
    yearly_bymonth = forms.ChoiceField(
        choices=[
            ('1', _('January')),
            ('2', _('February')),
            ('3', _('March')),
            ('4', _('April')),
            ('5', _('May')),
            ('6', _('June')),
            ('7', _('July')),
            ('8', _('August')),
            ('9', _('September')),
            ('10', _('October')),
            ('11', _('November')),
            ('12', _('December')),
        ],
        required=False
    )
    monthly_same = forms.ChoiceField(
        choices=[
            ('on', ''),
            ('off', ''),
        ],
        initial='on',
        widget=forms.RadioSelect
    )
    monthly_bysetpos = forms.ChoiceField(
        choices=[
            ('1', pgettext_lazy('rrule', 'first')),
            ('2', pgettext_lazy('rrule', 'second')),
            ('3', pgettext_lazy('rrule', 'third')),
            ('-1', pgettext_lazy('rrule', 'last')),
        ],
        required=False
    )
    monthly_byweekday = forms.ChoiceField(
        choices=[
            ('MO', _('Monday')),
            ('TU', _('Tuesday')),
            ('WE', _('Wednesday')),
            ('TH', _('Thursday')),
            ('FR', _('Friday')),
            ('SA', _('Saturday')),
            ('SU', _('Sunday')),
            ('MO,TU,WE,TH,FR,SA,SU', _('Day')),
            ('MO,TU,WE,TH,FR', _('Weekday')),
            ('SA,SU', _('Weekend day')),
        ],
        required=False
    )
    weekly_byweekday = forms.MultipleChoiceField(
        choices=[
            ('MO', _('Monday')),
            ('TU', _('Tuesday')),
            ('WE', _('Wednesday')),
            ('TH', _('Thursday')),
            ('FR', _('Friday')),
            ('SA', _('Saturday')),
            ('SU', _('Sunday')),
        ],
        required=False,
        widget=forms.CheckboxSelectMultiple
    )
    def parse_weekdays(self, value):
        m = {
            'MO': 0,
            'TU': 1,
            'WE': 2,
            'TH': 3,
            'FR': 4,
            'SA': 5,
            'SU': 6
        }
        if ',' in value:
            return [m.get(a) for a in value.split(',')]
        else:
            return m.get(value)
 RRuleFormSet = formset_factory(
    RRuleForm,
    can_order=False, can_delete=True, extra=1
 )
--- a/src/pretix/control/forms/users.py
+++ b/src/pretix/control/forms/users.py
@@ -8,6 +8,13 @@ from django.utils.translation import ugettext_lazy as _
 from pytz import common_timezones
 from pretix.base.models import User
 from pretix.base.models.auth import StaffSession
 class StaffSessionForm(forms.ModelForm):
    class Meta:
        model = StaffSession
        fields = ['comment']
 class UserEditForm(forms.ModelForm):
@@ -41,7 +48,7 @@ class UserEditForm(forms.ModelForm):
            'email',
            'require_2fa',
            'is_active',
-            'is_superuser'
+            'is_staff'
        ]
    def __init__(self, *args, **kwargs):
--- a/src/pretix/control/forms/vouchers.py
+++ b/src/pretix/control/forms/vouchers.py
@@ -1,17 +1,25 @@
 import copy
 from django import forms
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ObjectDoesNotExist, ValidationError
-from django.utils.translation import ugettext_lazy as _
+from django.db.models.functions import Lower
 from django.urls import reverse
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from pretix.base.forms import I18nModelForm
-from pretix.base.models import Item, ItemVariation, Quota, Voucher
+from pretix.base.models import Item, Voucher
 from pretix.control.forms import SplitDateTimePickerWidget
 from pretix.control.forms.widgets import Select2, Select2ItemVarQuota
 from pretix.control.signals import voucher_form_validation
 class FakeChoiceField(forms.ChoiceField):
    def valid_value(self, value):
        return True
 class VoucherForm(I18nModelForm):
-    itemvar = forms.ChoiceField(
+    itemvar = FakeChoiceField(
        label=_("Product"),
        help_text=_(
            "This product is added to the user's cart if the voucher is redeemed."
@@ -53,47 +61,64 @@ class VoucherForm(I18nModelForm):
        if instance.event.has_subevents:
            self.fields['subevent'].queryset = instance.event.subevents.all()
            self.fields['subevent'].widget = Select2(
                attrs={
                    'data-model-select2': 'event',
                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
                        'event': instance.event.slug,
                        'organizer': instance.event.organizer.slug,
                    }),
                    'data-placeholder': pgettext_lazy('subevent', 'Date')
                }
            )
            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
            self.fields['subevent'].required = False
        elif 'subevent':
            del self.fields['subevent']
        choices = []
        for i in self.instance.event.items.prefetch_related('variations').all():
            variations = list(i.variations.all())
            if variations:
                choices.append((str(i.pk), _('{product} – Any variation').format(product=i.name)))
                for v in variations:
                    choices.append(('%d-%d' % (i.pk, v.pk), '%s – %s' % (i.name, v.value)))
            else:
                choices.append((str(i.pk), i.name))
        for q in self.instance.event.quotas.all():
            choices.append(('q-%d' % q.pk, _('Any product in quota "{quota}"').format(quota=q)))
        self.fields['itemvar'].choices = choices
        self.fields['itemvar'].widget = Select2ItemVarQuota(
            attrs={
                'data-model-select2': 'generic',
                'data-select2-url': reverse('control:event.vouchers.itemselect2', kwargs={
                    'event': instance.event.slug,
                    'organizer': instance.event.organizer.slug,
                }),
                'data-placeholder': ''
            }
        )
        self.fields['itemvar'].widget.choices = self.fields['itemvar'].choices
        self.fields['itemvar'].required = True
    def clean(self):
        data = super().clean()
        if not self._errors:
-            itemid = quotaid = None
+            try:
-            iv = self.data.get('itemvar', '')
+                itemid = quotaid = None
-            if iv.startswith('q-'):
+                iv = self.data.get('itemvar', '')
-                quotaid = iv[2:]
+                if iv.startswith('q-'):
-            elif '-' in iv:
+                    quotaid = iv[2:]
-                itemid, varid = iv.split('-')
+                elif '-' in iv:
-            else:
+                    itemid, varid = iv.split('-')
                itemid, varid = iv, None
            if itemid:
                self.instance.item = Item.objects.get(pk=itemid, event=self.instance.event)
                if varid:
                    self.instance.variation = ItemVariation.objects.get(pk=varid, item=self.instance.item)
                else:
-                    self.instance.variation = None
+                    itemid, varid = iv, None
                self.instance.quota = None
-            else:
+                if itemid:
-                self.instance.quota = Quota.objects.get(pk=quotaid, event=self.instance.event)
+                    self.instance.item = self.instance.event.items.get(pk=itemid)
-                self.instance.item = None
+                    if varid:
-                self.instance.variation = None
+                        self.instance.variation = self.instance.item.variations.get(pk=varid)
                    else:
                        self.instance.variation = None
                    self.instance.quota = None
                else:
                    self.instance.quota = self.instance.event.quotas.get(pk=quotaid)
                    self.instance.item = None
                    self.instance.variation = None
            except ObjectDoesNotExist:
                raise ValidationError(_("Invalid product selected."))
