Run pytest with -v

* Create django.yml

* Fix working directory

* ..

* .

* ..

* a.

* ..

* .

* Fix typo

* Install hunspell

* maxfail

* Fix install

* .

* Reduce number of typos

* Even less typos

* Postgres debug

* Spelling fixes, yet again

* Postgres with PW

* Fix failing test

* New workflows

* Fix syntax error

* Install gettext

* Test aginst python 3.6 as well

* Clean up strategies

* Add badge, do not ignore migrations

* Use pip cache

.github/workflows/docs.yml

@@ -0,0 +1,42 @@
+name: Documentation
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+      - 'src/tests/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+      - 'src/tests/**'
+
+jobs:
+  spelling:
+    name: Spellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install enchant hunspell aspell-en
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur doc/requirements.txt
+      - name: Spellcheck docs
+        run: make spelling
+        working-directory: ./doc
+      - name:
+        run: '[ ! -s _build/spelling/output.txt ]'
+        working-directory: ./doc

.github/workflows/strings.yml

@@ -0,0 +1,60 @@
+name: Strings
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/locale/**'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/locale/**'
+
+jobs:
+  compile:
+    runs-on: ubuntu-latest
+    name: Check gettext syntax
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install gettext
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements.txt
+      - name: Compile messages
+        run: python manage.py compilemessages
+        working-directory: ./src
+      - name: Compile jsi18n
+        run: python manage.py compilejsi18n
+        working-directory: ./src
+  spelling:
+    runs-on: ubuntu-latest
+    name: Spellcheck
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install enchant hunspell hunspell-de-de aspell-en aspell-de
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Spellcheck translations
+        run: potypo
+        working-directory: ./src

.github/workflows/style.yml

@@ -0,0 +1,55 @@
+name: Code Style
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+
+jobs:
+  isort:
+    name: isort
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Run isort
+        run: isort -c -rc -df .
+        working-directory: ./src
+  flake:
+    name: flake8
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install Dependencies
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Run flake8
+        run: flake8 .
+        working-directory: ./src

.github/workflows/tests.yml

@@ -0,0 +1,73 @@
+name: Tests
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'doc/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'doc/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Tests
+    strategy:
+      matrix:
+        python-version: [3.6, 3.7, 3.8]
+        database: [sqlite, postgres, mysql]
+        exclude:
+          - database: mysql
+            python-version: 3.7
+          - database: sqlite
+            python-version: 3.7
+          - database: mysql
+            python-version: 3.6
+          - database: sqlite
+            python-version: 3.6
+    steps:
+      - uses: actions/checkout@v2
+      - uses: getong/mariadb-action@v1.1
+        with:
+          mariadb version: '10.4'
+          mysql database: 'pretix'
+          mysql root password: ''
+        if: matrix.database == 'mysql'
+      - uses: harmon758/postgresql-action@v1
+        with:
+          postgresql version: '11'
+          postgresql db: 'pretix'
+          postgresql user: 'postgres'
+          postgresql password: 'postgres'
+        if: matrix.database == 'postgres'
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v1
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system dependencies
+        run: sudo apt install gettext mysql-client
+      - name: Install Python dependencies
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt mysqlclient psycopg2-binary
+      - name: Run checks
+        run: python manage.py check
+        working-directory: ./src
+      - name: Compile
+        working-directory: ./src
+        run: make all compress
+      - name: Run tests
+        working-directory: ./src
+        run: PRETIX_CONFIG_FILE=tests/travis_${{ matrix.database }}.cfg py.test -v -n 3 -p no:sugar --cov=./ --cov-report=xml --reruns 3 tests --maxfail=100
+      - name: Upload coverage
+        uses: codecov/codecov-action@v1
+        with:
+          file: src/coverage.xml
+          fail_ci_if_error: true
+        if: matrix.database == 'postgres' && matrix.python-version == '3.8'

.gitlab-ci.yml

@@ -5,7 +5,11 @@ tests:
         - virtualenv env
         - source env/bin/activate
         - pip install -U pip wheel setuptools
-        - XDG_CACHE_HOME=/cache bash .travis.sh tests
+        - XDG_CACHE_HOME=/cache pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
+        - cd src
+        - python manage.py check
+        - make all compress
+        - py.test --reruns 3 -n 3 tests
     tags:
         - python3
     except:

.travis.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-set -e
-set -x
-
-echo "Executing job $1"
-
-if [ "$PRETIX_CONFIG_FILE" == "tests/travis_mysql.cfg" ]; then
-    mysql -u root -e 'CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;'
-    pip3 install -Ur src/requirements/mysql.txt
-fi
-
-if [ "$PRETIX_CONFIG_FILE" == "tests/travis_postgres.cfg" ]; then
-    psql -c 'create database travis_ci_test;' -U postgres
-fi
-
-if [ "$1" == "style" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt
-	cd src
-    flake8 .
-    isort -c -rc -df .
-fi
-if [ "$1" == "doctests" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
-	cd doc
-	make doctest
-fi
-if [ "$1" == "doc-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
-	cd doc
-	make spelling
-	if [ -s _build/spelling/output.txt ]; then
-		exit 1
-	fi
-fi
-if [ "$1" == "translation-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements/dev.txt
-	cd src
-	potypo
-fi
-if [ "$1" == "tests" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
-	cd src
-	python manage.py check
-	make all compress
-	py.test --reruns 5 -n 3 tests
-fi
-if [ "$1" == "tests-cov" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
-	cd src
-	python manage.py check
-	make all compress
-	coverage run -m py.test --reruns 5 tests && codecov
-fi
-if [ "$1" == "plugins" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
-	cd src
-	python setup.py develop
-	make all compress
-
-	pushd ~
-    git clone --depth 1 https://github.com/pretix/pretix-cartshare.git
-    cd pretix-cartshare
-    python setup.py develop
-    make
-	py.test --reruns 5 tests
-    popd
-
-fi

.travis.yml

@@ -1,46 +0,0 @@
-language: python
-sudo: false
-install:
-  - pip install -U pip wheel setuptools
-script:
-  - bash .travis.sh $JOB
-cache:
-  directories:
-    - $HOME/.cache/pip
-services:
-  - mysql
-  - postgresql
-matrix:
-  include:
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.6
-      env: JOB=tests-cov PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=style
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=plugins
-    - python: 3.6
-      env: JOB=doc-spelling
-    - python: 3.6
-      env: JOB=translation-spelling
-addons:
-  postgresql: "9.4"
-  mariadb: '10.3'
-  apt:
-      packages:
-          - enchant
-          - myspell-de-de
-          - aspell-en
-          - sqlite3
-  sources:
-    - travis-ci/sqlite3
-branches:
-  except:
-  - /^weblate-.*/

CONTRIBUTING.md

@@ -3,7 +3,7 @@ Contributing to pretix
 
 Hey there and welcome to pretix!
 
-We've got an contributors guide in [our documentation](https://docs.pretix.eu/en/latest/development/contribution/)
+We've got a contributors guide in [our documentation](https://docs.pretix.eu/en/latest/development/contribution/)
 together with notes on the [development setup](https://docs.pretix.eu/en/latest/development/setup.html).
 
 Please note that we have a [Code of Conduct](https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html)

Dockerfile

@@ -57,6 +57,8 @@ COPY deployment/docker/nginx.conf /etc/nginx/nginx.conf
 COPY deployment/docker/production_settings.py /pretix/src/production_settings.py
 COPY src /pretix/src
 
+RUN cd /pretix/src && pip3 install .
+
 RUN chmod +x /usr/local/bin/pretix && \
     rm /etc/nginx/sites-enabled/default && \
     cd /pretix/src && \

README.rst

@@ -4,11 +4,10 @@ pretix
 .. image:: https://img.shields.io/pypi/v/pretix.svg
    :target: https://pypi.python.org/pypi/pretix
 
-.. image:: https://readthedocs.org/projects/pretix/badge/?version=latest
+.. image:: https://github.com/pretix/pretix/workflows/Documentation/badge.svg
    :target: https://docs.pretix.eu/en/latest/
 
-.. image:: https://travis-ci.org/pretix/pretix.svg?branch=master
-   :target: https://travis-ci.org/pretix/pretix
+.. image:: https://github.com/pretix/pretix/workflows/Tests/badge.svg
 
 .. image:: https://codecov.io/gh/pretix/pretix/branch/master/graph/badge.svg
    :target: https://codecov.io/gh/pretix/pretix

deployment/docker/nginx.conf

@@ -4,7 +4,7 @@ pid /var/run/nginx.pid;
 daemon off;
 
 events {
-	worker_connections 768;
+	worker_connections 4096;
 }
 
 http {
@@ -39,7 +39,7 @@ http {
 	include /etc/nginx/conf.d/*.conf;
 
     server {
-        listen 80 default_server;
+        listen 80 backlog=4096 default_server;
         listen [::]:80 ipv6only=on default_server;
         server_name _;
         index index.php index.html;

doc/admin/config.rst

@@ -57,6 +57,9 @@ Example::
     A comma-separated list of plugins that are not available even though they are installed.
     Defaults to an empty string.
 
+``auth_backends``
+    A comma-separated list of available auth backends. Defaults to ``pretix.base.auth.NativeAuthBackend``.
+
 ``cookie_domain``
     The cookie domain to be set. Defaults to ``None``.
 
@@ -78,6 +81,20 @@ Example::
     Enables or disables nagging staff users for leaving comments on their sessions for auditability.
     Defaults to ``off``.
 
+``obligatory_2fa``
+    Enables or disables obligatory usage of Two-Factor Authentication for users of the pretix backend.
+    Defaults to ``False``
+
+``trust_x_forwarded_for``
+    Specifies whether the ``X-Forwarded-For`` header can be trusted. Only set to ``on`` if you have a reverse
+    proxy that actively removes and re-adds the header to make sure the correct client IP is the first value.
+    Defaults to ``off``.
+
+``trust_x_forwarded_proto``
+    Specifies whether the ``X-Forwarded-Proto`` header can be trusted. Only set to ``on`` if you have a reverse
+    proxy that actively removes and re-adds the header to make sure the correct client IP is the first value.
+    Defaults to ``off``.
+
 
 Locale settings
 ---------------
@@ -125,6 +142,8 @@ Example::
     Indicates if the database backend is a MySQL/MariaDB Galera cluster and
     turns on some optimizations/special case handlers. Default: ``False``
 
+.. _`config-replica`:
+
 Database replica settings
 -------------------------
 
@@ -142,6 +161,8 @@ Example::
     [replica]
     host=192.168.0.2
 
+.. _`config-urls`:
+
 URLs
 ----
 
@@ -269,6 +290,24 @@ to speed up various operations::
 If redis is not configured, pretix will store sessions and locks in the database. If memcached
 is configured, memcached will be used for caching instead of redis.
 
+Translations
+------------
+
+pretix comes with a number of translations. Some of them are marked as "incubating", which means
+they can usually only be selected in development mode. If you want to use them nevertheless, you
+can activate them like this::
+
+    [languages]
+    allow_incubating=pt-br,da
+
+You can also tell pretix about additional paths where it will search for translations::
+
+    [languages]
+    path=/path/to/my/translations
+
+For a given language (e.g. ``pt-br``), pretix will then look in the
+specific sub-folder, e.g. ``/path/to/my/translations/pt_BR/LC_MESSAGES/django.po``.
+
 Celery task queue
 -----------------
 

doc/admin/index.rst

@@ -11,3 +11,4 @@ This documentation is for everyone who wants to install pretix on a server.
    installation/index
    config
    maintainance
+   scaling

doc/admin/installation/docker_smallscale.rst

@@ -58,16 +58,29 @@ Database
 --------
 
 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
-our database's shell, e.g. for MySQL::
+our database's shell. For PostgreSQL, we would do::
 
-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser -P pretix
+    # sudo -u postgres createdb -O pretix pretix
 
-Replace the asterisks with a password of your own. For MySQL, we will use a unix domain socket to connect to the
-database. For PostgreSQL, be sure to configure the interface binding and your firewall so that the docker container
-can reach PostgreSQL.
+Make sure that your database listens on the network. If PostgreSQL on the same same host as docker, but not inside a docker container, we recommend that you just listen on the Docker interface by changing the following line in ``/etc/postgresql/<version>/main/postgresql.conf``::
+
+    listen_addresses = 'localhost,172.17.0.1'
+
+You also need to add a new line to ``/etc/postgresql/<version>/main/pg_hba.conf`` to allow network connections to this user and database::
+
+    host    pretix          pretix          172.17.0.1/16           md5
+
+Restart PostgreSQL after you changed these files::
+
+    # systemctl restart postgresql
+
+If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.
+
+For MySQL, you can either also use network-based connections or mount the ``/var/run/mysqld/mysqld.sock`` socket into the docker container.
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 Redis
 -----
@@ -112,15 +125,20 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     ; DO NOT change the following value, it has to be set to the location of the
     ; directory *inside* the docker container
     datadir=/data
+    trust_x_forwarded_for=on
+    trust_x_forwarded_proto=on
 
     [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; Replace postgresql with mysql for MySQL
+    backend=postgresql
     name=pretix
     user=pretix
+    ; Replace with the password you chose above
     password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; In most docker setups, 172.17.0.1 is the address of the docker host. Adjuts
+    ; this to wherever your database is running, e.g. the name of a linked container
+    ; or of a mounted MySQL socket.
+    host=172.17.0.1
 
     [mail]
     ; See config file documentation for more options
@@ -164,14 +182,16 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
         -v /var/pretix-data:/data \
         -v /etc/pretix:/etc/pretix \
         -v /var/run/redis:/var/run/redis \
-        -v /var/run/mysqld:/var/run/mysqld \
+        --sysctl net.core.somaxconn=4096 \
         pretix/standalone:stable all
     ExecStop=/usr/bin/docker stop %n
 
     [Install]
     WantedBy=multi-user.target
 
-You can leave the MySQL socket volume out if you're using PostgreSQL. You can now run the following commands
+When using MySQL and socket mounting, you'll need the additional flag ``-v /var/run/mysqld:/var/run/mysqld`` in the command.
+
+You can now run the following commands
 to enable and start the service::
 
     # systemctl daemon-reload
@@ -259,7 +279,7 @@ choice)::
 
 Then, go to that directory and build the image::
 
-    $ docker build -t mypretix
+    $ docker build . -t mypretix
 
 You can now use that image ``mypretix`` instead of ``pretix/standalone`` in your service file (see above). Be sure
 to re-build your custom image after you pulled ``pretix/standalone`` if you want to perform an update.

doc/admin/installation/enterprise.rst

@@ -68,7 +68,7 @@ generated key and installs the plugin from the URL we told you::
         mkdir -p /etc/ssh && \
         ssh-keyscan -t rsa -p 10022 code.rami.io >> /root/.ssh/known_hosts && \
         echo StrictHostKeyChecking=no >> /root/.ssh/config && \
-        pip3 install -Ue "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
+        DJANGO_SETTINGS_MODULE=pretix.settings pip3 install -U "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
         cd /pretix/src && \
         sudo -u pretixuser make production
     USER pretixuser

doc/admin/installation/index.rst

@@ -1,3 +1,5 @@
+.. _`installation`:
+
 Installation guide
 ==================
 

doc/admin/installation/manual_smallscale.rst

@@ -12,7 +12,7 @@ solution with many things readily set-up, look at :ref:`dockersmallscale`.
              get it right. If you're not feeling comfortable managing a Linux server, check out our hosting and service
              offers at `pretix.eu`_.
 
