Bump version to 1.12.1

* MKBDIGI-184: Basic create added for API items endpoint

* MKBDIGI-184: Starting endpoint for GET /api/v1/organizers/(organizer)/events/(event)/items/(id)/variations/

* MKBDIGI-184: endpoint for GET /api/v1/organizers/(organizer)/events/(event)/items/(id)/variations/

* MKBDIGI-184: Completed endpoint for variations

* MKBDIGI-184: Added endpoint for addons

* MKBDIGI-184: Added Item validation

* MKBDIGI-184: Added check for order/cart positions on item variation destroy.

* MKBDIGI-184: Fixed check for order/cart positions on item variation destroy.

* MKBDIGI-184: Updated tests, validation for addons

* MKBDIGI-184: Documentation feedback corrections

* MKBDIGI-184: Added documentation for item add-ons

* MKBDIGI-184: Code formatting fixes

* MKBDIGI-184: Feedback fixes

* MKBDIGI-184: Updated tests for delete item

* MKBDIGI-184: Cleaned up tests

* MKBDIGI-184: Added additional test URLs

* MKBDIGI-184: Documentation fixes

* MKBDIGI-184: Fixed read-only fields/Documentation

* MKBDIGI-184: Documentation fixes

* MKBDIGI-184: Added helper for dict merge for 3.4 compatibility

* MKBDIGI-184: Validation updates

* MKBDIGI-184: Fixed permissions test error. Changed to HTTP 404 for POST to addons endpoint

* MKBDIGI-184: Implemented nested variations and add-ons for POST on the item endpoint.

.gitattributes

@@ -6,6 +6,7 @@ src/static/datetimepicker/* linguist-vendored
 src/static/colorpicker/* linguist-vendored
 src/static/fileupload/* linguist-vendored
 src/static/vuejs/* linguist-vendored
+src/static/select2/* linguist-vendored
 src/static/charts/* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/fabric.* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/pdf.* linguist-vendored

.gitlab-ci.yml

@@ -8,6 +8,8 @@ tests:
         - XDG_CACHE_HOME=/cache bash .travis.sh tests
     tags:
         - python3
+    except:
+        - pypi
 pypi:
     stage: release
     script:
@@ -22,7 +24,7 @@ pypi:
     tags:
         - python3
     only:
-        - release
+        - pypi
     artifacts:
         paths:
             - src/dist/

.travis.sh

@@ -25,19 +25,27 @@ if [ "$1" == "doctests" ]; then
 	cd doc
 	make doctest
 fi
+if [ "$1" == "spelling" ]; then
+	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
+	cd doc
+	make spelling
+	if [ -s _build/spelling/output.txt ]; then
+		exit 1
+	fi
+fi
 if [ "$1" == "tests" ]; then
 	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt
 	cd src
 	python manage.py check
 	make all compress
-	py.test --rerun 5 tests
+	py.test --reruns 5 tests
 fi
 if [ "$1" == "tests-cov" ]; then
 	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt
 	cd src
 	python manage.py check
 	make all compress
-	coverage run -m py.test --rerun 5 tests && codecov
+	coverage run -m py.test --reruns 5 tests && codecov
 fi
 if [ "$1" == "plugins" ]; then
 	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt -r src/requirements/py34.txt
@@ -50,7 +58,7 @@ if [ "$1" == "plugins" ]; then
     cd pretix-cartshare
     python setup.py develop
     make
-	py.test --rerun 5 tests
+	py.test --reruns 5 tests
     popd
 
 fi

.travis.yml

@@ -36,5 +36,10 @@ matrix:
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
     - python: 3.6
       env: JOB=plugins
+    - python: 3.6
+      env: JOB=spelling
 addons:
   postgresql: "9.4"
+  apt:
+      packages:
+          - enchant

CODE_OF_CONDUCT.md

@@ -0,0 +1,5 @@
+Code of Conduct
+===============
+
+We have a [Code of Conduct](https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html)
+in place that applies to all project contributions, including issues, pull requests, etc.

README.rst

@@ -40,6 +40,11 @@ Contributing
 If you want to contribute to pretix, please read the `developer documentation`_
 in our documentation. If you have any further questions, please do not hesitate to ask!
 
+Code of Conduct
+---------------
+We have a `Code of Conduct`_ in place that applies to all project contributions,
+including issues, pull requests, etc.
+
 License
 -------
 The code in this repository is published under the terms of the Apache License. 
@@ -50,5 +55,6 @@ AUTHORS file for a list of all the awesome folks who contributed to this project
 
 .. _installation guide: https://docs.pretix.eu/en/latest/admin/installation/index.html
 .. _developer documentation: https://docs.pretix.eu/en/latest/development/index.html
+.. _Code of Conduct: https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html
 .. _pretix.eu: https://pretix.eu
 .. _blog: https://pretix.eu/about/en/blog/

deployment/docker/pretix.bash

@@ -2,6 +2,7 @@
 cd /pretix/src
 export DJANGO_SETTINGS_MODULE=production_settings
 export DATA_DIR=/data/
+export HOME=/pretix
 NUM_WORKERS=10
 
 if [ ! -d /data/logs ]; then

deployment/docker/supervisord.conf

@@ -23,6 +23,7 @@ autostart=true
 autorestart=true
 priority=5
 user=pretixuser
+environment=HOME=/pretix
 
 [program:pretixtask]
 command=/usr/local/bin/pretix taskworker

doc/Makefile

@@ -175,3 +175,9 @@ pseudoxml:
 	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
 	@echo
 	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+spelling:
+	$(SPHINXBUILD) -b spelling $(ALLSPHINXOPTS) $(BUILDDIR)/spelling
+	@echo
+	@echo "Spelling check finished, look at the results in " \
+		  "$(BUILDDIR)/spelling/output.txt."

doc/admin/config.rst

@@ -2,6 +2,8 @@
 
 .. _`config`:
 
+.. spelling:: Galera
+
 Configuration file
 ==================
 
@@ -45,7 +47,7 @@ Example::
 
 ``datadir``
     The local path to a data directory that will be used for storing user uploads and similar
-    data. Defaults to thea value of the environment variable ``DATA_DIR`` or ``data``.
+    data. Defaults to the value of the environment variable ``DATA_DIR`` or ``data``.
 
 ``plugins_default``
     A comma-separated list of plugins that are enabled by default for all new events.

doc/admin/installation/docker_smallscale.rst

@@ -162,7 +162,7 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
         -v /etc/pretix:/etc/pretix \
         -v /var/run/redis:/var/run/redis \
         -v /var/run/mysqld:/var/run/mysqld \
-        pretix/standalone all
+        pretix/standalone:stable all
     ExecStop=/usr/bin/docker stop %n
 
     [Install]
@@ -239,6 +239,8 @@ Restarting the service can take a few seconds, especially if the update requires
 Replace ``stable`` above with a specific version number like ``1.0`` or with ``latest`` for the development
 version, if you want to.
 
+.. _`docker_plugininstall`:
+
 Install a plugin
 ----------------
 

doc/admin/installation/general.rst

@@ -1,5 +1,7 @@
 .. highlight:: ini
 
+.. spelling:: SQL
+
 General remarks
 ===============
 

doc/admin/installation/manual_smallscale.rst

@@ -177,7 +177,7 @@ For background tasks we need a second service ``/etc/systemd/system/pretix-worke
     [Install]
     WantedBy=multi-user.target
 
-You can now run the following comamnds to enable and start the services::
+You can now run the following commands to enable and start the services::
 
     # systemctl daemon-reload
     # systemctl enable pretix-web pretix-worker
@@ -213,7 +213,7 @@ The following snippet is an example on how to configure a nginx proxy for pretix
         ssl_certificate /path/to/cert.chain.pem;
         ssl_certificate_key /path/to/key.pem;
 
-        add_header Referrer-Options same-origin;
+        add_header Referrer-Policy same-origin;
         add_header X-Content-Type-Options nosniff;
 
         location / {
@@ -276,6 +276,8 @@ To upgrade to a new pretix release, pull the latest code changes and run the fol
     # systemctl restart pretix-web pretix-worker
 
 
+.. _`manual_plugininstall`:
+
 Install a plugin
 ----------------
 

doc/api/resources/checkinlists.rst

@@ -0,0 +1,402 @@
+Check-in lists
+==============
+
+Resource description
+--------------------
+
+You can create check-in lists that you can use e.g. at the entrance of your event to track who is coming and if they
+actually bought a ticket.
+
+You can create multiple check-in lists to separate multiple parts of your event, for example if you have separate
+entries for multiple ticket types. Different check-in lists are completely independent: If a ticket shows up on two
+lists, it is valid once on every list. This might be useful if you run a festival with festival passes that allow
+access to every or multiple performances as well as tickets only valid for single performances.
+
+The check-in list resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the check-in list
+name                                  string                     The internal name of the check-in list
+all_products                          boolean                    If ``True``, the check-in lists contains tickets of all products in this event. The ``limit_products`` field is ignored in this case.
+limit_products                        list of integers           List of item IDs to include in this list.
+subevent                              integer                    ID of the date inside an event series this list belongs to (or ``null``).
+position_count                        integer                    Number of tickets that match this list (read-only).
+checkin_count                         integer                    Number of check-ins performed on this list (read-only).
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.10
+
+   This resource has been added.
+
+.. versionchanged:: 1.11
+
+   The ``positions`` endpoints have been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
+
+   Returns a list of all check-in lists within a given event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "Default list",
+            "checkin_count": 123,
+            "position_count": 456,
+            "all_products": true,
+            "limit_products": [],
+            "subevent": null
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query integer subevent: Only return check-in lists of the sub-event with the given ID
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(id)/
+
+   Returns information on one check-in list, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Default list",
+        "checkin_count": 123,
+        "position_count": 456,
+        "all_products": true,
+        "limit_products": [],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the check-in list to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/
+
+   Creates a new check-in list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": "VIP entry",
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "VIP entry",
+        "checkin_count": 0,
+        "position_count": 0,
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a list for
+   :param event: The ``slug`` field of the event to create a list for
+   :statuscode 201: no error
+   :statuscode 400: The list could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(id)/
+
+   Update a check-in list. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field and the ``checkin_count`` and ``position_count``
+   fields.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "Backstage",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "Backstage",
+        "checkin_count": 23,
+        "position_count": 42,
+        "all_products": false,
+        "limit_products": [1, 2],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the list to modify
+   :statuscode 200: no error
+   :statuscode 400: The list could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/checkinlist/(id)/
+
+   Delete a check-in list. Note that this also deletes the information on all check-ins performed via this list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/checkinlist/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the check-in list to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
+
+Order position endpoints
+------------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/
+
+   Returns a list of all order positions within a given event. The result is the same as
+   the :ref:`order-position-resource`, with one important difference: the ``checkins`` value will only include
+   check-ins for the selected list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/positions/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 23442,
+            "order": "ABC12",
+            "positionid": 1,
+            "item": 1345,
+            "variation": null,
+            "price": "23.00",
+            "attendee_name": "Peter",
+            "attendee_email": null,
+            "voucher": null,
+            "tax_rate": "0.00",
+            "tax_rule": null,
+            "tax_value": "0.00",
+            "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
+            "addon_to": null,
+            "subevent": null,
+            "checkins": [
+              {
+                "list": 1,
+                "datetime": "2017-12-25T12:45:23Z"
+              }
+            ],
+            "answers": [
+              {
+                "question": 12,
+                "answer": "Foo",
+                "options": []
+              }
+            ],
+            "downloads": [
+              {
+                "output": "pdf",
+                "url": "https://pretix.eu/api/v1/organizers/bigevents/events/sampleconf/orderpositions/23442/download/pdf/"
+              }
+            ]
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``order__code``,
+                           ``order__datetime``, ``positionid``, ``attendee_name``, ``last_checked_in`` and ``order__email``. Default:
+                           ``attendee_name,positionid``
+   :query string order: Only return positions of the order with the given order code
+   :query integer item: Only return positions with the purchased item matching the given ID.
+   :query integer variation: Only return positions with the purchased item variation matching the given ID.
+   :query string attendee_name: Only return positions with the given value in the attendee_name field. Also, add-on
+                                products positions are shown if they refer to an attendee with the given name.
+   :query string secret: Only return positions with the given ticket secret.
+   :query bollean has_checkin: If set to ``true`` or ``false``, only return positions that have or have not been
+                               checked in already on this list.
+   :query integer subevent: Only return positions of the sub-event with the given ID
+   :query integer addon_to: Only return positions that are add-ons to the position with the given ID.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param list: The ID of the check-in list to look for
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested check-in list does not exist.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)
+
+   Returns information on one order position, identified by its internal ID.
+   The result format is the same as the :ref:`order-position-resource`, with one important difference: the
+   ``checkins`` value will only include check-ins for the selected list.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/checkinlists/1/positions/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 23442,
+        "order": "ABC12",
+        "positionid": 1,
+        "item": 1345,
+        "variation": null,
+        "price": "23.00",
+        "attendee_name": "Peter",
+        "attendee_email": null,
+        "voucher": null,
+        "tax_rate": "0.00",
+        "tax_rule": null,
+        "tax_value": "0.00",
+        "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
+        "addon_to": null,
+        "subevent": null,
+        "checkins": [
+          {
+            "list": 1,
+            "datetime": "2017-12-25T12:45:23Z"
+          }
+        ],
+        "answers": [
+          {
+            "question": 12,
+            "answer": "Foo",
+            "options": []
+          }
+        ],
+        "downloads": [
+          {
+            "output": "pdf",
+            "url": "https://pretix.eu/api/v1/organizers/bigevents/events/sampleconf/orderpositions/23442/download/pdf/"
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param list: The ID of the check-in list to look for
+   :param id: The ``id`` field of the order position to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order position or check-in list does not exist.

doc/api/resources/index.rst

@@ -10,9 +10,12 @@ Resources and endpoints
    taxrules
    categories
    items
+   item_variations
+   item_add-ons
    questions
    quotas
    orders
    invoices
    vouchers
+   checkinlists
    waitinglist

doc/api/resources/invoices.rst

@@ -125,7 +125,7 @@ Endpoints
    :query boolean is_cancellation: If set to ``true`` or ``false``, only invoices with this value for the field
                                    ``is_cancellation`` will be returned.
    :query string order: If set, only invoices belonging to the order with the given order code will be returned.
-   :query string refers: If set, only invoices refering to the given invoice will be returned.
+   :query string refers: If set, only invoices referring to the given invoice will be returned.
    :query string locale: If set, only invoices with the given locale will be returned.
    :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date`` and
                            ``nr`` (equals to ``number``). Default: ``nr``
@@ -221,5 +221,5 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
-   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
+   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                     seconds.

doc/api/resources/item_add-ons.rst

@@ -0,0 +1,246 @@
+Item add-ons
+============
+
+Resource description
+--------------------
+
+With add-ons, you can specify products that can be bought as an addition to this specific product. For example, if you
+host a conference with a base conference ticket and a number of workshops, you could define the workshops as add-ons to
+the conference ticket. With this configuration, the workshops cannot be bought on their own but only in combination with
+a conference ticket. You can here specify categories of products that can be used as add-ons to this product. You can
+also specify the minimum and maximum number of add-ons of the given category that can or need to be chosen. The user can
+buy every add-on from the category at most once. If an add-on product has multiple variations, only one of them can be
+bought.
+The add-ons resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the add-on
+addon_category                        integer                    Internal ID of the item category the add-on can be
+                                                                 chosen from.
+min_count                             integer                    The minimal number of add-ons that need to be chosen.
+max_count                             integer                    The maximal number of add-ons that can be chosen.
+position                              integer                    An integer, used for sorting
+price_included                        boolean                    Adding this add-on to the item is free
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.12
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/addons/
+
+   Returns a list of all add-ons for a given item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/11/addons/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 3,
+            "addon_category": 1,
+            "min_count": 0,
+            "max_count": 10,
+            "position": 0,
+            "price_included": true
+          },
+          {
+            "id": 4,
+            "addon_category": 2,
+            "min_count": 0,
+            "max_count": 10,
+            "position": 1,
+            "price_included": true
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/item does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/addons/(id)/
+
+   Returns information on one add-on, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/1/addons/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "addon_category": 1,
+        "min_count": 0,
+        "max_count": 10,
+        "position": 1,
+        "price_included": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :param id: The ``id`` field of the add-on to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/bigevents/events/sampleconf/items/1/addons/
+
+   Creates a new add-on
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/addons/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "addon_category": 1,
+        "min_count": 0,
+        "max_count": 10,
+        "position": 1,
+        "price_included": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "addon_category": 1,
+        "min_count": 0,
+        "max_count": 10,
+        "position": 1,
+        "price_included": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a add-on for
+   :param event: The ``slug`` field of the event to create a add-on for
+   :param item: The ``id`` field of the item to create a add-on for
+   :statuscode 201: no error
+   :statuscode 400: The add-on could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/addon/(id)/
+
+   Update an add-on. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/addons/3/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "min_count": 0,
+        "max_count": 10,
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "addon_category": 1,
+        "min_count": 0,
+        "max_count": 10,
+        "position": 1,
+        "price_included": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param item: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the add-on to modify
+   :statuscode 200: no error
+   :statuscode 400: The add-on could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/addons/(id)/
+
+   Delete an add-on.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/addons/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the add-on to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/item_variations.rst

@@ -0,0 +1,258 @@
+Item variations
+===============
+
+Resource description
+--------------------
+
+Variations of items can be use for products (items) that are available in different sizes, colors or other variations
+of the same product.
+The addons resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the variation
+default_price                         money (string)             The price set directly for this variation or ``null``
+price                                 money (string)             The price used for this variation. This is either the
+                                                                 same as ``default_price`` if that value is set or equal
+                                                                 to the item's ``default_price`` (read-only).
+active                                boolean                    If ``False``, this variation will not be sold or shown.
+description                           multi-lingual string       A public description of the variation. May contain
+                                                                 Markdown syntax or can be ``null``.
+position                              integer                    An integer, used for sorting
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.12
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/variations/
+
+   Returns a list of all variations for a given item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/11/variations/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "value": {
+              "en": "S"
+            },
+            "active": true,
+            "description": {
+              "en": "Test2"
+            },
+            "position": 0,
+            "default_price": "223.00",
+            "price": 223.0
+          },
+          {
+            "id": 3,
+            "value": {
+              "en": "L"
+            },
+            "active": true,
+            "description": {},
+            "position": 1,
+            "default_price": null,
+            "price": 15.0
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query boolean active: If set to ``true`` or ``false``, only items with this value for the field ``active`` will be
+                          returned.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/item does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/variations/(id)/
+
+   Returns information on one variation, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "value": {
+              "en": "Student"
+        },
+        "default_price": "10.00",
+        "price": "10.00",
+        "active": true,
+        "description": null,
+        "position": 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :param id: The ``id`` field of the variation to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/variations/
+
+   Creates a new variation
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "value": {"en": "Student"},
+        "default_price": "10.00",
+        "active": true,
+        "description": null,
+        "position": 0
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "value": {"en": "Student"},
+        "default_price": "10.00",
+        "price": "10.00",
+        "active": true,
+        "description": null,
+        "position": 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a variation for
+   :param event: The ``slug`` field of the event to create a variation for
+   :param item: The ``id`` field of the item to create a variation for
+   :statuscode 201: no error
+   :statuscode 400: The variation could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/variations/(id)/
+
+   Update a variation. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` and the ``price`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "active": false,
+        "position": 1
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "value": {"en": "Student"},
+        "default_price": "10.00",
+        "price": "10.00",
+        "active": false,
+        "description": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the variation to modify
+   :statuscode 200: no error
+   :statuscode 400: The variation could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/variations/(id)/
+
+   Delete a variation.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the variation to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/items.rst

@@ -33,6 +33,7 @@ admission                             boolean                    ``True`` for it
                                                                  (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
+                                                                 (read-only).
 available_from                        datetime                   The first date time at which this item can be bought
                                                                  (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
@@ -53,10 +54,9 @@ max_per_order                         integer                    This product ca
 checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
                                                                  that this ticket requires special attention if such
                                                                  a product is being scanned.
-has_variations                        boolean                    Shows whether or not this item has variations
-                                                                 (read-only).
+has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
-                                                                 Can be empty.
+                                                                 Can be empty. Only writable on POST.
 ├ id                                  integer                    Internal ID of the variation
 ├ default_price                       money (string)             The price set directly for this variation or ``null``
 ├ price                               money (string)             The price used for this variation. This is either the
@@ -66,12 +66,14 @@ variations                            list of objects            A list with one
 ├ description                         multi-lingual string       A public description of the variation. May contain
                                                                  Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
-addons                                list of objects            Definition of add-ons that can be chosen for this item
+addons                                list of objects            Definition of add-ons that can be chosen for this item.
+                                                                 Only writable on POST.
 ├ addon_category                      integer                    Internal ID of the item category the add-on can be
                                                                  chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
-├ max_count                           integer                    The maxima number of add-ons that can be chosen.
+├ max_count                           integer                    The maximal number of add-ons that can be chosen.
 └ position                            integer                    An integer, used for sorting
+└ price_included                      boolean                    Adding this add-on to the item is free
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.7
@@ -79,6 +81,20 @@ addons                                list of objects            Definition of a
    The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
    ``checkin_attention`` has been added.
 