        if 'codes' in data:
            data['codes'] = [a.strip() for a in data.get('codes', '').strip().split("\n") if a]
@@ -164,7 +189,10 @@ class VoucherBulkForm(VoucherForm):
    def clean(self):
        data = super().clean()
-        if Voucher.objects.filter(code__in=data['codes'], event=self.instance.event).exists():
+        vouchers = self.instance.event.vouchers.annotate(
            code_lower=Lower('code')
        ).filter(code_lower__in=[c.lower() for c in data['codes']])
        if vouchers.exists():
            raise ValidationError(_('A voucher with one of these codes already exists.'))
        return data
--- a/src/pretix/control/forms/widgets.py
+++ b/src/pretix/control/forms/widgets.py
@@ -36,3 +36,23 @@ class Select2(Select2Mixin, forms.Select):
 class Select2Multiple(Select2Mixin, forms.SelectMultiple):
    pass
 class Select2ItemVarQuotaMixin(Select2Mixin):
    def options(self, name, value, attrs=None):
        if value and value[0]:
            yield self.create_option(
                None,
                value[0],
                value[0],
                True,
                0,
                subindex=None,
                attrs=attrs
            )
        return
 class Select2ItemVarQuota(Select2ItemVarQuotaMixin, forms.Select):
    pass
--- a/src/pretix/control/middleware.py
+++ b/src/pretix/control/middleware.py
@@ -4,12 +4,14 @@ from django.conf import settings
 from django.contrib.auth import REDIRECT_FIELD_NAME, logout
 from django.core.urlresolvers import get_script_prefix, resolve, reverse
 from django.http import Http404
-from django.shortcuts import redirect, resolve_url
+from django.shortcuts import get_object_or_404, redirect, resolve_url
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.encoding import force_str
 from django.utils.translation import ugettext as _
 from hijack.templatetags.hijack_tags import is_hijacked
 from pretix.base.models import Event, Organizer
 from pretix.base.models.auth import SuperuserPermissionSet, User
 from pretix.helpers.security import (
    SessionInvalid, SessionReauthRequired, assert_session_valid,
 )
@@ -81,16 +83,52 @@ class PermissionMiddleware(MiddlewareMixin):
                slug=url.kwargs['event'],
                organizer__slug=url.kwargs['organizer'],
            ).select_related('organizer').first()
-            if not request.event or not request.user.has_event_permission(request.event.organizer, request.event):
+            if not request.event or not request.user.has_event_permission(request.event.organizer, request.event,
                                                                          request=request):
                raise Http404(_("The selected event was not found or you "
                                "have no permission to administrate it."))
            request.organizer = request.event.organizer
-            request.eventpermset = request.user.get_event_permission_set(request.organizer, request.event)
+            if request.user.has_active_staff_session(request.session.session_key):
                request.eventpermset = SuperuserPermissionSet()
            else:
                request.eventpermset = request.user.get_event_permission_set(request.organizer, request.event)
        elif 'organizer' in url.kwargs:
            request.organizer = Organizer.objects.filter(
                slug=url.kwargs['organizer'],
            ).first()
-            if not request.organizer or not request.user.has_organizer_permission(request.organizer):
+            if not request.organizer or not request.user.has_organizer_permission(request.organizer, request=request):
                raise Http404(_("The selected organizer was not found or you "
                                "have no permission to administrate it."))
-            request.orgapermset = request.user.get_organizer_permission_set(request.organizer)
+            if request.user.has_active_staff_session(request.session.session_key):
                request.orgapermset = SuperuserPermissionSet()
            else:
                request.orgapermset = request.user.get_organizer_permission_set(request.organizer)
 class AuditLogMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request):
        if request.path.startswith(get_script_prefix() + 'control') and request.user.is_authenticated:
            if is_hijacked(request):
                hijack_history = request.session.get('hijack_history', False)
                hijacker = get_object_or_404(User, pk=hijack_history[0])
                ss = hijacker.get_active_staff_session(request.session.get('hijacker_session'))
                if ss:
                    ss.logs.create(
                        url=request.path,
                        method=request.method,
                        impersonating=request.user
                    )
            else:
                ss = request.user.get_active_staff_session(request.session.session_key)
                if ss:
                    ss.logs.create(
                        url=request.path,
                        method=request.method
                    )
        response = self.get_response(request)
        return response
--- a/src/pretix/control/permissions.py
+++ b/src/pretix/control/permissions.py
@@ -1,4 +1,7 @@
 from django.core.exceptions import PermissionDenied
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.http import urlquote
 from django.utils.translation import ugettext as _
@@ -18,8 +21,7 @@ def event_permission_required(permission):
                raise PermissionDenied()
            allowed = (
-                request.user.is_superuser
+                request.user.has_event_permission(request.organizer, request.event, permission, request=request)
                or request.user.has_event_permission(request.organizer, request.event, permission)
            )
            if allowed:
                return function(request, *args, **kw)
@@ -57,10 +59,7 @@ def organizer_permission_required(permission):
                # just a double check, should not ever happen
                raise PermissionDenied()
-            allowed = (
+            allowed = request.user.has_organizer_permission(request.organizer, permission, request=request)
                request.user.is_superuser
                or request.user.has_organizer_permission(request.organizer, permission)
            )
            if allowed:
                return function(request, *args, **kw)
@@ -85,14 +84,33 @@ class OrganizerPermissionRequiredMixin:
 def administrator_permission_required():
    """
    This view decorator rejects all requests with a 403 response which are not from
-    users with the is_superuser flag.