-We tested this guide on the Linux distribution **Debian 8.0** but it should work very similar on other
+We tested this guide on the Linux distribution **Debian 10.0** but it should work very similar on other
 modern distributions, especially on all systemd-based ones.
 
 Requirements
@@ -50,21 +50,23 @@ Database
 --------
 
 Having the database server installed, we still need a database and a database user. We can create these with any kind
-of database managing tool or directly on our database's shell, e.g. for MySQL::
+of database managing tool or directly on our database's shell. For PostgreSQL, we would do::
 
-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
 Package dependencies
 --------------------
 
 To build and run pretix, you will need the following debian packages::
 
-    # apt-get install git build-essential python-dev python-virtualenv python3 python3-pip \
+    # apt-get install git build-essential python-dev python3-venv python3 python3-pip \
                       python3-dev libxml2-dev libxslt1-dev libffi-dev zlib1g-dev libssl-dev \
-                      gettext libpq-dev libmysqlclient-dev libjpeg-dev libopenjp2-7-dev
+                      gettext libpq-dev libmariadbclient-dev libjpeg-dev libopenjp2-7-dev
 
 Config file
 -----------
@@ -83,15 +85,22 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     url=https://pretix.mydomain.com
     currency=EUR
     datadir=/var/pretix/data
+    trust_x_forwarded_for=on
+    trust_x_forwarded_proto=on
 
     [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; For MySQL, replace with "mysql"
+    backend=postgresql
     name=pretix
     user=pretix
-    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; For MySQL, enter the user password. For PostgreSQL on the same host,
+    ; we don't need one because we can use peer authentification if our
+    ; PostgreSQL user matches our unix user.
+    password=
+    ; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+    ; For a remote host, supply an IP address
+    ; For local postgres authentication, you can leave it empty
+    host=
 
     [mail]
     ; See config file documentation for more options
@@ -115,16 +124,16 @@ Now we will install pretix itself. The following steps are to be executed as the
 actually install pretix, we will create a virtual environment to isolate the python packages from your global
 python installation::
 
-    $ virtualenv -p python3 /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
     $ source /var/pretix/venv/bin/activate
     (venv)$ pip3 install -U pip setuptools wheel
 
-We now install pretix, its direct dependencies and gunicorn. Replace ``mysql`` with ``postgres`` in the following
-command if you're running PostgreSQL::
+We now install pretix, its direct dependencies and gunicorn. Replace ``postgres`` with ``mysql`` in the following
+command if you're running MySQL::
 
-    (venv)$ pip3 install "pretix[mysql]" gunicorn
+    (venv)$ pip3 install "pretix[postgres]" gunicorn
 
-Note that you need Python 3.5 or newer. You can find out your Python version using ``python -V``.
+Note that you need Python 3.6 or newer. You can find out your Python version using ``python -V``.
 
 We also need to create a data directory::
 
@@ -268,10 +277,10 @@ Updates
 .. warning:: While we try hard not to break things, **please perform a backup before every upgrade**.
 
 To upgrade to a new pretix release, pull the latest code changes and run the following commands (again, replace
-``mysql`` with ``postgres`` if necessary)::
+``postgres`` with ``mysql`` if necessary)::
 
     $ source /var/pretix/venv/bin/activate
-    (venv)$ pip3 install -U pretix[mysql] gunicorn
+    (venv)$ pip3 install -U pretix[postgres] gunicorn
     (venv)$ python -m pretix migrate
     (venv)$ python -m pretix rebuild
     (venv)$ python -m pretix updatestyles

doc/admin/scaling.rst

@@ -0,0 +1,236 @@
+.. _`scaling`:
+
+Scaling guide
+=============
+
+Our :ref:`installation guide <installation>` only covers "small-scale" setups, by which we mostly mean
+setups that run on a **single (virtual) machine** and do not encounter large traffic peaks.
+
+We do not offer an installation guide for larger-scale setups of pretix, mostly because we believe that
+there is no one-size-fits-all solution for this and the desired setup highly depends on your use case,
+the platform you run pretix on, and your technical capabilities. We do not recommend trying set up pretix
+in a multi-server environment if you do not already have experience with managing server clusters.
+
+This document is intended to give you a general idea on what issues you will encounter when you scale up
+and what you should think of.
+
+.. tip::
+
+   If you require more help on this, we're happy to help. Our pretix Enterprise support team has built
+   and helped building, scaling and load-testing pretix installations at any scale and we're looking
+   forward to work with you on fine-tuning your system. If you intend to sell **more than a thousand
+   tickets in a very short amount of time**, we highly recommend reaching out and at least talking this
+   through. Just get in touch at sales@pretix.eu!
+
+Scaling reasons
+---------------
+
+There's mainly two reasons to scale up a pretix installation beyond a single server:
+
+* **Availability:** Distributing pretix over multiple servers can allow you to survive failure of one or more single machines, leading to a higher uptime and reliability of your system.
+
+* **Traffic and throughput:** Distributing pretix over multiple servers can allow you to process more web requests and ticket sales at the same time.
+
+You are very unlikely to require scaling for other reasons, such as having too much data in your database.
+
+Components
+----------
+
+A pretix installation usually consists of the following components which run performance-relevant processes:
+
+* ``pretix-web`` is the Django-based web application that serves all user interaction.
+
+* ``pretix-worker`` is a Celery-based application that processes tasks that should be run asynchronously outside of the web application process.
+
+* A **SQL database** keeps all the important data and processes the actual transactions. We recommend using PostgreSQL, but MySQL/MariaDB works as well.
+
+* A **web server** that terminates TLS and HTTP connections and forwards them to ``pretix-web``. In some cases, e.g. when serving static files, the web servers might return a response directly. We recommend using ``nginx``.
+
+* A **redis** server responsible for the communication between ``pretix-web`` and ``pretix-worker``, as well as for caching.
+
+* A directory of **media files** such as user-uploaded files or generated files (tickets, invoices, …) that are created and used by ``pretix-web``, ``pretix-worker`` and the web server.
+
+In the following, we will discuss the scaling behavior of every component individually. In general, you can run all of the components
+on the same server, but you can just as well distribute every component to its own server, or even use multiple servers for some single
+components.
+
+.. warning::
+
+   When setting up your system, don't forget about security. In a multi-server environment,
+   you need to take special care to ensure that no unauthorized access to your database
+   is possible through the network and that it's not easy to wiretap your connections. We
+   recommend a rigorous use of firewalls and encryption on all communications. You can
+   ensure this either on an application level (such as using the TLS support in your
+   database) or on a network level with a VPN solution.
+
+Web server
+""""""""""
+
+Your web server is at the very front of your installation. It will need to absorb all of the traffic, and it should be able to
+at least show a decent error message, even when everything else fails. Luckily, web servers are really fast these days, so this
+can be achieved without too much work.
+
+We recommend reading up on tuning your web server for high concurrency. For nginx, this means thinking about the number of worker
+processes and the number of connections each worker process accepts. Double-check that TLS session caching works, because TLS
+handshakes can get really expensive.
+
+During a traffic peak, your web server will be able to make us of more CPU resources, while memory usage will stay comparatively low,
+so if you invest in more hardware here, invest in more and faster CPU cores.
+
+Make sure that pretix' static files (such as CSS and JavaScript assets) as well as user-uploaded media files (event logos, etc)
+are served directly by your web server and your web server caches them in-memory (nginx does it by default) and sets useful
+headers for client-side caching. As an additional performance improvement, you can turn of access logging for these types of files.
+If you want, you can even farm out serving static files to a different web server entirely and :ref:`configure pretix to reference
+them from a different URL <config-urls>`.
+
+.. tip::
+
+   If you expect *really high traffic* for your very popular event, you might want to do some rate limiting on this layer, or,
+   if you want to ensure a fair and robust first-come-first-served experience and prefer letting users wait over showing them
+   errors, consider a queuing solution. We're happy to provide you with such systems, just get in touch at sales@pretix.eu.
+
+pretix-web
+""""""""""
+
+The ``pretix-web`` process does not carry any internal state can be easily started on as many machines as you like, and you can
+use the load balancing features of your frontend web server to redirect to all of them.
+
+You can adjust the number of processes in the ``gunicorn`` command line, and we recommend choosing roughly two times the number
+of CPU cores available. Under load, the memory consumption of ``pretix-web`` will stay comparatively constant, while the CPU usage
+will increase a lot. Therefore, if you can add more or faster CPU cores, you will be able to serve more users.
+
+pretix-worker
+"""""""""""""
+
+The ``pretix-worker`` process performs all operations that are not directly executed in the request-response-cycle of ``pretix-web``.
+Just like ``pretix-web`` you can easily start up as many instances as you want on different machines to share the work. As long as they
+all talk to the same redis server, they will all receive tasks from ``pretix-web``, work on them and post their result back.
+You can configure the number of threads that run tasks in parallel through the ``--concurrency`` command line option of ``celery``.
+
+Just like ``pretix-web``, this process is mostly heavy on CPU, disk IO and network IO, although memory peaks can occur e.g. during the
+generation of large PDF files, so we recommend having some reserves here.
+
+``pretix-worker`` performs a variety of tasks which are of different importance.
+Some of them are mission-critical and need to be run quickly even during high load (such as
+creating a cart or an order), others are irrelevant and can easily run later (such as
+distributing tickets on the waiting list). You can fine-tune the capacity you assign to each
+of these tasks by running ``pretix-worker`` processes that only work on a specific **queue**.
+For example, you could have three servers dedicated only to process order creations and one
+server dedicated only to sending emails. This allows you to set priorities and also protects
+you from e.g. a slow email server lowering your ticket throughput.
+
+You can do so by specifying one or more queues on the ``celery`` command line of this process, such as ``celery -A pretix.celery_app worker -Q notifications,mail``. Currently,
+the following queues exist:
+
+* ``checkout`` -- This queue handles everything related to carts and orders and thereby everything required to process a sale. This includes adding and deleting items from carts as well as creating and canceling orders.
+
+* ``mail`` -- This queue handles sending of outgoing emails.
+
+* ``notifications`` -- This queue handles the processing of any outgoing notifications, such as email notifications to admin users (except for the actual sending) or API notifications to registered webhooks.
+
+* ``background`` -- This queue handles tasks that are expected to take long or have no human waiting for their result immediately, such as refreshing caches, re-generating CSS files, assigning tickets on the waiting list or parsing bank data files.
+
+* ``default`` -- This queue handles everything else with "medium" or unassigned priority, most prominently the generation of files for tickets, invoices, badges, admin exports, etc.
+
+Media files
+"""""""""""
+
+Both ``pretix-web``, ``pretix-worker`` and in some cases your webserver need to work with
+media files. Media files are all files generated *at runtime* by the software. This can
+include files uploaded by the event organizers, such as the event logo, files uploaded by
+ticket buyers (if you use such features) or files generated by the software, such as
+ticket files, invoice PDFs, data exports or customized CSS files.
+
+Those files are by default stored to the ``media/`` sub-folder of the data directory given
+in the ``pretix.cfg`` configuration file. Inside that ``media/`` folder, you will find a
+``pub/`` folder containing the subset of files that should be publicly accessible through
+the web server. Everything else only needs to be accessible by ``pretix-web`` and
+``pretix-worker`` themselves.
+
+If you distribute ``pretix-web`` or ``pretix-worker`` across more than one machine, you
+**must** make sure that they all have access to a shared storage to read and write these
+files, otherwise you **will** run into errors with the user interface.
+
+The easiest solution for this is probably to store them on a NFS server that you mount
+on each of the other servers.
+
+Since we use Django's file storage mechanism internally, you can in theory also use a object-storage solution like Amazon S3, Ceph, or Minio to store these files, although we currently do not expose this through pretix' configuration file and this would require you to ship your own variant of ``pretix/settings.py`` and reference it through the ``DJANGO_SETTINGS_MODULE`` environment variable.
+
+At pretix.eu, we use a custom-built `object storage cluster`_.
+
+SQL database
+""""""""""""
+
+One of the most critical parts of the whole setup is the SQL database -- and certainly the
+hardest to scale. Tuning relational databases is an art form, and while there's lots of
+material on it on the internet, there's not a single recipe that you can apply to every case.
+
+As a general rule of thumb, the more resources you can give your databases, the better.
+Most databases will happily use all CPU cores available, but only use memory up to an amount
+you configure, so make sure to set this memory usage as high as you can afford. Having more
+memory available allows your database to make more use of caching, which is usually good.
+
+Scaling your database to multiple machines needs to be treated with great caution. It's a
+good to have a replica of your database for availability reasons. In case your primary
+database server fails, you can easily switch over to the replica and continue working.
+
+However, using database replicas for performance gains is much more complicated. When using
+replicated database systems, you are always trading in consistency or availability to get
+additional performance and the consequences of this can be subtle and it is important
+that you have a deep understanding of the semantics of your replication mechanism.
+
+.. warning::
+
+   Using an off-the-shelf database proxy solution that redirects read queries to your
+   replicas and write queries to your primary database **will lead to very nasty bugs.**
+
+   As an example, if you buy a ticket, pretix first needs to calculate how many tickets
+   are left to sell. If this calculation is done on a database replica that lags behind
+   even for fractions of a second, the decision to allow selling the ticket will be made
+   on out-of-data data and you can end up with more tickets sold than configured. Similarly,
+   you could imagine situations leading to double payments etc.
+
+If you do have a replica, you *can* tell pretix about it :ref:`in your configuration <config-replica>`.
+This way, pretix can offload complex read-only queries to the replica when it is safe to do so.
+As of pretix 2.7, this is mainly used for search queries in the backend and for rendering the
+product list and event lists in the frontend, but we plan on expanding this in the future.
+
+Therefore, for now our clear recommendation is: Try to scale your database vertically and put
+it on the most powerful machine you have available.
+
+redis
+"""""
+
+While redis is a very important part that glues together some of the components, it isn't used
+heavily and can usually handle a fairly large pretix installation easily on a single modern
+CPU core.
+Having some memory available is good in case of e.g. lots of tasks queuing up during a traffic peak, but we wouldn't expect ever needing more than a gigabyte of it.
+
+Feel free to set up a redis cluster for availability – but you won't need it for performance in a long time.
+
+The limitations
+---------------
+
+Up to a certain point, pretix scales really well. However, there are a few things that we consider
+even more important than scalability, and those are correctness and reliability. We want you to be
+able to trust that pretix will not sell more tickets than you intended or run into similar error
+cases.
+
+Combined with pretix' flexibility and complexity, especially around vouchers and quotas, this creates
+some hard issues. In many cases, we need to fall back to event-global locking for some actions which
+are likely to run with high concurrency and cause harm.
+
+For every event, only one of these locking actions can be run at the same time. Examples for this are
+adding products limited by a quota to a cart, adding items to a cart using a voucher or placing an order
+consisting of cart positions that don't have a valid reservation for much longer. In these cases, it is
+currently not realistically possible to exceed selling **approx. 500 orders per minute per event**, even
+if you add more hardware.
+If you have an unlimited number of tickets, we can apply fewer locking and we've reached **approx.
+1500 orders per minute per event** in benchmarks, although even more should be possible.
+
+We're working to reduce the number of cases in which this is relevant and thereby improve the possible
+throughput. If you want to use pretix for an event with 10,000+ tickets that are likely to be sold out
+within minutes, please get in touch to discuss possible solutions. We'll work something out for you!
+
+
+.. _object storage cluster: https://behind.pretix.eu/2018/03/20/high-available-cdn/

