Bump version

* mention CoC in README.md

According to the discussion in #689, the Code of Conduct gets directly
referenced in the README-file, instead of linking to the
CODE_OF_CONDUCT-file

* undo whitespace-change

.gitattributes

@@ -5,6 +5,7 @@ src/static/moment/* linguist-vendored
 src/static/datetimepicker/* linguist-vendored
 src/static/colorpicker/* linguist-vendored
 src/static/fileupload/* linguist-vendored
+src/static/vuejs/* linguist-vendored
 src/static/charts/* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/fabric.* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/pdf.* linguist-vendored

.gitlab-ci.yml

@@ -8,6 +8,8 @@ tests:
         - XDG_CACHE_HOME=/cache bash .travis.sh tests
     tags:
         - python3
+    except:
+        - pypi
 pypi:
     stage: release
     script:
@@ -22,7 +24,7 @@ pypi:
     tags:
         - python3
     only:
-        - release
+        - pypi
     artifacts:
         paths:
             - src/dist/

.travis.yml

@@ -12,29 +12,29 @@ services:
   - postgresql
 matrix:
   include:
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
     - python: 3.6
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=style
-    - python: 3.6
-      env: JOB=plugins
     - python: 3.6
       env: JOB=tests-cov
+    - python: 3.6
+      env: JOB=style
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.6
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.6
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.6
+      env: JOB=plugins
 addons:
   postgresql: "9.4"

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+Code of Conduct
+===============
+
+We have a [Code of Conduct](https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html)
+in place that applies to all project contributions, including issues, pull requests, etc.

README.rst

@@ -40,6 +40,11 @@ Contributing
 If you want to contribute to pretix, please read the `developer documentation`_
 in our documentation. If you have any further questions, please do not hesitate to ask!
 
+Code of Conduct
+---------------
+We have a `Code of Conduct`_ in place that applies to all project contributions,
+including issues, pull requests, etc.
+
 License
 -------
 The code in this repository is published under the terms of the Apache License. 
@@ -50,5 +55,6 @@ AUTHORS file for a list of all the awesome folks who contributed to this project
 
 .. _installation guide: https://docs.pretix.eu/en/latest/admin/installation/index.html
 .. _developer documentation: https://docs.pretix.eu/en/latest/development/index.html
+.. _Code of Conduct: https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html
 .. _pretix.eu: https://pretix.eu
 .. _blog: https://pretix.eu/about/en/blog/

deployment/docker/supervisord.conf

@@ -23,6 +23,7 @@ autostart=true
 autorestart=true
 priority=5
 user=pretixuser
+environment=HOME=/pretix
 
 [program:pretixtask]
 command=/usr/local/bin/pretix taskworker

doc/admin/installation/docker_smallscale.rst

@@ -239,6 +239,8 @@ Restarting the service can take a few seconds, especially if the update requires
 Replace ``stable`` above with a specific version number like ``1.0`` or with ``latest`` for the development
 version, if you want to.
 
+.. _`docker_plugininstall`:
+
 Install a plugin
 ----------------
 

doc/admin/installation/manual_smallscale.rst

@@ -177,7 +177,7 @@ For background tasks we need a second service ``/etc/systemd/system/pretix-worke
     [Install]
     WantedBy=multi-user.target
 
-You can now run the following comamnds to enable and start the services::
+You can now run the following commands to enable and start the services::
 
     # systemctl daemon-reload
     # systemctl enable pretix-web pretix-worker
@@ -213,7 +213,7 @@ The following snippet is an example on how to configure a nginx proxy for pretix
         ssl_certificate /path/to/cert.chain.pem;
         ssl_certificate_key /path/to/key.pem;
 
-        add_header Referrer-Options same-origin;
+        add_header Referrer-Policy same-origin;
         add_header X-Content-Type-Options nosniff;
 
         location / {
@@ -276,6 +276,8 @@ To upgrade to a new pretix release, pull the latest code changes and run the fol
     # systemctl restart pretix-web pretix-worker
 
 
+.. _`manual_plugininstall`:
+
 Install a plugin
 ----------------
 

doc/api/resources/categories.rst

@@ -44,7 +44,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -90,7 +90,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/checkinlists.rst

@@ -0,0 +1,238 @@
+Check-in lists
+==============
+
+Resource description
+--------------------
+
+You can create check-in lists that you can use e.g. at the entrance of your event to track who is coming and if they
+actually bought a ticket.
+
+You can create multiple check-in lists to separate multiple parts of your event, for example if you have separate
+entries for multiple ticket types. Different check-in lists are completely independent: If a ticket shows up on two
+lists, it is valid once on every list. This might be useful if you run a festival with festival passes that allow
+access to every or multiple performances as well as tickets only valid for single performances.
+
+The check-in list resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the check-in list
+name                                  string                     The internal name of the check-in list
+all_products                          boolean                    If ``True``, the check-in lists contains tickets of all products in this event. The ``limit_products`` field is ignored in this case.
+limit_products                        list of integers           List of item IDs to include in this list.
+subevent                              integer                    ID of the date inside an event series this list belongs to (or ``null``).
+position_count                        integer                    Number of tickets that match this list (read-only).
+checkin_count                         integer                    Number of check-ins performed on this list (read-only).
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.10
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
+
+   Returns a list of all check-in lists within a given event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "Default list",
+            "checkin_count": 123,
+            "position_count": 456,
+            "all_products": true,
+            "limit_products": [],
+            "subevent": null
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query integer subevent: Only return check-in lists of the sub-event with the given ID
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(id)/
+
+   Returns information on one check-in list, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Default list",
+        "checkin_count": 123,
+        "position_count": 456,
+        "all_products": true,
+        "limit_products": [],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the check-in list to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
+
+   Creates a new check-in list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": "VIP entry",
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "VIP entry",
+        "checkin_count": 0,
+        "position_count": 0,
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a list for
+   :param event: The ``slug`` field of the event to create a list for
+   :statuscode 201: no error
+   :statuscode 400: The list could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(id)/
+
+   Update a check-in list. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field and the ``checkin_count`` and ``position_count``
+   fields.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "Backstage",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "Backstage",
+        "checkin_count": 23,
+        "position_count": 42,
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the list to modify
+   :statuscode 200: no error
+   :statuscode 400: The list could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/checkinlist/(id)/
+
+   Delete a check-in list. Note that this also deletes the information on all checkins performed via this list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/checkinlist/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the check-in list to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/events.rst

@@ -54,7 +54,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -103,7 +103,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "name": {"en": "Sample Conference"},

doc/api/resources/index.rst

@@ -15,4 +15,5 @@ Resources and endpoints
    orders
    invoices
    vouchers
+   checkinlists
    waitinglist

doc/api/resources/invoices.rst

@@ -41,6 +41,7 @@ foreign_currency_rate                 decimal (string)           If ``foreign_cu
                                                                  invoicing time, it is stored here.
 foreign_currency_rate_date            date                       If ``foreign_currency_rate`` is set, this signifies the
                                                                  date at which the currency rate was obtained.
+internal_reference                    string                     Customer's reference to be printed on the invoice.
 ===================================== ========================== =======================================================
 
 
@@ -57,6 +58,11 @@ foreign_currency_rate_date            date                       If ``foreign_cu
    ``foreign_currency_rate_date`` have been added.
 
 
+.. versionchanged:: 1.9
+
+   The attribute ``internal_reference`` has been added.
+
+
 Endpoints
 ---------
 
@@ -78,7 +84,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -95,6 +101,7 @@ Endpoints
             "refers": null,
             "locale": "en",
             "introductory_text": "thank you for your purchase of the following items:",
+            "internal_reference": "",
             "additional_text": "We are looking forward to see you on our conference!",
             "payment_provider_text": "Please transfer the money to our account ABC…",
             "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
@@ -118,7 +125,7 @@ Endpoints
    :query boolean is_cancellation: If set to ``true`` or ``false``, only invoices with this value for the field
                                    ``is_cancellation`` will be returned.
    :query string order: If set, only invoices belonging to the order with the given order code will be returned.
-   :query string refers: If set, only invoices refering to the given invoice will be returned.
+   :query string refers: If set, only invoices referring to the given invoice will be returned.
    :query string locale: If set, only invoices with the given locale will be returned.
    :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date`` and
                            ``nr`` (equals to ``number``). Default: ``nr``
@@ -146,7 +153,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "number": "SAMPLECONF-00001",
@@ -158,6 +165,7 @@ Endpoints
         "refers": null,
         "locale": "en",
         "introductory_text": "thank you for your purchase of the following items:",
+        "internal_reference": "",
         "additional_text": "We are looking forward to see you on our conference!",
         "payment_provider_text": "Please transfer the money to our account ABC…",
         "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",

doc/api/resources/items.rst

@@ -101,7 +101,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -188,7 +188,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/orders.rst

@@ -24,7 +24,7 @@ email                                 string                     The customer em
 locale                                string                     The locale used for communication with this customer
 datetime                              datetime                   Time of order creation
 expires                               datetime                   The order will expire, if it is still pending by this time
-payment_date                          date                       Date of payment receival
+payment_date                          date                       Date of payment receipt
 payment_provider                      string                     Payment provider used for this order
 payment_fee                           money (string)             Payment fee included in this order's total
 payment_fee_tax_rate                  decimal (string)           Tax rate applied to the payment fee
@@ -43,6 +43,7 @@ invoice_address                       object                     Invoice address
 ├ zipcode                             string                     Customer ZIP code
 ├ city                                string                     Customer city
 ├ country                             string                     Customer country
+├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
 ├ vat_id                              string                     Customer VAT ID
 └ vat_id_validated                    string                     ``True``, if the VAT ID has been validated against the
                                                                  EU VAT service and validation was successful. This only
@@ -80,6 +81,10 @@ downloads                             list of objects            List of ticket
    The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate`` and ``order.payment_fee_tax_value`` have been
    deprecated in favour of the new ``fees`` attribute but will still be served and removed in 1.9.
 
+.. versionchanged:: 1.9
+
+   First write operations (``…/mark_paid/``, ``…/mark_pending/``, ``…/mark_canceled/``, ``…/mark_expired/``) have been added.
+   The attribute ``invoice_address.internal_reference`` has been added.
 
 Order position resource
 -----------------------
@@ -89,7 +94,7 @@ Order position resource
 ===================================== ========================== =======================================================
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
-id                                    integer                    Internal ID of the order positon
+id                                    integer                    Internal ID of the order position
 code                                  string                     Order code of the order the position belongs to
 positionid                            integer                    Number of the position within the order
 item                                  integer                    ID of the purchased item
@@ -141,7 +146,7 @@ Order endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -170,6 +175,7 @@ Order endpoints
                 "zipcode": "12345",
                 "city": "Testington",
                 "country": "Testikistan",
+                "internal_reference": "",
                 "vat_id": "EU123456789",
                 "vat_id_validated": False
             },
@@ -251,7 +257,7 @@ Order endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "code": "ABC12",
@@ -275,6 +281,7 @@ Order endpoints
             "zipcode": "12345",
             "city": "Testington",
             "country": "Testikistan",
+            "internal_reference": "",
             "vat_id": "EU123456789",
             "vat_id_validated": False
         },
@@ -329,6 +336,7 @@ Order endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/download/(output)/
 
@@ -365,11 +373,208 @@ Order endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
-                    **or** downlodas are not available for this order at this time. The response content will
+                    **or** downloads are not available for this order at this time. The response content will
                     contain more details.
-   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
+   :statuscode 404: The requested order or output provider does not exist.
+   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                           seconds.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_paid/
+
+   Marks a pending or expired order as successfully paid.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_paid/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "p",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as paid, either because the current order status does not allow it or because no quota is left to perform the operation.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_canceled/
+
+   Marks a pending order as canceled.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_canceled/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: text/json
+
+      {
+          "send_email": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "c",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as canceled since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_pending/
+
+   Marks a paid order as unpaid.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_pending/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as unpaid since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_expired/
+
+   Marks a unpaid order as expired.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_expired/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "e",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as expired since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/extend/
+
+   Extends the payment deadline of a pending order. If the order is already expired and quota is still
+   available, its state will be changed to pending.
+
+   The only required parameter of this operation is ``expires``, which should contain a date in the future.
+   Note that only a date is expected, not a datetime, since pretix will always set the deadline to the end of the
+   day in the event's timezone.
+
+   You can pass the optional parameter ``force``. If it is set to ``true``, the operation will be performed even if
+   it leads to an overbooked quota because the order was expired and the tickets have been sold again.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/extend/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: text/json
+
+      {
+          "expires": "2017-10-28",
+          "force": false
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        "expires": "2017-10-28T23:59:59Z",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be extended since the current order status does not allow it or no quota is available or the submitted date is invalid.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 
 Order position endpoints
 ------------------------
@@ -392,7 +597,7 @@ Order position endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -476,7 +681,7 @@ Order position endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 23442,
@@ -520,12 +725,13 @@ Order position endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order position does not exist.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/download/(output)/
 
    Download tickets for one order position, identified by its internal ID.
    Depending on the chosen output, the response might be a ZIP file, PDF file or something else. The order details
-   response contains a list of output options for this partictular order position.
+   response contains a list of output options for this particular order position.
 
    Tickets can be only downloaded if the order is paid and if ticket downloads are active. Also, depending on event
    configuration downloads might be only unavailable for add-on products or non-admission products.
@@ -557,7 +763,8 @@ Order position endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
-                    **or** downlodas are not available for this order position at this time. The response content will
+                    **or** downloads are not available for this order position at this time. The response content will
                     contain more details.
-   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
+   :statuscode 404: The requested order position or download provider does not exist.
+   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                     seconds.

doc/api/resources/organizers.rst

@@ -41,7 +41,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -77,7 +77,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "name": "Big Events LLC",

doc/api/resources/questions.rst

@@ -54,7 +54,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -113,7 +113,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/quotas.rst

@@ -4,7 +4,7 @@ Quotas
 Resource description
 --------------------
 
-Questions define how many times an item can be sold.
+Quotas define how many times an item can be sold.
 The quota resource contains the following public fields:
 
 .. rst-class:: rest-resource-table
@@ -20,6 +20,10 @@ variations                            list of integers           List of item va
 subevent                              integer                    ID of the date inside an event series this quota belongs to (or ``null``).
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.10
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
 
 Endpoints
 ---------
@@ -42,7 +46,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -88,7 +92,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -106,6 +110,131 @@ Endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/quotas/
+
+   Creates a new quota
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/quotas/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": "Ticket Quota",
+        "size": 200,
+        "items": [1, 2],
+        "variations": [1, 4, 5, 7],
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Ticket Quota",
+        "size": 200,
+        "items": [1, 2],
+        "variations": [1, 4, 5, 7],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a quota for
+   :param event: The ``slug`` field of the event to create a quota for
+   :statuscode 201: no error
+   :statuscode 400: The quota could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/quotas/(id)/
+
+   Update a quota. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/quotas/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "New Ticket Quota",
+        "size": 100,
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "New Ticket Quota",
+        "size": 100,
+        "items": [
+          1,
+          2
+        ],
+        "variations": [
+          1,
+          2
+        ],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the quota rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The quota could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/quota/(id)/
+
+   Delete a quota. Note that if you delete a quota the items the quota acts on might no longer be available for sale.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/quotas/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the quotas to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/quotas/(id)/availability/
 
    Returns availability information on one quota, identified by its ID.
@@ -124,7 +253,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "available": true,

doc/api/resources/subevents.rst

@@ -60,7 +60,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -114,7 +114,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/taxrules.rst

@@ -25,6 +25,10 @@ home_country                          string                     Merchant countr
 
    This resource has been added.
 