+.. versionchanged:: 1.12
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+   The attribute ``price_included`` has been added to ``addons``.
+
+Notes
+-----
+Please note that an item either always has variations or never has. Once created with variations the item can never
+change to an item without and vice versa. To create an item with variations ensure that you POST an item with at least
+one variation.
+
+Also note that ``variations`` and ``addons`` are only supported on ``POST``. To update/delete variations and add-ons please
+use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT`` with nested
+``variations`` and/or ``addons``.
 
 Endpoints
 ---------
@@ -239,3 +255,226 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+
+   Creates a new item
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/items/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "Standard ticket"},
+        "default_price": "23.00",
+        "category": null,
+        "active": true,
+        "description": null,
+        "free_price": false,
+        "tax_rate": "0.00",
+        "tax_rule": 1,
+        "admission": false,
+        "position": 0,
+        "picture": null,
+        "available_from": null,
+        "available_until": null,
+        "require_voucher": false,
+        "hide_without_voucher": false,
+        "allow_cancel": true,
+        "min_per_order": null,
+        "max_per_order": null,
+        "checkin_attention": false,
+        "variations": [
+          {
+             "value": {"en": "Student"},
+             "default_price": "10.00",
+             "price": "10.00",
+             "active": true,
+             "description": null,
+             "position": 0
+          },
+          {
+             "value": {"en": "Regular"},
+             "default_price": null,
+             "price": "23.00",
+             "active": true,
+             "description": null,
+             "position": 1
+          }
+        ],
+        "addons": []
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "Standard ticket"},
+        "default_price": "23.00",
+        "category": null,
+        "active": true,
+        "description": null,
+        "free_price": false,
+        "tax_rate": "0.00",
+        "tax_rule": 1,
+        "admission": false,
+        "position": 0,
+        "picture": null,
+        "available_from": null,
+        "available_until": null,
+        "require_voucher": false,
+        "hide_without_voucher": false,
+        "allow_cancel": true,
+        "min_per_order": null,
+        "max_per_order": null,
+        "checkin_attention": false,
+        "has_variations": true,
+        "variations": [
+          {
+             "value": {"en": "Student"},
+             "default_price": "10.00",
+             "price": "10.00",
+             "active": true,
+             "description": null,
+             "position": 0
+          },
+          {
+             "value": {"en": "Regular"},
+             "default_price": null,
+             "price": "23.00",
+             "active": true,
+             "description": null,
+             "position": 1
+          }
+        ],
+        "addons": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create an item for
+   :param event: The ``slug`` field of the event to create an item for
+   :statuscode 201: no error
+   :statuscode 400: The item could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/
+
+   Update an item. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``has_variations``, ``variations`` and the ``addon`` field. If
+   you need to update/delete variations or add-ons please use the nested dedicated endpoints.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": {"en": "Ticket"},
+        "default_price": "25.00"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "Ticket"},
+        "default_price": "25.00",
+        "category": null,
+        "active": true,
+        "description": null,
+        "free_price": false,
+        "tax_rate": "0.00",
+        "tax_rule": 1,
+        "admission": false,
+        "position": 0,
+        "picture": null,
+        "available_from": null,
+        "available_until": null,
+        "require_voucher": false,
+        "hide_without_voucher": false,
+        "allow_cancel": true,
+        "min_per_order": null,
+        "max_per_order": null,
+        "checkin_attention": false,
+        "has_variations": true,
+        "variations": [
+          {
+             "value": {"en": "Student"},
+             "default_price": "10.00",
+             "price": "10.00",
+             "active": true,
+             "description": null,
+             "position": 0
+          },
+          {
+             "value": {"en": "Regular"},
+             "default_price": null,
+             "price": "23.00",
+             "active": true,
+             "description": null,
+             "position": 1
+          }
+        ],
+        "addons": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :statuscode 200: no error
+   :statuscode 400: The item could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/
+
+   Delete an item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+

doc/api/resources/orders.rst

@@ -1,3 +1,5 @@
+.. spelling:: checkins
+
 Orders
 ======
 
@@ -24,7 +26,7 @@ email                                 string                     The customer em
 locale                                string                     The locale used for communication with this customer
 datetime                              datetime                   Time of order creation
 expires                               datetime                   The order will expire, if it is still pending by this time
-payment_date                          date                       Date of payment receival
+payment_date                          date                       Date of payment receipt
 payment_provider                      string                     Payment provider used for this order
 payment_fee                           money (string)             Payment fee included in this order's total
 payment_fee_tax_rate                  decimal (string)           Tax rate applied to the payment fee
@@ -79,13 +81,15 @@ downloads                             list of objects            List of ticket
 
    The attributes ``invoice_address.vat_id_validated`` and ``invoice_address.is_business`` have been added.
    The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate`` and ``order.payment_fee_tax_value`` have been
-   deprecated in favour of the new ``fees`` attribute but will still be served and removed in 1.9.
+   deprecated in favor of the new ``fees`` attribute but will still be served and removed in 1.9.
 
 .. versionchanged:: 1.9
 
    First write operations (``…/mark_paid/``, ``…/mark_pending/``, ``…/mark_canceled/``, ``…/mark_expired/``) have been added.
    The attribute ``invoice_address.internal_reference`` has been added.
 
+.. _order-position-resource:
+
 Order position resource
 -----------------------
 
@@ -94,7 +98,7 @@ Order position resource
 ===================================== ========================== =======================================================
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
-id                                    integer                    Internal ID of the order positon
+id                                    integer                    Internal ID of the order position
 code                                  string                     Order code of the order the position belongs to
 positionid                            integer                    Number of the position within the order
 item                                  integer                    ID of the purchased item
@@ -110,6 +114,7 @@ secret                                string                     Secret code pri
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
 subevent                              integer                    ID of the date inside an event series this position belongs to (or ``null``).
 checkins                              list of objects            List of check-ins with this ticket
+├ list                                integer                    Internal ID of the check-in list
 └ datetime                            datetime                   Time of check-in
 downloads                             list of objects            List of ticket download options
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
@@ -124,6 +129,10 @@ answers                               list of objects            Answers to user
 
    The attribute ``tax_rule`` has been added.
 
+.. versionchanged:: 1.11
+
+   The attribute ``checkins.list`` has been added.
+
 
 Order endpoints
 ---------------
@@ -198,6 +207,7 @@ Order endpoints
                 "subevent": null,
                 "checkins": [
                   {
+                    "list": 44,
                     "datetime": "2017-12-25T12:45:23Z"
                   }
                 ],
@@ -304,6 +314,7 @@ Order endpoints
             "subevent": null,
             "checkins": [
               {
+                "list": 44,
                 "datetime": "2017-12-25T12:45:23Z"
               }
             ],
@@ -342,7 +353,7 @@ Order endpoints
 
    Download tickets for an order, identified by its order code. Depending on the chosen output, the response might
    be a ZIP file, PDF file or something else. The order details response contains a list of output options for this
-   partictular order.
+   particular order.
 
    Tickets can be only downloaded if the order is paid and if ticket downloads are active. Note that in some cases the
    ticket file might not yet have been created. In that case, you will receive a status code :http:statuscode:`409` and
@@ -373,10 +384,10 @@ Order endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
-                    **or** downlodas are not available for this order at this time. The response content will
+                    **or** downloads are not available for this order at this time. The response content will
                     contain more details.
    :statuscode 404: The requested order or output provider does not exist.
-   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
+   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                           seconds.
 
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_paid/
@@ -622,6 +633,7 @@ Order position endpoints
             "subevent": null,
             "checkins": [
               {
+                "list": 44,
                 "datetime": "2017-12-25T12:45:23Z"
               }
             ],
@@ -701,6 +713,7 @@ Order position endpoints
         "subevent": null,
         "checkins": [
           {
+            "list": 44,
             "datetime": "2017-12-25T12:45:23Z"
           }
         ],
@@ -731,7 +744,7 @@ Order position endpoints
 
    Download tickets for one order position, identified by its internal ID.
    Depending on the chosen output, the response might be a ZIP file, PDF file or something else. The order details
-   response contains a list of output options for this partictular order position.
+   response contains a list of output options for this particular order position.
 
    Tickets can be only downloaded if the order is paid and if ticket downloads are active. Also, depending on event
    configuration downloads might be only unavailable for add-on products or non-admission products.
@@ -763,8 +776,8 @@ Order position endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
-                    **or** downlodas are not available for this order position at this time. The response content will
+                    **or** downloads are not available for this order position at this time. The response content will
                     contain more details.
    :statuscode 404: The requested order position or download provider does not exist.
-   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
+   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                     seconds.

doc/api/resources/questions.rst

@@ -1,3 +1,5 @@
+.. spelling:: checkin
+
 Questions
 =========
 
@@ -23,15 +25,25 @@ type                                  string                     The expected ty
                                                                  * ``C`` – choice from a list
                                                                  * ``M`` – multiple choice from a list
                                                                  * ``F`` – file upload
+                                                                 * ``D`` – date
+                                                                 * ``H`` – time
+                                                                 * ``W`` – date and time
 required                              boolean                    If ``True``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
+ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
+                                                                 buying the ticket, but will show up when redeeming
+                                                                 the ticket instead.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
                                                                  available objects.
 ├ id                                  integer                    Internal ID of the option
 └ answer                              multi-lingual string       The displayed value of this option
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.12
+
+  The values ``D``, ``H``, and ``W`` for the field ``type`` are now allowed and the ``ask_during_checkin`` field has
+  been added.
 
 Endpoints
 ---------
@@ -68,6 +80,7 @@ Endpoints
             "required": false,
             "items": [1, 2],
             "position": 1,
+            "ask_during_checkin": false,
             "options": [
               {
                 "id": 1,
@@ -121,6 +134,7 @@ Endpoints
         "type": "C",
         "required": false,
         "items": [1, 2],
+        "ask_during_checkin": false,
         "position": 1,
         "options": [
           {

doc/api/resources/quotas.rst

@@ -4,7 +4,7 @@ Quotas
 Resource description
 --------------------
 
-Questions define how many times an item can be sold.
+Quotas define how many times an item can be sold.
 The quota resource contains the following public fields:
 
 .. rst-class:: rest-resource-table
@@ -20,6 +20,10 @@ variations                            list of integers           List of item va
 subevent                              integer                    ID of the date inside an event series this quota belongs to (or ``null``).
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.10
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
 
 Endpoints
 ---------
@@ -106,6 +110,131 @@ Endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/quotas/
+
+   Creates a new quota
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/quotas/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": "Ticket Quota",
+        "size": 200,
+        "items": [1, 2],
+        "variations": [1, 4, 5, 7],
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Ticket Quota",
+        "size": 200,
+        "items": [1, 2],
+        "variations": [1, 4, 5, 7],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a quota for
+   :param event: The ``slug`` field of the event to create a quota for
+   :statuscode 201: no error
+   :statuscode 400: The quota could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/quotas/(id)/
+
+   Update a quota. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/quotas/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "New Ticket Quota",
+        "size": 100,
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "New Ticket Quota",
+        "size": 100,
+        "items": [
+          1,
+          2
+        ],
+        "variations": [
+          1,
+          2
+        ],
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the quota rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The quota could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/quota/(id)/
+
+   Delete a quota. Note that if you delete a quota the items the quota acts on might no longer be available for sale.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/quotas/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the quotas to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/quotas/(id)/availability/
 
    Returns availability information on one quota, identified by its ID.

doc/api/resources/taxrules.rst

@@ -162,7 +162,7 @@ Endpoints
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
 
    Update a tax rule. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
-   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
    want to change.
 
    **Example request**:

doc/api/resources/vouchers.rst

@@ -234,9 +234,8 @@ Endpoints
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
 
    Update a voucher. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
-   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
    want to change.
-her.
 
    You can change all fields of the resource except the ``id`` and ``redeemed`` fields.
 
@@ -283,7 +282,7 @@ her.
 
    :param organizer: The ``slug`` field of the organizer to modify
    :param event: The ``slug`` field of the event to modify
-   :param id: The ``id`` field of the tax rule to modify
+   :param id: The ``id`` field of the voucher to modify
    :statuscode 200: no error
    :statuscode 400: The voucher could not be modified due to invalid submitted data
    :statuscode 401: Authentication failure
@@ -311,7 +310,7 @@ her.
 
    :param organizer: The ``slug`` field of the organizer to modify
    :param event: The ``slug`` field of the event to modify
-   :param id: The ``id`` field of the tax rule to delete
+   :param id: The ``id`` field of the voucher to delete
    :statuscode 204: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/checkin_filter.py

@@ -0,0 +1,11 @@
+from enchant.tokenize import get_tokenizer, Filter, unit_tokenize
+
+class CheckinFilter(Filter):
+    """ If a word looks like checkin_count, it refers to a so-called variable in
+    the code, and is treated as being spelled right."""
+
+    def _split(self, word):
+        if word[:8] == "checkin_":
+            return unit_tokenize(word[8:])
+
+        return unit_tokenize(word)

doc/conf.py

@@ -45,6 +45,7 @@ extensions = [
     'sphinx.ext.coverage',
     'sphinxcontrib.httpdomain',
     'sphinxcontrib.images',
+    'sphinxcontrib.spelling',
 ]
 
 # Add any paths that contain templates here, relative to this directory.
@@ -290,3 +291,22 @@ texinfo_documents = [
 images_config = {
     'default_image_width': '250px'
 }
+
+# -- Options for Spelling output ------------------------------------------
+
+# String specifying the language, as understood by PyEnchant and enchant.
+# Defaults to en_US for US English.
+spelling_lang = 'en_US'
+
+# String specifying a file containing a list of words known to be spelled
+# correctly but that do not appear in the language dictionary selected by
+# spelling_lang. The file should contain one word per line.
+spelling_word_list_filename='spelling_wordlist.txt'
+
+# Boolean controlling whether suggestions for misspelled words are printed.
+# Defaults to False.
+spelling_show_suggestions=True
+
+# List of filter classes to be added to the tokenizer that produces words to be checked. 
+from checkin_filter import CheckinFilter
+spelling_filters=[CheckinFilter]

doc/development/api/customview.rst

@@ -25,7 +25,7 @@ If you want to add a custom view to the control area of an event, just register
             views.admin_view, name='backend'),
     ]
 
-It is required that your URL paramaters are called ``organizer`` and ``event``. If you want to
+It is required that your URL parameters are called ``organizer`` and ``event``. If you want to
 install a view on organizer level, you can leave out the ``event``.
 
 You can then implement the view as you would normally do. Our middleware will automatically

doc/development/api/exporter.rst

@@ -21,10 +21,10 @@ that we'll provide in this plugin::
 
     from django.dispatch import receiver
 
-    from pretix.base.signals import register_data_exporter
+    from pretix.base.signals import register_data_exporters
 
 
-    @receiver(register_data_exporter, dispatch_uid="exporter_myexporter")
+    @receiver(register_data_exporters, dispatch_uid="exporter_myexporter")
     def register_data_exporter(sender, **kwargs):
         from .exporter import MyExporter
         return MyExporter

doc/development/api/general.rst

@@ -11,7 +11,7 @@ Core
 ----
 
 .. automodule:: pretix.base.signals
-   :members: periodic_task, event_live_issues, event_copy_data
+   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types
 
 Order events
 """"""""""""

doc/development/implementation/logging.rst

@@ -1,5 +1,5 @@
-Logging
-=======
+Logging and notifications
+=========================
 
 As pretix is handling monetary transactions, we are very careful to make it possible to review all changes
 in the system that lead to the current state.
@@ -19,7 +19,7 @@ To actually log an action, you can just call the ``log_action`` method on your o
    order.log_action('pretix.event.order.canceled', user=user, data={})
 
 The positional ``action`` argument should represent the type of action and should be globally unique, we
-recomment do prefix it with your packagename, e.g. ``paypal.payment.rejected``. The ``user`` argument is
+recommend to prefix it with your package name, e.g. ``paypal.payment.rejected``. The ``user`` argument is
 optional and may contain the user who performed the action. The optional ``data`` argument can contain
 additional information about this action.
 
@@ -81,6 +81,61 @@ implementation could look like::
         if logentry.action_type in plains:
             return plains[logentry.action_type]
 
+Sending notifications
+---------------------
+
+If you think that the logged information might be important or urgent enough to send out a notification to interested
+organizers. In this case, you should listen for the :py:attr:`pretix.base.signals.register_notification_types` signal
+to register a notification type::
+
+    @receiver(register_notification_types)
+    def register_my_notification_types(sender, **kwargs):
+        return [MyNotificationType(sender)]
+
+Note that this event is different than other events send out by pretix: ``sender`` may be an event or ``None``. The
+latter case is required to let the user define global notification preferences for all events.
+
+You also need to implement a custom class that specifies how notifications should be handled for your notification type.
+You should subclass the base ``NotificationType`` class and implement all its members:
+
+.. autoclass:: pretix.base.notifications.NotificationType
+   :members: action_type, verbose_name, required_permission, build_notification
+
+A simple implementation could look like this::
+
+    class MyNotificationType(NotificationType):
+        required_permission = "can_view_orders"
+        action_type = "pretix.event.order.paid"
+        verbose_name = _("Order has been paid")
+
+        def build_notification(self, logentry: LogEntry):
+            order = logentry.content_object
+
+            order_url = build_absolute_uri(
+                'control:event.order',
+                kwargs={
+                    'organizer': logentry.event.organizer.slug,
+                    'event': logentry.event.slug,
+                    'code': order.code
+                }
+            )
+
+            n = Notification(
+                event=logentry.event,
+                title=_('Order {code} has been marked as paid').format(code=order.code),
+                url=order_url
+            )
+            n.add_attribute(_('Order code'), order.code)
+            n.add_action(_('View order details'), order_url)
+            return n
+
+As you can see, the relevant code is in the ``build_notification`` method that is supposed to create a ``Notification``
+method that has a title, description, URL, attributes, and actions. The full definition of ``Notification`` is the
+following:
+
+.. autoclass:: pretix.base.notifications.Notification
+   :members: add_action, add_attribute
+
 
 Logging technical information
 -----------------------------

doc/development/implementation/models.rst

@@ -1,6 +1,8 @@
 .. highlight:: python
    :linenothreshold: 5
 
+.. spelling:: answ contrib
+
 Data model
 ==========
 

doc/development/implementation/settings.rst

@@ -35,7 +35,7 @@ Forms
 -----
 
 Hierarkey also provides a base class for forms that allow the modification of settings. pretix contains a
-subclass that also adds suport for internationalized fields:
+subclass that also adds support for internationalized fields:
 
 .. autoclass:: pretix.base.forms.SettingsForm
 
@@ -65,4 +65,4 @@ Plugins can add custom hardcoded defaults in the following way::
 Make sure that you include this code in a module that is imported at app loading time.
 