doc/api/fundamentals.rst

@@ -170,6 +170,19 @@ Date                  String in ISO 8601 format    ``2017-12-27``
 Multi-lingual string  Object of strings            ``{"en": "red", "de": "rot", "de_Informal": "rot"}``
 Money                 String with decimal number   ``"23.42"``
 Currency              String with ISO 4217 code    ``"EUR"``, ``"USD"``
+Relative datetime     *either* String in ISO 8601  ``"2017-12-27T10:00:00.596934Z"``,
+                      format *or* specification of ``"RELDATE/3/12:00:00/presale_start/"``
+                      a relative datetime,
+                      constructed from a number of
+                      days before the base point,
+                      a time of day, and the base
+                      point.
+Relative date         *either* String in ISO 8601  ``"2017-12-27"``,
+                      format *or* specification of ``"RELDATE/3/-/presale_start/"``
+                      a relative date,
+                      constructed from a number of
+                      days before the base point
+                      and the base point.
 ===================== ============================ ===================================
 
 Query parameters
@@ -181,4 +194,37 @@ as the string values ``true`` and ``false``.
 If the ``ordering`` parameter is documented for a resource, you can use it to sort the result set by one of the allowed
 fields. Prepend a ``-`` to the field name to reverse the sort order.
 
+
+Idempotency
+-----------
+
+Our API supports an idempotency mechanism to make sure you can safely retry operations without accidentally performing
+them twice. This is useful if an API call experiences interruptions in transit, e.g. due to a network failure, and you
+do not know if it completed successfully.
+
+To perform an idempotent request, add a ``X-Idempotency-Key`` header with a random string value (we recommend a version
+4 UUID) to your request. If we see a second request with the same ``X-Idempotency-Key`` and the same ``Authorization``
+and ``Cookie`` headers, we will not perform the action for a second time but return the exact same response instead.
+
+Please note that this also goes for most error responses. For example, if we returned you a ``403 Permission Denied``
+error and you retry with the same ``X-Idempotency-Key``, you will get the same error again, even if you were granted
+permission in the meantime! This includes internal server errors on our side that might have been fixed in the meantime.
+
+There are only three exceptions to the rule:
+
+* Responses with status code ``409 Conflict`` are not cached. If you send the request again, it will be executed as a
+  new request, since these responses are intended to be retried.
+
+* Rate-limited responses with status code ``429 Too Many Requests`` are not cached and you can safely retry them.
+
+* Responses with status code ``503 Service Unavailable`` are not cached and you can safely retry them.
+
+If you send a request with an ``X-Idempotency-Key`` header that we have seen before but that has not yet received a
+response, you will receive a response with status code ``409 Conflict`` and are asked to retry after five seconds.
+
+We store idempotency keys for 24 hours, so you should never retry a request after a longer time period.
+
+All ``POST``, ``PUT``, ``PATCH``, or ``DELETE`` api calls support idempotency keys. Adding an idempotency key to a
+``GET``, ``HEAD``, or ``OPTIONS`` request has no effect.
+
 .. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax

doc/api/guides/custom_checkout.rst

@@ -0,0 +1,132 @@
+Creating an external checkout process
+=====================================
+
+Occasionally, we get asked whether it is possible to just use pretix' powerful backend as a ticketing engine but use
+a fully-customized checkout process that only communicates via the API. This is possible, but with a few limitations.
+If you go down this route, you will miss out on many of pretix features and safeguards, as well as the added flexibility
+by most of pretix' plugins. We strongly recommend to talk this through with us before you decide this is the way to go.
+
+However, this is really useful if you need to tightly integrate pretix into existing web applications that e.g. control
+the pricing of your products in a way that cannot be mapped to pretix' product structures.
+
+Creating orders
+---------------
+
+After letting your user select the products to  buy in your application, you should create a new order object inside
+pretix. Below, you can see an example of such an order, but most fields are optional and there are some more features
+supported. Read :ref:`rest-orders-create` to learn more about this endpoint.
+
+Please note that this endpoint assumes trustworthy input for the most part. By default, the endpoint checks that
+you do not exceed any quotas, do not sell any seats twice, or do not use any redeemed vouchers. However, it will not
+complain about violation of any other availability constraints, such as violation of time frames or minimum/maximum
+amounts of either your product or event. Bundled products will not be added in automatically and fees will not be
+calculated automatically.
+
+.. sourcecode:: http
+
+    POST /api/v1/organizers/democon/events/3vjrh/orders/ HTTP/1.1
+    Host: test.pretix.eu
+    Accept: application/json, text/javascript
+    Content-Type: application/json
+    Authorization: …
+
+    {
+      "email": "dummy@example.org",
+      "locale": "en",
+      "sales_channel": "web",
+      "payment_provider": "banktransfer",
+      "invoice_address": {
+        "is_business": false,
+        "company": "Sample company",
+        "name_parts": {"full_name": "John Doe"},
+        "street": "Sesam Street 12",
+        "zipcode": "12345",
+        "city": "Sample City",
+        "country": "US",
+        "state": "NY",
+        "internal_reference": "",
+        "vat_id": ""
+      },
+      "positions": [
+        {
+          "item": 21,
+          "variation": null,
+          "attendee_name_parts": {
+            "full_name": "Peter"
+          },
+          "answers": [
+            {
+              "question": 1,
+              "answer": "23",
+              "options": []
+            }
+          ],
+          "subevent": null
+        }
+      ],
+      "fees": []
+    }
+
+You will be returned a full order object that you can inspect, store, or use to build emails or confirmation pages for
+the user. If you don't want to do that yourself, it will also contain the URL to our confirmation page in the ``url``
+attribute. If you pass the ``"send_mail": true`` option, pretix will also send order confirmations for you.
+
+Handling payments yourself
+--------------------------
+
+If you want to handle payments in your application, you can either just create the orders with status "paid" or you can
+create them in "pending" state (the default) and later confirm the payment. We strongly advise to use the payment
+provider ``"manual"`` in this case to avoid interference with payment code with pretix.
+
+However, it is often unfeasible to implement the payment process yourself, and it also requires you to give up a
+lot of pretix functionality, such as automatic refunds. Therefore, it is also possible to utilize pretix' native
+payment process even in this case:
+
+Using pretix payment providers
+------------------------------
+
+If you passed a ``payment_provider`` during order creation above, pretix will have created a payment object with state
+``created`` that you can see in the returned order object. This payment object will have an attribute ``payment_url``
+that you can use to let the user pay. For example, you could link or redirect to this page.
+
+If you want the user to return to your application after the payment is complete, you can pass a query parameter
+``return_url``. To prepare your event for this, open your event in the pretix backend and go to "Settings", then
+"Plugins". Enable the plugin "Redirection from order page". Then, go to the new page "Settings", then "Redirection".
+Enter the base URL of your web application. This will allow you to redirect to pages under this base URL later on.
+For example, if you want users to be redirected to ``https://example.org/order/return?tx_id=1234``, you could now
+either enter ``https://example.org`` or ``https://example.org/order/``.
+
+The user will be redirected back to your page instead of pretix' order confirmation page after the payment,
+**regardless of whether it was successful or not**. Make sure you use our API to check if the payment actually
+worked! Your final URL could look like this::
+
+    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/123/?return_url=https%3A%2F%2Fexample.org%2Forder%2Freturn%3Ftx_id%3D1234
+
+You can also embed this page in an ``<iframe>`` instead. Note, however, that this causes problems with some payment
+methods such as PayPal which do not allow being opened in an iframe. pretix can partly work around these issues by
+opening a new window, but will only to so if you also append an ``iframe=1`` parameter to the URL::
+
+    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/123/?return_url=https%3A%2F%2Fexample.org%2Forder%2Freturn%3Ftx_id%3D1234&iframe=1
+
+If you did **not** pass a payment method since you want us to ask the user which payment method they want to use, you
+need to construct the URL from the ``url`` attribute of the order and the sub-path ``pay/change```. For example, you
+would end up with the following URL::
+
+    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/change
+
+Of course, you can also use the ``iframe`` and ``return_url`` parameters here.
+
+Optional: Cart reservations
+---------------------------
+
+Creating orders is an atomic operation: The order is either created as a whole or not at all. However, pretix'
+built-in checkout automatically reserves tickets in a user's cart for a configurable amount of time to ensure users
+will actually get their tickets once they started entering all their details. If you want a similar behavior in your
+application, you need to create :ref:`rest-carts` through the API.
+
+When creating your order, you can pass a ``consume_carts`` parameter with the cart ID(s) of your user. This way, the
+quota reserved by the cart will be credited towards the order and the carts will be destroyed if (and only if) the
+order creation succeeds.
+
+Cart creation is currently even more limited than the order creation endpoints, as cart creation currently does not
+support vouchers or automatic price calculation. If you require these features, please get in touch with us.

doc/api/guides/index.rst

@@ -0,0 +1,11 @@
+.. _`rest-api-guides`:
+
+API Usage Guides
+================
+
+This part of the documentation contains how-to guides on some special use cases of our API.
+
+.. toctree::
+   :maxdepth: 2
+
+   custom_checkout

doc/api/index.rst

@@ -18,3 +18,4 @@ in functionality over time.
    resources/index
    ratelimit
    webhooks
+   guides/index

doc/api/oauth.rst

@@ -61,7 +61,7 @@ access to the API. The ``token`` endpoint expects you to authenticate using `HTT
 ID as a username and your client secret as a password. You are also required to again supply the same ``redirect_uri``
 parameter that you used for the authorization.
 