+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
 
 Endpoints
 ---------
@@ -47,7 +51,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -90,7 +94,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -103,7 +107,128 @@ Endpoints
 
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
-   :param id: The ``slug`` field of the sub-event to fetch
+   :param id: The ``id`` field of the tax rule to fetch
    :statuscode 200: no error
    :statuscode 401: Authentication failure
-   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/taxrules/
+
+   Create a new tax rule.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/taxrules/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "name": {"en": "VAT"},
+        "rate": "19.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "VAT"},
+        "rate": "19.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a tax rule for
+   :param event: The ``slug`` field of the event to create a tax rule for
+   :statuscode 201: no error
+   :statuscode 400: The tax rule could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create tax rules.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
+
+   Update a tax rule. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/taxrules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "rate": "20.00",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 1,
+        "name": {"en": "VAT"},
+        "rate": "20.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The tax rule could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
+
+   Delete a tax rule. Note that tax rules can only be deleted if they are not in use for any products, settings
+   or orders. If you cannot delete a tax rule, this method will return a ``403`` status code and you can only
+   discontinue using it everywhere else.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/taxrules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it **or** this tax rule cannot be deleted since it is currently in use.

doc/api/resources/vouchers.rst

@@ -44,6 +44,10 @@ subevent                              integer                    ID of the date
 ===================================== ========================== =======================================================
 
 
+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
 Endpoints
 ---------
 
@@ -65,7 +69,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -136,7 +140,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -162,3 +166,151 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/vouchers/
+
+   Create a new voucher.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/vouchers/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "12.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "redeemed": 0,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "12.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a voucher for
+   :param event: The ``slug`` field of the event to create a voucher for
+   :statuscode 201: no error
+   :statuscode 400: The voucher could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
+
+   Update a voucher. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` and ``redeemed`` fields.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/vouchers/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "price_mode": "set",
+        "value": "24.00",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "redeemed": 0,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "24.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the voucher to modify
+   :statuscode 200: no error
+   :statuscode 400: The voucher could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
+
+   Delete a voucher. Note that you cannot delete a voucher if it already has been redeemed.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/vouchers/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the voucher to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/waitinglist.rst

@@ -48,7 +48,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -102,7 +102,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/development/api/customview.rst

@@ -60,7 +60,85 @@ your views::
     def admin_view(request, organizer, event):
         ...
 
-Similarly, there is ``organizer_permission_required`` and ``OrganizerPermissionRequiredMixin``.
+Similarly, there is ``organizer_permission_required`` and ``OrganizerPermissionRequiredMixin``. In case of
+event-related views, there is also a signal that allows you to add the view to the event navigation like this::
+
+
+    from django.core.urlresolvers import resolve, reverse
+    from django.dispatch import receiver
+    from django.utils.translation import ugettext_lazy as _
+    from pretix.control.signals import nav_event
+
+
+    @receiver(nav_event, dispatch_uid='friends_tickets_nav')
+    def navbar_info(sender, request, **kwargs):
+        url = resolve(request.path_info)
+        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'):
+            return []
+        return [{
+            'label': _('My plugin view'),
+            'icon': 'heart',
+            'url': reverse('plugins:myplugin:index', kwargs={
+                'event': request.event.slug,
+                'organizer': request.organizer.slug,
+            }),
+            'active': url.namespace == 'plugins:myplugin' and url.url_name == 'review',
+        }]
+
+
+Event settings view
+-------------------
+
+A special case of a control panel view is a view hooked into the event settings page. For this case, there is a
+special navigation signal::
+
+    @receiver(nav_event_settings, dispatch_uid='friends_tickets_nav_settings')
+    def navbar_settings(sender, request, **kwargs):
+        url = resolve(request.path_info)
+        return [{
+            'label': _('My settings'),
+            'url': reverse('plugins:myplugin:settings', kwargs={
+                'event': request.event.slug,
+                'organizer': request.organizer.slug,
+            }),
+            'active': url.namespace == 'plugins:myplugin' and url.url_name == 'settings',
+        }]
+
+Also, your view should inherit from ``EventSettingsViewMixin`` and your template from ``pretixcontrol/event/settings_base.html``
+for good integration. If you just want to display a form, you could do it like the following::
+
+    class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
+        model = Event
+        permission = 'can_change_settings'
+        form_class = MySettingsForm
+        template_name = 'my_plugin/settings.html'
+
+        def get_success_url(self, **kwargs):
+            return reverse('plugins:myplugin:settings', kwargs={
+                'organizer': self.request.event.organizer.slug,
+                'event': self.request.event.slug,
+            })
+
+With this template::
+
+    {% extends "pretixcontrol/event/settings_base.html" %}
+    {% load i18n %}
+    {% load bootstrap3 %}
+    {% block title %} {% trans "Friends Tickets Settings" %} {% endblock %}
+    {% block inside %}
+        <form action="" method="post" class="form-horizontal">
+            {% csrf_token %}
+            <fieldset>
+                <legend>{% trans "Friends Tickets Settings" %}</legend>
+                {% bootstrap_form form layout="horizontal" %}
+            </fieldset>
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        </form>
+    {% endblock %}
 
 Frontend views
 --------------

doc/development/api/general.rst

@@ -11,7 +11,7 @@ Core
 ----
 
 .. automodule:: pretix.base.signals
-   :members: periodic_task, event_live_issues, event_copy_data
+   :members: periodic_task, event_live_issues, event_copy_data, email_filter
 
 Order events
 """"""""""""
@@ -19,13 +19,13 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 
 .. automodule:: pretix.base.signals
-   :members: validate_cart, order_paid, order_placed
+   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_fee_type_name, allow_ticket_download
 
 Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, contact_form_fields, question_form_fields, checkout_confirm_messages
+   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content
 
 
 .. automodule:: pretix.presale.signals
@@ -47,11 +47,11 @@ Backend
 -------
 
 .. automodule:: pretix.control.signals
-   :members: nav_event, html_head, quota_detail_html, nav_topbar, nav_global, nav_organizer
+   :members: nav_event, html_head, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings, order_info, event_settings_widget
 
 
 .. automodule:: pretix.base.signals
-   :members: logentry_display, requiredaction_display
+   :members: logentry_display, logentry_object_link, requiredaction_display
 
 Vouchers
 """"""""
@@ -64,3 +64,9 @@ Dashboards
 
 .. automodule:: pretix.control.signals
    :members: event_dashboard_widgets, user_dashboard_widgets
+
+Ticket designs
+""""""""""""""
+
+.. automodule:: pretix.plugins.ticketoutputpdf.signals
+   :members: layout_text_variables

doc/development/api/plugins.rst

@@ -114,6 +114,19 @@ method to make your receivers available::
         def ready(self):
             from . import signals  # NOQA
 
+You can optionally specify code that is executed when your plugin is activated for an event
+in the ``installed`` method::
+
+    class PaypalApp(AppConfig):
+        …
+
+        def installed(self, event):
+            pass  # Your code here
+
+
+Note that ``installed`` will *not* be called if the plugin in indirectly activated for an event
+because the event is created with settings copied from another event.
+
 Views
 -----
 

doc/development/concepts.rst

@@ -59,7 +59,7 @@ If an item is assigned to multiple quotas, it can only be bought if *all of them
 If multiple items are assigned to the same quota, the quota will be counted as sold out as soon as the
 *sum* of the two items exceeds the quota limit.
 
-The availability of a quota is currently calculated by substracting the following numbers from the quota
+The availability of a quota is currently calculated by subtracting the following numbers from the quota
 limit:
 
 * The number of orders placed for an item that are either already paid or within their granted payment period

doc/development/implementation/models.rst

@@ -21,7 +21,7 @@ Organizers and events
    :members:
 
 .. autoclass:: pretix.base.models.Event
-   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, get_cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
+   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
 
 .. autoclass:: pretix.base.models.SubEvent
    :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running

doc/development/setup.rst

@@ -20,7 +20,6 @@ Your should install the following on your system:
 
 * Python 3.4 or newer
 * ``pip`` for Python 3 (Debian package: ``python3-pip``)
-* ``pyvenv`` for Python 3 (Debian package: ``python3-venv``)
 * ``python-dev`` for Python 3 (Debian package: ``python3-dev``)
 * ``libffi`` (Debian package: ``libffi-dev``)
 * ``libssl`` (Debian package: ``libssl-dev``)
@@ -37,7 +36,7 @@ Please execute ``python -V`` or ``python3 -V`` to make sure you have Python 3.4
 execute ``pip3 -V`` to check. Then use Python's internal tools to create a virtual
 environment and activate it for your current session::
 
-    pyvenv env
+    python3 -m venv env
     source env/bin/activate
 
 You should now see a ``(env)`` prepended to your shell prompt. You have to do this

doc/user/events/create.rst

@@ -1,3 +1,5 @@
+.. _event_create:
+
 Creating an event
 =================
 
@@ -26,7 +28,7 @@ is useful if you have a large number of events that are very similar to each oth
 (i.e. users should be able to buy tickets for multiple events at the same time). Those single events can differ in
 available products, quotas, prices and some meta information, but most settings need to be the same for all of them.
 We recommend to use this feature only if you really know that you need it and if you really run a lot of events, not if
-you run e.g. a yearly conference.
+you run e.g. a yearly conference. You can read more on this feature :ref:`here <subevents>`.
 
 Once you set these values, you can procede to the next step:
 

doc/user/events/display.rst

@@ -0,0 +1,42 @@
+Display settings
+================
+
+The settings at "Settings" → "Display" allow you to customize the appearance of your ticket shop.
+
+.. thumbnail:: ../../screens/event/settings_display.png
+   :align: center
+   :class: screenshot
+
+The upper part of the page contains settings that you always need to set specifically for your event. Those are
+currently::
+
+Logo image
+    This logo will be shown as a banner above your shop. If you set it, the event name and date will no longer be
+    displayed by the shop, so we suggest to include them in the image yourself. The maximal height of the image is
+    120 pixels and if you want to use the full width, make your image 1140 pixels wide. If the user's screen is
+    smaller, the logo will be scaled down automatically, so it should still be legigible at smaller sizes.
+
+Frontpage text
+    This text will be shown on the front page of your ticket shop, above the list of products. You can use it to explain
+    your product types, give more information on the event or for other general notices.
+    You can use :ref:`Markdown syntax <markdown-guide>` in this field.
+
+Show variations of a product expanded by default
+    If this is not checked, a product with variations will be shown as one row in the show by default and will expand
+    into multiple rows once it is clicked on. With this box checked, the variations will be shown as multiple rows
+    right from the beginning.
+
+
+The lower part of the page contains settings that you can **either** set on organizer-level for all your events **or**
+override for this single event individually. Those are:
+
+Primary color
+    This color will be used for links, buttons, and other design elements throughout your shop and emails sent to your
+    customers. We suggest not choosing something to light, since text in that color should be readable on a white
+    background and white text should be readable on a background of this color.
+
+Font
+    Choose one of multiple fonts to use for your web shop.
+
+.. note:: Both the color and font settings can take a few seconds up to a few minutes before they become active on your
+          shop.

doc/user/events/plugins.rst

@@ -0,0 +1,20 @@
+Configuring plugins
+===================
+
+Plugins are optional parts of pretix that can be installed to extend the available functionality and that can be turned
+on or off completely for every event. For your event, a number of plugins might be active already, but you can unlock
+even more functionality by going to "Settings" → "Plugins" and enable more of them, if you need.
+
+.. thumbnail:: ../../screens/event/settings_plugins.png
+   :align: center
+   :class: screenshot
+
+For each plugin, you will find a short description as well as an Enable/Disable button. The pretix website has
+`an overview`_ of available plugins and more details of them. If you are on the pretix.eu hosted service, look for
+the "pretix Hosted" badge in the plugin list to learn which ones are supported there.
+
+If you are running pretix on your own server, refer to the installation manual of your installation type to learn
+how to install additional plugins (:ref:`manual <manual_plugininstall>` or :ref:`Docker <docker_plugininstall>`).
+
+.. _an overview: https://pretix.eu/about/en/plugins
+

doc/user/events/settings.rst

@@ -0,0 +1,11 @@
+Configuring an event
+====================
+
+.. toctree::
+   :maxdepth: 2
+
+   subevents
+   ../payments/index
+   plugins
+   display
+   taxes

doc/user/events/subevents.rst

@@ -0,0 +1,111 @@
+.. _subevents:
+
+Event series
+============
+
+During creation of a new event, you can choose that you want to create this event as an event series.
+By event series, we mean a group of events that are similar in their structure and that you want to
+sell within a single shop. An event series consists of **dates**. Each date represents one "event"
+within the series.
+
+For example, we think good examples to use the event series feature are:
+
+* A theater or theater group that shows the same play on five evenings.
+
+* A band on tour that hosts the same show in different locations.
+
+* A workshop that is given multiple times in different locations or at different times.
+
+We **don't** think that the feature is well-suited for events like the following:
+
+* Event series distributed over a large timescale like annual conferences. We suggest using multiple events in this
+  case. You can avoid having to configure everything twice since you can copy settings from an existing event during
+  creation of the new event.
+
+* Multiple parts of a conference or festival (e.g. different days) if a significant number of attendees will visit
+  more than one of them. We suggest just using different products in this case.
+
+When using an event series, the single dates of the series are using the same settings in most places. They can
+**only** differ in the following aspects:
+
+* They can have different date, time, and location parameters.
+
+* They can use different text on the shop front page.
+
+* They can have different prices for the various products.
+
+* They always have distinct quotas, which allows you to assign different amounts of tickets or to enable or disable
+  some products completely.
+
+* They can have different rules for check-in.
+
+Therefore, if your events are likely to need more different settings, this is probably not the feature for you. The
+benefits of using event series, on the other hand, are:
+
+* You only need to set most settings once, as the multiple dates live in the same shop.
+
+* Your customers can build mixed orders, i.e. they can order tickets for multiple dates at once.
+
+
+Creating and modifying dates in the series
+------------------------------------------
+
+Click on "Dates" in the left navigation menu of your event. This page shows you the list of currently existing event
+dates and allows you to create, edit, clone and delete them.
+
+If "Dates" is missing from the navigation menu, you have insufficient permission or your event has not been set up as
+an event series and you need to create a new event.
+
+.. thumbnail:: ../../screens/event/subevent_list.png
+   :align: center
+   :class: screenshot
+
+If you click on one of them or create a new one, you will see the following form:
+
+.. thumbnail:: ../../screens/event/subevent_create.png
+   :align: center
+   :class: screenshot
+
+Here, you can make changes to the following fields, most of which are optional:
+
+Name
+  This is the public name of your date. It should be descriptive enough to tell the user which date to select in
+  a calendar.
+
+Active
+  This date will only show up for customers if you check this box. In this sense, it corresponds to the "live" setting
+  of events.
+
+
+Event start time
+  The date and time that this date starts at.
+
+Event end time
+  The date and time this date ends at.
+
+Location
+  This is the location of your date in a human-readable format. We will show this on the ticket shop frontpage, but
+  it might also be used e.g. in Wallet tickets.
+
+Admission time
+  The admission date and time to show on the ticket shop page or on the tickets.
+
+Frontpage text
+  A text to show on the front page of the ticket shop for this date.
+
+Start of presale
+  If you set this, no ticket will be sold before the time you set. If you set this on event series level as well,
+  both dates must be in the past for the tickets to be available.
+
+End of presale
+  If you set this, no ticket will be sold after the time you set. If you set this on event series level as well,
+  both dates must be in the future for the tickets to be available.
+
+Quotas
+  As for all events, no tickets will be available unless there is a quota created for them that specifies the number
+  of tickets available. You can create multiple quotas that are assinged to this date directly from this interface.
+
+Item prices
+  This is a table of all products configured for your shop. If you want, you can enter a new price for each one of them
+  in the right column to make them cheaper or more expensive for this date. If you leave a field empty, the price will
+  follow the product's default price.

doc/user/events/taxes.rst

@@ -1,5 +1,7 @@
-Tax rules
-=========
+.. _taxes:
+
+Configuring taxes
+=================
 
 In most countries, you will be required to pay some form of sales tax for your event tickets. If you don't know about
 the exact rules, you should consult a professional tax consultant right now.