+    users with a current staff member session.
    """
    def decorator(function):
        def wrapper(request, *args, **kw):
            if not request.user.is_authenticated:  # NOQA
                # just a double check, should not ever happen
                raise PermissionDenied()
-            if not request.user.is_superuser:
+            if not request.user.has_active_staff_session(request.session.session_key):
                if request.user.is_staff:
                    return redirect(reverse('control:user.sudo') + '?next=' + urlquote(request.path))
                raise PermissionDenied(_('You do not have permission to view this content.'))
            return function(request, *args, **kw)
        return wrapper
    return decorator
 def staff_member_required():
    """
    This view decorator rejects all requests with a 403 response which are not staff
    members (but do not need to have an active session).
    """
    def decorator(function):
        def wrapper(request, *args, **kw):
            if not request.user.is_authenticated:  # NOQA
                # just a double check, should not ever happen
                raise PermissionDenied()
            if not request.user.is_staff:
                raise PermissionDenied(_('You do not have permission to view this content.'))
            return function(request, *args, **kw)
        return wrapper
@@ -108,3 +126,14 @@ class AdministratorPermissionRequiredMixin:
    def as_view(cls, **initkwargs):
        view = super(AdministratorPermissionRequiredMixin, cls).as_view(**initkwargs)
        return administrator_permission_required()(view)
 class StaffMemberRequiredMixin:
    """
    This mixin is equivalent to the staff_memer_required view decorator but
    is in a form suitable for class-based views.
    """
    @classmethod
    def as_view(cls, **initkwargs):
        view = super(StaffMemberRequiredMixin, cls).as_view(**initkwargs)
        return staff_member_required()(view)
--- a/src/pretix/control/templates/pretixcontrol/base.html
+++ b/src/pretix/control/templates/pretixcontrol/base.html
@@ -30,6 +30,7 @@
            <script type="text/javascript" src="{% static "charts/raphael-min.js" %}"></script>
            <script type="text/javascript" src="{% static "charts/morris.js" %}"></script>
            <script type="text/javascript" src="{% static "clipboard/clipboard.js" %}"></script>
            <script type="text/javascript" src="{% static "rrule/rrule.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/jquery.qrcode.min.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/clipboard.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/menu.js" %}"></script>
@@ -40,6 +41,7 @@
            <script type="text/javascript" src="{% static "pretixcontrol/js/ui/question.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/ui/mail.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/ui/typeahead.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixcontrol/js/ui/quicksetup.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixbase/js/asynctask.js" %}"></script>
            <script type="text/javascript" src="{% static "pretixbase/js/asyncdownload.js" %}"></script>
            <script type="text/javascript" src="{% static "colorpicker/bootstrap-colorpicker.js" %}"></script>
@@ -51,7 +53,7 @@
        <link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}">
        {% block custom_header %}{% endblock %}
 	</head>
-	<body data-datetimeformat="{{ js_datetime_format }}" data-timeformat="{{ js_time_format }}" data-dateformat="{{ js_date_format }}" data-datetimelocale="{{ js_locale }}" data-payment-weekdays-disabled="{{ js_payment_weekdays_disabled }}" data-select2-locale="{{ select2locale }}">
+	<body data-datetimeformat="{{ js_datetime_format }}" data-timeformat="{{ js_time_format }}" data-dateformat="{{ js_date_format }}" data-datetimelocale="{{ js_locale }}" data-payment-weekdays-disabled="{{ js_payment_weekdays_disabled }}" data-select2-locale="{{ select2locale }}" data-longdateformat="{{ js_long_date_format }}">
        <div id="wrapper">
            <nav class="navbar navbar-inverse navbar-static-top" role="navigation">
                <div class="navbar-header">
@@ -150,6 +152,22 @@
                        </li>
                    {% endfor %}
                    {% if request.user.is_staff and not staff_session %}
                        <li>
                            <form action="{% url 'control:user.sudo' %}?next={{ request.path|urlencode }}" method="post">
                                {% csrf_token %}
                                <button type="submit" class="btn btn-link" id="button-sudo">
                                    <i class="fa fa-id-card"></i> {% trans "Admin mode" %}
                                </button>
                            </form>
                        </li>
                    {% elif request.user.is_staff and staff_session %}
                        <li>
                            <a href="{% url 'control:user.sudo.stop' %}" class="danger">
                                <i class="fa fa-id-card"></i> {% trans "End admin session" %}
                            </a>
                        </li>
                    {% endif %}
                    {% if warning_update_available %}
                        <li>
                            <a href="{% url 'control:global.update' %}" class="danger">
@@ -190,7 +208,7 @@
                                        {% trans "Dashboard" %}
                                    </a>
                                </li>
-                                {% if request.user.is_superuser %}
+                                {% if staff_session %}
                                    <li>
                                        <a href="{% url 'control:global.settings' %}"
                                                {% if "global.settings" in url_name %}class="active"{% endif %}>
@@ -218,14 +236,21 @@
                                        {% trans "Order search" %}
                                    </a>
                                </li>
-                                {% if request.user.is_superuser %}
+                                {% if staff_session %}
                                    <li>
                                        <a href="{% url 'control:users' %}"
-                                                {% if "users" in url_name %}class="active"{% endif %}>
+                                           {% if "users" in url_name %}class="active"{% endif %}>
                                            <i class="fa fa-user fa-fw"></i>
                                            {% trans "Users" %}
                                        </a>
                                    </li>
                                    <li>
                                        <a href="{% url 'control:user.sudo.list' %}"
                                                {% if "sudo" in url_name %}class="active"{% endif %}>
                                            <i class="fa fa-id-card fa-fw"></i>
                                            {% trans "Admin sessions" %}
                                        </a>