 .. _django-hierarkey: https://github.com/raphaelm/django-hierarkey
-.. _documentation: https://django-hierarkey.readthedocs.io/en/latest/
+.. _documentation: https://django-hierarkey.readthedocs.io/en/latest/

doc/development/implementation/urlconfig.rst

@@ -67,7 +67,7 @@ available as ``plugins:sendmail:send``.
 Generating a URL for the frontend is a complicated task, because you need to know whether the event's
 organizer uses a custom URL or not and then generate the URL with a different domain and different
 arguments based on this information. pretix provides some helpers to make this easier. The first helper
-is a python method that emulates a behaviour similar to ``reverse``:
+is a python method that emulates a behavior similar to ``reverse``:
 
 .. autofunction:: pretix.multidomain.urlreverse.eventreverse
 
@@ -82,5 +82,5 @@ Implementation details
 ----------------------
 
 There are some other caveats when using a design like this, e.g. you have to care about cookie domains
-and referer verification yourself. If you want to see how we built this, look into the ``pretix/multidomain/``
+and referrer verification yourself. If you want to see how we built this, look into the ``pretix/multidomain/``
 sub-tree.

doc/development/setup.rst

@@ -86,7 +86,7 @@ and head to http://localhost:8000/
 
 As we did not implement an overall front page yet, you need to go directly to
 http://localhost:8000/control/ for the admin view or, if you imported the test
-data as suggested above, to the event page at http://localhost:8000/bigevents/2018/
+data as suggested above, to the event page at http://localhost:8000/bigevents/2019/
 
 .. note:: If you want the development server to listen on a different interface or
           port (for example because you develop on `pretixdroid`_), you can check
@@ -106,7 +106,7 @@ Execute the following commands to check for code style errors::
     isort -c -rc .
     python manage.py check
 
-Execute the following command to run pretix' test suite (might take a coumple of minutes)::
+Execute the following command to run pretix' test suite (might take a couple of minutes)::
 
     py.test
 
@@ -122,7 +122,7 @@ for example::
     flake8 . || exit 1
     isort -q -rc -c . || exit 1
 
-This keeps you from accidentally creating commits violating the sdtyle guide.
+This keeps you from accidentally creating commits violating the style guide.
 
 Working with mails
 ^^^^^^^^^^^^^^^^^^

doc/plugins/list.rst

@@ -1,3 +1,6 @@
+.. spelling::
+   Analytics
+
 List of plugins
 ===============
 

doc/plugins/pretixdroid.rst

@@ -9,6 +9,13 @@ uses to communicate with the pretix server.
              general-purpose :ref:`rest-api` that not yet provides all features that this API provides, but will do
              so in the future.
 
+.. versionchanged:: 1.12
+
+   Support for check-in-time questions has been added. The new API features are fully backwards-compatible and
+   negotiated live, so clients which do not need this feature can ignore the change. For this reason, the API version
+   has not been increased and is still set to 3.
+
+
 .. http:post:: /pretixdroid/api/(organizer)/(event)/redeem/
 
    Redeems a ticket, i.e. checks the user in.
@@ -22,18 +29,30 @@ uses to communicate with the pretix server.
       Accept: application/json, text/javascript
       Content-Type: application/x-www-form-urlencoded
 
-      secret=az9u4mymhqktrbupmwkvv6xmgds5dk3
+      secret=az9u4mymhqktrbupmwkvv6xmgds5dk3&questions_supported=true
 
-   You can optionally include the additional parameter ``datetime`` in the body containing an ISO8601-encoded
-   datetime of the entry attempt. If you don't, the current date and time will be used.
+   You **must** set the parameter secret.
 
-   You can optionally include the additional parameter ``force`` to indicate that the request should be logged
+   You **must** set the parameter ``questions_supported`` to ``true`` **if** you support asking questions
+   back to the app operator. You **must not** set it if you do not support this feature. In that case, questions
+   will just be ignored.
+
+   You **may** set the additional parameter ``datetime`` in the body containing an ISO8601-encoded
+   datetime of the entry attempt. If you don"t, the current date and time will be used.
+
+   You **may** set the additional parameter ``force`` to indicate that the request should be logged
    regardless of previous check-ins for the same ticket. This might be useful if you made the entry decision offline.
+   Questions will also always be ignored in this case (i.e. supplied answers will be saved, but no error will be
+   thrown if they are missing or invalid).
 
-   You can optionally include the additional parameter ``nonce`` with a globally unique random value to identify this
+   You **may** set the additional parameter ``nonce`` with a globally unique random value to identify this
    check-in. This is meant to be used to prevent duplicate check-ins when you are just retrying after a connection
    failure.
 
+   If questions are supported and required, you will receive a dictionary ``questions`` containing details on the
+   particular questions to ask. To answer them, just re-send your redemption request with additional parameters of
+   the form ``answer_<question>=<answer>``, e.g. ``answer_12=24``.
+
    **Example successful response**:
 
    .. sourcecode:: http
@@ -43,10 +62,66 @@ uses to communicate with the pretix server.
 
       {
         "status": "ok"
-        "version": 2
+        "version": 3,
+        "data": {
+          "secret": "az9u4mymhqktrbupmwkvv6xmgds5dk3",
+          "order": "ABCDE",
+          "item": "Standard ticket",
+          "item_id": 1,
+          "variation": null,
+          "variation_id": null,
+          "attendee_name": "Peter Higgs",
+          "attention": false,
+          "redeemed": true,
+          "paid": true
+        }
       }
 
-   **Example error response**:
+   **Example response with required questions**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Content-Type: text/json
+
+      {
+        "status": "incomplete"
+        "version": 3
+        "data": {
+          "secret": "az9u4mymhqktrbupmwkvv6xmgds5dk3",
+          "order": "ABCDE",
+          "item": "Standard ticket",
+          "item_id": 1,
+          "variation": null,
+          "variation_id": null,
+          "attendee_name": "Peter Higgs",
+          "attention": false,
+          "redeemed": true,
+          "paid": true
+        },
+        "questions": [
+          {
+            "id": 12,
+            "type": "C",
+            "question": "Choose a shirt size",
+            "required": true,
+            "position": 2,
+            "items": [1],
+            "options": [
+              {
+                "id": 24,
+                "answer": "M"
+              },
+              {
+                "id": 25,
+                "answer": "L"
+              }
+            ]
+          }
+        ]
+      }
+
+   **Example error response with data**:
 
    .. sourcecode:: http
 
@@ -56,13 +131,39 @@ uses to communicate with the pretix server.
       {
         "status": "error",
         "reason": "already_redeemed",
-        "version": 2
+        "version": 3,
+        "data": {
+          "secret": "az9u4mymhqktrbupmwkvv6xmgds5dk3",
+          "order": "ABCDE",
+          "item": "Standard ticket",
+          "item_id": 1,
+          "variation": null,
+          "variation_id": null,
+          "attendee_name": "Peter Higgs",
+          "attention": false,
+          "redeemed": true,
+          "paid": true
+        }
+      }
+
+   **Example error response without data**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Content-Type: text/json
+
+      {
+        "status": "error",
+        "reason": "unkown_ticket",
+        "version": 3
       }
 
    Possible error reasons:
 
    * ``unpaid`` - Ticket is not paid for or has been refunded
    * ``already_redeemed`` - Ticket already has been redeemed
+   * ``product`` - Tickets with this product may not be scanned at this device
    * ``unknown_ticket`` - Secret does not match a ticket in the database
 
    :query key: Secret API key
@@ -104,7 +205,7 @@ uses to communicate with the pretix server.
           },
           ...
         ],
-        "version": 2
+        "version": 3
       }
 
    :query query: Search query
@@ -133,6 +234,7 @@ uses to communicate with the pretix server.
       Content-Type: text/json
 
       {
+        "version": 3,
         "results": [
           {
             "secret": "az9u4mymhqktrbupmwkvv6xmgds5dk3",
@@ -146,7 +248,26 @@ uses to communicate with the pretix server.
           },
           ...
         ],
-        "version": 2
+        "questions": [
+          {
+            "id": 12,
+            "type": "C",
+            "question": "Choose a shirt size",
+            "required": true,
+            "position": 2,
+            "items": [1],
+            "options": [
+              {
+                "id": 24,
+                "answer": "M"
+              },
+              {
+                "id": 25,
+                "answer": "L"
+              }
+            ]
+          }
+        ]
       }
 
    :query key: Secret API key
@@ -157,7 +278,7 @@ uses to communicate with the pretix server.
 .. http:get:: /pretixdroid/api/(organizer)/(event)/status/
 
    Returns status information, such as the total number of tickets and the
-   number of performed checkins.
+   number of performed check-ins.
 
    **Example request**:
 
@@ -177,7 +298,7 @@ uses to communicate with the pretix server.
       {
         "checkins": 17,
         "total": 42,
-        "version": 2,
+        "version": 3,
         "event": {
           "name": "Demo Converence",
           "slug": "democon",

doc/requirements.txt

@@ -3,3 +3,5 @@ sphinx
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
+sphinxcontrib-spelling
+pyenchant

doc/spelling_wordlist.txt

@@ -0,0 +1,119 @@
+addon
+addons
+api
+auth
+autobuild
+backend
+backends
+banktransfer
+boolean
+booleans
+cancelled
+casted
+checkbox
+checksum
+config
+contenttypes
+contextmanager
+cron
+cronjob
+debian
+deduplication
+discoverable
+django
+dockerfile
+durations
+eu
+filename
+filesystem
+fontawesome
+frontend
+frontpage
+gettext
+gunicorn
+hardcoded
+hostname
+invalidations
+iterable
+libsass
+linters
+memcached
+metadata
+middleware
+mixin
+mixins
+multi
+multidomain
+namespace
+namespaced
+namespaces
+namespacing
+natively
+nginx
+NotificationType
+ons
+optimizations
+param
+percental
+positionid
+pre
+prepend
+prepended
+prepending
+preprocessor
+presale
+pretix
+pretixdroid
+pretixpresale
+prometheus
+proxied
+proxying
+queryset
+redemptions
+redis
+refactored
+regex
+renderer
+renderers
+reportlab
+screenshot
+serializers
+serializers
+sexualized
+startup
+stdout
+stylesheet
+subdirectories
+subdirectory
+subdomain
+subdomains
+subevent
+subevents
+submodule
+subpath
+systemd
+testutils
+timestamp
+un
+unconfigured
+unix
+unprefixed
+untrusted
+username
+url
+versa
+viewset
+viewsets
+webhook
+webhooks
+webserver
+webservice
+workflow
+zipcode
+Datetime
+Embeddable
+Hierarkey
+OAuth
+SSL
+Uptime
+Yay

doc/user/events/create.rst

@@ -1,3 +1,5 @@
+.. _event_create:
+
 Creating an event
 =================
 
@@ -26,15 +28,15 @@ is useful if you have a large number of events that are very similar to each oth
 (i.e. users should be able to buy tickets for multiple events at the same time). Those single events can differ in
 available products, quotas, prices and some meta information, but most settings need to be the same for all of them.
 We recommend to use this feature only if you really know that you need it and if you really run a lot of events, not if
-you run e.g. a yearly conference.
+you run e.g. a yearly conference. You can read more on this feature :ref:`here <subevents>`.
 
-Once you set these values, you can procede to the next step:
+Once you set these values, you can proceed to the next step:
 
 .. thumbnail:: ../../screens/event/create_step2.png
    :align: center
    :class: screenshot
 
-In this step, you will be asked more detailled questions about your event. In particular, you can fill in the
+In this step, you will be asked more detailed questions about your event. In particular, you can fill in the
 following fields:
 
 Name

doc/user/events/display.rst

@@ -0,0 +1,42 @@
+Display settings
+================
+
+The settings at "Settings" → "Display" allow you to customize the appearance of your ticket shop.
+
+.. thumbnail:: ../../screens/event/settings_display.png
+   :align: center
+   :class: screenshot
+
+The upper part of the page contains settings that you always need to set specifically for your event. Those are
+currently:
+
+Logo image
+    This logo will be shown as a banner above your shop. If you set it, the event name and date will no longer be
+    displayed by the shop, so we suggest to include them in the image yourself. The maximal height of the image is
+    120 pixels and if you want to use the full width, make your image 1140 pixels wide. If the user's screen is
+    smaller, the logo will be scaled down automatically, so it should still be legible at smaller sizes.
+
+Frontpage text
+    This text will be shown on the front page of your ticket shop, above the list of products. You can use it to explain
+    your product types, give more information on the event or for other general notices.
+    You can use :ref:`Markdown syntax <markdown-guide>` in this field.
+
+Show variations of a product expanded by default
+    If this is not checked, a product with variations will be shown as one row in the show by default and will expand
+    into multiple rows once it is clicked on. With this box checked, the variations will be shown as multiple rows
+    right from the beginning.
+
+
+The lower part of the page contains settings that you can **either** set on organizer-level for all your events **or**
+override for this single event individually. Those are:
+
+Primary color
+    This color will be used for links, buttons, and other design elements throughout your shop and emails sent to your
+    customers. We suggest not choosing something to light, since text in that color should be readable on a white
+    background and white text should be readable on a background of this color.
+
+Font
+    Choose one of multiple fonts to use for your web shop.
+
+.. note:: Both the color and font settings can take a few seconds up to a few minutes before they become active on your
+          shop.

doc/user/events/email.rst

@@ -0,0 +1,129 @@
+E-mail settings
+===============
+
+The settings at "Settings" → "E-mail" allow you to customize the emails that pretix sends to the participants of your
+event.
+
+.. thumbnail:: ../../screens/event/settings_email.png
+   :align: center
+   :class: screenshot
+
+The page is separated into three parts: "E-mail settings", "E-mail content" and "SMTP settings". We will explain all
+of them in detail on this page.
+
+E-mail settings
+---------------
+
+The upper part of the page contains settings that are relevant for the generation of all e-mails alike. Those are
+currently:
+
+Subject prefix
+    This text will be prepended to the subject of all e-mails that are related to your event. For example, if you
+    set this to "dc2018" all subjects will be formatted like "[dc2018] Your payment was successful".
+
+Sender address
+    All e-mails will be sent with this address in the "From" field. If you use an email address at a custom domain,
+    we strongly recommend to use the SMTP settings below as well, otherwise your e-mails might be detected as spam
+    due to the `Sender Policy Framework`_ and similar mechanisms.
+
+Signature
+    This text will be appended to all e-mails in form of a signature. This might be useful e.g. to add your contact
+    details or any legal information that needs to be included with the e-mails.
+
+E-mail content
+--------------
+
+The middle part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
+You can click on the different boxes to expand them and see the texts.
+
+Within the texts, you can use placeholders that will later by replaced by values depending on the event or order. Below
+every text box is a list of supported placeholders, but currently the following are defined (not every placeholder
+is valid in every text):
+
+============================== ===============================================================================
+Placeholder                    Description
+============================== ===============================================================================
+event                          The event name
+total                          The order's total value
+currency                       The currency used for the event (three-letter code)
+payment_info                   Information text specific to the payment method (e.g. banking details)
+url                            An URL pointing to the download/status page of the order
+invoice_name                   The name field of the invoice address
+invoice_company                The company field of the invoice address
+expire_date                    The order's expiration date
+date                           The same as ``expire_date``, but in a different e-mail (for backwards
+                               compatibility)
+orders                         A list of orders including links to their status pages, specific to the "resend
+                               link (requested by user)" e-mail
+code                           In case of the waiting list, the voucher code to redeem
+hours                          In case of the waiting list, the number of hours the voucher code is valid
+============================== ===============================================================================
+
+The different e-mails are explained in the following:
+
+Placed Order
+    This e-mail is sent out to every order directly after the order has been received, except if the order total
+    is zero (see below). It should specify that/how the order is to be paid.
+
+Paid Order
+    This e-mail is sent out as soon as the payment for an order has been received and should give the customer
+    more information on how to proceed, e.g. by downloading their ticket.
+
+Free Order
+    This e-mail is sent out instead of "Placed Order" and "Paid Order" if the order total is zero. It therefore should
+    tell the same information, except asking the customer for completing their payment.
+
+Resend link
+    Sent by admin
+        This e-mail will be sent out if you click the "Resend link" next to the e-mail address field on the order detail
+        page. It should include the link to the order and can be sent to users e.g. if they lost their original e-mails.
+
+    Requested by user
+        Customers can also request a link to all orders they created using their e-mail address themselves by filling
+        out a form on the website. In this case, they will receive an e-mail containing a list of all orders they created
+        with the respective links.
+
+Order changed
+    This e-mail is sent out if you change the content of the order and choose to notify the user about it.
+
+Payment reminder
+    This e-mail is sent out a certain number of days before the order's expiry date. You can specify the number of days
+    before the expiry date that this should happen and the e-mail will only ever be sent if you do specify such a
+    number. The text should ask the customer to complete the payment, tell the options on how to do so and the
+    consequences if no payment is received (ticket gone, depending on your other settings). You should also include
+    a way to contact you in case of questions.
+
+Waiting list notification
+    If you enable the waiting list feature, this is the mail that will be sent out if a ticket is assigned to a person on
+    the waiting list. It should include the voucher that needs to be redeemed to get the free spot and tell how long
+    that voucher is valid and where to redeem it.
+
+Order canceled
+    This e-mail is sent to a customer if their order has been canceled.
+
+
+Order custom mail
+    You can use pretix' admin interface to directly send an e-mail with a custom text to the customer of a specific
+    order. In this case, this will be the default text and might save you time by not having to re-type all of it every
+    time.
+
+Reminder to download tickets
+    If you want, you can configure an email that will be send out a number of days before your event to remind
+    attendees to download their tickets. The e-mail should include a link to the ticket download. This e-mail will only
+    ever be sent if you specify a number of days.
+
+SMTP settings
+-------------
+
+If you want to send your e-mails via your own e-mail address, we strongly recommend to use SMTP for this purpose.
+SMTP is a protocol that is used by e-mail clients to communicate with e-mail servers. Using SMTP, pretix can talk to
+your e-mail service provider the same way that e.g. the e-mail app on your phone can.
+
+Your e-mail provider will most likely have a document that tells you the settings for the various fields to fill in
+here (hostname, port, username, password, encryption).
+
+With the checkbox "Use custom SMTP server" you can turn using your SMTP server on or off completely. With the
+button "Save and test custom SMTP connection", you can test if the connection and authentication to your SMTP server
+succeeds, even before turning that checkbox on.
+
+.. _Sender Policy Framework: https://en.wikipedia.org/wiki/Sender_Policy_Framework

doc/user/events/invoicing.rst

@@ -0,0 +1,96 @@
+Invoice settings
+================
+
+.. spelling:: Inv
+
+The settings at "Settings" → "Invoice" allow you to specify if and how pretix should generate invoices for your orders.
+
+.. thumbnail:: ../../screens/event/settings_invoice.png
+   :align: center
+   :class: screenshot
+
+In particular, you can configure the following things:
+
+Ask for invoice address
+    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
+    this box, the invoice address will be optional to fill in.
+
+Require invoice address
+    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
+    able to create an order without entering an address.
+
+Require customer name
+    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
+    the name field will be obligatory.
+
+Generate invoices
+    This field controls whether pretix should generate an invoice for an order. You have the following options:
+
+    No
+        pretix will never generate an invoice. If you want to issue invoices, you need to do it yourself based on the
+        collected address data.
+
+    Manually in admin panel
+        pretix will not create invoices automatically, but the order detail view will show a button that allows you to
+        manually generate one for specific orders.
+
+    Automatically on user request
+        pretix will not create invoices on its own, but both the panel as well as the customer view of the order will
+        show a button that instantly generates an invoice for the specified order.
+
+    Automatically for all created orders
+        pretix will automatically create an invoice every time an order is placed.
+
+    Automatically on payment
+        pretix will automatically create an invoice for an order, as soon as the payment for the order is received.
+
+    pretix will never generate invoices for free orders, even though it might ask for the invoice address.
+
+Attach invoices to emails
+    If enabled, invoices will be attached to order confirmation e-mails if the "Generate invoices" setting is set to
+    "Automatically for all created orders" or to the payment confirmation e-mails if it is set to "Automatically on
+    payment".
+
+Ask for VAT ID
+    If enabled, the invoice address form will not only ask for a postal address, but also for a VAT ID. The VAT ID will
+    always be an optional field.
+
+Generate invoices with consecutive numbers
+    If enabled, invoices will be created with numerical invoice numbers in the order of their creation, i.e.
+    PREFIX-00001, PREFIX-00002, and so on. If disabled, invoice numbers will instead be generated from the order code,
+    i.e. PREFIX-YHASD-1. When in doubt, keep this option enabled since it might be legally required in your country,
+    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
+    the invoice numbers.
+
+Invoice number prefix
+    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
+    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
+    followed by a dash, e.g. DEMOCON-00001.
+
+    Within one organizer account, events with the same number prefix will share their number range. For example, if you
+    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
+    and the numbers will have gaps within one event.
+
+Show free products on invoices
+    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
+    at least one non-free product in order to generate an invoice.
+
+Show attendee names on invoices
+    If enabled, the attendee name will be printed on the invoice for admission tickets.
+
+Your address
+    This should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
+    the header of the invoice.
+
+Introductory text
+    A free custom text that will be printed above the list of products on the invoice.
+
+Additional text
+    A free custom text that will be printed below the list of products and the invoice total.
+
+Footer
+    A text that will be printed in the foot line of the invoice. This could contain your contact details or legal
+    information on the issuing entity, e.g. registration numbers, your VAT ID, etc.
+
+Logo image
+    A square image that will be printed in the invoice header, currently with a width of 2.5cm.