doc/user/events/widget.rst

@@ -0,0 +1,104 @@
+Embeddable Widget
+=================
+
+If you want to show your ticket shop on your event website or blog, you can use our JavaScript widget. This way,
+users will not need to leave your site to buy their ticket in most cases. The widget will still open a new tab
+for the checkout if the user is on a mobile device.
+
+To obtain the correct HTML code for embedding your event into your website, we recommend that you go to the "Widget"
+tab of your event's settings. You can specify some optional settings there (for example the language of the widget)
+and then click "Generate widget code".
+
+.. thumbnail:: ../../screens/event/widget_form.png
+   :align: center
+   :class: screenshot
+
+You will obtain two code snippets that look *roughly* like the following. The first should be embedded into the
+``<head>`` part of your website, if possible. If this inconvenient, you can put it in the ``<body>`` part as well::
+
+    <link rel="stylesheet" type="text/css" href="https://pretix.eu/demo/democon/widget/v1.css">
+    <script type="text/javascript" src="https://pretix.eu/widget/v1.en.js" async></script>
+
+The second snippet should be embedded at the position where the widget should show up::
+
+    <pretix-widget event="https://pretix.eu/demo/democon/"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without JavaScript,
+                please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+.. note::
+
+    You can of course embed multiple widgets of multiple events on your page. In this case, please add the first
+    snippet only *once* and the second snippets once *for each event*.
+
+Example
+-------
+
+Your embedded widget could look like the following:
+
+.. raw:: html
+
+    <link rel="stylesheet" type="text/css" href="https://pretix.eu/demo/democon/widget/v1.css">
+    <script type="text/javascript" src="https://pretix.eu/widget/v1.en.js" async></script>
+    <pretix-widget event="https://pretix.eu/demo/democon/"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+
+Styling
+-------
+
+If you want, you can customize the appearance of the widget to fit your website with CSS. If you inspect the rendered
+HTML of the widget with your browser's developer tools, you will see that nearly every element has a custom class
+and all classes are prefixed with ``pretix-widget``. You can override the styles as much as you want to and if
+you want to go all custom, you don't even need to use the stylesheet provided by us at all.
+
+SSL
+---
+
+Since buying a ticket normally involves entering sensitive data, we strongly suggest that you use SSL/HTTPS for the page
+that includes the widget. Initiatives like `Let's Encrypt`_ allow you to obtain a SSL certificat free of charge.
+
+All data transferred to pretix will be made over SSL, even if using the widget on a non-SSL site. However, without
+using SSL for your site, a man-in-the-middle attacker could potentially alter the widget in dangerous ways. Moreover,
+using SSL is becoming standard practice and your customers might want expect see the secure lock icon in their browser
+granted to SSL-enabled web pages.
+
+By default, the checkout process will open in a new tab in your customer's browsers if you don't use SSL for your
+website. If you confident to have a good reason for not using SSL, you can override this behaviour with the
+``skip-ssl-check`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" skip-ssl-check></pretix-widget>
+
+Pre-selecting a voucher
+-----------------------
+
+You can pre-select a voucher for the widget with the ``voucher`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" voucher="ABCDE123456"></pretix-widget>
+
+This way, the widget will only show products that can be bought with the voucher and prices according to the
+voucher's settings.
+
+.. raw:: html
+
+    <pretix-widget event="https://pretix.eu/demo/democon/" voucher="ABCDE123456"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+.. _Let's Encrypt: https://letsencrypt.org/

doc/user/faq.rst

@@ -0,0 +1,51 @@
+FAQ and Troubleshooting
+=======================
+
+How can I test my shop before taking it live?
+---------------------------------------------
+
+There are multiple ways to do this.
+
+First, you could just create some orders in your real shop and cancel/refund them later. If you don't want to process
+real payments for the tests, you can either use a "manual" payment method like bank transfer and just mark the orders
+as paid with the button in the backend, or if you want to use e.g. Stripe, you can configure pretix to use your keys
+for the Stripe test sytem and use their test credit cars. Read our :ref:`Stripe documentation <stripe>` for more
+information.
+
+Second, you could create a separate event, just for testing. In the last step of the :ref:`event creation process <event_create>`,
+you can specify that you want to copy all settings from your real event, so you don't have to do all of it twice.
+
+We are planning to add a dedicated test mode in a later version of pretix.
+
+If you are using the hosted service at pretix.eu and want to get rid of the test orders completely, contact us at
+support@pretix.eu and we can remove them for you. Please note that we only are able to do that *before* you have
+received any real orders (i.e. taken the shop public). We won't charge any fees for test orders or test events.
+
+How do I delete an event?
+-------------------------
+
+It is currently not possible to delete events, you can just disable the shop by clicking the first square on your event
+dashboard. Events can't be deleted as they most likely contain information on financial transactions which legally
+needs to be kept on record for multiple years in most countries.
+
+If you are using the hosted service at pretix.eu and want to get rid of an event that you only used for testing, contact
+us at support@pretix.eu and we can remove it for you.
+
+Why doesn't my product show up in the ticket shop?
+--------------------------------------------------
+
+If you created a product and it doesn't show up, please follow the following steps to find out why:
+
+1. Check if the product's "active" checkbox is enabled.
+2. Check if the product is in a category that has the "Products in this category are add-on products" checkbox enabled.
+   If this is the case, the product won't show up on the shop front page, but only in the first step of checkout when
+   a product in the cart allows to add add-on products from this category.
+3. Check if the product's "Available from" or "Available until" settings restrict it to a date range.
+4. Check if the product's checkbox "This product will only be shown if a voucher matching the product is redeemed." is
+   enabled. If this is the case, the product will only be shown if the customer redeems a voucher that *directly* matches
+   to this product. It will not be shown if the voucher only is configured to match a quota that contains the product.
+5. Check that a quota exists that contains this product. If your product has variations, check that at least one
+   variation is contained in a quota. If your event is an event series, make sure that the product is contained in a
+   quota that is assigned to the series date that you access the shop for.
+6. If the sale period has not started yet or is already over, check the "Show items outside presale period" setting of
+   your event.

doc/user/index.rst

@@ -9,5 +9,7 @@ wanting to use pretix to sell tickets.
 
    organizers/index
    events/create
-   events/taxes
-   payments/index
+   events/settings
+   events/widget
+   faq
+   markdown

doc/user/markdown.rst

@@ -0,0 +1,166 @@
+.. _markdown-guide:
+
+Markdown Guide
+==============
+
+What is markdown?
+-----------------
+
+In many places of your shop, like frontpage texts, product descriptions and email texts, you can use
+`Markdown`_ to create links, bold text, and other formatted content. Markdown is a good middle-ground
+since it is way easier to learn than languages like HTML but allows all basic formatting options required
+for text in those places.
+
+Formatting rules
+----------------
+
+Simple text formatting
+""""""""""""""""""""""
+
+To set a text in italics, you can put it in asterisks or underscores. For example,
+
+.. code-block:: markdown
+
+    Please *really* pay your _ticket_.
+
+will become:
+
+    Please *really* pay your _ticket_.
+
+If you set double asterisks or underscores, the text will be printed in bold. For example,
+
+.. code-block:: markdown
+
+    This is **important**.
+
+will become:
+
+    This is **important**.
+
+You can also display, for example:
+
+.. code-block:: markdown
+
+    Input this `exactly like this`.
+
+You will get:
+
+    Input this ``exactly like this``.
+
+Links
+"""""
+
+You can create a link by just pasting it in, e.g.
+
+.. code-block:: markdown
+
+    Check this on https://en.wikipedia.org
+
+will become:
+
+    Check this on https://en.wikipedia.org
+
+However, if you want to control the text of the link, you can put the text of the link in ``[]`` brackets and the
+link target in ``()`` parentheses, like this:
+
+.. code-block:: markdown
+
+    Check this on [Wikipedia](https://en.wikipedia.org).
+
+This will yield:
+
+    Check this on `Wikipedia`_
+
+All links created with pretix Markdown syntax will open in a new tab.
+
+Lists
+"""""
+
+You can create un-numbered lists by prepending the lines with asterisks.
+
+.. code-block:: markdown
+
+    * First item
+    * Second item with a text that is too long to
+      fit in a line
+    * Third item
+
+will become:
+
+    * First item
+    * Second item with a text that is too long to
+      fit in a line
+    * Third item
+
+You can also use numbers as list items
+
+.. code-block:: markdown
+
+    1.  Red
+    2.  Green
+    3.  Blue
+
+to get
+
+    1.  Red
+    2.  Green
+    3.  Blue
+
+Headlines
+"""""""""
+
+To create a headline, prepend it with ``#`` for the main headline, ``##`` for a headline of the second level,
+and so on. For example:
+
+.. code-block:: markdown
+
+    # Headline 1
+    ## Headline 2
+    ### Headline 3
+    #### Headline 4
+    ##### Headline 5
+    ###### Headline 6
+
+We do not recommend using headlines of the first level, as pretix will already set the name of your event as a level-1
+headline of the page and HTML pages should have only one headline on the first level.
+
+You can also use
+
+.. code-block:: markdown
+
+    *****
+
+to create a horizontal line, like the following:
+
+.. raw:: html
+
+    <hr>
+
+Using HTML
+----------
+
+You can also directly embed HTML code, if you want, although we recommend
+using Markdown, as it enables e.g. people using text-based email clients
+to get a better plain text representation of your text. Note however, that for
+security reasons you can only use the following HTML elements::
+
+    a, abbr, acronym, b, br, code, div, em, h1, h2,
+    h3, h4, h5, h6, hr, i, li, ol, p, span, strong,
+    table, tbody, td, thead, tr, ul
+
+Additionally, only the following attributes are allowed on them::
+
+    <a href="…" title="…">
+    <abbr title="…">
+    <acronym title="…">
+    <table width="…">
+    <td width="…" align="…">
+    <div class="…">
+    <p class="…">
+    <span class="…">
+
+All other elements and attributes will be stripped during parsing.
+
+
+.. _Markdown: https://en.wikipedia.org/wiki/Markdown
+.. _Wikipedia: https://en.wikipedia.org

doc/user/organizers/account.rst

@@ -0,0 +1,43 @@
+Organizer account
+=================
+
+The basis of all your operations within pretix is your organizer account. It represents an entity that is running
+events, for example a company, yourself or any other institution.
+Every event belongs to one organizer account and events within the same organizer account are assumed to belong together
+in some sense, whereas events in different organizer accounts are completely isolated.
+
+If you want to use the hosted pretix service, you can create an organizer account on our `Get started`_ page. Otherwise,
+ask your pretix administrator for access to an organizer account.
+
+You can find out all organizer accounts you have access to by going to your global dashboard (click on the pretix logo
+in the top-left corner) and then select "Organizers" from the navigation bar on the left side. Then, choose one of the
+organizer accounts presented, if there are multiple of them:
+
+.. thumbnail:: ../../screens/organizer/list.png
+   :align: center
+   :class: screenshot
+
+This overview shows you all event that belong to the organizer and you have access to:
+
+.. thumbnail:: ../../screens/organizer/event_list.png
+   :align: center
+   :class: screenshot
+
+With the "Edit" button at the top, next to the organizer account name, you can modify properties of the organizer
+account such as its name and display settings for the public profile page of the organizer account:
+
+.. thumbnail:: ../../screens/organizer/edit.png
+   :align: center
+   :class: screenshot
+
+.. tip::
+
+   The profile page will be shown as ``https://pretix.eu/slug/`` where ``slug`` is to be replaced by the short form of
+   the organizer name that you entered during account creation and ``pretix.eu`` is to be replaced by your
+   installation's domain name if you are not using our hosted service.
+
+   Instead, you can also use a custom domain for the profile page and your events, for example
+   ``https://tickets.example.com/`` if ``example.com`` is a domain that you own.  Head to :ref:`custom_domain` to learn
+   more.
+
+.. _Get started: https://pretix.eu/about/en/setup

doc/user/organizers/domain.rst

@@ -0,0 +1,54 @@
+.. _custom_domain:
+
+Using a custom domain
+=====================
+
+By default, event shops built with pretix are accessible at ``https://<domain>/<organizer>/<event>/``, where
+``<domain>`` is ``pretix.eu`` if you are using our hosted service and ``<organizer>`` and ``<event>`` are the short
+form versions of your organizer account name and event name, respectively.
+
+However, you are also able to use a custom domain for your ticket shops! If you work for "Awesome Party Corporation"
+and your website is ``awesomepartycorp.com``, you might want to sell your tickets at ``tickets.awesomepartycorp.com``
+and with pretix, you can do this. On this page, you find out the necessary steps to take.
+
+With the pretix.eu hosted service
+---------------------------------
+
+Step 1: DNS Configuration
+#########################
+
+Go to the website of the provider you registered your domain name with. Look for the "DNS" settings page in their
+interface. Unfortunately, we can't tell you exactly how that is named and how it looks, since it is different for every
+domain provider.
+
+Use this interface to add a new subdomain record, e.g. ``tickets`` of the type ``CNAME`` (might also be called "alias").
+The value of the record should be ``www.pretix.eu``.
+
+Step 2: Wait for the DNS entry to propagate
+###########################################
+
+Submit your changes and wait a bit, it can regularly take up to three hours for DNS changes to propagate to the caches
+of all DNS servers. You can try checking by accessing your new subdomain, ``http://tickets.awesomepartycorp.com``.
+If DNS was changed successfully, you should see a SSL certificate error. If you ignore the error and access the page
+anyways, you should get a pretix-themed error page with the headline "Unknown domain".
+
+Step 3: Tell us
+###############
+
+Write an email to support@pretix.eu, naming your new domain and your organizer account. We will then generate a SSL
+certificate for you (for free!) and configure the domain.
+
+
+With a custom pretix installation
+---------------------------------
+
+If you installed pretix on a server yourself, you can also use separate domains for separate organizers.
+First of all, configure your webserver or reverse proxy to pass requests to the new domain to pretix as well.
+Then, go to the organizer account in pretix and click the "Edit" button. Enter the new domain in the "Custom Domain"
+field, then you're done!
+
+.. thumbnail:: ../../screens/organizer/edit_sysadmin.png
+   :align: center
+   :class: screenshot
+
+Note that this field only shows up if you are logged in as a system administrator of your pretix installation.