-.. http:get:: /api/v1/oauth/token
+.. http:post:: /api/v1/oauth/token
 
    Request a new access token
 

doc/api/resources/billing_invoices.rst

@@ -0,0 +1,131 @@
+pretix Hosted billing invoices
+==============================
+
+This endpoint allows you to access invoices you received for pretix Hosted. It only contains invoices created starting
+November 2017.
+
+.. note:: Only available on pretix Hosted, not on self-hosted pretix instances.
+
+Resource description
+--------------------
+
+The resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+invoice_number                        string                     Invoice number
+date_issued                           date                       Invoice date
+===================================== ========================== =======================================================
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/billing_invoices/
+
+   Returns a list of all invoices to a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/billing_invoices/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "invoice_number": "R2019002",
+            "date_issued": "2019-06-03"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date_issued`` and
+                           its reverse, ``-date_issued``. Default: ``date_issued``.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/billing_invoices/(invoice_number)/
+
+   Returns information on one invoice, identified by its invoice number.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/billing_invoices/R2019002/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "invoice_number": "R2019002",
+        "date_issued": "2019-06-03"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param invoice_number: The ``invoice_number`` field of the invoice to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/billing_invoices/(invoice_number)/download/
+
+   Download an invoice in PDF format.
+
+   .. warning:: After we created the invoices, they are placed in review with our accounting department. You will
+                already see them in the API at this point, but you are not able to download them until they completed
+                review and are sent to you via email. This usually takes a few hours. If you try to download them
+                in this time frame, you will receive a status code :http:statuscode:`423`.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/billing_invoices/R2019002/download/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/pdf
+
+      ...
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param invoice_number: The ``invoice_number`` field of the invoice to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 423: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
+                    seconds.

doc/api/resources/billing_var.rst

@@ -0,0 +1,148 @@
+pretix Hosted reseller API
+==========================
+
+This API is only accessible to our `value-added reseller partners`_ on pretix Hosted.
+
+.. note:: This API is only accessible with user-level permissions, not with API tokens. Therefore, you will need to
+          create an :ref:`OAuth application <rest-oauth>` and obtain an OAuth access token for a user account that has
+          permission to your reseller account.
+
+Reseller account resource
+-------------------------
+
+The resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Your reseller ID
+name                                  string                     Internal name of your reseller account
+public_name                           string                     Public name of your reseller account
+public_url                            string                     Public URL of your company
+support_email                         string                     Your support email address
+support_phone                         string                     Your support phone number
+communication_language                string                     Language code we use to communicate with you
+===================================== ========================== =======================================================
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/var/
+
+   Returns a list of all reseller accounts you have access to.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/var/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "ticketshop.live Ltd & Co. KG",
+            "public_name": "ticketshop.live",
+            "public_url": "https://ticketshop.live",
+            "support_email": "support@ticketshop.live",
+            "support_phone": "+4962213217750",
+            "communication_language": "de"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+
+.. http:get:: /api/v1/var/(id)/
+
+   Returns information on one reseller account, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/var/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "ticketshop.live Ltd & Co. KG",
+        "public_name": "ticketshop.live",
+        "public_url": "https://ticketshop.live",
+        "support_email": "support@ticketshop.live",
+        "support_phone": "+4962213217750",
+        "communication_language": "de"
+      }
+
+   :param id: The ``id`` field of the reseller account to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 404: The requested account does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/var/(id)/create_organizer/
+
+   Creates a new organizer account that will be associated with a given reseller account.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/var/1/create_organizer/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 123
+
+      {
+        "name": "My new client",
+        "slug": "New client"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "My new client",
+        "slug": "New client"
+      }
+
+   :param id: The ``id`` field of the reseller account to fetch
+   :statuscode 201: no error
+   :statuscode 400: Invalid request body, usually the slug is invalid or already taken.
+   :statuscode 401: Authentication failure
+   :statuscode 404: The requested account does not exist **or** you have no permission to view this resource.
+
+.. _value-added reseller partners: https://pretix.eu/about/en/var

doc/api/resources/carts.rst

@@ -36,12 +36,20 @@ answers                               list of objects            Answers to user
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
+seat                                  objects                    The assigned seat. Can be ``null``.
+├ id                                  integer                    Internal ID of the seat instance
+├ name                                string                     Human-readable seat name
+└ seat_guid                           string                     Identifier of the seat within the seating plan
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.17
 
    This resource has been added.
 
+.. versionchanged:: 3.0
+
+   This ``seat`` attribute has been added.
+
 
 Cart position endpoints
 -----------------------
@@ -87,6 +95,7 @@ Cart position endpoints
             "datetime": "2018-06-11T10:00:00Z",
             "expires": "2018-06-11T10:00:00Z",
             "includes_tax": true,
+            "seat": null,
             "answers": []
           }
         ]
@@ -132,6 +141,7 @@ Cart position endpoints
         "datetime": "2018-06-11T10:00:00Z",
         "expires": "2018-06-11T10:00:00Z",
         "includes_tax": true,
+        "seat": null,
         "answers": []
       }
 
@@ -178,11 +188,13 @@ Cart position endpoints
    * ``item``
    * ``variation`` (optional)
    * ``price``
+   * ``seat`` (The ``seat_guid`` attribute of a seat. Required when the specified ``item`` requires a seat, otherwise must be ``null``.)
    * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
    * ``attendee_email`` (optional)
    * ``subevent`` (optional)
    * ``expires`` (optional)
    * ``includes_tax`` (optional)
+   * ``sales_channel`` (optional)
    * ``answers``
 
       * ``question``
@@ -196,7 +208,7 @@ Cart position endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/cartpositions/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "item": 1,

doc/api/resources/categories.rst

@@ -20,7 +20,7 @@ internal_name                         string                     An optional nam
 description                           multi-lingual string       A public description (might include markdown, can
                                                                  be ``null``)
 position                              integer                    An integer, used for sorting the categories
-is_addon                              boolean                    If ``True``, items within this category are not on sale
+is_addon                              boolean                    If ``true``, items within this category are not on sale
                                                                  on their own but the category provides a source for
                                                                  defining add-ons for other products.
 ===================================== ========================== =======================================================
@@ -131,7 +131,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/categories/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "name": {"en": "Tickets"},

doc/api/resources/checkinlists.rst

@@ -1,3 +1,5 @@
+.. spelling:: checkin
+
 Check-in lists
 ==============
 
@@ -27,6 +29,7 @@ subevent                              integer                    ID of the date
 position_count                        integer                    Number of tickets that match this list (read-only).
 checkin_count                         integer                    Number of check-ins performed on this list (read-only).
 include_pending                       boolean                    If ``true``, the check-in list also contains tickets from orders in pending state.
+auto_checkin_sales_channels           list of strings            All items on the check-in list will be automatically marked as checked-in when purchased through any of the listed sales channels.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.10
@@ -41,6 +44,10 @@ include_pending                       boolean                    If ``true``, th
 
    The ``include_pending`` field has been added.
 
+.. versionchanged:: 3.2
+
+    The ``auto_checkin_sales_channels`` field has been added.
+
 Endpoints
 ---------
 
@@ -81,7 +88,10 @@ Endpoints
             "all_products": true,
             "limit_products": [],
             "include_pending": false,
-            "subevent": null
+            "subevent": null,
+            "auto_checkin_sales_channels": [
+              "pretixpos"
+            ]
           }
         ]
       }
@@ -122,7 +132,10 @@ Endpoints
         "all_products": true,
         "limit_products": [],
         "include_pending": false,
-        "subevent": null
+        "subevent": null,
+        "auto_checkin_sales_channels": [
+          "pretixpos"
+        ]
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -156,14 +169,14 @@ Endpoints
         "checkin_count": 17,
         "position_count": 42,
         "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference"
         },
         "items": [
           {
             "name": "T-Shirt",
             "id": 1,
             "checkin_count": 1,
-            "admission": False,
+            "admission": false,
             "position_count": 1,
             "variations": [
               {
@@ -184,7 +197,7 @@ Endpoints
             "name": "Ticket",
             "id": 2,
             "checkin_count": 15,
-            "admission": True,
+            "admission": true,
             "position_count": 22,
             "variations": []
           }
@@ -209,13 +222,16 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "name": "VIP entry",
         "all_products": false,
         "limit_products": [1, 2],
-        "subevent": null
+        "subevent": null,
+        "auto_checkin_sales_channels": [
+          "pretixpos"
+        ]
       }
 
    **Example response**:
@@ -234,7 +250,10 @@ Endpoints
         "all_products": false,
         "limit_products": [1, 2],
         "include_pending": false,
-        "subevent": null
+        "subevent": null,
+        "auto_checkin_sales_channels": [
+          "pretixpos"
+        ]
       }
 
    :param organizer: The ``slug`` field of the organizer of the event/item to create a list for
@@ -283,7 +302,10 @@ Endpoints
         "all_products": false,
         "limit_products": [1, 2],
         "include_pending": false,
-        "subevent": null
+        "subevent": null,
+        "auto_checkin_sales_channels": [
+          "pretixpos"
+        ]
       }
 
    :param organizer: The ``slug`` field of the organizer to modify
@@ -336,11 +358,29 @@ Order position endpoints
 
    The order positions endpoint has been extended by the filter queries ``voucher`` and ``voucher__code``.
 
+.. versionchanged:: 2.7
+
+   The resource now contains the new attributes ``require_attention`` and ``order__status`` and accepts the new
+   ``ignore_status`` filter. The ``attendee_name`` field is now "smart" (see below) and the redemption endpoint
+   returns ``400`` instead of ``404`` on tickets which are known but not paid.
+
+.. versionchanged:: 3.2
+
+    The ``checkins`` dict now also contains a ``auto_checked_in`` value to indicate if the check-in has been performed
+    automatically by the system.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/
 
    Returns a list of all order positions within a given event. The result is the same as
-   the :ref:`order-position-resource`, with one important difference: the ``checkins`` value will only include
-   check-ins for the selected list.
+   the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.
 
    **Example request**:
 
@@ -383,10 +423,12 @@ Order position endpoints
             "addon_to": null,
             "subevent": null,
             "pseudonymization_id": "MQLJvANO3B",
+            "seat": null,
             "checkins": [
               {
                 "list": 1,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
+                "auto_checked_in": true
               }
             ],
             "answers": [
@@ -407,6 +449,8 @@ Order position endpoints
       }
 
    :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ignore_status: If set to ``true``, results will be returned regardless of the state of
+                                 the order they belong to and you will need to do your own filtering by order status.
    :query string ordering: Manually set the ordering of results. Valid fields to be used are ``order__code``,
                            ``order__datetime``, ``positionid``, ``attendee_name``, ``last_checked_in`` and ``order__email``. Default:
                            ``attendee_name,positionid``
@@ -442,8 +486,15 @@ Order position endpoints
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/(id)/
 
    Returns information on one order position, identified by its internal ID.
-   The result format is the same as the :ref:`order-position-resource`, with one important difference: the
-   ``checkins`` value will only include check-ins for the selected list.
+   The result is the same as the :ref:`order-position-resource`, with the following differences:
+
+   * The ``checkins`` value will only include check-ins for the selected list.
+
+   * An additional boolean property ``require_attention`` will inform you whether either the order or the item
+     have the ``checkin_attention`` flag set.
+
+   * If ``attendee_name`` is empty, it will automatically fall back to values from a parent product or from invoice
+     addresses.
 
    **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**
 
@@ -483,10 +534,12 @@ Order position endpoints
         "addon_to": null,
         "subevent": null,
         "pseudonymization_id": "MQLJvANO3B",
+        "seat": null,
         "checkins": [
           {
             "list": 1,
-            "datetime": "2017-12-25T12:45:23Z"
+            "datetime": "2017-12-25T12:45:23Z",
+            "auto_checked_in": true
           }
         ],
         "answers": [
@@ -524,11 +577,14 @@ Order position endpoints
                                        you do not implement question handling in your user interface, you **must**
                                        set this to ``false``. In that case, questions will just be ignored. Defaults
                                        to ``true``.
+   :<json boolean canceled_supported: When this parameter is set to ``true``, the response code ``canceled`` may be
+                                      returned. Otherwise, canceled orders will return ``unpaid``.
    :<json datetime datetime: Specifies the datetime of the check-in. If not supplied, the current time will be used.
    :<json boolean force: Specifies that the check-in should succeed regardless of previous check-ins or required
                          questions that have not been filled. Defaults to ``false``.
    :<json boolean ignore_unpaid: Specifies that the check-in should succeed even if the order is in pending state.
-                                 Defaults to ``false``.
+                                 Defaults to ``false`` and only works when ``include_pending`` is set on the check-in
+                                 list.
    :<json string nonce: You can set this parameter to a unique random value to identify this check-in. If you're sending
                         this request twice with the same nonce, the second request will also succeed but will always
                         create only one check-in object even when the previous request was successful as well. This
@@ -551,6 +607,7 @@ Order position endpoints
         "nonce": "Pvrk50vUzQd0DhdpNRL4I4OcXsvg70uA",
         "datetime": null,
         "questions_supported": true,
+        "canceled_supported": true,
         "answers": {
           "4": "XS"
         }
@@ -634,7 +691,9 @@ Order position endpoints
 
    Possible error reasons:
 
-   * ``unpaid`` - Ticket is not paid for or has been refunded
+   * ``unpaid`` - Ticket is not paid for
+   * ``canceled`` – Ticket is canceled or expired. This reason is only sent when your request sets
+     ``canceled_supported`` to ``true``, otherwise these orders return ``unpaid``.
    * ``already_redeemed`` - Ticket already has been redeemed
    * ``product`` - Tickets with this product may not be scanned at this device
 

doc/api/resources/events.rst

@@ -1,3 +1,9 @@
+.. spelling::
+
+   geo
+   lat
+   lon
+
 Events
 ======
 
@@ -25,11 +31,19 @@ is_public                             boolean                    If ``true``, th
 presale_start                         datetime                   The date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
-has_subevents                         boolean                    ``True`` if the event series feature is active for this
+geo_lat                               float                      Latitude of the location (or ``null``)
+geo_lon                               float                      Longitude of the location (or ``null``)
+has_subevents                         boolean                    ``true`` if the event series feature is active for this
                                                                  event. Cannot change after event is created.
-meta_data                             dict                       Values set for organizer-specific meta data parameters.
+meta_data                             object                     Values set for organizer-specific meta data parameters.
 plugins                               list                       A list of package names of the enabled plugins for this
                                                                  event.
+seating_plan                          integer                    If reserved seating is in use, the ID of a seating
+                                                                 plan. Otherwise ``null``.
+seat_category_mapping                 object                     An object mapping categories of the seating plan
+                                                                 (strings) to items in the event (integers or ``null``).
+timezone                              string                     Event timezone name
+item_meta_properties                  object                     Item-specific meta data parameters and default values.
 ===================================== ========================== =======================================================
 
 
@@ -50,9 +64,33 @@ plugins                               list                       A list of packa
 
    The ``testmode`` attribute has been added.
 