doc/user/events/plugins.rst

@@ -0,0 +1,20 @@
+Configuring plugins
+===================
+
+Plugins are optional parts of pretix that can be installed to extend the available functionality and that can be turned
+on or off completely for every event. For your event, a number of plugins might be active already, but you can unlock
+even more functionality by going to "Settings" → "Plugins" and enable more of them, if you need.
+
+.. thumbnail:: ../../screens/event/settings_plugins.png
+   :align: center
+   :class: screenshot
+
+For each plugin, you will find a short description as well as an Enable/Disable button. The pretix website has
+`an overview`_ of available plugins and more details of them. If you are on the pretix.eu hosted service, look for
+the "pretix Hosted" badge in the plugin list to learn which ones are supported there.
+
+If you are running pretix on your own server, refer to the installation manual of your installation type to learn
+how to install additional plugins (:ref:`manual <manual_plugininstall>` or :ref:`Docker <docker_plugininstall>`).
+
+.. _an overview: https://pretix.eu/about/en/plugins
+

doc/user/events/settings.rst

@@ -0,0 +1,14 @@
+Configuring an event
+====================
+
+.. toctree::
+   :maxdepth: 2
+
+   subevents
+   ../payments/index
+   plugins
+   display
+   tickets
+   email
+   taxes
+   invoicing

doc/user/events/subevents.rst

@@ -0,0 +1,111 @@
+.. _subevents:
+
+Event series
+============
+
+During creation of a new event, you can choose that you want to create this event as an event series.
+By event series, we mean a group of events that are similar in their structure and that you want to
+sell within a single shop. An event series consists of **dates**. Each date represents one "event"
+within the series.
+
+For example, we think good examples to use the event series feature are:
+
+* A theater or theater group that shows the same play on five evenings.
+
+* A band on tour that hosts the same show in different locations.
+
+* A workshop that is given multiple times in different locations or at different times.
+
+We **don't** think that the feature is well-suited for events like the following:
+
+* Event series distributed over a large timescale like annual conferences. We suggest using multiple events in this
+  case. You can avoid having to configure everything twice since you can copy settings from an existing event during
+  creation of the new event.
+
+* Multiple parts of a conference or festival (e.g. different days) if a significant number of attendees will visit
+  more than one of them. We suggest just using different products in this case.
+
+When using an event series, the single dates of the series are using the same settings in most places. They can
+**only** differ in the following aspects:
+
+* They can have different date, time, and location parameters.
+
+* They can use different text on the shop front page.
+
+* They can have different prices for the various products.
+
+* They always have distinct quotas, which allows you to assign different amounts of tickets or to enable or disable
+  some products completely.
+
+* They can have different rules for check-in.
+
+Therefore, if your events are likely to need more different settings, this is probably not the feature for you. The
+benefits of using event series, on the other hand, are:
+
+* You only need to set most settings once, as the multiple dates live in the same shop.
+
+* Your customers can build mixed orders, i.e. they can order tickets for multiple dates at once.
+
+
+Creating and modifying dates in the series
+------------------------------------------
+
+Click on "Dates" in the left navigation menu of your event. This page shows you the list of currently existing event
+dates and allows you to create, edit, clone and delete them.
+
+If "Dates" is missing from the navigation menu, you have insufficient permission or your event has not been set up as
+an event series and you need to create a new event.
+
+.. thumbnail:: ../../screens/event/subevent_list.png
+   :align: center
+   :class: screenshot
+
+If you click on one of them or create a new one, you will see the following form:
+
+.. thumbnail:: ../../screens/event/subevent_create.png
+   :align: center
+   :class: screenshot
+
+Here, you can make changes to the following fields, most of which are optional:
+
+Name
+  This is the public name of your date. It should be descriptive enough to tell the user which date to select in
+  a calendar.
+
+Active
+  This date will only show up for customers if you check this box. In this sense, it corresponds to the "live" setting
+  of events.
+
+
+Event start time
+  The date and time that this date starts at.
+
+Event end time
+  The date and time this date ends at.
+
+Location
+  This is the location of your date in a human-readable format. We will show this on the ticket shop frontpage, but
+  it might also be used e.g. in Wallet tickets.
+
+Admission time
+  The admission date and time to show on the ticket shop page or on the tickets.
+
+Frontpage text
+  A text to show on the front page of the ticket shop for this date.
+
+Start of presale
+  If you set this, no ticket will be sold before the time you set. If you set this on event series level as well,
+  both dates must be in the past for the tickets to be available.
+
+End of presale
+  If you set this, no ticket will be sold after the time you set. If you set this on event series level as well,
+  both dates must be in the future for the tickets to be available.
+
+Quotas
+  As for all events, no tickets will be available unless there is a quota created for them that specifies the number
+  of tickets available. You can create multiple quotas that are assigned to this date directly from this interface.
+
+Item prices
+  This is a table of all products configured for your shop. If you want, you can enter a new price for each one of them
+  in the right column to make them cheaper or more expensive for this date. If you leave a field empty, the price will
+  follow the product's default price.

doc/user/events/taxes.rst

@@ -1,5 +1,7 @@
-Tax rules
-=========
+.. _taxes:
+
+Configuring taxes
+=================
 
 In most countries, you will be required to pay some form of sales tax for your event tickets. If you don't know about
 the exact rules, you should consult a professional tax consultant right now.
@@ -16,7 +18,7 @@ your event, go to the respective section in your event's settings:
    :class: screenshot
 
 On this page, you can create, edit and delete your tax rules. Clicking on the name of a tax rule will take you to its
-detailled settings:
+detailed settings:
 
 .. thumbnail:: ../../screens/event/tax_detail.png
    :align: center

doc/user/events/tickets.rst

@@ -0,0 +1,30 @@
+Ticket settings
+===============
+
+At "Settings" → "Tickets", you can configure the ticket download options that will be presented to your customers:
+
+.. thumbnail:: ../../screens/event/settings_tickets.png
+   :align: center
+   :class: screenshot
+
+The top of this page shows a short list of options relevant for all download formats:
+
+Use feature
+  This can be used to completely enable or disable ticket downloads all over your ticket shop.
+
+Download date
+  If you set a date here, no ticket download will be offered before this date. If no date is set, tickets can be
+  downloaded immediately after the payment for an order has been received.
+
+Offer to download tickets separately for add-on products
+  By default, tickets can not be downloaded for order positions which are only an add-on to other order positions. If
+  you enable this, this behavior will be changed and add-on products will get their own tickets as well. If disabled,
+  you can still print a list of chosen add-ons e.g. on the PDF tickets.
+
+Generate tickets for non-admission products
+  By default, tickets will only be generated for products that are marked as admission products. Enable this option to
+  generate tickets for all products instead.
+
+Below these settings, the detail settings for the various ticket file formats are offered. They differ from format to
+format and only share the common "Enable" setting that can be used to turn them on. By default, pretix ships with
+a PDF output plugin that you can configure through a visual design editor.

doc/user/events/widget.rst

@@ -67,7 +67,7 @@ SSL
 ---
 
 Since buying a ticket normally involves entering sensitive data, we strongly suggest that you use SSL/HTTPS for the page
-that includes the widget. Initiatives like `Let's Encrypt`_ allow you to obtain a SSL certificat free of charge.
+that includes the widget. Initiatives like `Let's Encrypt`_ allow you to obtain a SSL certificate free of charge.
 
 All data transferred to pretix will be made over SSL, even if using the widget on a non-SSL site. However, without
 using SSL for your site, a man-in-the-middle attacker could potentially alter the widget in dangerous ways. Moreover,
@@ -75,7 +75,7 @@ using SSL is becoming standard practice and your customers might want expect see
 granted to SSL-enabled web pages.
 
 By default, the checkout process will open in a new tab in your customer's browsers if you don't use SSL for your
-website. If you confident to have a good reason for not using SSL, you can override this behaviour with the
+website. If you confident to have a good reason for not using SSL, you can override this behavior with the
 ``skip-ssl-check`` attribute::
 
    <pretix-widget event="https://pretix.eu/demo/democon/" skip-ssl-check></pretix-widget>

doc/user/faq.rst

@@ -0,0 +1,53 @@
+FAQ and Troubleshooting
+=======================
+
+How can I test my shop before taking it live?
+---------------------------------------------
+
+There are multiple ways to do this.
+
+First, you could just create some orders in your real shop and cancel/refund them later. If you don't want to process
+real payments for the tests, you can either use a "manual" payment method like bank transfer and just mark the orders
+as paid with the button in the backend, or if you want to use e.g. Stripe, you can configure pretix to use your keys
+for the Stripe test system and use their test credit cars. Read our :ref:`Stripe documentation <stripe>` for more
+information.
+
+Second, you could create a separate event, just for testing. In the last step of the :ref:`event creation process <event_create>`,
+you can specify that you want to copy all settings from your real event, so you don't have to do all of it twice.
+
+We are planning to add a dedicated test mode in a later version of pretix.
+
+If you are using the hosted service at pretix.eu and want to get rid of the test orders completely, contact us at
+support@pretix.eu and we can remove them for you. Please note that we only are able to do that *before* you have
+received any real orders (i.e. taken the shop public). We won't charge any fees for test orders or test events.
+
+How do I delete an event?
+-------------------------
+
+You can find the event deletion button at the bottom of the event settings page. Note however, that it is not possible
+to delete an event once any order or invoice has been created, as those likely contain information on financial
+transactions which legally may not be tampered with and needs to be kept on record for multiple years in most
+countries. In this case, you can just disable the shop by clicking the first square on your event
+dashboard.
+
+If you are using the hosted service at pretix.eu and want to get rid of an event that you only used for testing, contact
+us at support@pretix.eu and we can remove it for you.
+
+Why doesn't my product show up in the ticket shop?
+--------------------------------------------------
+
+If you created a product and it doesn't show up, please follow the following steps to find out why:
+
+1. Check if the product's "active" checkbox is enabled.
+2. Check if the product is in a category that has the "Products in this category are add-on products" checkbox enabled.
+   If this is the case, the product won't show up on the shop front page, but only in the first step of checkout when
+   a product in the cart allows to add add-on products from this category.
+3. Check if the product's "Available from" or "Available until" settings restrict it to a date range.
+4. Check if the product's checkbox "This product will only be shown if a voucher matching the product is redeemed." is
+   enabled. If this is the case, the product will only be shown if the customer redeems a voucher that *directly* matches
+   to this product. It will not be shown if the voucher only is configured to match a quota that contains the product.
+5. Check that a quota exists that contains this product. If your product has variations, check that at least one
+   variation is contained in a quota. If your event is an event series, make sure that the product is contained in a
+   quota that is assigned to the series date that you access the shop for.
+6. If the sale period has not started yet or is already over, check the "Show items outside presale period" setting of
+   your event.

doc/user/index.rst

@@ -9,6 +9,7 @@ wanting to use pretix to sell tickets.
 
    organizers/index
    events/create
-   events/taxes
-   payments/index
+   events/settings
    events/widget
+   faq
+   markdown

doc/user/markdown.rst

@@ -0,0 +1,166 @@
+.. _markdown-guide:
+
+Markdown Guide
+==============
+
+What is markdown?
+-----------------
+
+In many places of your shop, like frontpage texts, product descriptions and email texts, you can use
+`Markdown`_ to create links, bold text, and other formatted content. Markdown is a good middle-ground
+since it is way easier to learn than languages like HTML but allows all basic formatting options required
+for text in those places.
+
+Formatting rules
+----------------
+
+Simple text formatting
+""""""""""""""""""""""
+
+To set a text in italics, you can put it in asterisks or underscores. For example,
+
+.. code-block:: markdown
+
+    Please *really* pay your _ticket_.
+
+will become:
+
+    Please *really* pay your *ticket*.
+
+If you set double asterisks or underscores, the text will be printed in bold. For example,
+
+.. code-block:: markdown
+
+    This is **important**.
+
+will become:
+
+    This is **important**.
+
+You can also display, for example:
+
+.. code-block:: markdown
+
+    Input this `exactly like this`.
+
+You will get:
+
+    Input this ``exactly like this``.
+
+Links
+"""""
+
+You can create a link by just pasting it in, e.g.
+
+.. code-block:: markdown
+
+    Check this on https://en.wikipedia.org
+
+will become:
+
+    Check this on https://en.wikipedia.org
+
+However, if you want to control the text of the link, you can put the text of the link in ``[]`` brackets and the
+link target in ``()`` parentheses, like this:
+
+.. code-block:: markdown
+
+    Check this on [Wikipedia](https://en.wikipedia.org).
+
+This will yield:
+
+    Check this on `Wikipedia`_
+
+All links created with pretix Markdown syntax will open in a new tab.
+
+Lists
+"""""
+
+You can create un-numbered lists by prepending the lines with asterisks.
+
+.. code-block:: markdown
+
+    * First item
+    * Second item with a text that is too long to
+      fit in a line
+    * Third item
+
+will become:
+
+    * First item
+    * Second item with a text that is too long to
+      fit in a line
+    * Third item
+
+You can also use numbers as list items
+
+.. code-block:: markdown
+
+    1.  Red
+    2.  Green
+    3.  Blue
+
+to get
+
+    1.  Red
+    2.  Green
+    3.  Blue
+
+Headlines
+"""""""""
+
+To create a headline, prepend it with ``#`` for the main headline, ``##`` for a headline of the second level,
+and so on. For example:
+
+.. code-block:: markdown
+
+    # Headline 1
+    ## Headline 2
+    ### Headline 3
+    #### Headline 4
+    ##### Headline 5
+    ###### Headline 6
+
+We do not recommend using headlines of the first level, as pretix will already set the name of your event as a level-1
+headline of the page and HTML pages should have only one headline on the first level.
+
+You can also use
+
+.. code-block:: markdown
+
+    *****
+
+to create a horizontal line, like the following:
+
+.. raw:: html
+
+    <hr>
+
+Using HTML
+----------
+
+You can also directly embed HTML code, if you want, although we recommend
+using Markdown, as it enables e.g. people using text-based email clients
+to get a better plain text representation of your text. Note however, that for
+security reasons you can only use the following HTML elements::
+
+    a, abbr, acronym, b, br, code, div, em, h1, h2,
+    h3, h4, h5, h6, hr, i, li, ol, p, pre, span, strong,
+    table, tbody, td, thead, tr, ul
+
+Additionally, only the following attributes are allowed on them::
+
+    <a href="…" title="…">
+    <abbr title="…">
+    <acronym title="…">
+    <table width="…">
+    <td width="…" align="…">
+    <div class="…">
+    <p class="…">
+    <span class="…">
+
+All other elements and attributes will be stripped during parsing.
+
+
+.. _Markdown: https://en.wikipedia.org/wiki/Markdown
+.. _Wikipedia: https://en.wikipedia.org

doc/user/organizers/account.rst

@@ -0,0 +1,43 @@
+Organizer account
+=================
+
+The basis of all your operations within pretix is your organizer account. It represents an entity that is running
+events, for example a company, yourself or any other institution.
+Every event belongs to one organizer account and events within the same organizer account are assumed to belong together
+in some sense, whereas events in different organizer accounts are completely isolated.
+
+If you want to use the hosted pretix service, you can create an organizer account on our `Get started`_ page. Otherwise,
+ask your pretix administrator for access to an organizer account.
+
+You can find out all organizer accounts you have access to by going to your global dashboard (click on the pretix logo
+in the top-left corner) and then select "Organizers" from the navigation bar on the left side. Then, choose one of the
+organizer accounts presented, if there are multiple of them:
+
+.. thumbnail:: ../../screens/organizer/list.png
+   :align: center
+   :class: screenshot
+
+This overview shows you all event that belong to the organizer and you have access to:
+
+.. thumbnail:: ../../screens/organizer/event_list.png
+   :align: center
+   :class: screenshot
+
+With the "Edit" button at the top, next to the organizer account name, you can modify properties of the organizer
+account such as its name and display settings for the public profile page of the organizer account:
+
+.. thumbnail:: ../../screens/organizer/edit.png
+   :align: center
+   :class: screenshot
+
+.. tip::
+
+   The profile page will be shown as ``https://pretix.eu/slug/`` where ``slug`` is to be replaced by the short form of
+   the organizer name that you entered during account creation and ``pretix.eu`` is to be replaced by your
+   installation's domain name if you are not using our hosted service.
+
+   Instead, you can also use a custom domain for the profile page and your events, for example
+   ``https://tickets.example.com/`` if ``example.com`` is a domain that you own.  Head to :ref:`custom_domain` to learn
+   more.
+
+.. _Get started: https://pretix.eu/about/en/setup

doc/user/organizers/domain.rst

@@ -0,0 +1,54 @@
+.. _custom_domain:
+
+Using a custom domain
+=====================
+
+By default, event shops built with pretix are accessible at ``https://<domain>/<organizer>/<event>/``, where
+``<domain>`` is ``pretix.eu`` if you are using our hosted service and ``<organizer>`` and ``<event>`` are the short
+form versions of your organizer account name and event name, respectively.
+
+However, you are also able to use a custom domain for your ticket shops! If you work for "Awesome Party Corporation"
+and your website is ``awesomepartycorp.com``, you might want to sell your tickets at ``tickets.awesomepartycorp.com``
+and with pretix, you can do this. On this page, you find out the necessary steps to take.
+
+With the pretix.eu hosted service
+---------------------------------
+
+Step 1: DNS Configuration
+#########################
+
+Go to the website of the provider you registered your domain name with. Look for the "DNS" settings page in their
+interface. Unfortunately, we can't tell you exactly how that is named and how it looks, since it is different for every
+domain provider.
+
+Use this interface to add a new subdomain record, e.g. ``tickets`` of the type ``CNAME`` (might also be called "alias").
+The value of the record should be ``www.pretix.eu``.
+
+Step 2: Wait for the DNS entry to propagate
+###########################################
+
+Submit your changes and wait a bit, it can regularly take up to three hours for DNS changes to propagate to the caches
+of all DNS servers. You can try checking by accessing your new subdomain, ``http://tickets.awesomepartycorp.com``.
+If DNS was changed successfully, you should see a SSL certificate error. If you ignore the error and access the page
+anyways, you should get a pretix-themed error page with the headline "Unknown domain".
+
+Step 3: Tell us
+###############
+
+Write an email to support@pretix.eu, naming your new domain and your organizer account. We will then generate a SSL
+certificate for you (for free!) and configure the domain.
+
+
+With a custom pretix installation
+---------------------------------
+
+If you installed pretix on a server yourself, you can also use separate domains for separate organizers.
+First of all, configure your webserver or reverse proxy to pass requests to the new domain to pretix as well.
+Then, go to the organizer account in pretix and click the "Edit" button. Enter the new domain in the "Custom Domain"
+field, then you're done!
+
+.. thumbnail:: ../../screens/organizer/edit_sysadmin.png
+   :align: center
+   :class: screenshot
+
+Note that this field only shows up if you are logged in as a system administrator of your pretix installation.