doc/user/organizers/index.rst

@@ -1,112 +1,9 @@
 Organizer accounts and teams
 ============================
 
-Organizer account
------------------
+.. toctree::
+   :maxdepth: 2
 
-The basis of all your operations within pretix is your organizer account. It represents an entity that is running
-events, for example a company, yourself or any other institution.
-Every event belongs to one organizer account and events within the same organizer account are assumed to belong together
-in some sense, whereas events in different organizer accounts are completely isolated.
-
-If you want to use the hosted pretix service, you can create an organizer account on our `Get started`_ page. Otherwise,
-ask your pretix administrator for access to an organizer account.
-
-You can find out all organizer accounts you have access to by going to your global dashboard (click on the pretix logo
-in the top-left corner) and then select "Organizers" from the navigation bar on the left side. Then, choose one of the
-organizer accounts presented, if there are multiple of them:
-
-.. thumbnail:: ../../screens/organizer/list.png
-   :align: center
-   :class: screenshot
-
-This overview shows you all event that belong to the organizer and you have access to:
-
-.. thumbnail:: ../../screens/organizer/event_list.png
-   :align: center
-   :class: screenshot
-
-With the "Edit" button at the top, next to the organizer account name, you can modify properties of the organizer
-account such as its name and display settings for the public profile page of the organizer account:
-
-.. thumbnail:: ../../screens/organizer/edit.png
-   :align: center
-   :class: screenshot
-
-.. tip::
-
-   The profile page will be shown as ``https://pretix.eu/slug/`` where ``slug`` is to be replaced by the short form of
-   the organizer name that you entered during account creation and ``pretix.eu`` is to be replaced by your
-   installation's domain name if you are not using our hosted service.
-
-   Instead, you can also use a custom domain for the profile page and your events, for example
-   ``https://tickets.example.com/`` if ``example.com`` is a domain that you own. In this case, please contact the pretix
-   hosted support or your system administrator to set up the custom domain.
-
-Teams
------
-
-We don't expect you to work on your events all by yourself and therefore, pretix comes with ways to invite your fellow
-team members to access your pretix organizer account. To manage teams, click on the "Teams" link on your organizer
-settings page (see above how to find it). This shows you a list of teams that should contain at least one team already:
-
-.. thumbnail:: ../../screens/organizer/team_list.png
-   :align: center
-   :class: screenshot
-
-If you click on a team name, you get to a page that shows you the current members of the team:
-
-.. thumbnail:: ../../screens/organizer/team_detail.png
-   :align: center
-   :class: screenshot
-
-You see that there is a list of pretix user accounts (i.e. email addresses), who are part of the team. To add a user to
-the team, just enter their email address in the text box next to the "Add" button. If the user already has an account
-in the pretix system they will instantly get access to the team. Otherwise, they will be sent an email with an invitation
-link that can be used to create an account. This account will then instantly have access to the team. Users can be part
-of as many teams as you want.
-
-In the section below, you can also create access tokens for our :ref:`rest-api`. You can read more on this topic in the
-section :ref:`rest-auth` of the API documentation.
-
-Next to the team name, you again see a button called "Edit" that allows you to modify the permissions of the team.
-Permissions separate into two areas:
-
-* **Organizer permissions** allow actions on the level of an organizer account, in particular:
-
-   * Can create events – To create a new event under this organizer account, users need to have this permission
-
-   * Can change teams and permissions – This permission is required to perform the kind of action you are doing right now.
-     Anyone with this permission can assign arbitrary other permissions to themselves, so this is the most powerful
-     permission there is to give.
-
-   * Can change organizer settings – This permission is required to perform changes to the settings of the organizer
-     account, e.g. its name or display settings.
-
-* **Event permissions** allow actions on the level of an event. You can give the team access to all events of the
-  organizer (including future ones that are not yet created) or just a selected set of events. The specific permissions to choose from are:
-
-   * Can change event settings – This permission gives access to most areas of the control panel that are not controlled
-     by one of the other event permissions, especially those that are related to setting up and configuring the event.
-
-   * Can change product settings – This permission allows to create and modify products and objects that are closely
-     related to products, such as product categories, quotas, and questions.
-
-   * Can view orders – This permission allows viewing the list of orders and allindividual order details, but not
-     changing anything about it. This also includes the various exports offered.
-
-   * Can change orders – This permission allows all actions that involve changing an order, such as changing the products
-     in an order, marking an order as paid or refunden, importing banking data, etc. This only works properly if the
-     same users also have the "Can view orders" permission.
-
-   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
-     their redemption status.
-
-   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
-     properly if the same users also have the "Can view vouchers" permission.
-
-.. thumbnail:: ../../screens/organizer/team_edit.png
-   :align: center
-   :class: screenshot
-
-.. _Get started: https://pretix.eu/about/en/setup
+   account
+   teams
+   domain

doc/user/organizers/teams.rst

@@ -0,0 +1,65 @@
+Teams
+=====
+
+We don't expect you to work on your events all by yourself and therefore, pretix comes with ways to invite your fellow
+team members to access your pretix organizer account. To manage teams, click on the "Teams" link on your organizer
+settings page (see above how to find it). This shows you a list of teams that should contain at least one team already:
+
+.. thumbnail:: ../../screens/organizer/team_list.png
+   :align: center
+   :class: screenshot
+
+If you click on a team name, you get to a page that shows you the current members of the team:
+
+.. thumbnail:: ../../screens/organizer/team_detail.png
+   :align: center
+   :class: screenshot
+
+You see that there is a list of pretix user accounts (i.e. email addresses), who are part of the team. To add a user to
+the team, just enter their email address in the text box next to the "Add" button. If the user already has an account
+in the pretix system they will instantly get access to the team. Otherwise, they will be sent an email with an invitation
+link that can be used to create an account. This account will then instantly have access to the team. Users can be part
+of as many teams as you want.
+
+In the section below, you can also create access tokens for our :ref:`rest-api`. You can read more on this topic in the
+section :ref:`rest-auth` of the API documentation.
+
+Next to the team name, you again see a button called "Edit" that allows you to modify the permissions of the team.
+Permissions separate into two areas:
+
+* **Organizer permissions** allow actions on the level of an organizer account, in particular:
+
+   * Can create events – To create a new event under this organizer account, users need to have this permission
+
+   * Can change teams and permissions – This permission is required to perform the kind of action you are doing right now.
+     Anyone with this permission can assign arbitrary other permissions to themselves, so this is the most powerful
+     permission there is to give.
+
+   * Can change organizer settings – This permission is required to perform changes to the settings of the organizer
+     account, e.g. its name or display settings.
+
+* **Event permissions** allow actions on the level of an event. You can give the team access to all events of the
+  organizer (including future ones that are not yet created) or just a selected set of events. The specific permissions to choose from are:
+
+   * Can change event settings – This permission gives access to most areas of the control panel that are not controlled
+     by one of the other event permissions, especially those that are related to setting up and configuring the event.
+
+   * Can change product settings – This permission allows to create and modify products and objects that are closely
+     related to products, such as product categories, quotas, and questions.
+
+   * Can view orders – This permission allows viewing the list of orders and allindividual order details, but not
+     changing anything about it. This also includes the various exports offered.
+
+   * Can change orders – This permission allows all actions that involve changing an order, such as changing the products
+     in an order, marking an order as paid or refunden, importing banking data, etc. This only works properly if the
+     same users also have the "Can view orders" permission.
+
+   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
+     their redemption status.
+
+   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
+     properly if the same users also have the "Can view vouchers" permission.
+
+.. thumbnail:: ../../screens/organizer/team_edit.png
+   :align: center
+   :class: screenshot

doc/user/payments/banktransfer.rst

@@ -30,3 +30,9 @@ many orders could be processed correctly and how many could not. You can then go
 transfers from your bank statement that are not yet matched to an order. Using the input field and the buttons on the
 left of each transaction, you can manually enter an order code to match it to or just discard it from the list, e.g.
 if the transaction is not related to the event at all.
+
+
+.. tip:: If you aren't afraid of getting a bit more technical and your bank supports the HBCI/FinTS protocol (as most
+         German banks do), you can use `pretix-banktool`_ to fully automate this process.
+
+.. _pretix-banktool: https://github.com/pretix/pretix-banktool

doc/user/payments/fees.rst

@@ -1,3 +1,5 @@
+.. _payment-fees:
+
 Payment method fees
 ===================
 
@@ -18,6 +20,9 @@ might also decide to go for option one to make it easier for customers who don't
              legislation might already be in place or become relevant from January 2018 the latest. This is not
              legal advice. If in doubt, consult a lawyer or refrain from charging payment fees.
 
+If you go for the first option (as you should in the EU), you can just leave the payment fee fields in pretix' settings
+empty.
+
 If you go for the second option, you can configure pretix to charge the payment method fees to your user. You can
 define both an absolute fee as well as a percental fee based on the order total. If you do so, there are two
 different ways in which pretix can calculate the fee. Normally, it is fine to just go with the default setting, but

doc/user/payments/index.rst

@@ -1,9 +1,10 @@
-Accepting payments
-==================
+Payment settings
+================
 
 .. toctree::
    :maxdepth: 2
 
+   settings
    overview
    fees
    paypal

doc/user/payments/overview.rst

@@ -10,25 +10,8 @@ Payment methods are built as pretix plugins. For this reason, you might first ne
 If you host pretix on your own server, you might need to install a plugin first for some of the payment methods listed
 on this page as well as for additional ones.
 
-:ref:`stripe`
-    Stripe is a US-based company that offers you an easy way to accept credit card payments from all over the world.
-    To accept payments with Stripe, you need to have a Stripe merchant account that is easy to create. Click on the link
-    above to get more details about the Stripe integration into pretix.
-
-:ref:`paypal`
-    If you want to accept online payments via PayPal, you can do so using pretix. You will need a PayPal merchant
-    account and it is a little bit complicated to obtain the required technical details, but we've got you covered.
-    Click on the link above to learn more.
-
-:ref:`banktransfer`
-    Classical IBAN wire transfers are a common payment method in central Europe that has the large benefit that it
-    often does not cause any additional fees. However, it requires you to invest some more effort as you need to
-    check your bank account for incoming payments regularly. We provide some tools to make this easier for you.
-
-SEPA debit
-    In some Europen countries, a very popular online payment method is SEPA direct debit. If you want to offer this
-    option in your pretix ticket shop, we provide a convenient plugin that allows users to enter their SEPA bank
-    account details and issue a SEPA mandate. You will then need to regularly download a SEPA XML file from pretix
-    and upload it to your bank's interface to actually perform the debits.
+To get an overview of the officially supported payment methods and their pros and cons, head to the `pretix website`_.
+On these pages, you get more information on how to configure :ref:`stripe`, :ref:`paypal`, and :ref:`banktransfer`.
 
 
+.. _pretix website: https://pretix.eu/about/en/payments

doc/user/payments/settings.rst

@@ -0,0 +1,65 @@
+General settings
+================
+
+At "Settings" → "Pages", you can configure every aspect related to the payments you want to accept. The upper part
+of the page shows a number of general settings that affect all payment methods:
+
+.. thumbnail:: ../../screens/event/settings_payment.png
+   :align: center
+   :class: screenshot
+
+In particular, these are:
+
+Payment term in days
+  If a order has been created, it is supposed to be paid within this number of days. Of course, some payment mehtods
+  (like credit card) succeed immediately in most cases, but others don't (like bank transfer) and even credit card
+  payments might fail and you might want to give the customer a chance to try another credit card before losing their
+  ticket. Therefore, we recommend setting a few days here. If you are accepting bank transfers, we wouldn't recommend
+  less than 10 days.
+
+Last date of payments
+  There is probably no use for payments received after your event, so you can set a date that the payment deadline of
+  a new order will never exceed. This has precendence over the number of days configured above, so if I create an order
+  two days before the configured last date of payments, my payment term will only be two days, not ten. If you have
+  payment methods that always require some time (like bank transfer), you will later be able to selectively disable them
+  once the event comes closer.
+
+Only end payment terms on weekdays
+  If you check this box, the payment term calculated by the number of days configured above will never end on a Saturday
+  or a Sunday. If it technically would do so, the term is extended to the next Monday. Note that this currently does not
+  take into account national or bank holidays in your country.
+
+Automatically expire unpaid orders
+  If you check this box, orders will automatically go into "expired" state if the payment term is over and no payment
+  has been received. This means that the tickets will no longer be reserved for the customer and someone else can buy
+  them from the shop again. If you do not check this box, tickets do not become available again automatically, but you
+  can mark orders as expired manually.
+
+Accept late payments
+  If you check this box, incoming payments will accepted even if the order is in "expired" state -- as long as there
+  still is sufficient quota available and the last date of payments is not yet over. We recommend to check this in most
+  cases.
+
+Tax rule for payment fees
+  If you pass on the payment method fees to your customers, you will most likely also need to pay sales tax on those
+  fees. Here, you can configure the tax rate. Read :ref:`taxes` for more information.
+
+Below, you can configure the details of the various payment methods. You can find information on their different settings
+on the next pages of this documentation, but there are a few things most of them have in common:
+
+Enable payment method
+  Check this box to allow customers to use this method. At least one method needs to be active to process non-free orders.
+
+Additional fee (absolute and percentage), Calculate the fee from the total value including the fee
+  These fields allow you to pass fees on to your customers instead of paying them yourselves. Read :ref:`payment-fees`
+  for documentation on how this behaves.
+
+Available until
+  This allows you to set a date at which this payment method will automatically become disabled. This is useful if you
+  want people to be able to pay by card on the day before your event, but not by bank transfer, because it would not
+  arrive in time.
+
+Text on invoices
+  If you are using pretix' invoicing feature, this is a text that will be printed on every invoice for an order that
+  uses this payment method. You could use this to tell the accounting department of the invoice receiver that the payment
+  has already been received online or that it should be performed via bank transfer.

res/icon.svg

@@ -1,44 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:cc="http://creativecommons.org/ns#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:svg="http://www.w3.org/2000/svg"
    xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="149.59399"
-   height="149.59399"
-   id="svg2"
+   viewBox="0 0 149.59399 149.59399"
    version="1.1"
-   inkscape:version="0.48.5 r10040"
-   sodipodi:docname="icon_draft.svg">
+   id="svg2"
+   height="159.56693"
+   width="159.56693">
   <defs
      id="defs4" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="3.959798"
-     inkscape:cx="141.14985"
-     inkscape:cy="82.686886"
-     inkscape:document-units="px"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="1914"
-     inkscape:window-height="1039"
-     inkscape:window-x="1920"
-     inkscape:window-y="18"
-     inkscape:window-maximized="0"
-     fit-margin-top="20"
-     fit-margin-left="20"
-     fit-margin-right="20"
-     fit-margin-bottom="20" />
   <metadata
      id="metadata7">
     <rdf:RDF>
@@ -52,15 +25,12 @@
     </rdf:RDF>
   </metadata>
   <g
-     inkscape:label="Ebene 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-257.78125,-548.74975)">
+     transform="translate(-257.78125,-548.74975)"
+     id="layer1">
     <path
-       style="color:#000000;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
-       d="m 277.78125,568.74975 0,34.09383 c 11.37842,0 20.613,9.28198 20.613,20.7188 0,11.4368 -9.23458,20.68754 -20.613,20.68754 l 0,34.09383 68.33691,0 0,-9.50002 2.98469,0 0,9.50002 38.2724,0 0,-34.09383 c -0.0104,2e-5 -0.0207,0 -0.031,0 -11.37841,0 -20.613,-9.25074 -20.613,-20.68754 0,-11.43682 9.23459,-20.7188 20.613,-20.7188 0.0105,0 0.0207,-2e-5 0.031,0 l 0,-34.09383 -38.2724,0 0,9.09377 -2.98469,0 0,-9.09377 z m 68.33691,16.09379 2.98469,0 0,14.00003 -2.98469,0 z m 0,21.00004 2.98469,0 0,14.00004 -2.98469,0 z m -24.40604,3.68751 c 4.02516,3e-5 7.02244,1.10354 8.98515,3.34376 1.96268,2.20685 2.92251,5.27326 2.92251,9.21877 l 0,3.87501 c 0,3.94554 -0.95983,7.04102 -2.92251,9.28127 -1.96271,2.20683 -4.95999,3.31251 -8.98515,3.31251 -0.5988,0 -1.31361,-0.0268 -2.14524,-0.0937 -0.83167,-0.0334 -1.71126,-0.11626 -2.64269,-0.25 l 0,8.87502 c -1e-5,0.26748 -0.11132,0.48687 -0.31091,0.6875 -0.19961,0.20061 -0.41788,0.31249 -0.68399,0.3125 l -4.60139,0 c -0.26614,-1e-5 -0.4844,-0.11189 -0.684,-0.3125 -0.19959,-0.20063 -0.3109,-0.42002 -0.3109,-0.6875 l 0,-34.90633 c 0,-0.36777 0.0824,-0.64529 0.24872,-0.8125 0.16633,-0.20059 0.52265,-0.39529 1.08817,-0.5625 1.5635,-0.40121 3.24248,-0.70343 5.00557,-0.93751 1.76309,-0.23403 3.43988,-0.34372 5.03666,-0.34375 z m 0,5.40627 c -0.89819,2e-5 -1.80453,0.0269 -2.73596,0.0937 -0.89819,0.0669 -1.58626,0.14971 -2.05197,0.25 l 0,17.50004 c 0.69857,0.10031 1.49359,0.18313 2.42505,0.25 0.9647,0.0669 1.76408,0.12501 2.36288,0.125 1.06449,10e-6 1.94409,-0.19469 2.64269,-0.5625 0.69857,-0.36781 1.24859,-0.86471 1.6478,-1.50001 0.39917,-0.63529 0.67527,-1.38064 0.80835,-2.25 0.16631,-0.86934 0.24871,-1.83846 0.24873,-2.87501 l 0,-3.87501 c -2e-5,-1.03651 -0.0824,-1.97438 -0.24873,-2.84375 -0.13308,-0.86934 -0.40918,-1.61469 -0.80835,-2.25001 -0.39921,-0.63527 -0.94923,-1.13218 -1.6478,-1.5 -0.6986,-0.36778 -1.5782,-0.56248 -2.64269,-0.5625 z m 24.40604,11.90627 2.98469,0 0,14.00003 -2.98469,0 z m 0,21.00005 2.98469,0 0,14.00003 -2.98469,0 z"
        id="rect3888"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccsccccccccssscccccccccccccccccccsscscccccccssccccccccccccccccccccccccccccc" />
+       transform="matrix(0.93749999,0,0,0.93749999,257.78125,548.74975)"
+       d="M 21.333984 21.333984 L 21.333984 57.699219 C 33.470966 57.699219 43.320312 67.601506 43.320312 79.800781 C 43.320312 92.000035 33.470966 101.86719 21.333984 101.86719 L 21.333984 138.23438 L 94.226562 138.23438 L 94.226562 128.09961 L 97.410156 128.09961 L 97.410156 138.23438 L 138.23438 138.23438 L 138.23438 101.86719 C 138.22328 101.86721 138.21216 101.86719 138.20117 101.86719 C 126.0642 101.86719 116.21289 92.000035 116.21289 79.800781 C 116.21289 67.601506 126.0642 57.699219 138.20117 57.699219 C 138.21237 57.699219 138.22339 57.699197 138.23438 57.699219 L 138.23438 21.333984 L 97.410156 21.333984 L 97.410156 31.033203 L 94.226562 31.033203 L 94.226562 21.333984 L 21.333984 21.333984 z M 94.226562 38.5 L 97.410156 38.5 L 97.410156 53.433594 L 94.226562 53.433594 L 94.226562 38.5 z M 94.226562 60.900391 L 97.410156 60.900391 L 97.410156 75.833984 L 94.226562 75.833984 L 94.226562 60.900391 z M 67.044922 64.027344 C 76.359333 64.027344 82.662109 68.991742 82.662109 79.533203 C 82.662109 89.014942 77.139434 95.039062 69.386719 95.039062 C 67.490377 95.039062 65.927327 94.814901 65.146484 94.591797 L 65.146484 106.64062 L 54.550781 106.64062 L 54.550781 66.314453 C 57.395304 64.97585 61.244324 64.027344 67.044922 64.027344 z M 66.990234 70.216797 C 66.209392 70.216797 65.648458 70.328766 65.146484 70.496094 L 65.146484 88.568359 C 65.536906 88.735677 66.097199 88.845703 66.822266 88.845703 C 70.61497 88.845703 72.175781 85.725087 72.175781 79.589844 C 72.175781 73.287273 70.838704 70.216797 66.990234 70.216797 z M 94.226562 83.300781 L 97.410156 83.300781 L 97.410156 98.234375 L 94.226562 98.234375 L 94.226562 83.300781 z M 94.226562 105.69922 L 97.410156 105.69922 L 97.410156 120.63281 L 94.226562 120.63281 L 94.226562 105.69922 z "
+       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1.06666672;marker:none;enable-background:accumulate" />
   </g>
 </svg>