                                    </li>
                                {% endif %}
                                {% for nav in nav_global %}
                                    <li>
@@ -259,6 +284,21 @@
                    </div>
                </div>
            </nav>
            {% if staff_need_to_explain %}
                <div class="impersonate-warning">
                    <span class="fa fa-id-card"></span>
                    {% blocktrans trimmed %}
                        Please leave a short comment on what you did in the following admin sessions:
                    {% endblocktrans %}
                    <ul>
                        {% for s in staff_need_to_explain %}
                            <li>
                                <a href="{% url "control:user.sudo.edit" id=s.pk %}">#{{ s.pk }}</a>
                            </li>
                        {% endfor %}
                    </ul>
                </div>
            {% endif %}
            {% if request|is_hijacked %}
                <div class="impersonate-warning">
                    <span class="fa fa-user-secret"></span>
@@ -272,6 +312,17 @@
                    </form>
                </div>
            {% endif %}
            {% if global_settings.banner_message %}
                <div class="impersonate-warning">
                    <span class="fa fa-bell"></span>
                    {{ global_settings.banner_message }}
                    {% if global_settings.banner_message %}
                        <a href="{% url 'control:global.message' %}">
                            {% trans "Read more" %}
                        </a>
                    {% endif %}
                </div>
            {% endif %}
            <div id="page-wrapper">
                <div class="container-fluid">
                    {% if messages %}
--- a/src/pretix/control/templates/pretixcontrol/event/index.html
+++ b/src/pretix/control/templates/pretixcontrol/event/index.html
@@ -109,7 +109,7 @@
                        </div>
                        <div class="col-lg-2 col-sm-6 col-xs-12">
                            {% if log.user %}
-                                {% if log.user.is_superuser %}
+                                {% if log.user.is_staff %}
                                    <span class="fa fa-id-card fa-danger fa-fw"
                                          data-toggle="tooltip"
                                          title="{% trans "This change was performed by a pretix administrator." %}">
--- a/src/pretix/control/templates/pretixcontrol/event/logs.html
+++ b/src/pretix/control/templates/pretixcontrol/event/logs.html
@@ -34,7 +34,7 @@
                    </div>
                    <div class="col-lg-2 col-sm-6 col-xs-12">
                        {% if log.user %}
-                            {% if log.user.is_superuser %}
+                            {% if log.user.is_staff %}
                                <span class="fa fa-id-card fa-danger fa-fw"
                                     data-toggle="tooltip"
                                     title="{% trans "This change was performed by a pretix administrator." %}">
--- a/src/pretix/control/templates/pretixcontrol/event/payment.html
+++ b/src/pretix/control/templates/pretixcontrol/event/payment.html
@@ -5,49 +5,53 @@
    <form action="" method="post" class="form-horizontal form-plugins">
        {% csrf_token %}
        <fieldset>
-            <legend>{% trans "Payment settings" %}</legend>
+            <legend>{% trans "Payment providers" %}</legend>
-            {% bootstrap_field sform.payment_term_days layout="control" %}
+            <table class="table table-payment-providers">
-            {% bootstrap_field sform.payment_term_last layout="control" %}
+                <tbody>
-            {% bootstrap_field sform.payment_term_weekdays layout="control" %}
+                {% for provider in providers %}
-            {% bootstrap_field sform.payment_term_expire_automatically layout="control" %}
+                    <tr>
-            {% bootstrap_field sform.payment_term_accept_late layout="control" %}
+                        <td>
-            {% bootstrap_field sform.tax_rate_default layout="control" %}
+                            <strong>{{ provider.verbose_name }}</strong>
                        </td>
                        <td>
                            {% if provider.is_enabled %}
                                <span class="text-success">
                                    <span class="fa fa-check"></span>
                                    {% trans "Enabled" %}
                                </span>
                            {% else %}
                                <span class="text-danger">
                                    <span class="fa fa-times"></span>
                                    {% trans "Disabled" %}
                                </span>
                            {% endif %}
                        </td>
                        <td class="text-right">
                            <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
                                    class="btn btn-default">
                                <span class="fa fa-cog"></span>
                                {% trans "Settings" %}
                            </a>
                        </td>
                    </tr>
                {% empty %}
                    <tr>
                        <td colspan="3">
                            {% trans "There are no payment providers available. Please go to the plugin settings and activate one or more payment plugins." %}
                        </td>
                    </tr>
                {% endfor %}
                </tbody>
            </table>
        </fieldset>
        <fieldset>
-            <legend>{% trans "Payment providers" %}</legend>
+            <legend>{% trans "General payment settings" %}</legend>
-            <div class="alert alert-warning">
+            {% bootstrap_field form.payment_term_days layout="control" %}
-                <span class="fa fa-w fa-legal fa-4x pull-left"></span>
+            {% bootstrap_field form.payment_term_last layout="control" %}
-                <strong>{% trans "Warning:" %}</strong>
+            {% bootstrap_field form.payment_term_weekdays layout="control" %}
-                {% blocktrans trimmed %}
+            {% bootstrap_field form.payment_term_expire_automatically layout="control" %}
-                    Please note that EU Directive 2015/2366 bans surcharging payment fees for most common payment
+            {% bootstrap_field form.payment_term_accept_late layout="control" %}
-                    methods within the European Union. Depending on the payment method, this might affect
+            {% bootstrap_field form.tax_rate_default layout="control" %}
                    selling to consumers only or to business customers as well. Depending on your country, this
                    legislation might already be in effect or become relevant from January 2018 at the latest. This
                    is not legal advice. If in doubt, consult a lawyer or refrain from charging payment fees.