doc/user/organizers/index.rst

@@ -1,112 +1,9 @@
 Organizer accounts and teams
 ============================
 
-Organizer account
------------------
+.. toctree::
+   :maxdepth: 2
 
-The basis of all your operations within pretix is your organizer account. It represents an entity that is running
-events, for example a company, yourself or any other institution.
-Every event belongs to one organizer account and events within the same organizer account are assumed to belong together
-in some sense, whereas events in different organizer accounts are completely isolated.
-
-If you want to use the hosted pretix service, you can create an organizer account on our `Get started`_ page. Otherwise,
-ask your pretix administrator for access to an organizer account.
-
-You can find out all organizer accounts you have access to by going to your global dashboard (click on the pretix logo
-in the top-left corner) and then select "Organizers" from the navigation bar on the left side. Then, choose one of the
-organizer accounts presented, if there are multiple of them:
-
-.. thumbnail:: ../../screens/organizer/list.png
-   :align: center
-   :class: screenshot
-
-This overview shows you all event that belong to the organizer and you have access to:
-
-.. thumbnail:: ../../screens/organizer/event_list.png
-   :align: center
-   :class: screenshot
-
-With the "Edit" button at the top, next to the organizer account name, you can modify properties of the organizer
-account such as its name and display settings for the public profile page of the organizer account:
-
-.. thumbnail:: ../../screens/organizer/edit.png
-   :align: center
-   :class: screenshot
-
-.. tip::
-
-   The profile page will be shown as ``https://pretix.eu/slug/`` where ``slug`` is to be replaced by the short form of
-   the organizer name that you entered during account creation and ``pretix.eu`` is to be replaced by your
-   installation's domain name if you are not using our hosted service.
-
-   Instead, you can also use a custom domain for the profile page and your events, for example
-   ``https://tickets.example.com/`` if ``example.com`` is a domain that you own. In this case, please contact the pretix
-   hosted support or your system administrator to set up the custom domain.
-
-Teams
------
-
-We don't expect you to work on your events all by yourself and therefore, pretix comes with ways to invite your fellow
-team members to access your pretix organizer account. To manage teams, click on the "Teams" link on your organizer
-settings page (see above how to find it). This shows you a list of teams that should contain at least one team already:
-
-.. thumbnail:: ../../screens/organizer/team_list.png
-   :align: center
-   :class: screenshot
-
-If you click on a team name, you get to a page that shows you the current members of the team:
-
-.. thumbnail:: ../../screens/organizer/team_detail.png
-   :align: center
-   :class: screenshot
-
-You see that there is a list of pretix user accounts (i.e. email addresses), who are part of the team. To add a user to
-the team, just enter their email address in the text box next to the "Add" button. If the user already has an account
-in the pretix system they will instantly get access to the team. Otherwise, they will be sent an email with an invitation
-link that can be used to create an account. This account will then instantly have access to the team. Users can be part
-of as many teams as you want.
-
-In the section below, you can also create access tokens for our :ref:`rest-api`. You can read more on this topic in the
-section :ref:`rest-auth` of the API documentation.
-
-Next to the team name, you again see a button called "Edit" that allows you to modify the permissions of the team.
-Permissions separate into two areas:
-
-* **Organizer permissions** allow actions on the level of an organizer account, in particular:
-
-   * Can create events – To create a new event under this organizer account, users need to have this permission
-
-   * Can change teams and permissions – This permission is required to perform the kind of action you are doing right now.
-     Anyone with this permission can assign arbitrary other permissions to themselves, so this is the most powerful
-     permission there is to give.
-
-   * Can change organizer settings – This permission is required to perform changes to the settings of the organizer
-     account, e.g. its name or display settings.
-
-* **Event permissions** allow actions on the level of an event. You can give the team access to all events of the
-  organizer (including future ones that are not yet created) or just a selected set of events. The specific permissions to choose from are:
-
-   * Can change event settings – This permission gives access to most areas of the control panel that are not controlled
-     by one of the other event permissions, especially those that are related to setting up and configuring the event.
-
-   * Can change product settings – This permission allows to create and modify products and objects that are closely
-     related to products, such as product categories, quotas, and questions.
-
-   * Can view orders – This permission allows viewing the list of orders and allindividual order details, but not
-     changing anything about it. This also includes the various exports offered.
-
-   * Can change orders – This permission allows all actions that involve changing an order, such as changing the products
-     in an order, marking an order as paid or refunden, importing banking data, etc. This only works properly if the
-     same users also have the "Can view orders" permission.
-
-   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
-     their redemption status.
-
-   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
-     properly if the same users also have the "Can view vouchers" permission.
-
-.. thumbnail:: ../../screens/organizer/team_edit.png
-   :align: center
-   :class: screenshot
-
-.. _Get started: https://pretix.eu/about/en/setup
+   account
+   teams
+   domain

doc/user/organizers/teams.rst

@@ -0,0 +1,65 @@
+Teams
+=====
+
+We don't expect you to work on your events all by yourself and therefore, pretix comes with ways to invite your fellow
+team members to access your pretix organizer account. To manage teams, click on the "Teams" link on your organizer
+settings page (see above how to find it). This shows you a list of teams that should contain at least one team already:
+
+.. thumbnail:: ../../screens/organizer/team_list.png
+   :align: center
+   :class: screenshot
+
+If you click on a team name, you get to a page that shows you the current members of the team:
+
+.. thumbnail:: ../../screens/organizer/team_detail.png
+   :align: center
+   :class: screenshot
+
+You see that there is a list of pretix user accounts (i.e. email addresses), who are part of the team. To add a user to
+the team, just enter their email address in the text box next to the "Add" button. If the user already has an account
+in the pretix system they will instantly get access to the team. Otherwise, they will be sent an email with an invitation
+link that can be used to create an account. This account will then instantly have access to the team. Users can be part
+of as many teams as you want.
+
+In the section below, you can also create access tokens for our :ref:`rest-api`. You can read more on this topic in the
+section :ref:`rest-auth` of the API documentation.
+
+Next to the team name, you again see a button called "Edit" that allows you to modify the permissions of the team.
+Permissions separate into two areas:
+
+* **Organizer permissions** allow actions on the level of an organizer account, in particular:
+
+   * Can create events – To create a new event under this organizer account, users need to have this permission
+
+   * Can change teams and permissions – This permission is required to perform the kind of action you are doing right now.
+     Anyone with this permission can assign arbitrary other permissions to themselves, so this is the most powerful
+     permission there is to give.
+
+   * Can change organizer settings – This permission is required to perform changes to the settings of the organizer
+     account, e.g. its name or display settings.
+
+* **Event permissions** allow actions on the level of an event. You can give the team access to all events of the
+  organizer (including future ones that are not yet created) or just a selected set of events. The specific permissions to choose from are:
+
+   * Can change event settings – This permission gives access to most areas of the control panel that are not controlled
+     by one of the other event permissions, especially those that are related to setting up and configuring the event.
+
+   * Can change product settings – This permission allows to create and modify products and objects that are closely
+     related to products, such as product categories, quotas, and questions.
+
+   * Can view orders – This permission allows viewing the list of orders and all individual order details, but not
+     changing anything about it. This also includes the various exports offered.
+
+   * Can change orders – This permission allows all actions that involve changing an order, such as changing the products
+     in an order, marking an order as paid or refunded, importing banking data, etc. This only works properly if the
+     same users also have the "Can view orders" permission.
+
+   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
+     their redemption status.
+
+   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
+     properly if the same users also have the "Can view vouchers" permission.
+
+.. thumbnail:: ../../screens/organizer/team_edit.png
+   :align: center
+   :class: screenshot

doc/user/payments/banktransfer.rst

@@ -30,3 +30,9 @@ many orders could be processed correctly and how many could not. You can then go
 transfers from your bank statement that are not yet matched to an order. Using the input field and the buttons on the
 left of each transaction, you can manually enter an order code to match it to or just discard it from the list, e.g.
 if the transaction is not related to the event at all.
+
+
+.. tip:: If you aren't afraid of getting a bit more technical and your bank supports the HBCI/FinTS protocol (as most
+         German banks do), you can use `pretix-banktool`_ to fully automate this process.
+
+.. _pretix-banktool: https://github.com/pretix/pretix-banktool

doc/user/payments/fees.rst

@@ -1,3 +1,5 @@
+.. _payment-fees:
+
 Payment method fees
 ===================
 
@@ -18,6 +20,9 @@ might also decide to go for option one to make it easier for customers who don't
              legislation might already be in place or become relevant from January 2018 the latest. This is not
              legal advice. If in doubt, consult a lawyer or refrain from charging payment fees.
 
+If you go for the first option (as you should in the EU), you can just leave the payment fee fields in pretix' settings
+empty.
+
 If you go for the second option, you can configure pretix to charge the payment method fees to your user. You can
 define both an absolute fee as well as a percental fee based on the order total. If you do so, there are two
 different ways in which pretix can calculate the fee. Normally, it is fine to just go with the default setting, but
@@ -55,4 +60,4 @@ same 5 %, such that for a ticket with a list price of 100 € you will get your
     ===================================================== =============
 
     Due to the various rounding steps performed by pretix and by the payment provider, the end total on
-    your bank account might stil vary by one cent.
+    your bank account might still vary by one cent.

doc/user/payments/index.rst

@@ -1,9 +1,10 @@
-Accepting payments
-==================
+Payment settings
+================
 
 .. toctree::
    :maxdepth: 2
 
+   settings
    overview
    fees
    paypal

doc/user/payments/overview.rst

@@ -2,33 +2,15 @@ Payment method overview
 =======================
 
 pretix allows you to accept payments using a variety of payment methods to fit the needs of very different events.
-This page gives you a short overview over them and links to more detailled descriptions in some cases.
+This page gives you a short overview over them and links to more detailed descriptions in some cases.
 
 Payment methods are built as pretix plugins. For this reason, you might first need to enable a certain plugin at
-"Settings" → "Plugins" in your event settings. Then, you can configure them in detail at "Settings" -> "Payment".
+"Settings" → "Plugins" in your event settings. Then, you can configure them in detail at "Settings" → "Payment".
 
 If you host pretix on your own server, you might need to install a plugin first for some of the payment methods listed
 on this page as well as for additional ones.
 
-:ref:`stripe`
-    Stripe is a US-based company that offers you an easy way to accept credit card payments from all over the world.
-    To accept payments with Stripe, you need to have a Stripe merchant account that is easy to create. Click on the link
-    above to get more details about the Stripe integration into pretix.
-
-:ref:`paypal`
-    If you want to accept online payments via PayPal, you can do so using pretix. You will need a PayPal merchant
-    account and it is a little bit complicated to obtain the required technical details, but we've got you covered.
-    Click on the link above to learn more.
-
-:ref:`banktransfer`
-    Classical IBAN wire transfers are a common payment method in central Europe that has the large benefit that it
-    often does not cause any additional fees. However, it requires you to invest some more effort as you need to
-    check your bank account for incoming payments regularly. We provide some tools to make this easier for you.
-
-SEPA debit
-    In some Europen countries, a very popular online payment method is SEPA direct debit. If you want to offer this
-    option in your pretix ticket shop, we provide a convenient plugin that allows users to enter their SEPA bank
-    account details and issue a SEPA mandate. You will then need to regularly download a SEPA XML file from pretix
-    and upload it to your bank's interface to actually perform the debits.
-
+To get an overview of the officially supported payment methods and their pros and cons, head to the `pretix website`_.
+On these pages, you get more information on how to configure :ref:`stripe`, :ref:`paypal`, and :ref:`banktransfer`.
 
+.. _pretix website: https://pretix.eu/about/en/features/payment

doc/user/payments/settings.rst

@@ -0,0 +1,65 @@
+General settings
+================
+
+At "Settings" → "Pages", you can configure every aspect related to the payments you want to accept. The upper part
+of the page shows a number of general settings that affect all payment methods:
+
+.. thumbnail:: ../../screens/event/settings_payment.png
+   :align: center
+   :class: screenshot
+
+In particular, these are:
+
+Payment term in days
+  If a order has been created, it is supposed to be paid within this number of days. Of course, some payment methods
+  (like credit card) succeed immediately in most cases, but others don't (like bank transfer) and even credit card
+  payments might fail and you might want to give the customer a chance to try another credit card before losing their
+  ticket. Therefore, we recommend setting a few days here. If you are accepting bank transfers, we wouldn't recommend
+  less than 10 days.
+
+Last date of payments
+  There is probably no use for payments received after your event, so you can set a date that the payment deadline of
+  a new order will never exceed. This has precedence over the number of days configured above, so if I create an order
+  two days before the configured last date of payments, my payment term will only be two days, not ten. If you have
+  payment methods that always require some time (like bank transfer), you will later be able to selectively disable them
+  once the event comes closer.
+
+Only end payment terms on weekdays
+  If you check this box, the payment term calculated by the number of days configured above will never end on a Saturday
+  or a Sunday. If it technically would do so, the term is extended to the next Monday. Note that this currently does not
+  take into account national or bank holidays in your country.
+
+Automatically expire unpaid orders
+  If you check this box, orders will automatically go into "expired" state if the payment term is over and no payment
+  has been received. This means that the tickets will no longer be reserved for the customer and someone else can buy
+  them from the shop again. If you do not check this box, tickets do not become available again automatically, but you
+  can mark orders as expired manually.
+
+Accept late payments
+  If you check this box, incoming payments will accepted even if the order is in "expired" state -- as long as there
+  still is sufficient quota available and the last date of payments is not yet over. We recommend to check this in most
+  cases.
+
+Tax rule for payment fees
+  If you pass on the payment method fees to your customers, you will most likely also need to pay sales tax on those
+  fees. Here, you can configure the tax rate. Read :ref:`taxes` for more information.
+
+Below, you can configure the details of the various payment methods. You can find information on their different settings
+on the next pages of this documentation, but there are a few things most of them have in common:
+
+Enable payment method
+  Check this box to allow customers to use this method. At least one method needs to be active to process non-free orders.
+
+Additional fee (absolute and percentage), Calculate the fee from the total value including the fee
+  These fields allow you to pass fees on to your customers instead of paying them yourselves. Read :ref:`payment-fees`
+  for documentation on how this behaves.
+
+Available until
+  This allows you to set a date at which this payment method will automatically become disabled. This is useful if you
+  want people to be able to pay by card on the day before your event, but not by bank transfer, because it would not
+  arrive in time.
+
+Text on invoices
+  If you are using pretix' invoicing feature, this is a text that will be printed on every invoice for an order that
+  uses this payment method. You could use this to tell the accounting department of the invoice receiver that the payment
+  has already been received online or that it should be performed via bank transfer.