+.. versionchanged:: 2.8
+
+    When cloning events, the ``testmode`` attribute will now be cloned, too.
+
+.. versionchanged:: 3.0
+
+   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
+
+.. versionchanged:: 3.3
+
+   The attributes ``geo_lat`` and ``geo_lon`` have been added.
+
+.. versionchanged:: 3.4
+
+   The attribute ``timezone`` has been added.
+
+.. versionchanged:: 3.7
+
+   The attribute ``item_meta_properties`` has been added.
+
 Endpoints
 ---------
 
+.. versionchanged:: 3.3
+
+    The events resource can now be filtered by meta data attributes.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/
 
    Returns a list of all events within a given organizer the authenticated user/token has access to.
@@ -93,8 +131,14 @@ Endpoints
             "presale_start": null,
             "presale_end": null,
             "location": null,
+            "geo_lat": null,
+            "geo_lon": null,
             "has_subevents": false,
             "meta_data": {},
+            "seating_plan": null,
+            "seat_category_mapping": {},
+            "timezone": "Europe/Berlin",
+            "item_meta_properties": {},
             "plugins": [
               "pretix.plugins.banktransfer"
               "pretix.plugins.stripe"
@@ -112,6 +156,13 @@ Endpoints
    :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned. Event series are never (always) returned.
    :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned. Event series are never (always) returned.
    :query ends_after: If set to a date and time, only events that happen during of after the given time are returned. Event series are never returned.
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date_from`` and
+                           ``slug``. Keep in mind that ``date_from`` of event series does not really tell you anything.
+                           Default: ``slug``.
+   :query array attr[meta_data_key]: By providing the key and value of a meta data attribute, the list of events will
+        only contain the events matching the set criteria. Providing ``?attr[Format]=Seminar`` would return only those
+        events having set their ``Format`` meta data to ``Seminar``, ``?attr[Format]=`` only those, that have no value
+        set. Please note that this filter will respect default values set on organizer level.
    :param organizer: The ``slug`` field of a valid organizer
    :statuscode 200: no error
    :statuscode 401: Authentication failure
@@ -152,8 +203,14 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
         "has_subevents": false,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.banktransfer"
           "pretix.plugins.stripe"
@@ -184,7 +241,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "name": {"en": "Sample Conference"},
@@ -198,9 +255,15 @@ Endpoints
         "is_public": false,
         "presale_start": null,
         "presale_end": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -228,8 +291,14 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -245,11 +314,11 @@ Endpoints
 
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/clone/
 
-   Creates a new event with properties as set in the request body. The properties that are copied are: 'is_public',
-   settings, plugin settings, items, variations, add-ons, quotas, categories, tax rules, questions.
+   Creates a new event with properties as set in the request body. The properties that are copied are: ``is_public``,
+   ``testmode``, ``has_subevents``, settings, plugin settings, items, variations, add-ons, quotas, categories, tax rules, questions.
 
-   If the 'plugins' and/or 'is_public' fields are present in the post body this will determine their value. Otherwise
-   their value will be copied from the existing event.
+   If the ``plugins``, ``has_subevents`` and/or ``is_public`` fields are present in the post body this will determine their
+   value. Otherwise their value will be copied from the existing event.
 
    Please note that you can only copy from events under the same organizer.
 
@@ -262,7 +331,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/clone/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "name": {"en": "Sample Conference"},
@@ -277,8 +346,14 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -306,8 +381,14 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
         "has_subevents": false,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -335,7 +416,7 @@ Endpoints
       PATCH /api/v1/organizers/bigevents/events/sampleconf/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "plugins": [
@@ -367,8 +448,14 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
         "has_subevents": false,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.banktransfer",
           "pretix.plugins.stripe",
@@ -379,7 +466,7 @@ Endpoints
 
    :param organizer: The ``slug`` field of the organizer of the event to update
    :param event: The ``slug`` field of the event to update
-   :statuscode 201: no error
+   :statuscode 200: no error
    :statuscode 400: The event could not be created due to invalid submitted data.
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
@@ -411,3 +498,123 @@ Endpoints
    :statuscode 204: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
+Event settings
+--------------
+
+pretix events have lots and lots of parameters of different types that are stored in a key-value store on our system.
+Since many of these settings depend on each other in complex ways, we can not give direct access to all of these
+settings through the API. However, we do expose many of the simple and useful flags through the API.
+
+Please note that the available settings flags change between pretix versions and also between events, depending on the
+installed plugins, and we do not give a guarantee on backwards-compatibility like with other parts of the API.
+Therefore, we're also not including a list of the options here, but instead recommend to look at the endpoint output
+to see available options. The ``explain=true`` flag enables a verbose mode that provides you with human-readable
+information about the properties.
+
+.. note:: Please note that this is not a complete representation of all event settings. You will find more settings
+          in the web interface.
+
+.. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
+             able to break your event using this API by creating situations of conflicting settings. Please take care.
+
+.. versionchanged:: 3.6
+
+   Initial support for settings has been added to the API.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/settings/
+
+   Get current values of event settings.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/settings/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example standard response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://pretix.eu",
+        …
+      }
+
+   **Example verbose response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url":
+          {
+            "value": "https://pretix.eu",
+            "label": "Imprint URL",
+            "help_text": "This should point e.g. to a part of your website that has your contact details and legal information."
+          }
+        },
+        …
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to access
+   :param event: The ``slug`` field of the event to access
+   :query explain: Set to ``true`` to enable verbose response mode
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/settings/
+
+   Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
+
+    .. warning::
+
+       Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting
+       from a higher level (organizer, global) will be returned. If you explicitly set a setting on event level, it
+       will no longer be inherited from the higher levels. Therefore, we recommend you to send only settings that you
+       explicitly want to set on event level. To unset a settings, pass ``null``.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/settings/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://example.org/imprint/"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://example.org/imprint/",
+        …
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to update
+   :param event: The ``slug`` field of the event to update
+   :statuscode 200: no error
+   :statuscode 400: The event could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.

doc/api/resources/giftcards.rst

@@ -0,0 +1,251 @@
+.. _`rest-giftcards`:
+
+Gift cards
+==========
+
+Resource description
+--------------------
+
+The gift card resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the gift card
+secret                                string                     Gift card code (can not be modified later)
+value                                 money (string)             Current gift card value
+currency                              string                     Currency of the value (can not be modified later)
+testmode                              boolean                    Whether this is a test gift card
+expires                               datetime                   Expiry date (or ``null``)
+conditions                            string                     Special terms and conditions for this card (or ``null``)
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/giftcards/
+
+   Returns a list of all gift cards issued by a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/giftcards/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "secret": "HLBYVELFRC77NCQY",
+            "currency": "EUR",
+            "testmode": false,
+            "expires": null,
+            "conditions": null,
+            "value": "13.37"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string secret: Only show gift cards with the given secret.
+   :query boolean testmode: Filter for gift cards that are (not) in test mode.
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/giftcards/(id)/
+
+   Returns information on one gift card, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/giftcards/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "HLBYVELFRC77NCQY",
+        "currency": "EUR",
+        "testmode": false,
+        "expires": null,
+        "conditions": null,
+        "value": "13.37"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the gift card to fetch
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/giftcards/
+
+   Creates a new gift card
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/giftcards/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "secret": "HLBYVELFRC77NCQY",
+        "currency": "EUR",
+        "value": "13.37"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "HLBYVELFRC77NCQY",
+        "testmode": false,
+        "currency": "EUR",
+        "expires": null,
+        "conditions": null,
+        "value": "13.37"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a gift card for
+   :statuscode 201: no error
+   :statuscode 400: The gift card could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/giftcards/(id)/
+
+   Update a gift card. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id``, ``secret``, ``testmode``, and ``currency`` fields. Be
+   careful when modifying the ``value`` field to avoid race conditions. We recommend to use the ``transact`` method
+   described below.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/giftcards/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "value": "14.00"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "HLBYVELFRC77NCQY",
+        "testmode": false,
+        "currency": "EUR",
+        "expires": null,
+        "conditions": null,
+        "value": "14.00"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the gift card to modify
+   :statuscode 200: no error
+   :statuscode 400: The gift card could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/giftcards/(id)/transact/
+
+   Atomically change the value of a gift card. A positive amount will increase the value of the gift card,
+   a negative amount will decrease it.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/giftcards/1/transact/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "value": "2.00"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "HLBYVELFRC77NCQY",
+        "currency": "EUR",
+        "testmode": false,
+        "expires": null,
+        "conditions": null,
+        "value": "15.37"
+      }
+
+   .. versionchanged:: 3.5
+
+      This endpoint now returns status code ``409`` if the transaction would lead to a negative gift card value.
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the gift card to modify
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
+   :statuscode 200: no error
+   :statuscode 400: The gift card could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+   :statuscode 409: There is not sufficient credit on the gift card.

doc/api/resources/index.rst

@@ -11,6 +11,7 @@ Resources and endpoints
    categories
    items
    item_variations
+   item_bundles
    item_add-ons
    questions
    question_options
@@ -20,5 +21,10 @@ Resources and endpoints
    vouchers
    checkinlists
    waitinglist
+   giftcards
    carts
+   teams
    webhooks
+   seatingplans
+   billing_invoices
+   billing_var

doc/api/resources/invoices.rst

@@ -13,7 +13,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 number                                string                     Invoice number (with prefix)
 order                                 string                     Order code of the order this invoice belongs to
-is_cancellation                       boolean                    ``True``, if this invoice is the cancellation of a
+is_cancellation                       boolean                    ``true``, if this invoice is the cancellation of a
                                                                  different invoice.
 invoice_from                          string                     Sender address
 invoice_to                            string                     Receiver address
@@ -28,6 +28,7 @@ payment_provider_text                 string                     Text to be prin
                                                                  payment information
 footer_text                           string                     Text to be printed in the page footer area
 lines                                 list of objects            The actual invoice contents
+├ position                            integer                    Number of the line within an invoice.
 ├ description                         string                     Text representing the invoice line (e.g. product name)
 ├ gross_value                         money (string)             Price including taxes
 ├ tax_value                           money (string)             Tax amount included
@@ -63,6 +64,11 @@ internal_reference                    string                     Customer's refe
    The attribute ``internal_reference`` has been added.
 
 
+.. versionchanged:: 3.4
+
+   The attribute ``lines.number`` has been added.
+
+
 Endpoints
 ---------
 
@@ -107,6 +113,7 @@ Endpoints
             "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
             "lines": [
               {
+                "position": 1,
                 "description": "Budget Ticket",
                 "gross_value": "23.00",
                 "tax_value": "0.00",
@@ -171,6 +178,7 @@ Endpoints
         "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
         "lines": [
           {
+            "position": 1,
             "description": "Budget Ticket",
             "gross_value": "23.00",
             "tax_value": "0.00",

doc/api/resources/item_add-ons.rst

@@ -134,7 +134,7 @@ Endpoints
       POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/addons/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "addon_category": 1,
@@ -189,7 +189,7 @@ Endpoints
 
       {
         "min_count": 0,
-        "max_count": 10,
+        "max_count": 10
       }
 
    **Example response**:

doc/api/resources/item_bundles.rst

@@ -0,0 +1,242 @@
+Item bundles
+============
+
+Resource description
+--------------------
+
+With bundles, you can specify products that are included within other products. There are two premier use cases of this:
+
+* Package discounts. For example, you could offer a discounted package that includes three tickets but can only be
+  bought as a whole. With a bundle including three times the usual product, the package will automatically pull three
+  sub-items into the cart, making sure of correct quota calculation and issuance of the correct number of tickets.
+
+* Tax splitting. For example, if your conference ticket includes a part that is subject to different taxation and that
+  you need to put on the invoice separately. When you putting a "designated price" on a bundled sub-item, pretix will
+  use that price to show a split taxation.
+
+The bundles resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the bundling configuration
+bundled_item                          integer                    Internal ID of the item that is included.
+bundled_variation                     integer                    Internal ID of the variation of the item (or ``null``).
+count                                 integer                    Number of items included
+designated_price                      money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
+===================================== ========================== =======================================================
+
+.. versionchanged:: 2.6
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/
+
+   Returns a list of all bundles for a given item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/11/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 1,
+            "designated_price": "0.00"
+          },
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 2,
+            "designated_price": "1.50"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/item does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Returns information on one bundle configuration, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :param id: The ``id`` field of the bundle to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/
+
+   Creates a new bundle configuration
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a bundle-configuration for
+   :param event: The ``slug`` field of the event to create a bundle configuration for
+   :param item: The ``id`` field of the item to create a bundle configuration for
+   :statuscode 201: no error
+   :statuscode 400: The bundle could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Update a bundle configuration. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all
+   fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields
+   that you want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/3/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "count": 2
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param item: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to modify
+   :statuscode 200: no error
+   :statuscode 400: The bundle configuration could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/bundles/(id)/
+
+   Delete a bundle configuration.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/item_variations.rst

@@ -18,12 +18,18 @@ default_price                         money (string)             The price set d
 price                                 money (string)             The price used for this variation. This is either the
                                                                  same as ``default_price`` if that value is set or equal
                                                                  to the item's ``default_price`` (read-only).
-active                                boolean                    If ``False``, this variation will not be sold or shown.
+original_price                        money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+active                                boolean                    If ``false``, this variation will not be sold or shown.
 description                           multi-lingual string       A public description of the variation. May contain
                                                                  Markdown syntax or can be ``null``.
 position                              integer                    An integer, used for sorting
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added.
+
 .. versionchanged:: 1.12
 