                {% endblocktrans %}
            </div>
            {% for provider in providers %}
                <div class="panel panel-default">
                    <div class="panel-heading">
                        <h3 class="panel-title">
                            <a class="collapsed" data-toggle="collapse" href="#{{ provider.identifier }}">
                                {{ provider.verbose_name }}  
                                <i class="fa fa-angle-down collapse-indicator"></i>
                            </a>
                        </h3>
                    </div>
                    <div id="{{ provider.identifier }}" class="panel-collapse collapse">
                        <div class="panel-body">
                            {% bootstrap_form provider.form layout='control' %}
                            {% with c=provider.settings_content %}
                                {% if c %}{{ c|safe }}{% endif %}
                            {% endwith %}
                        </div>
                    </div>
                </div>
            {% empty %}
                <em>{% trans "There are no payment providers available. Please go to the plugin settings and activate one or more payment plugins." %}</em>
            {% endfor %}
        </fieldset>
        <div class="form-group submit-group">
            <button type="submit" class="btn btn-primary btn-save">
--- a/src/pretix/control/templates/pretixcontrol/event/payment_provider.html
+++ b/src/pretix/control/templates/pretixcontrol/event/payment_provider.html
@@ -0,0 +1,40 @@
 {% extends "pretixcontrol/event/settings_base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
 {% block inside %}
    <form action="" method="post" class="form-horizontal form-plugins">
        {% csrf_token %}
        <fieldset>
            <legend>
                <a href="{% url 'control:event.settings.payment' event=request.event.slug organizer=request.organizer.slug %}"
                        class="btn btn-default btn-sm btn-link">
                    <span class="fa fa-caret-left"></span>
                    {% trans "Back" %}
                </a>
                {% trans "Payment provider:" %} {{ provider.verbose_name }}
            </legend>
            {% bootstrap_form form layout='control' %}
            {% if settings_content %}{{ settings_content|safe }}{% endif %}
            <p>&nbsp;</p>
            <div class="alert alert-warning">
                <span class="fa fa-w fa-legal fa-2x pull-left"></span>
                <strong>{% trans "Warning:" %}</strong>
                {% blocktrans trimmed %}
                    Please note that EU Directive 2015/2366 bans surcharging payment fees for most common payment
                    methods within the European Union. If in doubt, consult a lawyer or refrain from charging payment
                    fees.
                {% endblocktrans %}
                <br>
                {% blocktrans trimmed %}
                    In simple terms, this means you need to pay any fees imposed by the payment providers and cannot
                    pass it on to your customers.
                {% endblocktrans %}
            </div>
        </fieldset>
        <div class="form-group submit-group">
            <button type="submit" class="btn btn-primary btn-save">
                {% trans "Save" %}
            </button>
        </div>
    </form>
 {% endblock %}
--- a/src/pretix/control/templates/pretixcontrol/event/plugins.html
+++ b/src/pretix/control/templates/pretixcontrol/event/plugins.html
@@ -23,7 +23,7 @@
                                    <div class="col-sm-4">
                                        {% if plugin.app.compatibility_errors %}
                                            <button class="btn disabled btn-block btn-default" disabled="disabled">{% trans "Incompatible" %}</button>
-                                        {% elif plugin.restricted and not request.user.is_superuser %}
+                                        {% elif plugin.restricted and not request.user.is_staff %}
                                            <button class="btn disabled btn-block btn-default" disabled="disabled">{% trans "Not available" %}</button>
                                        {% elif plugin.module in plugins_active %}
                                            <button class="btn btn-default btn-block" name="plugin:{{ plugin.module }}" value="disable">{% trans "Disable" %}</button>
@@ -44,7 +44,7 @@
                                    {% endblocktrans %}</p>
                                {% endif %}
                                <p>{{ plugin.description }}</p>
-                                {% if plugin.restricted and not request.user.is_superuser %}
+                                {% if plugin.restricted and not request.user.is_staff %}
                                    <div class="alert alert-warning">
                                        {% trans "This plugin needs to be enabled by a system administrator for your event." %}
                                    </div>
--- a/src/pretix/control/templates/pretixcontrol/event/quick_setup.html
+++ b/src/pretix/control/templates/pretixcontrol/event/quick_setup.html
@@ -0,0 +1,198 @@
 {% extends "pretixcontrol/event/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
 {% load formset_tags %}
 {% block title %}{{ request.event.name }}{% endblock %}
 {% block content %}
    <div class="quick-setup-step">
        <div class="quick-icon">
            <span class="fa fa-fw fa-check-circle text-success"></span>
        </div>
        <div class="quick-content">
            <h2>{% trans "Congratulations!" %}</h2>
            <p>
                <strong>{% trans "You just created an event!" %}</strong>
            </p>
            <p>
                {% blocktrans trimmed %}
                    You can scroll down and create your first ticket products quickly, or you can use the navigation
                    on the left to modify the settings of your event in much more detail.