res/logo.svg

@@ -9,15 +9,16 @@
    xmlns="http://www.w3.org/2000/svg"
    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="294.15625"
-   height="149.59375"
+   width="600"
+   height="400"
    id="svg2"
    version="1.1"
-   inkscape:version="0.91 r13725"
+   inkscape:version="0.92.1 r"
    sodipodi:docname="logo.svg"
-   inkscape:export-filename="/home/raphael/proj/pretix/pretix/logo_draft.png"
-   inkscape:export-xdpi="88.529999"
-   inkscape:export-ydpi="88.529999">
+   inkscape:export-filename="/tmp/LOGO.png"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   viewBox="0 0 562.50001 375.00002">
   <defs
      id="defs4" />
   <sodipodi:namedview
@@ -28,14 +29,14 @@
      inkscape:pageopacity="0.0"
      inkscape:pageshadow="2"
      inkscape:zoom="0.9899495"
-     inkscape:cx="134.70089"
-     inkscape:cy="277.43904"
+     inkscape:cx="133.36756"
+     inkscape:cy="276.10571"
      inkscape:document-units="px"
      inkscape:current-layer="layer1"
      showgrid="false"
-     inkscape:window-width="636"
+     inkscape:window-width="1916"
      inkscape:window-height="1041"
-     inkscape:window-x="3200"
+     inkscape:window-x="1920"
      inkscape:window-y="18"
      inkscape:window-maximized="0"
      fit-margin-top="20"
@@ -58,11 +59,14 @@
      inkscape:label="Ebene 1"
      inkscape:groupmode="layer"
      id="layer1"
-     transform="translate(-257.78125,-548.75)">
+     transform="translate(-259.03125,-322.09374)">
     <path
-       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;marker:none;enable-background:accumulate"
-       d="M 20 20 L 20 54.09375 C 31.43679 54.09375 40.71875 63.37571 40.71875 74.8125 C 40.71875 86.24928 31.43679 95.5 20 95.5 L 20 129.59375 L 166.6875 129.59375 L 166.6875 120.09375 L 169.6875 120.09375 L 169.6875 129.59375 L 274.15625 129.59375 L 274.15625 95.5 C 274.14575 95.50002 274.1354 95.5 274.125 95.5 C 262.68822 95.5 253.40625 86.24928 253.40625 74.8125 C 253.40625 63.37571 262.68822 54.09375 274.125 54.09375 C 274.1355 54.09375 274.14585 54.09373 274.15625 54.09375 L 274.15625 20 L 169.6875 20 L 169.6875 29.09375 L 166.6875 29.09375 L 166.6875 20 L 20 20 z M 166.6875 36.09375 L 169.6875 36.09375 L 169.6875 50.09375 L 166.6875 50.09375 L 166.6875 36.09375 z M 208.12891 48.927734 C 210.91958 48.927734 213.15234 50.855474 213.15234 53.240234 C 213.15234 55.624994 210.91958 57.603516 208.12891 57.603516 C 205.38897 57.603516 203.15625 55.624994 203.15625 53.240234 C 203.15625 50.855474 205.38897 48.927734 208.12891 48.927734 z M 194.90039 53.138672 L 194.90039 61.15625 L 198.85938 61.15625 L 198.85938 67.447266 L 194.90039 67.447266 L 194.90039 79.726562 C 194.90039 81.756152 195.61054 82.517578 197.03125 82.517578 C 197.7416 82.517578 198.09828 82.415768 198.85938 82.111328 L 198.85938 88.046875 C 198.14902 88.452785 196.47277 89.011719 194.24023 89.011719 C 188.10074 89.011719 185.25977 85.257843 185.25977 80.539062 L 185.25977 67.447266 L 182.41797 67.447266 L 182.41797 61.15625 L 185.25977 61.15625 L 185.25977 55.574219 L 194.90039 53.138672 z M 166.6875 57.09375 L 169.6875 57.09375 L 169.6875 71.09375 L 166.6875 71.09375 L 166.6875 57.09375 z M 92.119141 60.648438 C 100.59265 60.648438 106.32617 65.164126 106.32617 74.753906 C 106.32617 83.379636 101.30281 88.859375 94.25 88.859375 C 92.52486 88.859375 91.102928 88.656085 90.392578 88.453125 L 90.392578 99.414062 L 80.751953 99.414062 L 80.751953 62.728516 C 83.339673 61.510766 86.842221 60.648435 92.119141 60.648438 z M 141.98242 60.648438 C 150.55741 60.648438 154.61678 66.583801 154.10938 75.869141 L 138.17773 78.103516 C 138.78661 81.046406 140.35834 82.517578 143.85938 82.517578 C 147.1067 82.517578 149.64383 81.806022 151.16602 81.044922 L 153.29688 86.931641 C 150.91212 88.098651 147.71654 89.011719 142.64258 89.011719 C 133.71241 89.011719 128.99414 82.973726 128.99414 74.753906 C 128.99414 66.534096 133.40743 60.648438 141.98242 60.648438 z M 124.06055 60.654297 C 124.95335 60.667874 125.8885 60.69926 126.86523 60.75 L 125.18945 67.447266 C 123.41356 66.584696 121.68841 66.533574 120.41992 66.990234 L 120.41992 88.503906 L 110.7793 88.503906 L 110.7793 62.728516 C 113.57632 61.352202 117.81096 60.559256 124.06055 60.654297 z M 203.30859 61.15625 L 212.94922 61.15625 L 212.94922 88.503906 L 203.30859 88.503906 L 203.30859 61.15625 z M 216.54297 61.15625 L 226.58984 61.15625 L 229.88867 68.005859 L 229.99023 68.005859 L 233.5918 61.15625 L 242.57227 61.15625 L 234.60742 73.789062 L 243.33398 88.503906 L 232.67969 88.503906 L 229.17773 80.943359 L 229.07617 80.943359 L 225.42383 88.503906 L 215.68164 88.503906 L 224.25586 74.398438 L 216.54297 61.15625 z M 141.57617 66.179688 C 138.73475 66.179688 137.16236 68.765636 137.4668 73.535156 L 145.23047 72.369141 C 145.23047 68.208501 144.01167 66.179687 141.57617 66.179688 z M 92.068359 66.279297 C 91.358009 66.279297 90.849228 66.380983 90.392578 66.533203 L 90.392578 82.972656 C 90.747748 83.124866 91.256406 83.226562 91.916016 83.226562 C 95.366316 83.226562 96.787109 80.386048 96.787109 74.804688 C 96.787109 69.071117 95.569389 66.279297 92.068359 66.279297 z M 166.6875 78.09375 L 169.6875 78.09375 L 169.6875 92.09375 L 166.6875 92.09375 L 166.6875 78.09375 z M 166.6875 99.09375 L 169.6875 99.09375 L 169.6875 113.09375 L 166.6875 113.09375 L 166.6875 99.09375 z "
-       transform="translate(257.78125,548.75)"
-       id="rect3888" />
+       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1.91138947;marker:none;enable-background:accumulate"
+       d="m 297.38548,404.85558 v 65.16643 c 21.86016,0 39.6016,17.74144 39.6016,39.60159 0,21.86015 -17.74144,39.54187 -39.6016,39.54187 v 65.16644 h 280.37693 v -18.1582 h 5.73417 v 18.1582 h 199.68046 v -65.16644 c -0.02,4e-5 -0.0397,0 -0.0596,0 -21.86015,0 -39.6016,-17.68172 -39.6016,-39.54187 0,-21.86015 17.74145,-39.60159 39.6016,-39.60159 0.02,0 0.0397,-4e-5 0.0596,0 V 404.85558 H 583.49658 v 17.38169 h -5.73417 V 404.85558 Z M 577.76241,435.617 h 5.73417 v 26.75945 h -5.73417 z m 79.21068,24.53074 c 5.33405,0 9.60172,3.68466 9.60172,8.24287 0,4.5582 -4.26767,8.33993 -9.60172,8.33993 -5.2371,0 -9.50469,-3.78173 -9.50469,-8.33993 0,-4.55821 4.26759,-8.24287 9.50469,-8.24287 z m -25.28486,8.04874 v 15.32472 h 7.56717 v 12.02458 h -7.56717 v 23.47051 c 0,3.87934 1.35737,5.33473 4.0729,5.33473 1.35775,0 2.03951,-0.19461 3.49427,-0.77651 v 11.34514 c -1.35777,0.77585 -4.56174,1.84419 -8.829,1.84419 -11.73495,0 -17.16515,-7.17511 -17.16515,-16.19455 v -25.02351 h -5.43179 V 483.5212 h 5.43179 v -10.66944 z m -53.92582,7.5597 h 5.73417 v 26.75945 h -5.73417 z m -142.52917,6.79439 c 16.19618,0 27.15517,8.63124 27.15517,26.96104 0,16.48713 -9.6016,26.96105 -23.08227,26.96105 -3.29741,0 -6.01528,-0.38857 -7.37304,-0.77651 v 20.95062 H 413.50612 V 486.5264 c 4.94614,-2.32759 11.64087,-3.97583 21.72712,-3.97583 z m 95.30815,0 c 16.39014,0 24.14917,11.34479 23.17933,29.09269 l -30.45158,4.27076 c 1.1638,5.62501 4.16799,8.437 10.85985,8.437 6.20689,0 11.05633,-1.36007 13.96583,-2.81482 l 4.0729,11.2518 c -4.5582,2.23062 -10.6662,3.97584 -20.36451,3.97584 -17.06903,0 -26.08749,-11.54096 -26.08749,-27.25223 0,-15.71126 8.43552,-26.96104 24.82567,-26.96104 z m -34.25568,0.0113 c 1.70649,0.026 3.49392,0.0859 5.36084,0.18292 l -3.20307,12.80108 c -3.39442,-1.6487 -6.69185,-1.74642 -9.11643,-0.87356 v 41.121 h -18.42698 v -49.2668 c 5.3462,-2.63068 13.44024,-4.1463 25.38564,-3.96465 z m 151.47387,0.95943 h 18.42699 v 52.27202 h -18.42699 z m 25.29605,0 h 19.20348 l 6.30535,13.09227 h 0.19412 l 6.884,-13.09227 h 17.16517 l -15.22393,24.14622 16.67986,28.1258 h -20.3645 l -6.69361,-14.45115 h -0.19412 l -6.98104,14.45115 h -18.62112 l 16.38867,-26.96104 z m -143.29075,9.60175 c -5.43106,0 -8.43651,4.94275 -7.85461,14.05916 l 14.8394,-2.22871 c 0,-7.9526 -2.3296,-11.83045 -6.98479,-11.83045 z m -94.6287,0.19038 c -1.35776,0 -2.33024,0.19437 -3.20308,0.48532 v 31.4222 c 0.67888,0.29093 1.65112,0.48531 2.91189,0.48531 6.59487,0 9.31055,-5.42933 9.31055,-16.09748 0,-10.95908 -2.32753,-16.29535 -9.01936,-16.29535 z m 142.62623,22.58194 h 5.73417 v 26.75946 h -5.73417 z m 0,40.13918 h 5.73417 v 26.75946 h -5.73417 z"
+       id="rect3888"
+       inkscape:connector-curvature="0"
+       inkscape:export-filename="/tmp/LOGO.png"
+       inkscape:export-xdpi="88"
+       inkscape:export-ydpi="88" />
   </g>
 </svg>

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "1.9.0"
+__version__ = "1.12.1"

src/pretix/api/auth/permission.py

@@ -1,3 +1,7 @@
+import time
+
+from django.conf import settings
+from django.contrib.auth import logout
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
@@ -10,8 +14,6 @@ class EventPermission(BasePermission):
 
     def has_permission(self, request, view):
         if not request.user.is_authenticated and not isinstance(request.auth, TeamAPIToken):
-            if request.method in SAFE_METHODS and request.path.startswith('/api/v1/docs/'):
-                return True
             return False
 
         if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
@@ -21,6 +23,18 @@ class EventPermission(BasePermission):
         else:
             required_permission = None
 
+        if request.user.is_authenticated:
+            # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+            if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
+                last_used = request.session.get('pretix_auth_last_used', time.time())
+                if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
+                    logout(request)
+                    request.session['pretix_auth_login_time'] = 0
+                    return False
+                if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
+                    return False
+                request.session['pretix_auth_last_used'] = int(time.time())
+
         perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
                        else request.user)
         if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:

src/pretix/api/serializers/checkin.py

@@ -0,0 +1,37 @@
+from django.utils.translation import ugettext as _
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
+from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.models import CheckinList
+
+
+class CheckinListSerializer(I18nAwareModelSerializer):
+    checkin_count = serializers.IntegerField(read_only=True)
+    position_count = serializers.IntegerField(read_only=True)
+
+    class Meta:
+        model = CheckinList
+        fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        for item in full_data.get('limit_products'):
+            if event != item.event:
+                raise ValidationError(_('One or more items do not belong to this event.'))
+
+        if event.has_subevents:
+            if not full_data.get('subevent'):
+                raise ValidationError(_('Subevent cannot be null for event series.'))
+            if event != full_data.get('subevent').event:
+                raise ValidationError(_('The subevent does not belong to this event.'))
+        else:
+            if full_data.get('subevent'):
+                raise ValidationError(_('The subevent does not belong to this event.'))
+
+        return data

src/pretix/api/serializers/item.py

@@ -1,5 +1,8 @@
 from decimal import Decimal
 
+from django.core.exceptions import ValidationError
+from django.db import transaction
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
@@ -16,11 +19,44 @@ class InlineItemVariationSerializer(I18nAwareModelSerializer):
                   'position', 'default_price', 'price')
 
 
+class ItemVariationSerializer(I18nAwareModelSerializer):
+    class Meta:
+        model = ItemVariation
+        fields = ('id', 'value', 'active', 'description',
+                  'position', 'default_price', 'price')
+
+
 class InlineItemAddOnSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemAddOn
         fields = ('addon_category', 'min_count', 'max_count',
-                  'position')
+                  'position', 'price_included')
+
+
+class ItemAddOnSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemAddOn
+        fields = ('id', 'addon_category', 'min_count', 'max_count',
+                  'position', 'price_included')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        ItemAddOn.clean_max_min_count(data.get('max_count'), data.get('min_count'))
+
+        return data
+
+    def validate_min_count(self, value):
+        ItemAddOn.clean_min_count(value)
+        return value
+
+    def validate_max_count(self, value):
+        ItemAddOn.clean_max_count(value)
+        return value
+
+    def validate_addon_category(self, value):
+        ItemAddOn.clean_categories(self.context['event'], self.context['item'], self.instance, value)
+        return value
 
 
 class ItemTaxRateField(serializers.Field):
@@ -32,8 +68,8 @@ class ItemTaxRateField(serializers.Field):
 
 
 class ItemSerializer(I18nAwareModelSerializer):
-    addons = InlineItemAddOnSerializer(many=True)
-    variations = InlineItemVariationSerializer(many=True)
+    addons = InlineItemAddOnSerializer(many=True, required=False)
+    variations = InlineItemVariationSerializer(many=True, required=False)
     tax_rate = ItemTaxRateField(source='*', read_only=True)
 
     class Meta:
@@ -44,6 +80,55 @@ class ItemSerializer(I18nAwareModelSerializer):
                   'require_voucher', 'hide_without_voucher', 'allow_cancel',
                   'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations',
                   'variations', 'addons')
+        read_only_fields = ('has_variations', 'picture')
+
+    def get_serializer_context(self):
+        return {"has_variations": self.kwargs['has_variations']}
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
+        Item.clean_available(data.get('available_from'), data.get('available_until'))
+
+        return data
+
+    def validate_category(self, value):
+        Item.clean_category(value, self.context['event'])
+        return value
+
+    def validate_tax_rule(self, value):
+        Item.clean_tax_rule(value, self.context['event'])
+        return value
+
+    def validate_variations(self, value):
+        if self.instance is not None:
+            raise ValidationError(_('Updating variations via PATCH/PUT is not supported. Please use the dedicated'
+                                    ' nested endpoint.'))
+        return value
+
+    def validate_addons(self, value):
+        if self.instance is not None:
+            raise ValidationError(_('Updating add-ons via PATCH/PUT is not supported. Please use the dedicated'
+                                    ' nested endpoint.'))
+        else:
+            for addon_data in value:
+                ItemAddOn.clean_categories(self.context['event'], None, self.instance, addon_data['addon_category'])
+                ItemAddOn.clean_min_count(addon_data['min_count'])
+                ItemAddOn.clean_max_count(addon_data['max_count'])
+                ItemAddOn.clean_max_min_count(addon_data['max_count'], addon_data['min_count'])
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        variations_data = validated_data.pop('variations') if 'variations' in validated_data else {}
+        addons_data = validated_data.pop('addons') if 'addons' in validated_data else {}
+        item = Item.objects.create(**validated_data)
+        for variation_data in variations_data:
+            ItemVariation.objects.create(item=item, **variation_data)
+        for addon_data in addons_data:
+            ItemAddOn.objects.create(base_item=item, **addon_data)
+        return item
 
 
 class ItemCategorySerializer(I18nAwareModelSerializer):
@@ -65,7 +150,8 @@ class QuestionSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = Question
-        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position')
+        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
+                  'ask_during_checkin')
 
 
 class QuotaSerializer(I18nAwareModelSerializer):
@@ -73,3 +159,16 @@ class QuotaSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Quota
         fields = ('id', 'name', 'size', 'items', 'variations', 'subevent')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Quota.clean_variations(full_data.get('items'), full_data.get('variations'))
+        Quota.clean_items(event, full_data.get('items'), full_data.get('variations'))
+        Quota.clean_subevent(event, full_data.get('subevent'))
+
+        return data

src/pretix/api/serializers/order.py

@@ -38,7 +38,7 @@ class AnswerSerializer(I18nAwareModelSerializer):
 class CheckinSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Checkin
-        fields = ('datetime',)
+        fields = ('datetime', 'list')
 
 
 class OrderDownloadsField(serializers.Field):

src/pretix/api/templates/rest_framework/api.html

@@ -1,19 +0,0 @@
-{% extends "rest_framework/base.html" %}
-{% load staticfiles %}
-{% load compress %}
-
-{% block bootstrap_theme %}
-    {% compress css %}
-        <link rel="stylesheet" type="text/x-scss" href="{% static "rest_framework/scss/main.scss" %}" />
-    {% endcompress %}
-{% endblock %}
-{% block branding %}
-    <a class="navbar-brand" href="/api/v1/">pretix REST API</a>
-{% endblock %}
-{% block description %}
-    <div class="alert alert-info alert-docs-link">
-        <a href="https://docs.pretix.eu/en/latest/api/index.html">
-            You can find documentation on our REST API on docs.pretix.eu.
-        </a>
-    </div>
-{% endblock %}

src/pretix/api/urls.py

@@ -4,7 +4,7 @@ from django.apps import apps
 from django.conf.urls import include, url
 from rest_framework import routers
 
-from .views import event, item, order, organizer, voucher, waitinglist
+from .views import checkin, event, item, order, organizer, voucher, waitinglist
 
 router = routers.DefaultRouter()
 router.register(r'organizers', organizer.OrganizerViewSet)
@@ -24,6 +24,14 @@ event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'taxrules', event.TaxRuleViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
+event_router.register(r'checkinlists', checkin.CheckinListViewSet)
+
+checkinlist_router = routers.DefaultRouter()
+checkinlist_router.register(r'positions', checkin.CheckinListPositionViewSet)
+
+item_router = routers.DefaultRouter()
+item_router.register(r'variations', item.ItemVariationViewSet)
+item_router.register(r'addons', item.ItemAddOnViewSet)
 
 # Force import of all plugins to give them a chance to register URLs with the router
 for app in apps.get_app_configs():
@@ -35,4 +43,7 @@ urlpatterns = [
     url(r'^', include(router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/', include(orga_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/checkinlists/(?P<list>[^/]+)/',
+        include(checkinlist_router.urls)),
 ]

src/pretix/api/views/__init__.py

@@ -0,0 +1,23 @@
+from rest_framework.filters import OrderingFilter
+
+
+class RichOrderingFilter(OrderingFilter):
+
+    def filter_queryset(self, request, queryset, view):
+        ordering = self.get_ordering(request, queryset, view)
+
+        if ordering:
+            if hasattr(view, 'ordering_custom'):
+                newo = []
+                for ordering_part in ordering:
+                    ob = view.ordering_custom.get(ordering_part)
+                    if ob:
+                        ob = dict(ob)
+                        newo.append(ob.pop('_order'))
+                        queryset = queryset.annotate(**ob)
+                    else:
+                        newo.append(ordering_part)
+                ordering = newo
+            return queryset.order_by(*ordering)
+
+        return queryset

src/pretix/api/views/checkin.py

@@ -0,0 +1,143 @@
+import django_filters
+from django.db.models import F, Max, OuterRef, Prefetch, Q, Subquery
+from django.db.models.functions import Coalesce
+from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
+from django_filters.rest_framework import DjangoFilterBackend, FilterSet
+from rest_framework import viewsets
+
+from pretix.api.serializers.checkin import CheckinListSerializer
+from pretix.api.serializers.order import OrderPositionSerializer
+from pretix.api.views import RichOrderingFilter
+from pretix.base.models import Checkin, CheckinList, Order, OrderPosition
+from pretix.base.models.organizer import TeamAPIToken
+from pretix.helpers.database import FixedOrderBy
+
+
+class CheckinListFilter(FilterSet):
+    class Meta:
+        model = CheckinList
+        fields = ['subevent']
+
+
+class CheckinListViewSet(viewsets.ModelViewSet):
+    serializer_class = CheckinListSerializer
+    queryset = CheckinList.objects.none()
+    filter_backends = (DjangoFilterBackend,)
+    filter_class = CheckinListFilter
+    permission = 'can_view_orders'
+    write_permission = 'can_change_event_settings'
+
+    def get_queryset(self):
+        qs = self.request.event.checkin_lists.prefetch_related(
+            'limit_products',
+        )
+        qs = CheckinList.annotate_with_numbers(qs, self.request.event)
+        return qs
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.checkinlist.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.checkinlist.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        instance.log_action(
+            'pretix.event.checkinlist.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)
+
+
+class OrderPositionFilter(FilterSet):
+    order = django_filters.CharFilter(name='order', lookup_expr='code')
+    has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
+    attendee_name = django_filters.CharFilter(method='attendee_name_qs')
+
+    def has_checkin_qs(self, queryset, name, value):
+        return queryset.filter(last_checked_in__isnull=not value)
+
+    def attendee_name_qs(self, queryset, name, value):
+        return queryset.filter(Q(attendee_name=value) | Q(addon_to__attendee_name=value))
+
+    class Meta:
+        model = OrderPosition
+        fields = ['item', 'variation', 'attendee_name', 'secret', 'order', 'has_checkin', 'addon_to', 'subevent']
+
+
+class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
+    serializer_class = OrderPositionSerializer
+    queryset = OrderPosition.objects.none()
+    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
+    ordering = ('attendee_name', 'positionid')
+    ordering_fields = (
+        'order__code', 'order__datetime', 'positionid', 'attendee_name',
+        'last_checked_in', 'order__email',
+    )
+    ordering_custom = {
+        'attendee_name': {
+            '_order': F('display_name').asc(nulls_first=True),
+            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+        },
+        '-attendee_name': {
+            '_order': F('display_name').desc(nulls_last=True),
+            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+        },
+        'last_checked_in': {
+            '_order': FixedOrderBy(F('last_checked_in'), nulls_first=True),
+        },
+        '-last_checked_in': {
+            '_order': FixedOrderBy(F('last_checked_in'), nulls_last=True, descending=True),
+        },
+    }
+
+    filter_class = OrderPositionFilter
+    permission = 'can_view_orders'
+
+    @cached_property
+    def checkinlist(self):
+        return get_object_or_404(CheckinList, event=self.request.event, pk=self.kwargs.get("list"))
+
+    def get_queryset(self):
+        cqs = Checkin.objects.filter(
+            position_id=OuterRef('pk'),
+            list_id=self.checkinlist.pk
+        ).order_by().values('position_id').annotate(
+            m=Max('datetime')
+        ).values('m')
+
+        qs = OrderPosition.objects.filter(
+            order__event=self.request.event,
+            order__status=Order.STATUS_PAID,
+            subevent=self.checkinlist.subevent
+        ).annotate(
+            last_checked_in=Subquery(cqs)
+        ).prefetch_related(
+            Prefetch(
+                lookup='checkins',
+                queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+            )
+        ).select_related('item', 'variation', 'order', 'addon_to')
+
+        if not self.checkinlist.all_products:
+            qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))
+
+        return qs

src/pretix/api/views/item.py

@@ -1,16 +1,22 @@
 import django_filters
 from django.db.models import Q
+from django.shortcuts import get_object_or_404
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
 from rest_framework.decorators import detail_route
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response
 
 from pretix.api.serializers.item import (
-    ItemCategorySerializer, ItemSerializer, QuestionSerializer,
-    QuotaSerializer,
+    ItemAddOnSerializer, ItemCategorySerializer, ItemSerializer,
+    ItemVariationSerializer, QuestionSerializer, QuotaSerializer,
 )
-from pretix.base.models import Item, ItemCategory, Question, Quota
+from pretix.base.models import (
+    Item, ItemAddOn, ItemCategory, ItemVariation, Question, Quota,
+)
+from pretix.base.models.organizer import TeamAPIToken
+from pretix.helpers.dicts import merge_dicts
 
 
 class ItemFilter(FilterSet):
@@ -27,7 +33,7 @@ class ItemFilter(FilterSet):
         fields = ['active', 'category', 'admission', 'tax_rate', 'free_price']
 