src/Makefile

@@ -6,7 +6,7 @@ localecompile:
 
 localegen:
 	./manage.py makemessages --all --ignore "pretix/helpers/*"
-	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "build/*"
+	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*"
 
 staticfiles: jsi18n
 	./manage.py collectstatic --noinput

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "1.7.2"
+__version__ = "1.10.0"

src/pretix/api/auth/permission.py

@@ -1,3 +1,8 @@
+import time
+
+from django.conf import settings
+from django.contrib.auth import logout
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.base.models import Event
@@ -9,10 +14,27 @@ class EventPermission(BasePermission):
 
     def has_permission(self, request, view):
         if not request.user.is_authenticated and not isinstance(request.auth, TeamAPIToken):
-            if request.method in SAFE_METHODS and request.path.startswith('/api/v1/docs/'):
-                return True
             return False
 
+        if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
+            required_permission = getattr(view, 'write_permission')
+        elif hasattr(view, 'permission'):
+            required_permission = getattr(view, 'permission')
+        else:
+            required_permission = None
+
+        if request.user.is_authenticated:
+            # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+            if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
+                last_used = request.session.get('pretix_auth_last_used', time.time())
+                if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
+                    logout(request)
+                    request.session['pretix_auth_login_time'] = 0
+                    return False
+                if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
+                    return False
+                request.session['pretix_auth_last_used'] = int(time.time())
+
         perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
                        else request.user)
         if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
@@ -25,9 +47,8 @@ class EventPermission(BasePermission):
             request.organizer = request.event.organizer
             request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
 
-            if hasattr(view, 'permission'):
-                if view.permission and view.permission not in request.eventpermset:
-                    return False
+            if required_permission and required_permission not in request.eventpermset:
+                return False
 
         elif 'organizer' in request.resolver_match.kwargs:
             request.organizer = Organizer.objects.filter(
@@ -37,7 +58,21 @@ class EventPermission(BasePermission):
                 return False
             request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
 
-            if hasattr(view, 'permission'):
-                if view.permission and view.permission not in request.orgapermset:
-                    return False
+            if required_permission and required_permission not in request.orgapermset:
+                return False
         return True
+
+
+def permission_required(required_permission):
+    def decorator(function):
+        def wrapper(self, request, *args, **kw):
+            if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
+                if required_permission and required_permission not in request.eventpermset:
+                    raise PermissionDenied('You do not have permission to perform this operation.')
+            elif 'organizer' in request.resolver_match.kwargs:
+                if required_permission and required_permission not in request.orgapermset:
+                    raise PermissionDenied('You do not have permission to perform this operation.')
+
+            return function(self, request, *args, **kw)
+        return wrapper
+    return decorator

src/pretix/api/exception.py

@@ -0,0 +1,16 @@
+from rest_framework.response import Response
+from rest_framework.views import exception_handler, status
+
+from pretix.base.services.locking import LockTimeoutException
+
+
+def custom_exception_handler(exc, context):
+    response = exception_handler(exc, context)
+
+    if isinstance(exc, LockTimeoutException):
+        response = Response(
+            {'detail': 'The server was too busy to process your request. Please try again.'},
+            status=status.HTTP_409_CONFLICT
+        )
+
+    return response

src/pretix/api/serializers/checkin.py

@@ -0,0 +1,37 @@
+from django.utils.translation import ugettext as _
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
+from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.models import CheckinList
+
+
+class CheckinListSerializer(I18nAwareModelSerializer):
+    checkin_count = serializers.IntegerField(read_only=True)
+    position_count = serializers.IntegerField(read_only=True)
+
+    class Meta:
+        model = CheckinList
+        fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        for item in full_data.get('limit_products'):
+            if event != item.event:
+                raise ValidationError(_('One or more items do not belong to this event.'))
+
+        if event.has_subevents:
+            if not full_data.get('subevent'):
+                raise ValidationError(_('Subevent cannot be null for event series.'))
+            if event != full_data.get('subevent').event:
+                raise ValidationError(_('The subevent does not belong to this event.'))
+        else:
+            if full_data.get('subevent'):
+                raise ValidationError(_('The subevent does not belong to this event.'))
+
+        return data

src/pretix/api/serializers/i18n.py

@@ -1,5 +1,7 @@
 from django.conf import settings
 from i18nfield.fields import I18nCharField, I18nTextField
+from i18nfield.strings import LazyI18nString
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import ModelSerializer
 
@@ -22,6 +24,16 @@ class I18nField(Field):
                 settings.LANGUAGE_CODE: str(value.data)
             }
 
+    def to_internal_value(self, data):
+        if isinstance(data, str):
+            return LazyI18nString(data)
+        elif isinstance(data, dict):
+            if any([k not in dict(settings.LANGUAGES) for k in data.keys()]):
+                raise ValidationError('Invalid languages included.')
+            return LazyI18nString(data)
+        else:
+            raise ValidationError('Invalid data type.')
+
 
 class I18nAwareModelSerializer(ModelSerializer):
     pass

src/pretix/api/serializers/item.py

@@ -73,3 +73,16 @@ class QuotaSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Quota
         fields = ('id', 'name', 'size', 'items', 'variations', 'subevent')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Quota.clean_variations(full_data.get('items'), full_data.get('variations'))
+        Quota.clean_items(event, full_data.get('items'), full_data.get('variations'))
+        Quota.clean_subevent(event, full_data.get('subevent'))
+
+        return data

src/pretix/api/serializers/order.py

@@ -26,7 +26,7 @@ class InvoiceAdddressSerializer(I18nAwareModelSerializer):
     class Meta:
         model = InvoiceAddress
         fields = ('last_modified', 'is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
-                  'vat_id_validated')
+                  'vat_id_validated', 'internal_reference')
 
 
 class AnswerSerializer(I18nAwareModelSerializer):
@@ -153,4 +153,5 @@ class InvoiceSerializer(I18nAwareModelSerializer):
         model = Invoice
         fields = ('order', 'number', 'is_cancellation', 'invoice_from', 'invoice_to', 'date', 'refers', 'locale',
                   'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines',
-                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date')
+                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date',
+                  'internal_reference')

src/pretix/api/serializers/voucher.py

@@ -8,3 +8,36 @@ class VoucherSerializer(I18nAwareModelSerializer):
         fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
                   'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
                   'tag', 'comment', 'subevent')
+        read_only_fields = ('id', 'redeemed')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Voucher.clean_item_properties(
+            full_data, self.context.get('event'),
+            full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+        )
+        Voucher.clean_subevent(
+            full_data, self.context.get('event')
+        )
+        Voucher.clean_max_usages(full_data, self.instance.redeemed if self.instance else 0)
+        check_quota = Voucher.clean_quota_needs_checking(
+            full_data, self.instance,
+            item_changed=self.instance and (
+                full_data.get('item') != self.instance.item or
+                full_data.get('variation') != self.instance.variation or
+                full_data.get('quota') != self.instance.quota
+            ),
+            creating=not self.instance
+        )
+        if check_quota:
+            Voucher.clean_quota_check(
+                full_data, 1, self.instance, self.context.get('event'),
+                full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+            )
+        Voucher.clean_voucher_code(full_data, self.context.get('event'), self.instance.pk if self.instance else None)
+
+        return data

src/pretix/api/templates/rest_framework/api.html

@@ -1,19 +0,0 @@
-{% extends "rest_framework/base.html" %}
-{% load staticfiles %}
-{% load compress %}
-
-{% block bootstrap_theme %}
-    {% compress css %}
-        <link rel="stylesheet" type="text/x-scss" href="{% static "rest_framework/scss/main.scss" %}" />
-    {% endcompress %}
-{% endblock %}
-{% block branding %}
-    <a class="navbar-brand" href="/api/v1/">pretix REST API</a>
-{% endblock %}
-{% block description %}
-    <div class="alert alert-info alert-docs-link">
-        <a href="https://docs.pretix.eu/en/latest/api/index.html">
-            You can find documentation on our REST API on docs.pretix.eu.
-        </a>
-    </div>
-{% endblock %}

src/pretix/api/urls.py

@@ -4,7 +4,7 @@ from django.apps import apps
 from django.conf.urls import include, url
 from rest_framework import routers
 
-from .views import event, item, order, organizer, voucher, waitinglist
+from .views import checkin, event, item, order, organizer, voucher, waitinglist
 
 router = routers.DefaultRouter()
 router.register(r'organizers', organizer.OrganizerViewSet)
@@ -24,6 +24,7 @@ event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'taxrules', event.TaxRuleViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
+event_router.register(r'checkinlists', checkin.CheckinListViewSet)
 
 # Force import of all plugins to give them a chance to register URLs with the router
 for app in apps.get_app_configs():

src/pretix/api/views/checkin.py

@@ -0,0 +1,59 @@
+from django_filters.rest_framework import DjangoFilterBackend, FilterSet
+from rest_framework import viewsets
+
+from pretix.api.serializers.checkin import CheckinListSerializer
+from pretix.base.models import CheckinList
+from pretix.base.models.organizer import TeamAPIToken
+
+
+class CheckinListFilter(FilterSet):
+    class Meta:
+        model = CheckinList
+        fields = ['subevent']
+
+
+class CheckinListViewSet(viewsets.ModelViewSet):
+    serializer_class = CheckinListSerializer
+    queryset = CheckinList.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filter_class = CheckinListFilter
+    permission = 'can_view_orders'
+    write_permission = 'can_change_event_settings'
+
+    def get_queryset(self):
+        qs = self.request.event.checkin_lists.prefetch_related(
+            'limit_products',
+        )
+        qs = CheckinList.annotate_with_numbers(qs, self.request.event)
+        return qs
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.checkinlist.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.checkinlist.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        instance.log_action(
+            'pretix.event.checkinlist.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/api/views/event.py

@@ -1,11 +1,13 @@
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
+from rest_framework.exceptions import PermissionDenied
 
 from pretix.api.serializers.event import (
     EventSerializer, SubEventSerializer, TaxRuleSerializer,
 )
 from pretix.base.models import Event, ItemCategory, TaxRule
 from pretix.base.models.event import SubEvent
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class EventViewSet(viewsets.ReadOnlyModelViewSet):
@@ -36,9 +38,39 @@ class SubEventViewSet(viewsets.ReadOnlyModelViewSet):
         )
 
 
-class TaxRuleViewSet(viewsets.ReadOnlyModelViewSet):
+class TaxRuleViewSet(viewsets.ModelViewSet):
     serializer_class = TaxRuleSerializer
     queryset = TaxRule.objects.none()
+    write_permission = 'can_change_event_settings'
 
     def get_queryset(self):
         return self.request.event.tax_rules.all()
+
+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This tax rule can not be deleted as it is currently in use.')
+
+        instance.log_action(
+            'pretix.event.taxrule.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/api/views/item.py

@@ -11,6 +11,7 @@ from pretix.api.serializers.item import (
     QuotaSerializer,
 )
 from pretix.base.models import Item, ItemCategory, Question, Quota
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class ItemFilter(FilterSet):
@@ -34,6 +35,7 @@ class ItemViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     filter_class = ItemFilter
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
@@ -52,6 +54,7 @@ class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
     filter_class = ItemCategoryFilter
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.categories.all()
@@ -63,6 +66,7 @@ class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
     filter_backends = (OrderingFilter,)
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -74,17 +78,88 @@ class QuotaFilter(FilterSet):
         fields = ['subevent']
 
 
-class QuotaViewSet(viewsets.ReadOnlyModelViewSet):
+class QuotaViewSet(viewsets.ModelViewSet):
     serializer_class = QuotaSerializer
     queryset = Quota.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter,)
     filter_class = QuotaFilter
     ordering_fields = ('id', 'size')
     ordering = ('id',)
+    permission = 'can_change_items'
+    write_permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.quotas.all()
 
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.quota.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+        if serializer.instance.subevent:
+            serializer.instance.subevent.log_action(
+                'pretix.subevent.quota.added',
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                data=self.request.data
+            )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        current_subevent = serializer.instance.subevent
+        serializer.save(event=self.request.event)
+        request_subevent = serializer.instance.subevent
+        serializer.instance.log_action(
+            'pretix.event.quota.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+        if current_subevent == request_subevent:
+            if current_subevent is not None:
+                current_subevent.log_action(
+                    'pretix.subevent.quota.changed',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                    data=self.request.data
+                )
+        else:
+            if request_subevent is not None:
+                request_subevent.log_action(
+                    'pretix.subevent.quota.added',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                    data=self.request.data
+                )
+            if current_subevent is not None:
+                current_subevent.log_action(
+                    'pretix.subevent.quota.deleted',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                )
+        serializer.instance.rebuild_cache()
+
+    def perform_destroy(self, instance):
+        instance.log_action(
+            'pretix.event.quota.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        if instance.subevent:
+            instance.subevent.log_action(
+                'pretix.subevent.quota.deleted',
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            )
+        super().perform_destroy(instance)
+
     @detail_route(methods=['get'])
     def availability(self, request, *args, **kwargs):
         quota = self.get_object()

src/pretix/api/views/order.py

@@ -1,18 +1,28 @@
+import datetime
+
 import django_filters
+import pytz
 from django.db.models import Q
 from django.db.models.functions import Concat
 from django.http import FileResponse
+from django.utils.timezone import make_aware
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
-from rest_framework import viewsets
+from rest_framework import serializers, status, viewsets
 from rest_framework.decorators import detail_route
 from rest_framework.exceptions import APIException, NotFound, PermissionDenied
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response
 
 from pretix.api.serializers.order import (
     InvoiceSerializer, OrderPositionSerializer, OrderSerializer,
 )
-from pretix.base.models import Invoice, Order, OrderPosition
+from pretix.base.models import Invoice, Order, OrderPosition, Quota
+from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.services.invoices import invoice_pdf
+from pretix.base.services.mail import SendMailException
+from pretix.base.services.orders import (
+    OrderError, cancel_order, extend_order, mark_order_paid,
+)
 from pretix.base.services.tickets import (
     get_cachedticket_for_order, get_cachedticket_for_position,
 )
@@ -34,6 +44,7 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
     filter_class = OrderFilter
     lookup_field = 'code'
     permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
 
     def get_queryset(self):
         return self.request.event.orders.prefetch_related(
@@ -71,6 +82,130 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
             )
             return resp
 