    This resource has been added.
@@ -67,7 +73,8 @@ Endpoints
             },
             "position": 0,
             "default_price": "223.00",
-            "price": 223.0
+            "price": 223.0,
+            "original_price": null,
           },
           {
             "id": 3,
@@ -120,6 +127,7 @@ Endpoints
         },
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": true,
         "description": null,
         "position": 0
@@ -144,7 +152,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "value": {"en": "Student"},
@@ -167,6 +175,7 @@ Endpoints
         "value": {"en": "Student"},
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": true,
         "description": null,
         "position": 0
@@ -216,6 +225,7 @@ Endpoints
         "value": {"en": "Student"},
         "default_price": "10.00",
         "price": "10.00",
+        "original_price": null,
         "active": false,
         "description": null,
         "position": 1

doc/api/resources/items.rst

@@ -21,34 +21,38 @@ default_price                         money (string)             The item price
                                                                  overwritten by variations or other options.
 category                              integer                    The ID of the category this item belongs to
                                                                  (or ``null``).
-active                                boolean                    If ``False``, the item is hidden from all public lists
+active                                boolean                    If ``false``, the item is hidden from all public lists
                                                                  and will not be sold.
 description                           multi-lingual string       A public description of the item. May contain Markdown
                                                                  syntax or can be ``null``.
-free_price                            boolean                    If ``True``, customers can change the price at which
+free_price                            boolean                    If ``true``, customers can change the price at which
                                                                  they buy the product (however, the price can't be set
                                                                  lower than the price defined by ``default_price`` or
                                                                  otherwise).
-tax_rate                              decimal (string)           The VAT rate to be applied for this item.
+tax_rate                              decimal (string)           The VAT rate to be applied for this item (read-only,
+                                                                 set through ``tax_rule``).
 tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
-admission                             boolean                    ``True`` for items that grant admission to the event
-                                                                 (such as primary tickets) and ``False`` for others
+admission                             boolean                    ``true`` for items that grant admission to the event
+                                                                 (such as primary tickets) and ``false`` for others
                                                                  (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
-                                                                 (read-only).
+                                                                 (read-only, can be ``null``).
 sales_channels                        list of strings            Sales channels this product is available on, such as
                                                                  ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
 available_from                        datetime                   The first date time at which this item can be bought
                                                                  (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
                                                                  (or ``null``).
-require_voucher                       boolean                    If ``True``, this item can only be bought using a
+hidden_if_available                   integer                    The internal ID of a quota object, or ``null``. If
+                                                                 set, this item won't be shown publicly as long as this
+                                                                 quota is available.
+require_voucher                       boolean                    If ``true``, this item can only be bought using a
                                                                  voucher that is specifically assigned to this item.
-hide_without_voucher                  boolean                    If ``True``, this item is only shown during the voucher
+hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
                                                                  redemption process, but not in the normal shop
                                                                  frontend.
-allow_cancel                          boolean                    If ``False``, customers cannot cancel orders containing
+allow_cancel                          boolean                    If ``false``, customers cannot cancel orders containing
                                                                  this item.
 min_per_order                         integer                    This product can only be bought if it is included at
                                                                  least this many times in the order (or ``null`` for no
@@ -56,20 +60,26 @@ min_per_order                         integer                    This product ca
 max_per_order                         integer                    This product can only be bought if it is included at
                                                                  most this many times in the order (or ``null`` for no
                                                                  limitation).
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                  that this ticket requires special attention if such
                                                                  a product is being scanned.
 original_price                        money (string)             An original price, shown for comparison, not used
-                                                                 for price calculations.
-require_approval                      boolean                    If ``True``, orders with this product will need to be
+                                                                 for price calculations (or ``null``).
+require_approval                      boolean                    If ``true``, orders with this product will need to be
                                                                  approved by the event organizer before they can be
                                                                  paid.
-generate_tickets                      boolean                    If ``False``, tickets are never generated for this
-                                                                 product, regardless of other settings. If ``True``,
+require_bundling                      boolean                    If ``true``, this item is only available as part of bundles.
+generate_tickets                      boolean                    If ``false``, tickets are never generated for this
+                                                                 product, regardless of other settings. If ``true``,
                                                                  tickets are generated even if this is a
                                                                  non-admission or add-on product, regardless of event
                                                                  settings. If this is ``null``, regular ticketing
                                                                  rules apply.
+allow_waitinglist                     boolean                    If ``false``, no waiting list will be shown for this
+                                                                 product when it is sold out.
+issue_giftcard                        boolean                    If ``true``, buying this product will yield a gift card.
+show_quota_left                       boolean                    Publicly show how many tickets are still available.
+                                                                 If this is ``null``, the event default is used.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
                                                                  Can be empty. Only writable during creation,
@@ -80,7 +90,9 @@ variations                            list of objects            A list with one
 ├ price                               money (string)             The price used for this variation. This is either the
                                                                  same as ``default_price`` if that value is set or equal
                                                                  to the item's ``default_price``.
-├ active                              boolean                    If ``False``, this variation will not be sold or shown.
+├ original_price                      money (string)             An original price, shown for comparison, not used
+                                                                 for price calculations (or ``null``).
+├ active                              boolean                    If ``false``, this variation will not be sold or shown.
 ├ description                         multi-lingual string       A public description of the variation. May contain
                                                                  Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
@@ -91,10 +103,24 @@ addons                                list of objects            Definition of a
                                                                  chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
 ├ max_count                           integer                    The maximal number of add-ons that can be chosen.
-└ position                            integer                    An integer, used for sorting
+├ position                            integer                    An integer, used for sorting
 └ price_included                      boolean                    Adding this add-on to the item is free
+bundles                               list of objects            Definition of bundles that are included in this item.
+                                                                 Only writable during creation,
+                                                                 use separate endpoint to modify this later.
+├ bundled_item                        integer                    Internal ID of the item that is included.
+├ bundled_variation                   integer                    Internal ID of the variation of the item (or ``null``).
+├ count                               integer                    Number of items included
+└ designated_price                    money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
+meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added for ``variations``.
+
 .. versionchanged:: 1.7
 
    The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
@@ -121,15 +147,28 @@ addons                                list of objects            Definition of a
 
    The ``generate_tickets`` attribute has been added.
 
+.. versionchanged:: 2.6
+
+   The ``bundles`` and ``require_bundling`` attributes have been added.
+
+.. versionchanged:: 3.0
+
+   The ``show_quota_left``, ``allow_waitinglist``, and ``hidden_if_available`` attributes have been added.
+
+.. versionchanged:: 3.7
+
+   The attribute ``meta_data`` has been added.
+
 Notes
 -----
+
 Please note that an item either always has variations or never has. Once created with variations the item can never
 change to an item without and vice versa. To create an item with variations ensure that you POST an item with at least
 one variation.
 
-Also note that ``variations`` and ``addons`` are only supported on ``POST``. To update/delete variations and add-ons please
-use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT`` with nested
-``variations`` and/or ``addons``.
+Also note that ``variations``, ``bundles``, and  ``addons`` are only supported on ``POST``. To update/delete variations,
+bundles, and add-ons please use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT``
+with nested ``variations``, ``bundles`` and/or ``addons``.
 
 Endpoints
 ---------
@@ -173,10 +212,13 @@ Endpoints
             "tax_rate": "0.00",
             "tax_rule": 1,
             "admission": false,
+            "issue_giftcard": false,
+            "meta_data": {},
             "position": 0,
             "picture": null,
             "available_from": null,
             "available_until": null,
+            "hidden_if_available": null,
             "require_voucher": false,
             "hide_without_voucher": false,
             "allow_cancel": true,
@@ -185,12 +227,16 @@ Endpoints
             "checkin_attention": false,
             "has_variations": false,
             "generate_tickets": null,
+            "allow_waitinglist": true,
+            "show_quota_left": null,
             "require_approval": false,
+            "require_bundling": false,
             "variations": [
               {
                  "value": {"en": "Student"},
                  "default_price": "10.00",
                  "price": "10.00",
+                 "original_price": null,
                  "active": true,
                  "description": null,
                  "position": 0
@@ -199,12 +245,14 @@ Endpoints
                  "value": {"en": "Regular"},
                  "default_price": null,
                  "price": "23.00",
+                 "original_price": null,
                  "active": true,
                  "description": null,
                  "position": 1
               }
             ],
-            "addons": []
+            "addons": [],
+            "bundles": []
           }
         ]
       }
@@ -260,24 +308,31 @@ Endpoints
         "tax_rate": "0.00",
         "tax_rule": 1,
         "admission": false,
+        "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
         "available_until": null,
+        "hidden_if_available": null,
         "require_voucher": false,
         "hide_without_voucher": false,
         "allow_cancel": true,
         "generate_tickets": null,
+        "allow_waitinglist": true,
+        "show_quota_left": null,
         "min_per_order": null,
         "max_per_order": null,
         "checkin_attention": false,
         "has_variations": false,
         "require_approval": false,
+        "require_bundling": false,
         "variations": [
           {
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -286,12 +341,14 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
           }
         ],
-        "addons": []
+        "addons": [],
+        "bundles": []
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -312,7 +369,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/items/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -328,23 +385,30 @@ Endpoints
         "tax_rate": "0.00",
         "tax_rule": 1,
         "admission": false,
+        "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
         "available_until": null,
+        "hidden_if_available": null,
         "require_voucher": false,
         "hide_without_voucher": false,
         "allow_cancel": true,
         "generate_tickets": null,
+        "allow_waitinglist": true,
+        "show_quota_left": null,
         "min_per_order": null,
         "max_per_order": null,
         "checkin_attention": false,
         "require_approval": false,
+        "require_bundling": false,
         "variations": [
           {
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -353,12 +417,14 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
           }
         ],
-        "addons": []
+        "addons": [],
+        "bundles": []
       }
 
    **Example response**:
@@ -383,24 +449,31 @@ Endpoints
         "tax_rate": "0.00",
         "tax_rule": 1,
         "admission": false,
+        "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
         "available_until": null,
+        "hidden_if_available": null,
         "require_voucher": false,
         "hide_without_voucher": false,
         "allow_cancel": true,
         "min_per_order": null,
         "max_per_order": null,
         "generate_tickets": null,
+        "allow_waitinglist": true,
+        "show_quota_left": null,
         "checkin_attention": false,
         "has_variations": true,
         "require_approval": false,
+        "require_bundling": false,
         "variations": [
           {
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -409,12 +482,14 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
           }
         ],
-        "addons": []
+        "addons": [],
+        "bundles": []
       }
 
    :param organizer: The ``slug`` field of the organizer of the event to create an item for
@@ -470,24 +545,31 @@ Endpoints
         "tax_rate": "0.00",
         "tax_rule": 1,
         "admission": false,
+        "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
         "available_until": null,
+        "hidden_if_available": null,
         "require_voucher": false,
         "hide_without_voucher": false,
         "generate_tickets": null,
+        "allow_waitinglist": true,
+        "show_quota_left": null,
         "allow_cancel": true,
         "min_per_order": null,
         "max_per_order": null,
         "checkin_attention": false,
         "has_variations": true,
         "require_approval": false,
+        "require_bundling": false,
         "variations": [
           {
              "value": {"en": "Student"},
              "default_price": "10.00",
              "price": "10.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 0
@@ -496,12 +578,14 @@ Endpoints
              "value": {"en": "Regular"},
              "default_price": null,
              "price": "23.00",
+             "original_price": null,
              "active": true,
              "description": null,
              "position": 1
           }
         ],
-        "addons": []
+        "addons": [],
+        "bundles": []
       }
 
    :param organizer: The ``slug`` field of the organizer to modify

doc/api/resources/orders.rst

@@ -26,7 +26,7 @@ status                                string                     Order status, o
                                                                  * ``p`` – paid
                                                                  * ``e`` – expired
                                                                  * ``c`` – canceled
-testmode                              boolean                    If ``True``, this order was created when the event was in
+testmode                              boolean                    If ``true``, this order was created when the event was in
                                                                  test mode. Only orders in test mode can be deleted.
 secret                                string                     The secret contained in the link sent to the customer
 email                                 string                     The customer email address
@@ -39,13 +39,13 @@ payment_date                          date                       **DEPRECATED AN
 payment_provider                      string                     **DEPRECATED AND INACCURATE** Payment provider used for this order
 total                                 money (string)             Total value of this order
 comment                               string                     Internal comment on this order
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                  that this ticket requires special attention if a ticket
                                                                  of this order is scanned.
 invoice_address                       object                     Invoice address information (can be ``null``)
 ├ last_modified                       datetime                   Last modification date of the address
 ├ company                             string                     Customer company name
-├ is_business                         boolean                    Business or individual customers (always ``False``
+├ is_business                         boolean                    Business or individual customers (always ``false``
                                                                  for orders created before pretix 1.7, do not rely on
                                                                  it).
 ├ name                                string                     Customer name
@@ -53,15 +53,18 @@ invoice_address                       object                     Invoice address
 ├ street                              string                     Customer street
 ├ zipcode                             string                     Customer ZIP code
 ├ city                                string                     Customer city
-├ country                             string                     Customer country
+├ country                             string                     Customer country code
+├ state                               string                     Customer state (ISO 3166-2 code). Only supported in
+                                                                 AU, BR, CA, CN, MY, MX, and US.
 ├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
 ├ vat_id                              string                     Customer VAT ID
-└ vat_id_validated                    string                     ``True``, if the VAT ID has been validated against the
+└ vat_id_validated                    string                     ``true``, if the VAT ID has been validated against the
                                                                  EU VAT service and validation was successful. This only
                                                                  happens in rare cases.
-positions                             list of objects            List of non-canceled order positions (see below)
-fees                                  list of objects            List of non-canceled fees included in the order total
-                                                                 (i.e. payment fees)
+positions                             list of objects            List of order positions (see below). By default, only
+                                                                 non-canceled positions are included.
+fees                                  list of objects            List of fees included in the order total. By default, only
+                                                                 non-canceled fees are included.
 ├ fee_type                            string                     Type of fee (currently ``payment``, ``passbook``,
                                                                  ``other``)
 ├ value                               money (string)             Fee amount
@@ -70,7 +73,8 @@ fees                                  list of objects            List of non-can
                                                                  can be empty
 ├ tax_rate                            decimal (string)           VAT rate applied for this fee
 ├ tax_value                           money (string)             VAT included in this fee
-└ tax_rule                            integer                    The ID of the used tax rule (or ``null``)
+├ tax_rule                            integer                    The ID of the used tax rule (or ``null``)
+└ canceled                            boolean                    Whether or not this fee has been canceled.
 downloads                             list of objects            List of ticket download options for order-wise ticket
                                                                  downloading. This might be a multi-page PDF or a ZIP
                                                                  file of tickets for outputs that do not support
@@ -78,10 +82,11 @@ downloads                             list of objects            List of ticket
                                                                  download options.
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
 └ url                                 string                     Download URL
-require_approval                      boolean                    If ``True`` and the order is pending, this order
+require_approval                      boolean                    If ``true`` and the order is pending, this order
                                                                  needs approval by an organizer before it can
-                                                                 continue. If ``True`` and the order is canceled,
+                                                                 continue. If ``true`` and the order is canceled,
                                                                  this order has been denied by the event organizer.
+url                                   string                     The full URL to the order confirmation page
 payments                              list of objects            List of payment processes (see below)
 refunds                               list of objects            List of refund processes (see below)
 last_modified                         datetime                   Last modification of this object
@@ -128,15 +133,29 @@ last_modified                         datetime                   Last modificati
 
    The ``sales_channel`` attribute has been added.
 