 
-class ItemViewSet(viewsets.ReadOnlyModelViewSet):
+class ItemViewSet(viewsets.ModelViewSet):
     serializer_class = ItemSerializer
     queryset = Item.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -35,10 +41,159 @@ class ItemViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('position', 'id')
     filter_class = ItemFilter
     permission = 'can_change_items'
+    write_permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
 
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.item.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['has_variations'] = self.request.data.get('has_variations')
+        return ctx
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.item.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This item cannot be deleted because it has already been ordered '
+                                   'by a user or currently is in a users\'s cart. Please set the item as '
+                                   '"inactive" instead.')
+
+        instance.log_action(
+            'pretix.event.item.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)
+
+
+class ItemVariationViewSet(viewsets.ModelViewSet):
+    serializer_class = ItemVariationSerializer
+    queryset = ItemVariation.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    ordering_fields = ('id', 'position')
+    ordering = ('id',)
+    permission = 'can_change_items'
+    write_permission = 'can_change_items'
+
+    def get_queryset(self):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        return item.variations.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        return ctx
+
+    def perform_create(self, serializer):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        if not item.has_variations:
+            raise PermissionDenied('This variation cannot be created because the item does not have variations. '
+                                   'Changing a product without variations to a product with variations is not allowed.')
+        serializer.save(item=item)
+        item.log_action(
+            'pretix.event.item.variation.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk},
+                             {'value': serializer.instance.value})
+        )
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.item.log_action(
+            'pretix.event.item.variation.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk},
+                             {'value': serializer.instance.value})
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This variation cannot be deleted because it has already been ordered '
+                                   'by a user or currently is in a users\'s cart. Please set the variation as '
+                                   '\'inactive\' instead.')
+        if instance.is_only_variation():
+            raise PermissionDenied('This variation cannot be deleted because it is the only variation. Changing a '
+                                   'product with variations to a product without variations is not allowed.')
+        super().perform_destroy(instance)
+        instance.item.log_action(
+            'pretix.event.item.variation.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data={
+                'value': instance.value,
+                'id': self.kwargs['pk']
+            }
+        )
+
+
+class ItemAddOnViewSet(viewsets.ModelViewSet):
+    serializer_class = ItemAddOnSerializer
+    queryset = ItemAddOn.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    ordering_fields = ('id', 'position')
+    ordering = ('id',)
+    permission = 'can_change_items'
+    write_permission = 'can_change_items'
+
+    def get_queryset(self):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        return item.addons.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        return ctx
+
+    def perform_create(self, serializer):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        category = get_object_or_404(ItemCategory, pk=self.request.data['addon_category'])
+        serializer.save(base_item=item, addon_category=category)
+        item.log_action(
+            'pretix.event.item.addons.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
+        )
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.base_item.log_action(
+            'pretix.event.item.addons.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=merge_dicts(self.request.data, {'ORDER': serializer.instance.position}, {'id': serializer.instance.pk})
+        )
+
+    def perform_destroy(self, instance):
+        super().perform_destroy(instance)
+        instance.base_item.log_action(
+            'pretix.event.item.addons.removed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data={'category': instance.addon_category.pk}
+        )
+
 
 class ItemCategoryFilter(FilterSet):
     class Meta:
@@ -77,7 +232,7 @@ class QuotaFilter(FilterSet):
         fields = ['subevent']
 
 
-class QuotaViewSet(viewsets.ReadOnlyModelViewSet):
+class QuotaViewSet(viewsets.ModelViewSet):
     serializer_class = QuotaSerializer
     queryset = Quota.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter,)
@@ -85,10 +240,80 @@ class QuotaViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'size')
     ordering = ('id',)
     permission = 'can_change_items'
+    write_permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.quotas.all()
 
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.quota.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+        if serializer.instance.subevent:
+            serializer.instance.subevent.log_action(
+                'pretix.subevent.quota.added',
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                data=self.request.data
+            )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def perform_update(self, serializer):
+        current_subevent = serializer.instance.subevent
+        serializer.save(event=self.request.event)
+        request_subevent = serializer.instance.subevent
+        serializer.instance.log_action(
+            'pretix.event.quota.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+        if current_subevent == request_subevent:
+            if current_subevent is not None:
+                current_subevent.log_action(
+                    'pretix.subevent.quota.changed',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                    data=self.request.data
+                )
+        else:
+            if request_subevent is not None:
+                request_subevent.log_action(
+                    'pretix.subevent.quota.added',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                    data=self.request.data
+                )
+            if current_subevent is not None:
+                current_subevent.log_action(
+                    'pretix.subevent.quota.deleted',
+                    user=self.request.user,
+                    api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+                )
+        serializer.instance.rebuild_cache()
+
+    def perform_destroy(self, instance):
+        instance.log_action(
+            'pretix.event.quota.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        if instance.subevent:
+            instance.subevent.log_action(
+                'pretix.subevent.quota.deleted',
+                user=self.request.user,
+                api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            )
+        super().perform_destroy(instance)
+
     @detail_route(methods=['get'])
     def availability(self, request, *args, **kwargs):
         quota = self.get_object()

src/pretix/api/views/order.py

@@ -21,7 +21,8 @@ from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.services.invoices import invoice_pdf
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.orders import (
-    OrderError, cancel_order, extend_order, mark_order_paid,
+    OrderError, cancel_order, extend_order, mark_order_expired,
+    mark_order_paid,
 )
 from pretix.base.services.tickets import (
     get_cachedticket_for_order, get_cachedticket_for_position,
@@ -109,9 +110,9 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
         send_mail = request.data.get('send_email', True)
 
         order = self.get_object()
-        if order.status != Order.STATUS_PENDING:
+        if not order.cancel_allowed():
             return Response(
-                {'detail': 'The order is not pending.'},
+                {'detail': 'The order is not allowed to be canceled.'},
                 status=status.HTTP_400_BAD_REQUEST
             )
 
@@ -153,10 +154,8 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
                 status=status.HTTP_400_BAD_REQUEST
             )
 
-        order.status = Order.STATUS_EXPIRED
-        order.save()
-        order.log_action(
-            'pretix.event.order.expired',
+        mark_order_expired(
+            order,
             user=request.user if request.user.is_authenticated else None,
             api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
         )

src/pretix/base/__init__.py

@@ -11,7 +11,8 @@ class PretixBaseConfig(AppConfig):
         from . import payment  # NOQA
         from . import exporters  # NOQA
         from . import invoice  # NOQA
-        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas  # NOQA
+        from . import notifications  # NOQA
+        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
 
         try:
             from .celery_app import app as celery_app  # NOQA

src/pretix/base/exporter.py

@@ -25,7 +25,7 @@ class BaseExporter:
         """
         A short and unique identifier for this exporter.
         This should only contain lowercase letters and in most
-        cases will be the same as your packagename.
+        cases will be the same as your package name.
         """
         raise NotImplementedError()  # NOQA
 

src/pretix/base/exporters/invoices.py

@@ -1,7 +1,10 @@
 import os
 import tempfile
+from collections import OrderedDict
 from zipfile import ZipFile
 
+import dateutil.parser
+from django import forms
 from django.dispatch import receiver
 from django.utils.translation import ugettext_lazy as _
 
@@ -15,9 +18,26 @@ class InvoiceExporter(BaseExporter):
     verbose_name = _('All invoices')
 
     def render(self, form_data: dict):
+        qs = self.event.invoices.all()
+
+        if form_data.get('payment_provider'):
+            qs = qs.filter(order__payment_provider=form_data.get('payment_provider'))
+
+        if form_data.get('date_from'):
+            date_value = form_data.get('date_from')
+            if isinstance(date_value, str):
+                date_value = dateutil.parser.parse(date_value).date()
+            qs = qs.filter(date__gte=date_value)
+
+        if form_data.get('date_to'):
+            date_value = form_data.get('date_to')
+            if isinstance(date_value, str):
+                date_value = dateutil.parser.parse(date_value).date()
+            qs = qs.filter(date__lte=date_value)
+
         with tempfile.TemporaryDirectory() as d:
             with ZipFile(os.path.join(d, 'tmp.zip'), 'w') as zipf:
-                for i in self.event.invoices.all():
+                for i in qs:
                     if not i.file:
                         invoice_pdf_task.apply(args=(i.pk,))
                         i.refresh_from_db()
@@ -26,7 +46,44 @@ class InvoiceExporter(BaseExporter):
                     i.file.close()
 
             with open(os.path.join(d, 'tmp.zip'), 'rb') as zipf:
-                return 'invoices.zip', 'application/zip', zipf.read()
+                return '{}_invoices.zip'.format(self.event.slug), 'application/zip', zipf.read()
+
+    @property
+    def export_form_fields(self):
+        return OrderedDict(
+            [
+                ('date_from',
+                 forms.DateField(
+                     label=_('Start date'),
+                     widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
+                     required=False,
+                     help_text=_('Only include invoices issued on or after this date. Note that the invoice date does '
+                                 'not always correspond to the order or payment date.')
+                 )),
+                ('date_to',
+                 forms.DateField(
+                     label=_('End date'),
+                     widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
+                     required=False,
+                     help_text=_('Only include invoices issued on or before this date. Note that the invoice date '
+                                 'does not always correspond to the order or payment date.')
+                 )),
+                ('payment_provider',
+                 forms.ChoiceField(
+                     label=_('Payment provider'),
+                     choices=[
+                         ('', _('All payment providers')),
+                     ] + [
+                         (k, v.verbose_name) for k, v in self.event.get_payment_providers().items()
+                     ],
+                     required=False,
+                     help_text=_('Only include invoices for orders that are currently set to this payment provider. '
+                                 'Note that this might include some invoices of other payment providers or misses '
+                                 'some invoices if the payment provider of an order has been changed and a new invoice '
+                                 'has been generated.')
+                 )),
+            ]
+        )
 
 
 @receiver(register_data_exporters, dispatch_uid="exporter_invoices")

src/pretix/base/exporters/json.py

@@ -101,7 +101,7 @@ class JSONExporter(BaseExporter):
             }
         }
 
-        return 'pretixdata.json', 'application/json', json.dumps(jo, cls=DjangoJSONEncoder)
+        return '{}_pretixdata.json'.format(self.event.slug), 'application/json', json.dumps(jo, cls=DjangoJSONEncoder)
 
 
 @receiver(register_data_exporters, dispatch_uid="exporter_json")

src/pretix/base/exporters/mail.py

@@ -23,7 +23,7 @@ class MailExporter(BaseExporter):
         ).values('attendee_email')
         data = "\r\n".join(set(a['email'] for a in addrs)
                            | set(a['attendee_email'] for a in pos if a['attendee_email']))
-        return 'pretixemails.txt', 'text/plain', data.encode("utf-8")
+        return '{}_pretixemails.txt'.format(self.event.slug), 'text/plain', data.encode("utf-8")
 
     @property
     def export_form_fields(self):

src/pretix/base/exporters/orderlist.py

@@ -171,7 +171,7 @@ class QuotaListExporter(BaseExporter):
             ]
             writer.writerow(row)
 
-        return 'quotas.csv', 'text/csv', output.getvalue().encode("utf-8")
+        return '{}_quotas.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
 
 
 @receiver(register_data_exporters, dispatch_uid="exporter_orderlist")

src/pretix/base/forms/questions.py

@@ -0,0 +1,236 @@
+import logging
+from decimal import Decimal
+
+import dateutil.parser
+import pytz
+import vat_moss.errors
+import vat_moss.id
+from django import forms
+from django.contrib import messages
+from django.core.exceptions import ValidationError
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.forms.widgets import (
+    BusinessBooleanRadio, DatePickerWidget, SplitDateTimePickerWidget,
+    TimePickerWidget, UploadedFileWidget,
+)
+from pretix.base.models import InvoiceAddress, Question
+from pretix.base.models.tax import EU_COUNTRIES
+from pretix.helpers.i18n import get_format_without_seconds
+from pretix.presale.signals import question_form_fields
+
+logger = logging.getLogger(__name__)
+
+
+class BaseQuestionsForm(forms.Form):
+    """
+    This form class is responsible for asking order-related questions. This includes
+    the attendee name for admission tickets, if the corresponding setting is enabled,
+    as well as additional questions defined by the organizer.
+    """
+
+    def __init__(self, *args, **kwargs):
+        """
+        Takes two additional keyword arguments:
+
+        :param cartpos: The cart position the form should be for
+        :param event: The event this belongs to
+        """
+        cartpos = self.cartpos = kwargs.pop('cartpos', None)
+        orderpos = self.orderpos = kwargs.pop('orderpos', None)
+        pos = cartpos or orderpos
+        item = pos.item
+        questions = pos.item.questions_to_ask
+        event = kwargs.pop('event')
+
+        super().__init__(*args, **kwargs)
+
+        if item.admission and event.settings.attendee_names_asked:
+            self.fields['attendee_name'] = forms.CharField(
+                max_length=255, required=event.settings.attendee_names_required,
+                label=_('Attendee name'),
+                initial=(cartpos.attendee_name if cartpos else orderpos.attendee_name),
+            )
+        if item.admission and event.settings.attendee_emails_asked:
+            self.fields['attendee_email'] = forms.EmailField(
+                required=event.settings.attendee_emails_required,
+                label=_('Attendee email'),
+                initial=(cartpos.attendee_email if cartpos else orderpos.attendee_email)
+            )
+
+        for q in questions:
+            # Do we already have an answer? Provide it as the initial value
+            answers = [a for a in pos.answerlist if a.question_id == q.id]
+            if answers:
+                initial = answers[0]
+            else:
+                initial = None
+            tz = pytz.timezone(event.settings.timezone)
+            if q.type == Question.TYPE_BOOLEAN:
+                if q.required:
+                    # For some reason, django-bootstrap3 does not set the required attribute
+                    # itself.
+                    widget = forms.CheckboxInput(attrs={'required': 'required'})
+                else:
+                    widget = forms.CheckboxInput()
+
+                if initial:
+                    initialbool = (initial.answer == "True")
+                else:
+                    initialbool = False
+
+                field = forms.BooleanField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=initialbool, widget=widget,
+                )
+            elif q.type == Question.TYPE_NUMBER:
+                field = forms.DecimalField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=initial.answer if initial else None,
+                    min_value=Decimal('0.00'),
+                )
+            elif q.type == Question.TYPE_STRING:
+                field = forms.CharField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=initial.answer if initial else None,
+                )
+            elif q.type == Question.TYPE_TEXT:
+                field = forms.CharField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    widget=forms.Textarea,
+                    initial=initial.answer if initial else None,
+                )
+            elif q.type == Question.TYPE_CHOICE:
+                field = forms.ModelChoiceField(
+                    queryset=q.options,
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    widget=forms.Select,
+                    empty_label='',
+                    initial=initial.options.first() if initial else None,
+                )
+            elif q.type == Question.TYPE_CHOICE_MULTIPLE:
+                field = forms.ModelMultipleChoiceField(
+                    queryset=q.options,
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    widget=forms.CheckboxSelectMultiple,
+                    initial=initial.options.all() if initial else None,
+                )
+            elif q.type == Question.TYPE_FILE:
+                field = forms.FileField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=initial.file if initial else None,
+                    widget=UploadedFileWidget(position=pos, event=event, answer=initial),
+                )
+            elif q.type == Question.TYPE_DATE:
+                field = forms.DateField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=dateutil.parser.parse(initial.answer).date() if initial and initial.answer else None,
+                    widget=DatePickerWidget(),
+                )
+            elif q.type == Question.TYPE_TIME:
+                field = forms.TimeField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=dateutil.parser.parse(initial.answer).time() if initial and initial.answer else None,
+                    widget=TimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
+                )
+            elif q.type == Question.TYPE_DATETIME:
+                field = forms.SplitDateTimeField(
+                    label=q.question, required=q.required,
+                    help_text=q.help_text,
+                    initial=dateutil.parser.parse(initial.answer).astimezone(tz) if initial and initial.answer else None,
+                    widget=SplitDateTimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
+                )
+            field.question = q
+            if answers:
+                # Cache the answer object for later use
+                field.answer = answers[0]
+            self.fields['question_%s' % q.id] = field
+
+        responses = question_form_fields.send(sender=event, position=pos)
+        data = pos.meta_info_data
+        for r, response in sorted(responses, key=lambda r: str(r[0])):
+            for key, value in response.items():
+                # We need to be this explicit, since OrderedDict.update does not retain ordering
+                self.fields[key] = value
+                value.initial = data.get('question_form_data', {}).get(key)
+
+
+class BaseInvoiceAddressForm(forms.ModelForm):
+    vat_warning = False
+
+    class Meta:
+        model = InvoiceAddress
+        fields = ('is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
+                  'internal_reference')
+        widgets = {
+            'is_business': BusinessBooleanRadio,
+            'street': forms.Textarea(attrs={'rows': 2, 'placeholder': _('Street and Number')}),
+            'company': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
+            'name': forms.TextInput(attrs={}),
+            'vat_id': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
+            'internal_reference': forms.TextInput,
+        }
+        labels = {
+            'is_business': ''
+        }
+
+    def __init__(self, *args, **kwargs):
+        self.event = event = kwargs.pop('event')
+        self.request = kwargs.pop('request', None)
+        self.validate_vat_id = kwargs.pop('validate_vat_id')
+        super().__init__(*args, **kwargs)
+        if not event.settings.invoice_address_vatid:
+            del self.fields['vat_id']
+        if not event.settings.invoice_address_required:
+            for k, f in self.fields.items():
+                f.required = False
+                f.widget.is_required = False
+                if 'required' in f.widget.attrs:
+                    del f.widget.attrs['required']
+
+            if event.settings.invoice_name_required:
+                self.fields['name'].required = True
+        else:
+            self.fields['company'].widget.attrs['data-required-if'] = '#id_is_business_1'
+            self.fields['name'].widget.attrs['data-required-if'] = '#id_is_business_0'
+
+    def clean(self):
+        data = self.cleaned_data
+        if not data.get('name') and not data.get('company') and self.event.settings.invoice_address_required:
+            raise ValidationError(_('You need to provide either a company name or your name.'))
+
+        if 'vat_id' in self.changed_data or not data.get('vat_id'):
+            self.instance.vat_id_validated = False
+
+        if self.validate_vat_id and self.instance.vat_id_validated and 'vat_id' not in self.changed_data:
+            pass
+        elif self.validate_vat_id and data.get('is_business') and data.get('country') in EU_COUNTRIES and data.get('vat_id'):
+            if data.get('vat_id')[:2] != str(data.get('country')):
+                raise ValidationError(_('Your VAT ID does not match the selected country.'))
+            try:
+                result = vat_moss.id.validate(data.get('vat_id'))
+                if result:
+                    country_code, normalized_id, company_name = result
+                    self.instance.vat_id_validated = True
+                    self.instance.vat_id = normalized_id
+            except vat_moss.errors.InvalidError:
+                raise ValidationError(_('This VAT ID is not valid. Please re-check your input.'))
+            except vat_moss.errors.WebServiceUnavailableError:
+                logger.exception('VAT ID checking failed for country {}'.format(data.get('country')))
+                self.instance.vat_id_validated = False
+                if self.request and self.vat_warning:
+                    messages.warning(self.request, _('Your VAT ID could not be checked, as the VAT checking service of '
+                                                     'your country is currently not available. We will therefore '
+                                                     'need to charge VAT on your invoice. You can get the tax amount '
+                                                     'back via the VAT reimbursement process.'))
+        else:
+            self.instance.vat_id_validated = False

src/pretix/base/forms/validators.py

@@ -23,6 +23,12 @@ class PlaceholderValidator(BaseValidator):
                 self.__call__(v)
             return
 