+    @detail_route(methods=['POST'])
+    def mark_paid(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status in (Order.STATUS_PENDING, Order.STATUS_EXPIRED):
+            try:
+                mark_order_paid(
+                    order, manual=True,
+                    user=request.user if request.user.is_authenticated else None,
+                    api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+                )
+            except Quota.QuotaExceededException as e:
+                return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+            except SendMailException:
+                pass
+
+            return self.retrieve(request, [], **kwargs)
+        return Response(
+            {'detail': 'The order is not pending or expired.'},
+            status=status.HTTP_400_BAD_REQUEST
+        )
+
+    @detail_route(methods=['POST'])
+    def mark_canceled(self, request, **kwargs):
+        send_mail = request.data.get('send_email', True)
+
+        order = self.get_object()
+        if order.status != Order.STATUS_PENDING:
+            return Response(
+                {'detail': 'The order is not pending.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        cancel_order(
+            order,
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            send_mail=send_mail
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    @detail_route(methods=['POST'])
+    def mark_pending(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status != Order.STATUS_PAID:
+            return Response(
+                {'detail': 'The order is not paid.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        order.status = Order.STATUS_PENDING
+        order.payment_manual = True
+        order.save()
+        order.log_action(
+            'pretix.event.order.unpaid',
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    @detail_route(methods=['POST'])
+    def mark_expired(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status != Order.STATUS_PENDING:
+            return Response(
+                {'detail': 'The order is not pending.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        order.status = Order.STATUS_EXPIRED
+        order.save()
+        order.log_action(
+            'pretix.event.order.expired',
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    # TODO: Find a way to implement mark_refunded
+
+    @detail_route(methods=['POST'])
+    def extend(self, request, **kwargs):
+        new_date = request.data.get('expires', None)
+        force = request.data.get('force', False)
+        if not new_date:
+            return Response(
+                {'detail': 'New date is missing.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        df = serializers.DateField()
+        try:
+            new_date = df.to_internal_value(new_date)
+        except:
+            return Response(
+                {'detail': 'New date is invalid.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        tz = pytz.timezone(self.request.event.settings.timezone)
+        new_date = make_aware(datetime.datetime.combine(
+            new_date,
+            datetime.time(hour=23, minute=59, second=59)
+        ), tz)
+
+        order = self.get_object()
+
+        try:
+            extend_order(
+                order,
+                new_date=new_date,
+                force=force,
+                user=request.user if request.user.is_authenticated else None,
+                api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            )
+            return self.retrieve(request, [], **kwargs)
+        except OrderError as e:
+            return Response(
+                {'detail': str(e)},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
 
 class OrderPositionFilter(FilterSet):
     order = django_filters.CharFilter(name='order', lookup_expr='code')

src/pretix/api/views/voucher.py

@@ -4,10 +4,12 @@ from django_filters.rest_framework import (
     BooleanFilter, DjangoFilterBackend, FilterSet,
 )
 from rest_framework import viewsets
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 
 from pretix.api.serializers.voucher import VoucherSerializer
 from pretix.base.models import Voucher
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class VoucherFilter(FilterSet):
@@ -27,7 +29,7 @@ class VoucherFilter(FilterSet):
                                    (Q(valid_until__isnull=False) & Q(valid_until__lte=now())))
 
 
-class VoucherViewSet(viewsets.ReadOnlyModelViewSet):
+class VoucherViewSet(viewsets.ModelViewSet):
     serializer_class = VoucherSerializer
     queryset = Voucher.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -35,6 +37,49 @@ class VoucherViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
     filter_class = VoucherFilter
     permission = 'can_view_vouchers'
+    write_permission = 'can_change_vouchers'
 
     def get_queryset(self):
         return self.request.event.vouchers.all()
+
+    def create(self, request, *args, **kwargs):
+        with request.event.lock():
+            return super().create(request, *args, **kwargs)
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.voucher.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def update(self, request, *args, **kwargs):
+        with request.event.lock():
+            return super().update(request, *args, **kwargs)
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.voucher.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This voucher can not be deleted as it has already been used.')
+
+        instance.log_action(
+            'pretix.voucher.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/base/__init__.py

@@ -11,7 +11,7 @@ class PretixBaseConfig(AppConfig):
         from . import payment  # NOQA
         from . import exporters  # NOQA
         from . import invoice  # NOQA
-        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check  # NOQA
+        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas  # NOQA
 
         try:
             from .celery_app import app as celery_app  # NOQA

src/pretix/base/cache.py

@@ -1,6 +1,6 @@
 import hashlib
 import time
-from typing import Dict, List
+from typing import Callable, Dict, List
 
 from django.core.cache import caches
 from django.db.models import Model
@@ -11,17 +11,19 @@ class NamespacedCache:
     def __init__(self, prefixkey: str, cache: str='default'):
         self.cache = caches[cache]
         self.prefixkey = prefixkey
+        self._last_prefix = None
 
-    def _prefix_key(self, original_key: str) -> str:
+    def _prefix_key(self, original_key: str, known_prefix=None) -> str:
         # Race conditions can happen here, but should be very very rare.
         # We could only handle this by going _really_ lowlevel using
         # memcached's `add` keyword instead of `set`.
         # See also:
         # https://code.google.com/p/memcached/wiki/NewProgrammingTricks#Namespacing
-        prefix = self.cache.get(self.prefixkey)
+        prefix = known_prefix or self.cache.get(self.prefixkey)
         if prefix is None:
             prefix = int(time.time())
             self.cache.set(self.prefixkey, prefix)
+        self._last_prefix = prefix
         key = '%s:%d:%s' % (self.prefixkey, prefix, original_key)
         if len(key) > 200:  # Hash long keys, as memcached has a length limit
             # TODO: Use a more efficient, non-cryptographic hash algorithm
@@ -32,17 +34,25 @@ class NamespacedCache:
         return key.split(":", 2 + self.prefixkey.count(":"))[-1]
 
     def clear(self) -> None:
+        self._last_prefix = None
         try:
             prefix = self.cache.incr(self.prefixkey, 1)
         except ValueError:
             prefix = int(time.time())
             self.cache.set(self.prefixkey, prefix)
 
-    def set(self, key: str, value: str, timeout: int=3600):
+    def set(self, key: str, value: str, timeout: int=300):
         return self.cache.set(self._prefix_key(key), value, timeout)
 
     def get(self, key: str) -> str:
-        return self.cache.get(self._prefix_key(key))
+        return self.cache.get(self._prefix_key(key, known_prefix=self._last_prefix))
+
+    def get_or_set(self, key: str, default: Callable, timeout=300) -> str:
+        return self.cache.get_or_set(
+            self._prefix_key(key, known_prefix=self._last_prefix),
+            default=default,
+            timeout=timeout
+        )
 
     def get_many(self, keys: List[str]) -> Dict[str, str]:
         values = self.cache.get_many([self._prefix_key(key) for key in keys])
@@ -51,7 +61,7 @@ class NamespacedCache:
             newvalues[self._strip_prefix(k)] = v
         return newvalues
 
-    def set_many(self, values: Dict[str, str], timeout=3600):
+    def set_many(self, values: Dict[str, str], timeout=300):
         newvalues = {}
         for k, v in values.items():
             newvalues[self._prefix_key(k)] = v

src/pretix/base/exporters/answers.py

@@ -25,7 +25,9 @@ class AnswerFilesExporter(BaseExporter):
                  forms.ModelMultipleChoiceField(
                      queryset=self.event.questions.filter(type='F'),
                      label=_('Questions'),
-                     widget=forms.CheckboxSelectMultiple,
+                     widget=forms.CheckboxSelectMultiple(
+                         attrs={'class': 'scrolling-multiple-choice'}
+                     ),
                      required=False
                  )),
             ]
@@ -41,7 +43,7 @@ class AnswerFilesExporter(BaseExporter):
             with ZipFile(os.path.join(d, 'tmp.zip'), 'w') as zipf:
                 for i in qs:
                     if i.file:
-                        i.file.open('r')
+                        i.file.open('rb')
                         fname = '{}-{}-{}-q{}-{}'.format(
                             self.event.slug.upper(),
                             i.orderposition.order.code,

src/pretix/base/forms/user.py

@@ -5,6 +5,7 @@ from django.contrib.auth.password_validation import (
 )
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
+from pytz import common_timezones
 
 from pretix.base.models import User
 
@@ -31,17 +32,19 @@ class UserSettingsForm(forms.ModelForm):
                                     required=False,
                                     label=_("Repeat new password"),
                                     widget=forms.PasswordInput())
-    # timezone = forms.ChoiceField(
-    #     choices=((a, a) for a in common_timezones),
-    #     label=_("Default timezone"),
-    # )
+    timezone = forms.ChoiceField(
+        choices=((a, a) for a in common_timezones),
+        label=_("Default timezone"),
+        help_text=_('Only used for views that are not bound to an event. For all '
+                    'event views, the event timezone is used instead.')
+    )
 
     class Meta:
         model = User
         fields = [
             'fullname',
             'locale',
-            # 'timezone',
+            'timezone',
             'email'
         ]
 

src/pretix/base/invoice.py

@@ -331,6 +331,12 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             NextPageTemplate('OtherPages'),
         ]
 
+        if self.invoice.internal_reference:
+            story.append(Paragraph(
+                pgettext('invoice', 'Your reference: {reference}').format(reference=self.invoice.internal_reference),
+                self.stylesheet['Normal']
+            ))
+
         if self.invoice.introductory_text:
             story.append(Paragraph(self.invoice.introductory_text, self.stylesheet['Normal']))
             story.append(Spacer(1, 10 * mm))

src/pretix/base/middleware.py

@@ -47,10 +47,10 @@ class LocaleMiddleware(MiddlewareMixin):
         request.LANGUAGE_CODE = translation.get_language()
 
         tzname = None
-        if request.user.is_authenticated:
-            tzname = request.user.timezone
         if hasattr(request, 'event'):
             tzname = request.event.settings.timezone
+        elif request.user.is_authenticated:
+            tzname = request.user.timezone
         if tzname:
             try:
                 timezone.activate(pytz.timezone(tzname))
@@ -186,11 +186,13 @@ class SecurityMiddleware(MiddlewareMixin):
             'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
             'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
             'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
+            'font-src': ["{static}"],
             # form-action is not only used to match on form actions, but also on URLs
             # form-actions redirect to. In the context of e.g. payment providers or
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
             'form-action': ["{dynamic}", "https:"],
+            'report-uri': ["/csp_report/"],
         }
         if 'Content-Security-Policy' in resp:
             _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
@@ -218,7 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
                     domain = '%s:%d' % (domain, siteurlsplit.port)
                 dynamicdomain += " " + domain
 
-        if request.path not in self.CSP_EXEMPT:
+        if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
             resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
                                                                     media=mediadomain, nonce=request.csp_nonce)
+            for k, v in h.items():
+                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
+                                          nonce=request.csp_nonce).split(' ')
+            resp['Content-Security-Policy'] = _render_csp(h)
+        elif 'Content-Security-Policy' in resp:
+            del resp['Content-Security-Policy']
+
         return resp

src/pretix/base/migrations/0076_orderfee_squashed_0082_invoiceaddress_internal_reference.py

@@ -0,0 +1,173 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-11-03 11:03
+from __future__ import unicode_literals
+
+from decimal import Decimal
+
+import django.db.migrations.operations.special
+import django.db.models.deletion
+import i18nfield.fields
+from django.db import migrations, models
+
+
+def fee_converter(app, schema_editor):
+    OrderFee = app.get_model('pretixbase', 'OrderFee')
+    Order = app.get_model('pretixbase', 'Order')
+
+    of = []
+    for o in Order.objects.exclude(payment_fee=Decimal('0.00')).iterator():
+        of.append(OrderFee(
+            order=o,
+            value=o.payment_fee,
+            fee_type='payment',
+            tax_rate=o.payment_fee_tax_rate,
+            tax_rule=o.payment_fee_tax_rule,
+            tax_value=o.payment_fee_tax_value,
+            internal_type=o.payment_provider
+        ))
+        if len(of) > 900:
+            OrderFee.objects.bulk_create(of)
+            of = []
+    OrderFee.objects.bulk_create(of)
+
+
+def assign_positions(app, schema_editor):
+    Invoice = app.get_model('pretixbase', 'Invoice')
+
+    for i in Invoice.objects.iterator():
+        for j, l in enumerate(i.lines.all()):
+            l.position = j
+            l.save()
+
+
+def clear_quota_caches(app, schema_editor):
+    Quota = app.get_model('pretixbase', 'Quota')
+    Quota.objects.all().update(cached_availability_time=None)
+
+
+class Migration(migrations.Migration):
+
+    replaces = [('pretixbase', '0076_orderfee'), ('pretixbase', '0077_auto_20170829_1126'), ('pretixbase', '0078_auto_20171003_1650'), ('pretixbase', '0079_auto_20171010_2117'), ('pretixbase', '0080_auto_20171016_1553'), ('pretixbase', '0081_quota_cached_availability_paid_orders'), ('pretixbase', '0082_invoiceaddress_internal_reference')]
+
+    dependencies = [
+        ('pretixbase', '0075_auto_20170828_0901'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OrderFee',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Value')),
+                ('description', models.CharField(blank=True, max_length=190)),
+                ('internal_type', models.CharField(blank=True, max_length=255)),
+                ('fee_type', models.CharField(choices=[('payment', 'Payment method fee'), ('shipping', 'Shipping fee')], max_length=100)),
+                ('tax_rate', models.DecimalField(decimal_places=2, max_digits=7, verbose_name='Tax rate')),
+                ('tax_value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Tax value')),
+                ('order', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='fees', to='pretixbase.Order', verbose_name='Order')),
+                ('tax_rule', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TaxRule')),
+            ],
+        ),
+        migrations.RunPython(
+            code=fee_converter,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rate',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rule',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_value',
+        ),
+        migrations.AddField(
+            model_name='invoiceline',
+            name='position',
+            field=models.PositiveIntegerField(default=0),
+        ),
+        migrations.AlterField(
+            model_name='orderfee',
+            name='fee_type',
+            field=models.CharField(choices=[('payment', 'Payment fee'), ('shipping', 'Shipping fee'), ('other', 'Other fees')], max_length=100),
+        ),
+        migrations.RunPython(
+            code=assign_positions,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.AlterModelOptions(
+            name='invoiceline',
+            options={'ordering': ('position', 'pk')},
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_number',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_state',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_time',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='default',
+            field=models.TextField(blank=True),
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='eu_reverse_charge',
+            field=models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be qualified for reverse charge since the place of taxation is the location of the event. This option disables charging VAT for all customers outside the EU and for business customers in different EU countries who entered a valid EU VAT ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax calculation. USE AT YOUR OWN RISK.', verbose_name='Use EU reverse charge taxation rules'),
+        ),
+        migrations.AddField(
+            model_name='logentry',
+            name='api_token',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TeamAPIToken'),
+        ),
+        migrations.AlterField(
+            model_name='event',
+            name='name',
+            field=i18nfield.fields.I18nCharField(max_length=200, verbose_name='Event name'),
+        ),
+        migrations.AlterField(
+            model_name='item',
+            name='category',
+            field=models.ForeignKey(blank=True, help_text='If you have many products, you can optionally sort them into categories to keep things organized.', null=True, on_delete=django.db.models.deletion.PROTECT, related_name='items', to='pretixbase.ItemCategory', verbose_name='Category'),
+        ),
+        migrations.AlterField(
+            model_name='cartposition',
+            name='cart_id',
+            field=models.CharField(blank=True, db_index=True, max_length=255, null=True, verbose_name='Cart ID (e.g. session key)'),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_paid_orders',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.RunPython(
+            code=clear_quota_caches,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='internal_reference',
+            field=models.TextField(blank=True, help_text='This reference will be printed on your invoice for your convenience.', verbose_name='Internal reference'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='internal_reference',
+            field=models.TextField(blank=True),
+        ),
+    ]