-.. versionchanged:: 2.4:
+.. versionchanged:: 2.4
 
    ``order.status`` can no longer be ``r``, ``…/mark_canceled/`` now accepts a ``cancellation_fee`` parameter and
    ``…/mark_refunded/`` has been deprecated.
 
-.. versionchanged:: 2.5:
+.. versionchanged:: 2.5
 
    The ``testmode`` attribute has been added and ``DELETE`` has been implemented for orders.
 
+.. versionchanged:: 3.1
+
+   The ``invoice_address.state`` and ``url`` attributes have been added. When creating orders through the API,
+   vouchers are now supported and many fields are now optional.
+
+.. versionchanged:: 3.5
+
+   The ``order.fees.canceled`` attribute has been added.
+
+.. versionchanged:: 3.8
+
+   The ``reactivate`` operation has been added.
+
+
 .. _order-position-resource:
 
 Order position resource
@@ -150,12 +169,21 @@ Field                                 Type                       Description
 id                                    integer                    Internal ID of the order position
 order                                 string                     Order code of the order the position belongs to
 positionid                            integer                    Number of the position within the order
+canceled                              boolean                    Whether or not this position has been canceled. Note that
+                                                                 by default, only non-canceled positions are shown.
 item                                  integer                    ID of the purchased item
 variation                             integer                    ID of the purchased variation (or ``null``)
 price                                 money (string)             Price of this position
 attendee_name                         string                     Specified attendee name for this position (or ``null``)
 attendee_name_parts                   object of strings          Decomposition of attendee name (i.e. given name, family name)
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
+company                               string                     Attendee company name (or ``null``)
+street                                string                     Attendee street (or ``null``)
+zipcode                               string                     Attendee ZIP code (or ``null``)
+city                                  string                     Attendee city (or ``null``)
+country                               string                     Attendee country code (or ``null``)
+state                                 string                     Attendee state (ISO 3166-2 code). Only supported in
+                                                                 AU, BR, CA, CN, MY, MX, and US, otherwise ``null``.
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 tax_rate                              decimal (string)           VAT rate applied for this position
 tax_value                             money (string)             VAT included in this position
@@ -166,7 +194,8 @@ subevent                              integer                    ID of the date
 pseudonymization_id                   string                     A random ID, e.g. for use in lead scanning apps
 checkins                              list of objects            List of check-ins with this ticket
 ├ list                                integer                    Internal ID of the check-in list
-└ datetime                            datetime                   Time of check-in
+├ datetime                            datetime                   Time of check-in
+└ auto_checked_in                     boolean                    Indicates if this check-in been performed automatically by the system
 downloads                             list of objects            List of ticket download options
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
 └ url                                 string                     Download URL
@@ -176,6 +205,10 @@ answers                               list of objects            Answers to user
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
+seat                                  objects                    The assigned seat. Can be ``null``.
+├ id                                  integer                    Internal ID of the seat instance
+├ name                                string                     Human-readable seat name
+└ seat_guid                           string                     Identifier of the seat within the seating plan
 pdf_data                              object                     Data object required for ticket PDF generation. By default,
                                                                  this field is missing. It will be added only if you add the
                                                                  ``pdf_data=true`` query parameter to your request.
@@ -197,6 +230,27 @@ pdf_data                              object                     Data object req
 
   The attributes ``pseudonymization_id`` and ``pdf_data`` have been added.
 
+.. versionchanged:: 3.0
+
+  The attribute ``seat`` has been added.
+
+.. versionchanged:: 3.2
+
+  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
+
+.. versionchanged:: 3.3
+
+  The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
+  :ref:`order-position-ticket-download` for details.
+
+.. versionchanged:: 3.5
+
+  The attribute ``canceled`` has been added.
+
+.. versionchanged:: 3.8
+
+  The attributes ``company``, ``street``, ``zipcode``, ``city``, ``country``, and ``state`` have been added.
+
 .. _order-payment-resource:
 
 Order payment resource
@@ -213,13 +267,27 @@ amount                                money (string)             Payment amount
 created                               datetime                   Date and time of creation of this payment
 payment_date                          datetime                   Date and time of completion of this payment (or ``null``)
 provider                              string                     Identification string of the payment provider
+payment_url                           string                     The URL where an user can continue with the payment (or ``null``)
+details                               object                     Payment-specific information. This is a dictionary
+                                                                 with various fields that can be different between
+                                                                 payment providers, versions, payment states, etc. If
+                                                                 you read this field, you always need to be able to
+                                                                 deal with situations where values that you expect are
+                                                                 missing. Mostly, the field contains various IDs that
+                                                                 can be used for matching with other systems. If a
+                                                                 payment provider does not implement this feature,
+                                                                 the object is empty.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 2.0
 
   This resource has been added.
 
-.. _order-payment-resource:
+.. versionchanged:: 3.1
+
+  The attributes ``payment_url`` and ``details`` have been added.
+
+.. _order-refund-resource:
 
 Order refund resource
 ---------------------
@@ -249,6 +317,10 @@ List of all orders
 
    Filtering for emails or order codes is now case-insensitive.
 
+.. versionchanged:: 3.5
+
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/
 
    Returns a list of all orders within a given event.
@@ -280,6 +352,7 @@ List of all orders
             "status": "p",
             "testmode": false,
             "secret": "k24fiuwvu8kxz3y1",
+            "url": "https://test.pretix.eu/dummy/dummy/order/ABC12/k24fiuwvu8kxz3y1/",
             "email": "tester@example.org",
             "locale": "en",
             "sales_channel": "web",
@@ -295,23 +368,25 @@ List of all orders
             "require_approval": false,
             "invoice_address": {
                 "last_modified": "2017-12-01T10:00:00Z",
-                "is_business": True,
+                "is_business": true,
                 "company": "Sample company",
                 "name": "John Doe",
                 "name_parts": {"full_name": "John Doe"},
                 "street": "Test street 12",
                 "zipcode": "12345",
                 "city": "Testington",
-                "country": "Testikistan",
+                "country": "DE",
+                "state": "",
                 "internal_reference": "",
                 "vat_id": "EU123456789",
-                "vat_id_validated": False
+                "vat_id_validated": false
             },
             "positions": [
               {
                 "id": 23442,
                 "order": "ABC12",
                 "positionid": 1,
+                "canceled": false,
                 "item": 1345,
                 "variation": null,
                 "price": "23.00",
@@ -320,6 +395,12 @@ List of all orders
                   "full_name": "Peter",
                 },
                 "attendee_email": null,
+                "company": "Sample company",
+                "street": "Test street 12",
+                "zipcode": "12345",
+                "city": "Testington",
+                "country": "DE",
+                "state": null,
                 "voucher": null,
                 "tax_rate": "0.00",
                 "tax_value": "0.00",
@@ -328,10 +409,12 @@ List of all orders
                 "addon_to": null,
                 "subevent": null,
                 "pseudonymization_id": "MQLJvANO3B",
+                "seat": null,
                 "checkins": [
                   {
                     "list": 44,
-                    "datetime": "2017-12-25T12:45:23Z"
+                    "datetime": "2017-12-25T12:45:23Z",
+                    "auto_checked_in": false
                   }
                 ],
                 "answers": [
@@ -364,6 +447,8 @@ List of all orders
                 "amount": "23.00",
                 "created": "2017-12-01T10:00:00Z",
                 "payment_date": "2017-12-04T12:13:12Z",
+                "payment_url": null,
+                "details": {},
                 "provider": "banktransfer"
               }
             ],
@@ -373,18 +458,22 @@ List of all orders
       }
 
    :query integer page: The page number in case of a multi-page result set, default is 1
-   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code`` and
-                           ``status``. Default: ``datetime``
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code``,
+                           ``last_modified``, and ``status``. Default: ``datetime``
    :query string code: Only return orders that match the given order code
    :query string status: Only return orders in the given order status (see above)
    :query boolean testmode: Only return orders with ``testmode`` set to ``true`` or ``false``
    :query boolean require_approval: If set to ``true`` or ``false``, only categories with this value for the field
                                     ``require_approval`` will be returned.
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
+   :query include_canceled_fees: If set to ``true``, the output will contain canceled order fees.
    :query string email: Only return orders created with the given email address
    :query string locale: Only return orders with the given customer locale
    :query datetime modified_since: Only return orders that have changed since the given date. Be careful: We only
        recommend using this in combination with ``testmode=false``, since test mode orders can vanish at any time and
        you will not notice it using this method.
+   :query datetime created_since: Only return orders that have been created since the given date.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
@@ -396,6 +485,10 @@ List of all orders
 Fetching individual orders
 --------------------------
 
+.. versionchanged:: 3.5
+
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/
 
    Returns information on one order, identified by its order code.
@@ -421,6 +514,7 @@ Fetching individual orders
         "status": "p",
         "testmode": false,
         "secret": "k24fiuwvu8kxz3y1",
+        "url": "https://test.pretix.eu/dummy/dummy/order/ABC12/k24fiuwvu8kxz3y1/",
         "email": "tester@example.org",
         "locale": "en",
         "sales_channel": "web",
@@ -437,22 +531,24 @@ Fetching individual orders
         "invoice_address": {
             "last_modified": "2017-12-01T10:00:00Z",
             "company": "Sample company",
-            "is_business": True,
+            "is_business": true,
             "name": "John Doe",
             "name_parts": {"full_name": "John Doe"},
             "street": "Test street 12",
             "zipcode": "12345",
             "city": "Testington",
-            "country": "Testikistan",
+            "country": "DE",
+            "state": "",
             "internal_reference": "",
             "vat_id": "EU123456789",
-            "vat_id_validated": False
+            "vat_id_validated": false
         },
         "positions": [
           {
             "id": 23442,
             "order": "ABC12",
             "positionid": 1,
+            "canceled": false,
             "item": 1345,
             "variation": null,
             "price": "23.00",
@@ -461,6 +557,12 @@ Fetching individual orders
               "full_name": "Peter",
             },
             "attendee_email": null,
+            "company": "Sample company",
+            "street": "Test street 12",
+            "zipcode": "12345",
+            "city": "Testington",
+            "country": "DE",
+            "state": null,
             "voucher": null,
             "tax_rate": "0.00",
             "tax_rule": null,
@@ -469,10 +571,12 @@ Fetching individual orders
             "addon_to": null,
             "subevent": null,
             "pseudonymization_id": "MQLJvANO3B",
+            "seat": null,
             "checkins": [
               {
                 "list": 44,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
+                "auto_checked_in": false
               }
             ],
             "answers": [
@@ -505,6 +609,8 @@ Fetching individual orders
             "amount": "23.00",
             "created": "2017-12-01T10:00:00Z",
             "payment_date": "2017-12-04T12:13:12Z",
+            "payment_url": null,
+            "details": {},
             "provider": "banktransfer"
           }
         ],
@@ -514,6 +620,9 @@ Fetching individual orders
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :param code: The ``code`` field of the order to fetch
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
+   :query include_canceled_fees: If set to ``true``, the output will contain canceled order fees.
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
@@ -563,6 +672,92 @@ Order ticket download
    :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                           seconds.
 
+Updating order fields
+---------------------
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/
+
+   Updates specific fields on an order. Currently, only the following fields are supported:
+
+   * ``email``
+
+   * ``checkin_attention``
+
+   * ``locale``
+
+   * ``comment``
+
+   * ``invoice_address`` (you always need to supply the full object, or ``null`` to delete the current address)
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "email": "other@example.org",
+        "locale": "de",
+        "comment": "Foo",
+        "checkin_attention": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``code`` field of the order to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order.
+
+Generating new secrets
+----------------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/regenerate_secrets/
+
+   Triggers generation of new ``secret`` attributes for both the order and all order positions.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/regenerate_secrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``code`` field of the order to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order.
+
 Deleting orders
 ---------------
 
@@ -594,6 +789,8 @@ Deleting orders
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource **or** the order may not be deleted.
    :statuscode 404: The requested order does not exist.
 
+.. _rest-orders-create:
+
 Creating orders
 ---------------
 
@@ -601,8 +798,6 @@ Creating orders
 
    Creates a new order.
 