                {% endblocktrans %}
            </p>
            <div class="clearfix"></div>
        </div>
    </div>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
        <fieldset class="quick-setup-step">
            <div class="quick-icon">
                <span class="fa fa-fw fa-ticket text-muted"></span>
            </div>
            <div class="quick-content">
                <legend>{% trans "Create ticket types" %}</legend>
                <div class="formset" data-formset data-formset-prefix="{{ formset.prefix }}">
                    {{ formset.management_form }}
                    {% bootstrap_formset_errors formset %}
                    <div class="row hidden-sm hidden-xs" data-formset-form>
                        <div class="col-md-6">
                            <strong>{% trans "Ticket name" %}</strong>
                        </div>
                        <div class="col-md-3">
                            <strong>{% trans "Price (optional)" %}</strong>
                        </div>
                        <div class="col-md-2">
                            <strong>{% trans "Capacity (optional)" %}</strong>
                        </div>
                    </div>
                    <div data-formset-body id="ticket-type-formset">
                        {% for iform in formset %}
                            <div class="row question-option-row" data-formset-form>
                                <div class="sr-only">
                                    {{ iform.id }}
                                    {% bootstrap_field iform.DELETE form_group_class="" layout="inline" %}
                                </div>
                                <div class="col-md-6">
                                    {% bootstrap_form_errors iform %}
                                    {% bootstrap_field iform.name layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-3">
                                    {% bootstrap_field iform.default_price addon_after=request.event.currency layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-2">
                                    {% bootstrap_field iform.quota layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-1 text-right">
                                    <button type="button" class="btn btn-danger" data-formset-delete-button>
                                        <i class="fa fa-trash"></i></button>
                                </div>
                            </div>
                        {% endfor %}
                    </div>
                    <script type="form-template" data-formset-empty-form>
                        {% escapescript %}
                            <div class="row question-option-row" data-formset-form>
                                <div class="sr-only">
                                    {{ formset.empty_form.id }}
                                    {% bootstrap_field formset.empty_form.DELETE form_group_class="" layout="inline" %}
                                </div>
                                <div class="col-md-6">
                                    {% bootstrap_field formset.empty_form.name layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-3">
                                    {% bootstrap_field formset.empty_form.default_price addon_after=request.event.currency layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-2">
                                    {% bootstrap_field formset.empty_form.quota layout='inline' form_group_class="" %}
                                </div>
                                <div class="col-md-1 text-right">
                                    <button type="button" class="btn btn-danger" data-formset-delete-button>
                                        <i class="fa fa-trash"></i></button>
                                </div>
                            </div>
                        {% endescapescript %}
                    </script>
                    <div class="row question-option-row helper-width-100">
                        <div class="col-md-6">
                            <button type="button" class="btn btn-default" data-formset-add>
                                <i class="fa fa-plus"></i> {% trans "Add a new ticket type" %}</button>
                        </div>
                        <div class="col-md-3">
                        </div>
                        <div class="col-md-3 form-inline form-quicksetup-total-capacity">
                            <strong>{% trans "Total capacity:" %}</strong>
                            <span id="total-capacity"></span>
                            {% bootstrap_field form.total_quota layout="inline" field_class="sr-only" %}
                            <a href="#" data-toggle="tooltip" title="{% trans 'You can set a limit on the total number of tickets sold for your event, regardless of the ticket type.' %}" id="total-capacity-edit">
                                <span class="fa fa-edit"></span>
                            </a>
                        </div>
                    </div>
                </div>
                <p>&nbsp;</p>
                <p class="bigger">
                    {% blocktrans trimmed %}
                        If you want to use more advanced features like non-admission products, product variations, custom
                        quotas, add-on products or want to modify your ticket types in more detail, you can later do so
                        in the "Products" section in the navigation. Don't worry, you can change everything you input here.
                    {% endblocktrans %}
                </p>
                <p>&nbsp;</p>
            </div>
        </fieldset>
        <fieldset class="quick-setup-step">
            <div class="quick-icon">
                <span class="fa fa-fw fa-wrench text-muted"></span>
            </div>
            <div class="quick-content">
                <legend>{% trans "Features" %}</legend>
                <p class="bigger">
                    {% blocktrans trimmed %}
                        We recommend that you take some time to go through the "Settings" part of your event, but if
                        you're in a hurry and want to get started quickly, here's a short version:
                    {% endblocktrans %}
                </p>
                {% bootstrap_field form.ticket_download layout="control" label_class="sr-only" field_class="col-md-12" %}
                {% bootstrap_field form.waiting_list_enabled layout="control" label_class="sr-only" field_class="col-md-12" %}
                {% bootstrap_field form.show_quota_left layout="control" label_class="sr-only" field_class="col-md-12" %}
                {% bootstrap_field form.attendee_names_required layout="control" label_class="sr-only" field_class="col-md-12" %}
                <p>&nbsp;</p>
            </div>
        </fieldset>
        <fieldset class="quick-setup-step" id="quick-setup-step-payment">
            <div class="quick-icon">
                <span class="fa fa-fw fa-money text-muted"></span>
            </div>
            <div class="quick-content">
                <legend>{% trans "Payment" %}</legend>
                <p class="bigger">
                    {% blocktrans trimmed %}
                        pretix supports a
                        <a href="https://pretix.eu/about/en/features/payment" target="_blank">wide range of payment
                            providers</a> allowing you to choose the payment methods that fit your workflow best.
                        Here are just two of them as examples, you can add more in the "Settings" part of your event.
                    {% endblocktrans %}
                </p>
                {% bootstrap_field form.payment_banktransfer__enabled layout="control" label_class="sr-only" field_class="col-md-12" %}
                <div data-display-dependency="#id_payment_banktransfer__enabled">
                    {% bootstrap_field form.payment_banktransfer_bank_details layout="control" %}
                </div>
                {% if form.payment_stripe__enabled %}
                    {% bootstrap_field form.payment_stripe__enabled layout="control" label_class="sr-only" field_class="col-md-12" %}
                    <div data-display-dependency="#id_payment_stripe__enabled">
                        <div class="alert alert-info">
                            {% blocktrans trimmed %}
                                After you saved this page, we will redirect you to Stripe to create or connect an account
                                there. Once you completed this, you will be taken back to pretix.