+        if value.count('{') != value.count('}'):
+            raise ValidationError(
+                _('Invalid placeholder syntax: You used a different number of "{" than of "}".'),
+                code='invalid',
+            )
+
         data_placeholders = list(re.findall(r'({[\w\s]*})', value, re.X))
         invalid_placeholders = []
         for placeholder in data_placeholders:

src/pretix/base/forms/widgets.py

@@ -0,0 +1,135 @@
+import os
+
+from django import forms
+from django.utils.formats import get_format
+from django.utils.timezone import now
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.models import OrderPosition
+from pretix.multidomain.urlreverse import eventreverse
+
+
+class DatePickerWidget(forms.DateInput):
+    def __init__(self, attrs=None, date_format=None):
+        attrs = attrs or {}
+        if 'placeholder' in attrs:
+            del attrs['placeholder']
+        date_attrs = dict(attrs)
+        date_attrs.setdefault('class', 'form-control')
+        date_attrs['class'] += ' datepickerfield'
+
+        df = date_format or get_format('DATE_INPUT_FORMATS')[0]
+        date_attrs['placeholder'] = now().replace(
+            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+        ).strftime(df)
+
+        forms.DateInput.__init__(self, date_attrs, date_format)
+
+
+class TimePickerWidget(forms.TimeInput):
+    def __init__(self, attrs=None, time_format=None):
+        attrs = attrs or {}
+        if 'placeholder' in attrs:
+            del attrs['placeholder']
+        time_attrs = dict(attrs)
+        time_attrs.setdefault('class', 'form-control')
+        time_attrs['class'] += ' timepickerfield'
+
+        tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
+        time_attrs['placeholder'] = now().replace(
+            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+        ).strftime(tf)
+
+        forms.TimeInput.__init__(self, time_attrs, time_format)
+
+
+class UploadedFileWidget(forms.ClearableFileInput):
+    def __init__(self, *args, **kwargs):
+        self.position = kwargs.pop('position')
+        self.event = kwargs.pop('event')
+        self.answer = kwargs.pop('answer')
+        super().__init__(*args, **kwargs)
+
+    class FakeFile:
+        def __init__(self, file, position, event, answer):
+            self.file = file
+            self.position = position
+            self.event = event
+            self.answer = answer
+
+        def __str__(self):
+            return os.path.basename(self.file.name).split('.', 1)[-1]
+
+        @property
+        def url(self):
+            if isinstance(self.position, OrderPosition):
+                return eventreverse(self.event, 'presale:event.order.download.answer', kwargs={
+                    'order': self.position.order.code,
+                    'secret': self.position.order.secret,
+                    'answer': self.answer.pk,
+                })
+            else:
+                return eventreverse(self.event, 'presale:event.cart.download.answer', kwargs={
+                    'answer': self.answer.pk,
+                })
+
+    def format_value(self, value):
+        if self.is_initial(value):
+            return self.FakeFile(value, self.position, self.event, self.answer)
+
+
+class SplitDateTimePickerWidget(forms.SplitDateTimeWidget):
+    template_name = 'pretixbase/forms/widgets/splitdatetime.html'
+
+    def __init__(self, attrs=None, date_format=None, time_format=None):
+        attrs = attrs or {}
+        if 'placeholder' in attrs:
+            del attrs['placeholder']
+        date_attrs = dict(attrs)
+        time_attrs = dict(attrs)
+        date_attrs.setdefault('class', 'form-control splitdatetimepart')
+        time_attrs.setdefault('class', 'form-control splitdatetimepart')
+        date_attrs['class'] += ' datepickerfield'
+        time_attrs['class'] += ' timepickerfield'
+
+        df = date_format or get_format('DATE_INPUT_FORMATS')[0]
+        date_attrs['placeholder'] = now().replace(
+            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+        ).strftime(df)
+        tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
+        time_attrs['placeholder'] = now().replace(
+            year=2000, month=1, day=1, hour=0, minute=0, second=0, microsecond=0
+        ).strftime(tf)
+
+        widgets = (
+            forms.DateInput(attrs=date_attrs, format=date_format),
+            forms.TimeInput(attrs=time_attrs, format=time_format),
+        )
+        # Skip one hierarchy level
+        forms.MultiWidget.__init__(self, widgets, attrs)
+
+
+class BusinessBooleanRadio(forms.RadioSelect):
+    def __init__(self, attrs=None):
+        choices = (
+            ('individual', _('Individual customer')),
+            ('business', _('Business customer')),
+        )
+        super().__init__(attrs, choices)
+
+    def format_value(self, value):
+        try:
+            return {True: 'business', False: 'individual'}[value]
+        except KeyError:
+            return 'individual'
+
+    def value_from_datadict(self, data, files, name):
+        value = data.get(name)
+        return {
+            'business': True,
+            True: True,
+            'True': True,
+            'individual': False,
+            'False': False,
+            False: False,
+        }.get(value)

src/pretix/base/invoice.py

@@ -321,6 +321,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
         ]
 
     def _get_story(self, doc):
+        has_taxes = any(il.tax_value for il in self.invoice.lines.all())
+
         story = [
             NextPageTemplate('FirstPage'),
             Paragraph(pgettext('invoice', 'Invoice')
@@ -352,28 +354,52 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             ('LEFTPADDING', (0, 0), (0, -1), 0),
             ('RIGHTPADDING', (-1, 0), (-1, -1), 0),
         ]
-        tdata = [(
-            pgettext('invoice', 'Description'),
-            pgettext('invoice', 'Tax rate'),
-            pgettext('invoice', 'Net'),
-            pgettext('invoice', 'Gross'),
-        )]
+        if has_taxes:
+            tdata = [(
+                pgettext('invoice', 'Description'),
+                pgettext('invoice', 'Qty'),
+                pgettext('invoice', 'Tax rate'),
+                pgettext('invoice', 'Net'),
+                pgettext('invoice', 'Gross'),
+            )]
+        else:
+            tdata = [(
+                pgettext('invoice', 'Description'),
+                pgettext('invoice', 'Qty'),
+                pgettext('invoice', 'Amount'),
+            )]
+
         total = Decimal('0.00')
         for line in self.invoice.lines.all():
-            tdata.append((
-                Paragraph(line.description, self.stylesheet['Normal']),
-                localize(line.tax_rate) + " %",
-                localize(line.net_value) + " " + self.invoice.event.currency,
-                localize(line.gross_value) + " " + self.invoice.event.currency,
-            ))
+            if has_taxes:
+                tdata.append((
+                    Paragraph(line.description, self.stylesheet['Normal']),
+                    "1",
+                    localize(line.tax_rate) + " %",
+                    localize(line.net_value) + " " + self.invoice.event.currency,
+                    localize(line.gross_value) + " " + self.invoice.event.currency,
+                ))
+            else:
+                tdata.append((
+                    Paragraph(line.description, self.stylesheet['Normal']),
+                    "1",
+                    localize(line.gross_value) + " " + self.invoice.event.currency,
+                ))
             taxvalue_map[line.tax_rate, line.tax_name] += line.tax_value
             grossvalue_map[line.tax_rate, line.tax_name] += line.gross_value
             total += line.gross_value
 
-        tdata.append([
-            pgettext('invoice', 'Invoice total'), '', '', localize(total) + " " + self.invoice.event.currency
-        ])
-        colwidths = [a * doc.width for a in (.55, .15, .15, .15)]
+        if has_taxes:
+            tdata.append([
+                pgettext('invoice', 'Invoice total'), '', '', '', localize(total) + " " + self.invoice.event.currency
+            ])
+            colwidths = [a * doc.width for a in (.50, .05, .15, .15, .15)]
+        else:
+            tdata.append([
+                pgettext('invoice', 'Invoice total'), '', localize(total) + " " + self.invoice.event.currency
+            ])
+            colwidths = [a * doc.width for a in (.65, .05, .30)]
+
         table = Table(tdata, colWidths=colwidths, repeatRows=1)
         table.setStyle(TableStyle(tstyledata))
         story.append(table)
@@ -422,7 +448,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             except ValueError:
                 return localize(val) + ' ' + self.invoice.foreign_currency_display
 
-        if len(tdata) > 1:
+        if len(tdata) > 1 and has_taxes:
             colwidths = [a * doc.width for a in (.25, .15, .15, .15, .3)]
             table = Table(tdata, colWidths=colwidths, repeatRows=2, hAlign=TA_LEFT)
             table.setStyle(TableStyle(tstyledata))

src/pretix/base/middleware.py

@@ -7,7 +7,6 @@ from django.core.urlresolvers import get_script_prefix
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone, translation
 from django.utils.cache import patch_vary_headers
-from django.utils.crypto import get_random_string
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.translation import LANGUAGE_SESSION_KEY
 from django.utils.translation.trans_real import (
@@ -166,9 +165,6 @@ class SecurityMiddleware(MiddlewareMixin):
         '/api/v1/docs/',
     )
 
-    def process_request(self, request):
-        request.csp_nonce = get_random_string(length=32)
-
     def process_response(self, request, resp):
         if settings.DEBUG and resp.status_code >= 400:
             # Don't use CSP on debug error page as it breaks of Django's fancy error
@@ -183,7 +179,7 @@ class SecurityMiddleware(MiddlewareMixin):
             # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
             'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
-            'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
+            'style-src': ["{static}", "{media}"],
             'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
             'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
             'font-src': ["{static}"],
@@ -222,10 +218,9 @@ class SecurityMiddleware(MiddlewareMixin):
 
         if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
             resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
-                                                                    media=mediadomain, nonce=request.csp_nonce)
+                                                                    media=mediadomain)
             for k, v in h.items():
-                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
-                                          nonce=request.csp_nonce).split(' ')
+                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain).split(' ')
             resp['Content-Security-Policy'] = _render_csp(h)
         elif 'Content-Security-Policy' in resp:
             del resp['Content-Security-Policy']

src/pretix/base/migrations/0077_auto_20171124_1629.py

@@ -0,0 +1,106 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-11-24 16:29
+from __future__ import unicode_literals
+
+import django.core.validators
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+from django.utils.translation import ugettext as _
+
+import pretix.base.validators
+from pretix.base.i18n import language
+
+
+def create_checkin_lists(apps, schema_editor):
+    Event = apps.get_model('pretixbase', 'Event')
+    Checkin = apps.get_model('pretixbase', 'Checkin')
+    EventSettingsStore = apps.get_model('pretixbase', 'Event_SettingsStore')
+    for e in Event.objects.all():
+        locale = EventSettingsStore.objects.filter(object=e, key='locale').first()
+        if locale:
+            locale = locale.value
+        else:
+            locale = settings.LANGUAGE_CODE
+
+        if e.has_subevents:
+            for se in e.subevents.all():
+                with language(locale):
+                    cl = e.checkin_lists.create(name=se.name, subevent=se, all_products=True)
+                Checkin.objects.filter(position__subevent=se, position__order__event=e).update(list=cl)
+        else:
+            with language(locale):
+                cl = e.checkin_lists.create(name=_('Default list'), all_products=True)
+            Checkin.objects.filter(position__order__event=e).update(list=cl)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0076_orderfee_squashed_0082_invoiceaddress_internal_reference'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='event',
+            name='slug',
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='name',
+            field=models.CharField(db_index=True, help_text='Can not contain spaces or special characters except underscores', max_length=50, validators=[django.core.validators.RegexValidator(message='The property name may only contain letters, numbers and underscores.', regex='^[a-zA-Z0-9_]+$')], verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='organizer',
+            name='slug',
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+        ),
+        migrations.CreateModel(
+            name='CheckinList',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=190)),
+                ('all_products', models.BooleanField(default=True, verbose_name='All products (including newly created ones)')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='event',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='checkin_lists', to='pretixbase.Event'),
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='subevent',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, null=True, blank=True, related_name='checkin_lists', to='pretixbase.SubEvent'),
+        ),
+        migrations.AddField(
+            model_name='checkinlist',
+            name='limit_products',
+            field=models.ManyToManyField(blank=True, to='pretixbase.Item', verbose_name='Limit to products'),
+        ),
+        migrations.AddField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+        migrations.AlterField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+        migrations.AlterField(
+            model_name='checkinlist',
+            name='subevent',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='pretixbase.SubEvent', verbose_name='Date'),
+        ),
+        migrations.RunPython(
+            create_checkin_lists,
+            migrations.RunPython.noop
+        ),
+        migrations.AlterField(
+            model_name='checkin',
+            name='list',
+            field=models.ForeignKey(null=False, on_delete=django.db.models.deletion.PROTECT, related_name='checkins', to='pretixbase.CheckinList'),
+        ),
+    ]

src/pretix/base/migrations/0078_auto_20171206_1603.py

@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-12-06 16:03
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import pretix.base.models.auth
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0077_auto_20171124_1629'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='NotificationSetting',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('action_type', models.CharField(max_length=255)),
+                ('method', models.CharField(choices=[('mail', 'E-mail')], max_length=255)),
+                ('event', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='pretixbase.Event')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('enabled', models.BooleanField(default=True)),
+            ],
+        ),
+        migrations.AlterUniqueTogether(
+            name='notificationsetting',
+            unique_together=set([('user', 'action_type', 'event', 'method')]),
+        ),
+        migrations.AddField(
+            model_name='logentry',
+            name='visible',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AlterField(
+            model_name='notificationsetting',
+            name='event',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='notification_settings', to='pretixbase.Event'),
+        ),
+        migrations.AlterField(
+            model_name='notificationsetting',
+            name='user',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='notification_settings', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='notifications_send',
+            field=models.BooleanField(default=True, help_text='If turned off, you will not get any notifications.', verbose_name='Receive notifications according to my settings below'),
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='notifications_token',
+            field=models.CharField(default=pretix.base.models.auth.generate_notifications_token, max_length=255),
+        ),
+    ]

src/pretix/base/migrations/0079_auto_20180115_0855.py

@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.8 on 2018-01-15 08:55
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+from django.db.models import F
+from django.db.models.functions import Concat
+
+
+def set_full_invoice_no(app, schema_editor):
+    Invoice = app.get_model('pretixbase', 'Invoice')
+    Invoice.objects.all().update(
+        full_invoice_no=Concat(F('prefix'), F('invoice_no'))
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0078_auto_20171206_1603'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoice',
+            name='full_invoice_no',
+            field=models.CharField(db_index=True, default='', max_length=190),
+            preserve_default=False,
+        ),
+        migrations.AlterField(
+            model_name='question',
+            name='type',
+            field=models.CharField(choices=[('N', 'Number'), ('S', 'Text (one line)'), ('T', 'Multiline text'), ('B', 'Yes/No'), ('C', 'Choose one from a list'), ('M', 'Choose multiple from a list'), ('F', 'File upload'), ('D', 'Date'), ('H', 'Time'), ('W', 'Date and time')], max_length=5, verbose_name='Question type'),
+        ),
+        migrations.RunPython(
+            set_full_invoice_no,
+            migrations.RunPython.noop
+        )
+    ]

src/pretix/base/migrations/0080_question_ask_during_checkin.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.8 on 2018-01-15 14:26
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0079_auto_20180115_0855'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='question',
+            name='ask_during_checkin',
+            field=models.BooleanField(default=False, help_text='Supported by pretixdroid 1.8 and newer or pretixdesk 0.2 and newer.', verbose_name='Ask during check-in instead of during registration'),
+        ),
+    ]

src/pretix/base/models/__init__.py

@@ -1,7 +1,7 @@
 from ..settings import GlobalSettingsObject_SettingsStore
 from .auth import U2FDevice, User
 from .base import CachedFile, LoggedModel, cachedfile_name
-from .checkin import Checkin
+from .checkin import Checkin, CheckinList
 from .event import (
     Event, Event_SettingsStore, EventLock, EventMetaProperty, EventMetaValue,
     RequiredAction, SubEvent, SubEventMetaValue, generate_invite_token,
@@ -12,6 +12,7 @@ from .items import (
     Quota, SubEventItem, SubEventItemVariation, itempicture_upload_to,
 )
 from .log import LogEntry
+from .notifications import NotificationSetting
 from .orders import (
     AbstractPosition, CachedCombinedTicket, CachedTicket, CartPosition,
     InvoiceAddress, Order, OrderPosition, QuestionAnswer,

src/pretix/base/models/auth.py

@@ -4,9 +4,11 @@ from django.conf import settings
 from django.contrib.auth.models import (
     AbstractBaseUser, BaseUserManager, PermissionsMixin,
 )
+from django.contrib.auth.tokens import default_token_generator
 from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.db.models import Q
+from django.utils.crypto import get_random_string
 from django.utils.translation import ugettext_lazy as _
 from django_otp.models import Device
 
@@ -40,6 +42,10 @@ class UserManager(BaseUserManager):
         return user
 
 
+def generate_notifications_token():
+    return get_random_string(length=32)
+
+
 class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     """
     This is the user model used by pretix for authentication.
@@ -80,7 +86,16 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     timezone = models.CharField(max_length=100,
                                 default=settings.TIME_ZONE,
                                 verbose_name=_('Timezone'))
-    require_2fa = models.BooleanField(default=False)
+    require_2fa = models.BooleanField(
+        default=False,
+        verbose_name=_('Two-factor authentification is required to log in')
+    )
+    notifications_send = models.BooleanField(
+        default=True,
+        verbose_name=_('Receive notifications according to my settings below'),
+        help_text=_('If turned off, you will not get any notifications.')
+    )
+    notifications_token = models.CharField(max_length=255, default=generate_notifications_token)
 
     objects = UserManager()
 
@@ -147,6 +162,19 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         except SendMailException:
             pass  # Already logged
 
+    def send_password_reset(self):
+        from pretix.base.services.mail import mail
+
+        mail(
+            self.email, _('Password recovery'), 'pretixcontrol/email/forgot.txt',
+            {
+                'user': self,
+                'url': (build_absolute_uri('control:auth.forgot.recover')
+                        + '?id=%d&token=%s' % (self.id, default_token_generator.make_token(self)))
+            },
+            None, locale=self.locale
+        )
+
     @property
     def all_logentries(self):
         from pretix.base.models import LogEntry