src/pretix/base/migrations/0077_auto_20171124_1629.py

@@ -0,0 +1,106 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-11-24 16:29
+from __future__ import unicode_literals
+
+import django.core.validators
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+from django.utils.translation import ugettext as _
+
+import pretix.base.validators
+from pretix.base.i18n import language
+
+
+def create_checkin_lists(apps, schema_editor):
+    Event = apps.get_model('pretixbase', 'Event')
+    Checkin = apps.get_model('pretixbase', 'Checkin')
+    EventSettingsStore = apps.get_model('pretixbase', 'Event_SettingsStore')
+    for e in Event.objects.all():
+        locale = EventSettingsStore.objects.filter(object=e, key='locale').first()
+        if locale:
+            locale = locale.value
+        else:
+            locale = settings.LANGUAGE_CODE
+
+        if e.has_subevents:
+            for se in e.subevents.all():
+                with language(locale):
+                    cl = e.checkin_lists.create(name=se.name, subevent=se, all_products=True)
+                Checkin.objects.filter(position__subevent=se, position__order__event=e).update(list=cl)
+        else:
+            with language(locale):
+                cl = e.checkin_lists.create(name=_('Default list'), all_products=True)
+            Checkin.objects.filter(position__order__event=e).update(list=cl)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0076_orderfee_squashed_0082_invoiceaddress_internal_reference'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='event',
+            name='slug',
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='name',
+            field=models.CharField(db_index=True, help_text='Can not contain spaces or special characters except underscores', max_length=50, validators=[django.core.validators.RegexValidator(message='The property name may only contain letters, numbers and underscores.', regex='^[a-zA-Z0-9_]+$')], verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='organizer',
+            name='slug',
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+        ),
+        migrations.CreateModel(
+            name='CheckinList',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=190)),
+                ('all_products', models.BooleanField(default=True, verbose_name='All products (including newly created ones)')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='event',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='checkin_lists', to='pretixbase.Event'),
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='subevent',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, null=True, blank=True, related_name='checkin_lists', to='pretixbase.SubEvent'),
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='limit_products',
+            field=models.ManyToManyField(blank=True, to='pretixbase.Item', verbose_name='Limit to products'),
+        ),
+        migrations.AddField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+        migrations.AlterField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+        migrations.AlterField(
+            model_name='checkinlist',
+            name='subevent',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='pretixbase.SubEvent', verbose_name='Date'),
+        ),
+        migrations.RunPython(
+            create_checkin_lists,
+            migrations.RunPython.noop
+        ),
+        migrations.AlterField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(null=False, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+    ]

src/pretix/base/migrations/0078_auto_20171003_1650.py

@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-03 16:50
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0077_auto_20170829_1126'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_number',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_state',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_time',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='default',
+            field=models.TextField(blank=True),
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='eu_reverse_charge',
+            field=models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be qualified for reverse charge since the place of taxation is the location of the event. This option disables charging VAT for all customers outside the EU and for business customers in different EU countries who entered a valid EU VAT ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax calculation. USE AT YOUR OWN RISK.', verbose_name='Use EU reverse charge taxation rules'),
+        ),
+    ]

src/pretix/base/migrations/0079_auto_20171010_2117.py

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-10 21:17
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+import i18nfield.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0078_auto_20171003_1650'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='logentry',
+            name='api_token',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TeamAPIToken'),
+        ),
+        migrations.AlterField(
+            model_name='event',
+            name='name',
+            field=i18nfield.fields.I18nCharField(max_length=200, verbose_name='Event name'),
+        ),
+        migrations.AlterField(
+            model_name='item',
+            name='category',
+            field=models.ForeignKey(blank=True, help_text='If you have many products, you can optionally sort them into categories to keep things organized.', null=True, on_delete=django.db.models.deletion.PROTECT, related_name='items', to='pretixbase.ItemCategory', verbose_name='Category'),
+        ),
+    ]

src/pretix/base/migrations/0080_auto_20171016_1553.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-16 15:53
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0079_auto_20171010_2117'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='cartposition',
+            name='cart_id',
+            field=models.CharField(blank=True, db_index=True, max_length=255, null=True, verbose_name='Cart ID (e.g. session key)'),
+        ),
+    ]

src/pretix/base/migrations/0081_quota_cached_availability_paid_orders.py

@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-18 09:06
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+def clear_quota_caches(app, schema_editor):
+    Quota = app.get_model('pretixbase', 'Quota')
+    Quota.objects.all().update(cached_availability_time=None)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0080_auto_20171016_1553'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_paid_orders',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.RunPython(
+            clear_quota_caches, migrations.RunPython.noop
+        )
+    ]

src/pretix/base/migrations/0082_invoiceaddress_internal_reference.py

@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-10-26 22:13
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0081_quota_cached_availability_paid_orders'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='internal_reference',
+            field=models.TextField(blank=True, help_text='This reference will be printed on your invoice for your convenience.', verbose_name='Internal reference'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='internal_reference',
+            field=models.TextField(blank=True),
+        ),
+    ]

src/pretix/base/models/__init__.py

@@ -1,10 +1,10 @@
 from ..settings import GlobalSettingsObject_SettingsStore
 from .auth import U2FDevice, User
 from .base import CachedFile, LoggedModel, cachedfile_name
-from .checkin import Checkin
+from .checkin import Checkin, CheckinList
 from .event import (
-    Event, Event_SettingsStore, EventLock, RequiredAction, SubEvent,
-    generate_invite_token,
+    Event, Event_SettingsStore, EventLock, EventMetaProperty, EventMetaValue,
+    RequiredAction, SubEvent, SubEventMetaValue, generate_invite_token,
 )
 from .invoices import Invoice, InvoiceLine, invoice_filename
 from .items import (

src/pretix/base/models/auth.py

@@ -251,6 +251,24 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             | Q(id__in=self.teams.values_list('limit_events__id', flat=True))
         )
 
+    def get_events_with_permission(self, permission):
+        """
+        Returns a queryset of events the user has a specific permissions to.
+
+        :return: Iterable of Events
+        """
+        from .event import Event
+
+        if self.is_superuser:
+            return Event.objects.all()
+
+        kwargs = {permission: True}
+
+        return Event.objects.filter(
+            Q(organizer_id__in=self.teams.filter(all_events=True, **kwargs).values_list('organizer', flat=True))
+            | Q(id__in=self.teams.filter(**kwargs).values_list('limit_events__id', flat=True))
+        )
+
 
 class U2FDevice(Device):
     json_data = models.TextField()

src/pretix/base/models/base.py

@@ -36,7 +36,7 @@ def cached_file_delete(sender, instance, **kwargs):
 
 class LoggingMixin:
 
-    def log_action(self, action, data=None, user=None):
+    def log_action(self, action, data=None, user=None, api_token=None):
         """
         Create a LogEntry object that is related to this object.
         See the LogEntry documentation for details.
@@ -53,10 +53,12 @@ class LoggingMixin:
             event = self
         elif hasattr(self, 'event'):
             event = self.event
-        l = LogEntry(content_object=self, user=user, action_type=action, event=event)
+        if user and not user.is_authenticated:
+            user = None
+        logentry = LogEntry(content_object=self, user=user, action_type=action, event=event, api_token=api_token)
         if data:
-            l.data = json.dumps(data, cls=CustomJSONEncoder)
-        l.save()
+            logentry.data = json.dumps(data, cls=CustomJSONEncoder)
+        logentry.save()
 
 
 class LoggedModel(models.Model, LoggingMixin):

src/pretix/base/models/checkin.py

@@ -1,5 +1,76 @@
 from django.db import models
+from django.db.models import Case, Count, F, OuterRef, Q, Subquery, When
+from django.db.models.functions import Coalesce
 from django.utils.timezone import now
+from django.utils.translation import pgettext_lazy, ugettext_lazy as _
+
+from pretix.base.models import LoggedModel
+
+
+class CheckinList(LoggedModel):
+    event = models.ForeignKey('Event', related_name='checkin_lists')
+    name = models.CharField(max_length=190)
+    all_products = models.BooleanField(default=True, verbose_name=_("All products (including newly created ones)"))
+    limit_products = models.ManyToManyField('Item', verbose_name=_("Limit to products"), blank=True)
+    subevent = models.ForeignKey('SubEvent', null=True, blank=True,
+                                 verbose_name=pgettext_lazy('subevent', 'Date'))
+
+    @staticmethod
+    def annotate_with_numbers(qs, event):
+        from . import Order, OrderPosition
+        cqs = Checkin.objects.filter(
+            position__order__event=event,
+            position__order__status=Order.STATUS_PAID,
+            list=OuterRef('pk')
+        ).filter(
+            # This assumes that in an event with subevents, *all* positions have subevents
+            # and *all* checkin lists have a subevent assigned
+            Q(position__subevent=OuterRef('subevent'))
+            | (Q(position__subevent__isnull=True))
+        ).order_by().values('list').annotate(
+            c=Count('*')
+        ).values('c')
+        pqs_all = OrderPosition.objects.filter(
+            order__event=event,
+            order__status=Order.STATUS_PAID,
+        ).filter(
+            # This assumes that in an event with subevents, *all* positions have subevents
+            # and *all* checkin lists have a subevent assigned
+            Q(subevent=OuterRef('subevent'))
+            | (Q(subevent__isnull=True))
+        ).order_by().values('order__event').annotate(
+            c=Count('*')
+        ).values('c')
+        pqs_limited = OrderPosition.objects.filter(
+            order__event=event,
+            order__status=Order.STATUS_PAID,
+            item__in=OuterRef('limit_products')
+        ).filter(
+            # This assumes that in an event with subevents, *all* positions have subevents
+            # and *all* checkin lists have a subevent assigned
+            Q(subevent=OuterRef('subevent'))
+            | (Q(subevent__isnull=True))
+        ).order_by().values('order__event').annotate(
+            c=Count('*')
+        ).values('c')
+
+        return qs.annotate(
+            checkin_count=Coalesce(Subquery(cqs, output_field=models.IntegerField()), 0),
+            position_count=Coalesce(Case(
+                When(all_products=True, then=Subquery(pqs_all, output_field=models.IntegerField())),
+                default=Subquery(pqs_limited, output_field=models.IntegerField()),
+                output_field=models.IntegerField()
+            ), 0)
+        ).annotate(
+            percent=Case(
+                When(position_count__gt=0, then=F('checkin_count') * 100 / F('position_count')),
+                default=0,
+                output_field=models.IntegerField()
+            )
+        )
+
+    def __str__(self):
+        return self.name
 
 
 class Checkin(models.Model):
@@ -9,3 +80,11 @@ class Checkin(models.Model):
     position = models.ForeignKey('pretixbase.OrderPosition', related_name='checkins')
     datetime = models.DateTimeField(default=now)
     nonce = models.CharField(max_length=190, null=True, blank=True)
+    list = models.ForeignKey(
+        'pretixbase.CheckinList', related_name='checkins', on_delete=models.PROTECT,
+    )
+
+    def __repr__(self):
+        return "<Checkin: pos {} on list '{}' at {}>".format(
+            self.position, self.list, self.datetime
+        )

src/pretix/base/models/event.py

@@ -38,6 +38,31 @@ class EventMixin:
             raise ValidationError({'date_to': _('The end of the event has to be later than its start.')})
         super().clean()
 
+    def get_short_date_from_display(self, tz=None, show_times=True) -> str:
+        """
+        Returns a shorter formatted string containing the start date of the event with respect
+        to the current locale and to the ``show_times`` setting.
+        """
+        tz = tz or pytz.timezone(self.settings.timezone)
+        return _date(
+            self.date_from.astimezone(tz),
+            "SHORT_DATETIME_FORMAT" if self.settings.show_times and show_times else "DATE_FORMAT"
+        )
+
+    def get_short_date_to_display(self, tz=None) -> str:
+        """
+        Returns a shorter formatted string containing the start date of the event with respect
+        to the current locale and to the ``show_times`` setting. Returns an empty string
+        if ``show_date_to`` is ``False``.
+        """
+        tz = tz or pytz.timezone(self.settings.timezone)
+        if not self.settings.show_date_to or not self.date_to:
+            return ""
+        return _date(
+            self.date_to.astimezone(tz),
+            "SHORT_DATETIME_FORMAT" if self.settings.show_times else "DATE_FORMAT"
+        )
+
     def get_date_from_display(self, tz=None, show_times=True) -> str:
         """
         Returns a formatted string containing the start date of the event with respect
@@ -169,13 +194,13 @@ class Event(EventMixin, LoggedModel):
     organizer = models.ForeignKey(Organizer, related_name="events", on_delete=models.PROTECT)
     name = I18nCharField(
         max_length=200,
-        verbose_name=_("Name"),
+        verbose_name=_("Event name"),
     )
     slug = models.SlugField(
         max_length=50, db_index=True,
         help_text=_(
-            "Should be short, only contain lowercase letters and numbers, and must be unique among your events. "
-            "We recommend some kind of abbreviation or a date with less than 10 characters that can be easily "
+            "Should be short, only contain lowercase letters, numbers, dots, and dashes, and must be unique among your "
+            "events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily "
             "remembered, but you can also choose to use a random value. "
             "This will be used in URLs, order codes, invoice numbers, and bank transfer references."),
         validators=[
@@ -239,7 +264,7 @@ class Event(EventMixin, LoggedModel):
 
     def save(self, *args, **kwargs):
         obj = super().save(*args, **kwargs)
-        self.get_cache().clear()
+        self.cache.clear()
         return obj
 
     def get_plugins(self) -> "list[str]":
@@ -256,6 +281,19 @@ class Event(EventMixin, LoggedModel):
         Django's built-in cache backends, but puts you into an isolated environment for
         this event, so you don't have to prefix your cache keys. In addition, the cache
         is being cleared every time the event or one of its related objects change.
+
+        .. deprecated:: 1.9
+           Use the property ``cache`` instead.
+        """
+        return self.cache
+
+    @cached_property
+    def cache(self):
+        """
+        Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
+        Django's built-in cache backends, but puts you into an isolated environment for
+        this event, so you don't have to prefix your cache keys. In addition, the cache
+        is being cleared every time the event or one of its related objects change.
         """
         from pretix.base.cache import ObjectRelatedCache
 
@@ -356,12 +394,15 @@ class Event(EventMixin, LoggedModel):
             for v in vars:
                 q.variations.add(variation_map[v.pk])
 
+        question_map = {}
         for q in Question.objects.filter(event=other).prefetch_related('items', 'options'):
             items = list(q.items.all())
             opts = list(q.options.all())
+            question_map[q.pk] = q
             q.pk = None
             q.event = self
             q.save()
+
             for i in items:
                 q.items.add(item_map[i.pk])
             for o in opts:
@@ -369,6 +410,14 @@ class Event(EventMixin, LoggedModel):
                 o.question = q
                 o.save()
 
+        for cl in other.checkin_lists.filter(subevent__isnull=True).prefetch_related('limit_products'):
+            items = list(cl.limit_products.all())
+            cl.pk = None
+            cl.event = self
+            cl.save()
+            for i in items:
+                cl.limit_products.add(item_map[i.pk])
+
         for s in other.settings._objects.all():
             s.object = self
             s.pk = None
@@ -393,7 +442,11 @@ class Event(EventMixin, LoggedModel):
             else:
                 s.save()
 