                            {% endblocktrans %}
                        </div>
                    </div>
                {% endif %}
                <p>&nbsp;</p>
            </div>
        </fieldset>
        <fieldset class="quick-setup-step">
            <div class="quick-icon">
                <span class="fa fa-fw fa-envelope text-muted"></span>
            </div>
            <div class="quick-content">
                <legend>{% trans "Getting in touch with you" %}</legend>
                <p class="bigger">
                    {% blocktrans trimmed %}
                        In case something goes wrong or is unclear, we strongly suggest that you provide ways for your
                        attendees to contact you:
                    {% endblocktrans %}
                </p>
                {% bootstrap_field form.contact_mail layout="control" %}
                {% bootstrap_field form.imprint_url layout="control" %}
            </div>
        </fieldset>
        <div class="form-group submit-group">
            <button type="submit" class="btn btn-primary btn-save">
                {% trans "Save" %}
            </button>
        </div>
    </form>
 {% endblock %}
--- a/src/pretix/control/templates/pretixcontrol/event/tax_edit.html
+++ b/src/pretix/control/templates/pretixcontrol/event/tax_edit.html
@@ -20,85 +20,101 @@
        {% bootstrap_form_errors form %}
        {% bootstrap_field form.name layout="control" %}
        {% bootstrap_field form.rate addon_after="%" layout="control" %}
        <legend>{% trans "Advanced settings" %}</legend>
        <div class="alert alert-warning">
            <span class="fa fa-fw fa-legal fa-4x pull-left"></span>
            {% blocktrans trimmed with docs="https://docs.pretix.eu/en/latest/user/events/taxes.html" %}
                These settings are intended for advanced users. See the <a href="{{ docs }}">documentation</a>
                for more information. Note that we are not responsible for the correct handling
                of taxes in your ticket shop. If in doubt, please contact a lawyer or tax consultant.
            {% endblocktrans %}
            <div class="clearfix"></div>
        </div>
        {% bootstrap_field form.price_includes_tax layout="control" %}
        {% bootstrap_field form.eu_reverse_charge layout="control" %}
        {% bootstrap_field form.home_country layout="control" %}
        <legend>{% trans "Custom taxation rules" %}</legend>
        <div class="alert alert-warning">
            <span class="fa fa-fw fa-exclamation-circle fa-4x pull-left"></span>
            {% blocktrans trimmed %}
                These settings are intended for professional users with very specific taxation situations.
                If you create any rule here, the reverse charge settings above will be ignored. The rules will be
                checked in order and once the first rule matches the order, it will be used and all further rules will
                be ignored. If no rule matches, tax will be charged.
            {% endblocktrans %}
            <div class="clearfix"></div>
        </div>
-        <div class="formset" data-formset data-formset-prefix="{{ formset.prefix }}">
+        <div class="panel panel-default">
-            {{ formset.management_form }}
+            <div class="panel-heading">
-            {% bootstrap_formset_errors formset %}
+                <h4 class="panel-title">
-            <div data-formset-body>
+                    <a data-toggle="collapse" href="#advanced">
-                {% for form in formset %}
+                        <strong>{% trans "Advanced settings" %}</strong>
-                    {% bootstrap_form_errors form %}
+                        <i class="fa fa-angle-down collapse-indicator"></i>
-                    <div class="row" data-formset-form>
+                    </a>
-                        <div class="sr-only">
+                </h4>
                            {{ form.id }}
                            {% bootstrap_field form.DELETE form_group_class="" layout="inline" %}
                        </div>
                        <div class="col-sm-4">
                            {% bootstrap_field form.country layout='inline' form_group_class="" %}
                        </div>
                        <div class="col-sm-3">
                            {% bootstrap_field form.address_type layout='inline' form_group_class="" %}
                        </div>
                        <div class="col-sm-3">
                            {% bootstrap_field form.action layout='inline' form_group_class="" %}
                        </div>
                        <div class="col-sm-2 text-right">
                            <button type="button" class="btn btn-danger" data-formset-delete-button>
                                <i class="fa fa-trash"></i></button>
                        </div>
                    </div>
                {% endfor %}
            </div>
-            <script type="form-template" data-formset-empty-form>
+            <div id="advanced" class="panel-collapse collapsed {% if rule.eu_reverse_charge or rule.has_custom_rules or form.errors %}in{% endif %}">
-                {% escapescript %}
+                <div class="panel-body">
-                    <div class="row" data-formset-form>
+                    <legend>{% trans "Advanced settings" %}</legend>
-                        <div class="sr-only">
+                    <div class="alert alert-warning">
-                            {{ form.id }}
+                        <span class="fa fa-fw fa-legal fa-4x pull-left"></span>
-                            {% bootstrap_field formset.empty_form.DELETE form_group_class="" layout="inline" %}
+                        {% blocktrans trimmed with docs="https://docs.pretix.eu/en/latest/user/events/taxes.html" %}
-                        </div>
+                            These settings are intended for advanced users. See the
-                        <div class="col-sm-4">
+                            <a href="{{ docs }}">documentation</a>
-                            {% bootstrap_field formset.empty_form.country layout='inline' form_group_class="" %}
+                            for more information. Note that we are not responsible for the correct handling
-                        </div>
+                            of taxes in your ticket shop. If in doubt, please contact a lawyer or tax consultant.
-                        <div class="col-sm-3">
+                        {% endblocktrans %}
-                            {% bootstrap_field formset.empty_form.address_type layout='inline' form_group_class="" %}
+                        <div class="clearfix"></div>
                        </div>
                        <div class="col-sm-3">
                            {% bootstrap_field formset.empty_form.action layout='inline' form_group_class="" %}
                        </div>
                        <div class="col-sm-2 text-right">
                            <button type="button" class="btn btn-danger" data-formset-delete-button>
                                <i class="fa fa-trash"></i></button>
                        </div>
                    </div>
-                {% endescapescript %}
+                    {% bootstrap_field form.price_includes_tax layout="control" %}
-            </script>
+                    {% bootstrap_field form.eu_reverse_charge layout="control" %}
-            <p>
+                    {% bootstrap_field form.home_country layout="control" %}
-                <button type="button" class="btn btn-default" data-formset-add>
+                    <legend>{% trans "Custom taxation rules" %}</legend>
-                    <i class="fa fa-plus"></i> {% trans "Add a new rule" %}</button>
+                    <div class="alert alert-warning">
-            </p>
+                        <span class="fa fa-fw fa-exclamation-circle fa-4x pull-left"></span>
                        {% blocktrans trimmed %}
                            These settings are intended for professional users with very specific taxation situations.
                            If you create any rule here, the reverse charge settings above will be ignored. The rules will be
                            checked in order and once the first rule matches the order, it will be used and all further rules will
                            be ignored. If no rule matches, tax will be charged.
                        {% endblocktrans %}
                        <div class="clearfix"></div>
                    </div>
                    <div class="formset" data-formset data-formset-prefix="{{ formset.prefix }}">
                        {{ formset.management_form }}
                        {% bootstrap_formset_errors formset %}
                        <div data-formset-body>
                            {% for form in formset %}
                                {% bootstrap_form_errors form %}
                                <div class="row" data-formset-form>
                                    <div class="sr-only">
                                        {{ form.id }}
                                        {% bootstrap_field form.DELETE form_group_class="" layout="inline" %}
                                    </div>
                                    <div class="col-sm-4">
                                        {% bootstrap_field form.country layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-3">
                                        {% bootstrap_field form.address_type layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-3">
                                        {% bootstrap_field form.action layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-2 text-right">
                                        <button type="button" class="btn btn-danger" data-formset-delete-button>
                                            <i class="fa fa-trash"></i></button>
                                    </div>
                                </div>
                            {% endfor %}
                        </div>
                        <script type="form-template" data-formset-empty-form>
                            {% escapescript %}
                                <div class="row" data-formset-form>
                                    <div class="sr-only">
                                        {{ form.id }}
                                        {% bootstrap_field formset.empty_form.DELETE form_group_class="" layout="inline" %}
                                    </div>
                                    <div class="col-sm-4">
                                        {% bootstrap_field formset.empty_form.country layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-3">
                                        {% bootstrap_field formset.empty_form.address_type layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-3">
                                        {% bootstrap_field formset.empty_form.action layout='inline' form_group_class="" %}
                                    </div>
                                    <div class="col-sm-2 text-right">
                                        <button type="button" class="btn btn-danger" data-formset-delete-button>
                                            <i class="fa fa-trash"></i></button>
                                    </div>
                                </div>
                            {% endescapescript %}
                        </script>
                        <p>
                            <button type="button" class="btn btn-default" data-formset-add>
                                <i class="fa fa-plus"></i> {% trans "Add a new rule" %}</button>
                        </p>
                    </div>
                </div>
            </div>
        </div>
--- a/src/pretix/control/templates/pretixcontrol/event/widget.html
+++ b/src/pretix/control/templates/pretixcontrol/event/widget.html
@@ -31,6 +31,20 @@
        {% else %}
          {% abseventurl request.event "presale:event.index" as indexurl %}
        {% endif %}
        {% if form.cleaned_data.compatibility_mode %}
            <pre>&lt;div class="pretix-widget-compat" event="{% abseventurl request.event "presale:event.index" %}"{% if form.cleaned_data.subevent %} subevent="{{ form.cleaned_data.subevent.pk }}"{% endif %}{% if form.cleaned_data.voucher %} voucher="{{ form.cleaned_data.voucher }}"{% endif %}&gt;&lt;/div&gt;
 &lt;noscript&gt;
   &lt;div class="pretix-widget"&gt;
        &lt;div class="pretix-widget-info-message"&gt;
                {% blocktrans trimmed with a_attr='target="_blank" rel="noopener" href="'|add:indexurl|add:'"'|safe %}
                    JavaScript is disabled in your browser. To access our ticket shop without JavaScript,
                    please &lt;a {{ a_attr }}&gt;click here&lt;/a&gt;.
                {% endblocktrans %}
                &lt;/div&gt;
    &lt;/div&gt;
 &lt;/noscript&gt;
 </pre>
        {% else %}
        <pre>&lt;pretix-widget event="{% abseventurl request.event "presale:event.index" %}"{% if form.cleaned_data.subevent %} subevent="{{ form.cleaned_data.subevent.pk }}"{% endif %}{% if form.cleaned_data.voucher %} voucher="{{ form.cleaned_data.voucher }}"{% endif %}&gt;&lt;/pretix-widget&gt;
 &lt;noscript&gt;
   &lt;div class="pretix-widget"&gt;
@@ -43,6 +57,7 @@
    &lt;/div&gt;
 &lt;/noscript&gt;
 </pre>
            {% endif %}
        <p>
            <a href="https://docs.pretix.eu/en/latest/user/events/widget.html" target="_blank" rel="noopener">
                <span class="fa fa-question-circle"></span>
--- a/src/pretix/control/templates/pretixcontrol/events/create_base.html
+++ b/src/pretix/control/templates/pretixcontrol/events/create_base.html
@@ -29,7 +29,7 @@
        <div class="alert alert-danger">
            {% trans "Every event needs to be created as part of an organizer account. Currently, you do not have access to any organizer accounts." %}
        </div>
-        {% if request.user.is_superuser %}
+        {% if staff_session %}
            <a href="{% url "control:organizers.add" %}" class="btn btn-default">
                {% trans "Create a new organizer" %}
            </a>
--- a/Show More
+++ b/Show More
`@@ -1 +1 @@`
	`__version__ = "1.13.0"`	`__version__ = "1.14.0"`