-        event_copy_data.send(sender=self, other=other)
+        event_copy_data.send(
+            sender=self, other=other,
+            tax_map=tax_map, category_map=category_map, item_map=item_map, variation_map=variation_map,
+            question_map=question_map
+        )
 
     def get_payment_providers(self) -> dict:
         """
@@ -553,6 +606,16 @@ class SubEvent(EventMixin, LoggedModel):
         data.update({v.property.name: v.value for v in self.meta_values.select_related('property').all()})
         return data
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
 
 def generate_invite_token():
     return get_random_string(length=32, allowed_chars=string.ascii_lowercase + string.digits)
@@ -619,7 +682,7 @@ class EventMetaProperty(LoggedModel):
     name = models.CharField(
         max_length=50, db_index=True,
         help_text=_(
-            "Can not contain spaces or special characters execpt underscores"
+            "Can not contain spaces or special characters except underscores"
         ),
         validators=[
             RegexValidator(
@@ -652,6 +715,16 @@ class EventMetaValue(LoggedModel):
     class Meta:
         unique_together = ('event', 'property')
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
 
 class SubEventMetaValue(LoggedModel):
     """
@@ -672,3 +745,13 @@ class SubEventMetaValue(LoggedModel):
 
     class Meta:
         unique_together = ('subevent', 'property')
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()

src/pretix/base/models/invoices.py

@@ -81,6 +81,7 @@ class Invoice(models.Model):
     foreign_currency_rate = models.DecimalField(decimal_places=4, max_digits=10, null=True, blank=True)
     foreign_currency_rate_date = models.DateField(null=True, blank=True)
     file = models.FileField(null=True, blank=True, upload_to=invoice_filename)
+    internal_reference = models.TextField(blank=True)
 
     @staticmethod
     def _to_numeric_invoice_number(number):

src/pretix/base/models/items.py

@@ -66,12 +66,12 @@ class ItemCategory(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     @property
     def sortkey(self):
@@ -104,6 +104,16 @@ class SubEventItem(models.Model):
     item = models.ForeignKey('Item', on_delete=models.CASCADE)
     price = models.DecimalField(max_digits=7, decimal_places=2, null=True, blank=True)
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
 
 class SubEventItemVariation(models.Model):
     """
@@ -121,6 +131,16 @@ class SubEventItemVariation(models.Model):
     variation = models.ForeignKey('ItemVariation', on_delete=models.CASCADE)
     price = models.DecimalField(max_digits=7, decimal_places=2, null=True, blank=True)
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
 
 class Item(LoggedModel):
     """
@@ -175,6 +195,7 @@ class Item(LoggedModel):
         related_name="items",
         blank=True, null=True,
         verbose_name=_("Category"),
+        help_text=_("If you have many products, you can optionally sort them into categories to keep things organized.")
     )
     name = I18nCharField(
         max_length=255,
@@ -289,12 +310,12 @@ class Item(LoggedModel):
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def tax(self, price=None, base_price_is='auto'):
         price = price if price is not None else self.default_price
@@ -417,12 +438,12 @@ class ItemVariation(models.Model):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.item:
-            self.item.event.get_cache().clear()
+            self.item.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.item:
-            self.item.event.get_cache().clear()
+            self.item.event.cache.clear()
 
     def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None) -> Tuple[int, int]:
         """
@@ -594,12 +615,12 @@ class Question(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     @property
     def sortkey(self):
@@ -704,6 +725,10 @@ class Quota(LoggedModel):
         blank=True,
         verbose_name=_("Variations")
     )
+    cached_availability_state = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_number = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_paid_orders = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_time = models.DateTimeField(null=True, blank=True)
 
     class Meta:
         verbose_name = _("Quota")
@@ -715,14 +740,27 @@ class Quota(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
+        clear_cache = kwargs.pop('clear_cache', True)
         super().save(*args, **kwargs)
-        if self.event:
-            self.event.get_cache().clear()
+        if self.event and clear_cache:
+            self.event.cache.clear()
 
-    def availability(self, now_dt: datetime=None, count_waitinglist=True, _cache=None) -> Tuple[int, int]:
+    def rebuild_cache(self, now_dt=None):
+        self.cached_availability_time = None
+        self.cached_availability_number = None
+        self.cached_availability_state = None
+        self.availability(now_dt=now_dt)
+
+    def cache_is_hot(self, now_dt=None):
+        now_dt = now_dt or now()
+        return self.cached_availability_time and (now_dt - self.cached_availability_time).total_seconds() < 120
+
+    def availability(
+            self, now_dt: datetime=None, count_waitinglist=True, _cache=None, allow_cache=False
+    ) -> Tuple[int, int]:
         """
         This method is used to determine whether Items or ItemVariations belonging
         to this quota should currently be available for sale.
@@ -730,12 +768,32 @@ class Quota(LoggedModel):
         :returns: a tuple where the first entry is one of the ``Quota.AVAILABILITY_`` constants
                   and the second is the number of available tickets.
         """
+        if allow_cache and self.cache_is_hot() and count_waitinglist:
+            return self.cached_availability_state, self.cached_availability_number
+
         if _cache and count_waitinglist is not _cache.get('_count_waitinglist', True):
             _cache.clear()
 
         if _cache is not None and self.pk in _cache:
             return _cache[self.pk]
+        now_dt = now_dt or now()
         res = self._availability(now_dt, count_waitinglist)
+
+        self.event.cache.delete('item_quota_cache')
+        if count_waitinglist and not self.cache_is_hot(now_dt):
+            self.cached_availability_state = res[0]
+            self.cached_availability_number = res[1]
+            self.cached_availability_time = now_dt
+            if self.size is None:
+                self.cached_availability_paid_orders = self.count_pending_orders()
+            self.save(
+                update_fields=[
+                    'cached_availability_state', 'cached_availability_number', 'cached_availability_time',
+                    'cached_availability_paid_orders'
+                ],
+                clear_cache=False
+            )
+
         if _cache is not None:
             _cache[self.pk] = res
             _cache['_count_waitinglist'] = count_waitinglist
@@ -747,8 +805,9 @@ class Quota(LoggedModel):
         if size_left is None:
             return Quota.AVAILABILITY_OK, None
 
-        # TODO: Test for interference with old versions of Item-Quota-relations, etc.
-        size_left -= self.count_paid_orders()
+        paid_orders = self.count_paid_orders()
+        self.cached_availability_paid_orders = paid_orders
+        size_left -= paid_orders
         if size_left <= 0:
             return Quota.AVAILABILITY_GONE, 0
 
@@ -808,7 +867,7 @@ class Quota(LoggedModel):
                 & Q(Q(voucher__valid_until__isnull=True) | Q(voucher__valid_until__gte=now_dt))
             ) &
             self._position_lookup
-        ).values('id').distinct().count()
+        ).count()
 
     def count_pending_orders(self) -> dict:
         from pretix.base.models import Order, OrderPosition
@@ -816,25 +875,52 @@ class Quota(LoggedModel):
         # This query has beeen benchmarked against a Count('id', distinct=True) aggregate and won by a small margin.
         return OrderPosition.objects.filter(
             self._position_lookup, order__status=Order.STATUS_PENDING, order__event=self.event, subevent=self.subevent
-        ).values('id').distinct().count()
+        ).count()
 
     def count_paid_orders(self):
         from pretix.base.models import Order, OrderPosition
 
         return OrderPosition.objects.filter(
             self._position_lookup, order__status=Order.STATUS_PAID, order__event=self.event, subevent=self.subevent
-        ).values('id').distinct().count()
+        ).count()
 
     @cached_property
     def _position_lookup(self) -> Q:
         return (
             (  # Orders for items which do not have any variations
                Q(variation__isnull=True) &
-               Q(item__quotas=self)
+               Q(item_id__in=Quota.items.through.objects.filter(quota_id=self.pk).values_list('item_id', flat=True))
             ) | (  # Orders for items which do have any variations
-                   Q(variation__quotas=self)
+                   Q(variation__in=Quota.variations.through.objects.filter(quota_id=self.pk).values_list('itemvariation_id', flat=True))
             )
         )
 
     class QuotaExceededException(Exception):
         pass
+
+    @staticmethod
+    def clean_variations(items, variations):
+        for variation in variations:
+            if variation.item not in items:
+                raise ValidationError(_('All variations must belong to an item contained in the items list.'))
+                break
+
+    @staticmethod
+    def clean_items(event, items, variations):
+        for item in items:
+            if event != item.event:
+                raise ValidationError(_('One or more items do not belong to this event.'))
+            if item.has_variations:
+                if not any(var.item == item for var in variations):
+                    raise ValidationError(_('One or more items has variations but none of these are in the variations list.'))
+
+    @staticmethod
+    def clean_subevent(event, subevent):
+        if event.has_subevents:
+            if not subevent:
+                raise ValidationError(_('Subevent cannot be null for event series.'))
+            if event != subevent.event:
+                raise ValidationError(_('The subevent does not belong to this event.'))
+        else:
+            if subevent:
+                raise ValidationError(_('The subevent does not belong to this event.'))

src/pretix/base/models/log.py

@@ -8,6 +8,8 @@ from django.utils.functional import cached_property
 from django.utils.html import escape
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 
+from pretix.base.signals import logentry_object_link
+
 
 class LogEntry(models.Model):
     """
@@ -33,6 +35,7 @@ class LogEntry(models.Model):
     content_object = GenericForeignKey('content_type', 'object_id')
     datetime = models.DateTimeField(auto_now_add=True, db_index=True)
     user = models.ForeignKey('User', null=True, blank=True, on_delete=models.PROTECT)
+    api_token = models.ForeignKey('TeamAPIToken', null=True, blank=True, on_delete=models.PROTECT)
     event = models.ForeignKey('Event', null=True, blank=True, on_delete=models.CASCADE)
     action_type = models.CharField(max_length=255)
     data = models.TextField(default='{}')
@@ -146,6 +149,9 @@ class LogEntry(models.Model):
         elif a_text:
             return a_text
         else:
+            for receiver, response in logentry_object_link.send(self.event, logentry=self):
+                if response:
+                    return response
             return ''
 
     @cached_property

src/pretix/base/models/orders.py

@@ -314,7 +314,7 @@ class Order(LoggedModel):
             ), tz)
         return term_last
 
-    def _can_be_paid(self) -> Union[bool, str]:
+    def _can_be_paid(self, count_waitinglist=True) -> Union[bool, str]:
         error_messages = {
             'late_lastdate': _("The payment can not be accepted as the last date of payments configured in the "
                                "payment settings is over."),
@@ -331,9 +331,9 @@ class Order(LoggedModel):
         if not self.event.settings.get('payment_term_accept_late'):
             return error_messages['late']
 
-        return self._is_still_available()
+        return self._is_still_available(count_waitinglist=count_waitinglist)
 
-    def _is_still_available(self, now_dt: datetime=None) -> Union[bool, str]:
+    def _is_still_available(self, now_dt: datetime=None, count_waitinglist=True) -> Union[bool, str]:
         error_messages = {
             'unavailable': _('The ordered product "{item}" is no longer available.'),
         }
@@ -351,7 +351,7 @@ class Order(LoggedModel):
                 for quota in quotas:
                     if quota.id not in quota_cache:
                         quota_cache[quota.id] = quota
-                        quota.cached_availability = quota.availability(now_dt)[1]
+                        quota.cached_availability = quota.availability(now_dt, count_waitinglist=count_waitinglist)[1]
                     else:
                         # Use cached version
                         quota = quota_cache[quota.id]
@@ -368,7 +368,7 @@ class Order(LoggedModel):
 
     def send_mail(self, subject: str, template: Union[str, LazyI18nString],
                   context: Dict[str, Any]=None, log_entry_type: str='pretix.event.order.email.sent',
-                  user: User=None, headers: dict=None, sender: str=None):
+                  user: User=None, headers: dict=None, sender: str=None, invoices: list=None):
         """
         Sends an email to the user that placed this order. Basically, this method does two things:
 
@@ -387,26 +387,28 @@ class Order(LoggedModel):
         """
         from pretix.base.services.mail import SendMailException, mail, render_mail
 
-        recipient = self.email
-        email_content = render_mail(template, context)[0]
-        try:
-            with language(self.locale):
+        with language(self.locale):
+            recipient = self.email
+            try:
+                email_content = render_mail(template, context)[0]
                 mail(
                     recipient, subject, template, context,
-                    self.event, self.locale, self, headers, sender
+                    self.event, self.locale, self, headers, sender,
+                    invoices=invoices
+                )
+            except SendMailException:
+                raise
+            else:
+                self.log_action(
+                    log_entry_type,
+                    user=user,
+                    data={
+                        'subject': subject,
+                        'message': email_content,
+                        'recipient': recipient,
+                        'invoices': [i.pk for i in invoices] if invoices else []
+                    }
                 )
-        except SendMailException:
-            raise
-        else:
-            self.log_action(
-                log_entry_type,
-                user=user,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'recipient': recipient
-                }
-            )
 
 
 def answerfile_name(instance, filename: str) -> str:
@@ -728,10 +730,6 @@ class OrderPosition(AbstractPosition):
         max_digits=10, decimal_places=2,
         verbose_name=_('Tax value')
     )
-    tax_value = models.DecimalField(
-        max_digits=10, decimal_places=2,
-        verbose_name=_('Tax value')
-    )
     secret = models.CharField(max_length=64, default=generate_position_secret, db_index=True)
 
     class Meta:
@@ -832,7 +830,7 @@ class CartPosition(AbstractPosition):
         verbose_name=_("Event")
     )
     cart_id = models.CharField(
-        max_length=255, null=True, blank=True,
+        max_length=255, null=True, blank=True, db_index=True,
         verbose_name=_("Cart ID (e.g. session key)")
     )
     datetime = models.DateTimeField(
@@ -885,6 +883,11 @@ class InvoiceAddress(models.Model):
     vat_id = models.CharField(max_length=255, blank=True, verbose_name=_('VAT ID'),
                               help_text=_('Only for business customers within the EU.'))
     vat_id_validated = models.BooleanField(default=False)
+    internal_reference = models.TextField(
+        verbose_name=_('Internal reference'),
+        help_text=_('This reference will be printed on your invoice for your convenience.'),
+        blank=True
+    )
 
 
 def cachedticket_name(instance, filename: str) -> str:

src/pretix/base/models/organizer.py

@@ -3,6 +3,7 @@ import string
 from django.core.validators import RegexValidator
 from django.db import models
 from django.utils.crypto import get_random_string
+from django.utils.functional import cached_property
 from django.utils.translation import ugettext_lazy as _
 
 from pretix.base.models.base import LoggedModel
@@ -31,8 +32,8 @@ class Organizer(LoggedModel):
     slug = models.SlugField(
         max_length=50, db_index=True,
         help_text=_(
-            "Should be short, only contain lowercase letters and numbers, and must be unique among your events. "
-            "This is being used in addresses and bank transfer references."),
+            "Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used "
+            "once. This is being used in URLs to refer to your organizer accounts and your events."),
         validators=[
             RegexValidator(
                 regex="^[a-zA-Z0-9.-]+$",
@@ -62,6 +63,19 @@ class Organizer(LoggedModel):
         Django's built-in cache backends, but puts you into an isolated environment for
         this organizer, so you don't have to prefix your cache keys. In addition, the cache
         is being cleared every time the organizer changes.
+
+        .. deprecated:: 1.9
+           Use the property ``cache`` instead.
+        """
+        return self.cache
+
+    @cached_property
+    def cache(self):
+        """
+        Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
+        Django's built-in cache backends, but puts you into an isolated environment for
+        this organizer, so you don't have to prefix your cache keys. In addition, the cache
+        is being cleared every time the organizer changes.
         """
         from pretix.base.cache import ObjectRelatedCache
 

src/pretix/base/models/tax.py

@@ -81,6 +81,16 @@ class TaxRule(LoggedModel):
                     'if configured above.'),
     )
 
+    def allow_delete(self):
+        from pretix.base.models.orders import OrderFee, OrderPosition
+
+        return (
+            not OrderFee.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not OrderPosition.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not self.event.items.filter(tax_rule=self).exists()
+            and self.event.settings.tax_rate_default != self
+        )
+
     @classmethod
     def zero(cls):
         return cls(
@@ -172,3 +182,13 @@ class TaxRule(LoggedModel):
 
         # Consumer in different EU country / invalid VAT
         return True
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()