-   .. warning:: This endpoint is considered **experimental**. It might change at any time without prior notice.
-
    .. warning::
 
        This endpoint is intended for advanced users. It is not designed to be used to build your own shop frontend,
@@ -621,25 +816,21 @@ Creating orders
 
        * does not validate the number of items per order or the number of times an item can be included in an order
 
-       * does not validate any requirements related to add-on products
+       * does not validate any requirements related to add-on products and does not add bundled products automatically
 
-       * does not check or calculate prices but believes any prices you send
-
-       * does not support the redemption of vouchers
+       * does not check prices but believes any prices you send
 
        * does not prevent you from buying items that can only be bought with a voucher
 
-       * does not calculate fees
+       * does not calculate fees automatically
 
        * does not allow to pass data to plugins and will therefore cause issues with some plugins like the shipping
          module
 
-       * does not send order confirmations via email
-
-       * does not support reverse charge taxation
-
        * does not support file upload questions
 
+       * does not support redeeming gift cards
+
    You can supply the following fields of the resource:
 
    * ``code`` (optional)
@@ -650,19 +841,21 @@ Creating orders
      then call the ``mark_paid`` API method.
    * ``testmode`` (optional) – Defaults to ``false``
    * ``consume_carts`` (optional) – A list of cart IDs. All cart positions with these IDs will be deleted if the
-     order creation is successful. Any quotas that become free by this operation will be credited to your order
+     order creation is successful. Any quotas or seats that become free by this operation will be credited to your order
      creation.
-   * ``email``
+   * ``email`` (optional)
    * ``locale``
-   * ``sales_channel``
-   * ``payment_provider`` – The identifier of the payment provider set for this order. This needs to be an existing
-     payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"`` for all
-     orders you create as paid.
+   * ``sales_channel`` (optional)
+   * ``payment_provider`` (optional) – The identifier of the payment provider set for this order. This needs to be an
+     existing payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"``
+     for all orders you create as paid. This field is optional when the order status is ``"n"`` or the order total is
+     zero, otherwise it is required.
    * ``payment_info`` (optional) – You can pass a nested JSON object that will be set as the internal ``info``
      value of the payment object that will be created. How this value is handled is up to the payment provider and you
      should only use this if you know the specific payment provider in detail. Please keep in mind that the payment
      provider will not be called to do anything about this (i.e. if you pass a bank account to a debit provider, *no*
      charge will be created), this is just informative in case you *handled the payment already*.
+   * ``payment_date`` (optional) – Date and time of the completion of the payment.
    * ``comment`` (optional)
    * ``checkin_attention`` (optional)
    * ``invoice_address`` (optional)
@@ -674,20 +867,32 @@ Creating orders
       * ``zipcode``
       * ``city``
       * ``country``
+      * ``state``
       * ``internal_reference``
       * ``vat_id``
+      * ``vat_id_validated`` (optional) – If you need support for reverse charge (rarely the case), you need to check
+       yourself if the passed VAT ID is a valid EU VAT ID. In that case, set this to ``true``. Only valid VAT IDs will
+       trigger reverse charge taxation. Don't forget to set ``is_business`` as well!
 
    * ``positions``
 
       * ``positionid`` (optional, see below)
       * ``item``
-      * ``variation``
-      * ``price``
-      * ``attendee_name`` **or** ``attendee_name_parts``
-      * ``attendee_email``
+      * ``variation`` (optional)
+      * ``price`` (optional, if set to ``null`` or missing the price will be computed from the given product)
+      * ``seat`` (The ``seat_guid`` attribute of a seat. Required when the specified ``item`` requires a seat, otherwise must be ``null``.)
+      * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
+      * ``voucher`` (optional, the ``code`` attribute of a valid voucher)
+      * ``attendee_email`` (optional)
+      * ``company`` (optional)
+      * ``street`` (optional)
+      * ``zipcode`` (optional)
+      * ``city`` (optional)
+      * ``country`` (optional)
+      * ``state`` (optional)
       * ``secret`` (optional)
       * ``addon_to`` (optional, see below)
-      * ``subevent``
+      * ``subevent`` (optional)
       * ``answers``
 
         * ``question``
@@ -701,12 +906,31 @@ Creating orders
       * ``description``
       * ``internal_type``
       * ``tax_rule``
+      * ``_treat_value_as_percentage`` (Optional convenience flag. If set to ``true``, your ``value`` parameter will
+        be treated as a percentage and the fee will be calculated using that percentage and the sum of all product
+        prices. Note that this will not include other fees and is calculated once during order generation and will not
+        be respected automatically when the order changes later.)
+      * ``_split_taxes_like_products`` (Optional convenience flag. If set to ``true``, your ``tax_rule`` will be ignored
+        and the fee will be taxed like the products in the order. If the products have multiple tax rates, multiple fees
+        will be generated with weights adjusted to the net price of the products. Note that this will be calculated once
+        during order generation and is not respected automatically when the order changes later.)
+
+   * ``force`` (optional). If set to ``true``, quotas will be ignored.
+   * ``send_mail`` (optional). If set to ``true``, the same emails will be sent as for a regular order. Defaults to
+     ``false``.
 
    If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
    to incrementing integers starting with ``1``. Then, you can reference one of these
    IDs in the ``addon_to`` field of another position. Note that all add_ons for a specific position need to come
    immediately after the position itself.
 
+   Starting with pretix 3.7, you can add ``"simulate": true`` to the body to do a "dry run" of your order. This will
+   validate your order and return you an order object with the resulting prices, but will not create an actual order.
+   You can use this for testing or to look up prices. In this case, some attributes are ignored, such as whether
+   to send an email or what payment provider will be used. Note that some returned fields will contain empty values
+   (e.g. all ``id`` fields of positions will be zero) and some will contain fake values (e.g. the order code will
+   always be ``PREVIEW``). pretix plugins will not be triggered, so some special behavior might be missing as well.
+
    **Example request**:
 
    .. sourcecode:: http
@@ -714,7 +938,7 @@ Creating orders
       POST /api/v1/organizers/bigevents/events/sampleconf/orders/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "email": "dummy@example.org",
@@ -731,13 +955,14 @@ Creating orders
         ],
         "payment_provider": "banktransfer",
         "invoice_address": {
-          "is_business": False,
+          "is_business": false,
           "company": "Sample company",
           "name_parts": {"full_name": "John Doe"},
           "street": "Sesam Street 12",
           "zipcode": "12345",
           "city": "Sample City",
           "country": "UK",
+          "state": "",
           "internal_reference": "",
           "vat_id": ""
         },
@@ -761,7 +986,7 @@ Creating orders
             ],
             "subevent": null
           }
-        ],
+        ]
       }
 
    **Example response**:
@@ -774,10 +999,10 @@ Creating orders
 
       (Full order resource, see above.)
 
-   :param organizer: The ``slug`` field of the organizer of the event to create an item for
-   :param event: The ``slug`` field of the event to create an item for
+   :param organizer: The ``slug`` field of the organizer of the event to create an order for
+   :param event: The ``slug`` field of the event to create an order for
    :statuscode 201: no error
-   :statuscode 400: The item could not be created due to invalid submitted data or lack of quota.
+   :statuscode 400: The order could not be created due to invalid submitted data or lack of quota.
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this
          order.
@@ -865,6 +1090,42 @@ Order state operations
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order does not exist.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/reactivate/
+
+   Reactivates a canceled order. This will set the order to pending or paid state. Only possible if all products are
+   still available.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/reactivate/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be reactivated
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_pending/
 
    Marks a paid order as unpaid.
@@ -902,7 +1163,7 @@ Order state operations
 
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_expired/
 
-   Marks a unpaid order as expired.
+   Marks an unpaid order as expired.
 
    **Example request**:
 
@@ -1061,9 +1322,82 @@ Order state operations
    :statuscode 200: no error
    :statuscode 400: The order cannot be marked as denied since the current order status does not allow it.
    :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this resource.
+   :statuscode 404: The requested order does not exist.
+
+Generating invoices
+-------------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/create_invoice/
+
+   Creates an invoice for an order which currently does not have an invoice. Returns the
+   invoice object.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/create_invoice/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "order": "FOO",
+        "number": "DUMMY-00001",
+        "is_cancellation": false,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to create an invoice for
+   :statuscode 200: no error
+   :statuscode 400: The invoice can not be created (invoicing disabled, the order already has an invoice, …)
+   :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order does not exist.
 
+Sending e-mails
+---------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/resend_link/
+
+   Sends an email to the buyer with the link to the order page.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/resend_link/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to send an email for
+   :statuscode 200: no error
+   :statuscode 400: The order does not have an email address associated
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+   :statuscode 503: The email could not be sent.
 
 List of all order positions
 ---------------------------
@@ -1079,7 +1413,13 @@ List of all order positions
    The order positions endpoint has been extended by the filter queries ``voucher``, ``voucher__code`` and
    ``pseudonymization_id``.
 
-.. note:: Individually canceled order positions are currently not visible via the API at all.
+.. versionchanged:: 3.2
+
+  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
+
+.. versionchanged:: 3.5
+
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/
 
@@ -1110,6 +1450,7 @@ List of all order positions
             "id": 23442,
             "order": "ABC12",
             "positionid": 1,
+            "canceled": false,
             "item": 1345,
             "variation": null,
             "price": "23.00",
@@ -1124,12 +1465,14 @@ List of all order positions
             "tax_value": "0.00",
             "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
             "pseudonymization_id": "MQLJvANO3B",
+            "seat": null,
             "addon_to": null,
             "subevent": null,
             "checkins": [
               {
                 "list": 44,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
+                "auto_checked_in": false
               }
             ],
             "answers": [
@@ -1177,6 +1520,8 @@ List of all order positions
                                 comma-separated IDs.
    :query string voucher: Only return positions with a specific voucher.
    :query string voucher__code: Only return positions with a specific voucher code.
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :statuscode 200: no error
@@ -1210,6 +1555,7 @@ Fetching individual positions
         "id": 23442,
         "order": "ABC12",
         "positionid": 1,
+        "canceled": false,
         "item": 1345,
         "variation": null,
         "price": "23.00",
@@ -1226,10 +1572,12 @@ Fetching individual positions
         "addon_to": null,
         "subevent": null,
         "pseudonymization_id": "MQLJvANO3B",
+        "seat": null,
         "checkins": [
           {
             "list": 44,
-            "datetime": "2017-12-25T12:45:23Z"
+            "datetime": "2017-12-25T12:45:23Z",
+            "auto_checked_in": false
           }
         ],
         "answers": [
@@ -1252,11 +1600,14 @@ Fetching individual positions
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :param id: The ``id`` field of the order position to fetch
+   :query include_canceled_positions: If set to ``true``, canceled positions may be returned (otherwise, they return 404).
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order position does not exist.
 
+.. _`order-position-ticket-download`:
+
 Order position ticket download
 ------------------------------
 
@@ -1266,6 +1617,11 @@ Order position ticket download
    Depending on the chosen output, the response might be a ZIP file, PDF file or something else. The order details
    response contains a list of output options for this particular order position.
 
+   Be aware that the output does not have to be a file, but can also be a regular HTTP response with a ``Content-Type``
+   set to ``text/uri-list``. In this case, the user is expected to navigate to that URL in order to access their ticket.
+   The referenced URL can provide a download or a regular, human-viewable website - so it is advised to open this URL
+   in a webbrowser and leave it up to the user to handle the result.
+
    Tickets can be only downloaded if the order is paid and if ticket downloads are active. Also, depending on event
    configuration downloads might be only unavailable for add-on products or non-admission products.
    Note that in some cases the ticket file might not yet have been created. In that case, you will receive a status
@@ -1341,6 +1697,10 @@ Order payment endpoints
 
   These endpoints have been added.
 
+.. versionchanged:: 3.6
+
+   Payments can now be created through the API.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/
 
    Returns a list of all payments for an order.
@@ -1372,6 +1732,8 @@ Order payment endpoints
             "amount": "23.00",
             "created": "2017-12-01T10:00:00Z",
             "payment_date": "2017-12-04T12:13:12Z",
+            "payment_url": null,
+            "details": {},
             "provider": "banktransfer"
           }
         ]
@@ -1412,6 +1774,8 @@ Order payment endpoints
         "amount": "23.00",
         "created": "2017-12-01T10:00:00Z",
         "payment_date": "2017-12-04T12:13:12Z",
+        "payment_url": null,
+        "details": {},
         "provider": "banktransfer"
       }
 
@@ -1545,6 +1909,61 @@ Order payment endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order or payment does not exist.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/
+
+   Creates a new payment.
+
+   Be careful with the ``info`` parameter: You can pass a nested JSON object that will be set as the internal ``info``
+   value of the payment object that will be created. How this value is handled is up to the payment provider and you
+   should only use this if you know the specific payment provider in detail. Please keep in mind that the payment
+   provider will not be called to do anything about this (i.e. if you pass a bank account to a debit provider, *no*
+   charge will be created), this is just informative in case you *handled the payment already*.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/payments/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "state": "confirmed",
+        "amount": "23.00",
+        "payment_date": "2017-12-04T12:13:12Z",
+        "info": {},
+        "provider": "banktransfer"
+      }
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "local_id": 1,
+        "state": "confirmed",
+        "amount": "23.00",
+        "created": "2017-12-01T10:00:00Z",
+        "payment_date": "2017-12-04T12:13:12Z",
+        "payment_url": null,
+        "details": {},
+        "provider": "banktransfer"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to access
+   :param event: The ``slug`` field of the event to access
+   :param order: The ``code`` field of the order to access
+   :statuscode 201: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 
 Order refund endpoints
 ----------------------
@@ -1663,7 +2082,8 @@ Order refund endpoints
         "payment": 1,
         "execution_date": null,
         "provider": "manual",
-        "mark_canceled": false
+        "mark_canceled": false,
+        "mark_pending": true
       }
 
    **Example response**:

doc/api/resources/organizers.rst

@@ -56,6 +56,8 @@ Endpoints
       }
 
    :query page: The page number in case of a multi-page result set, default is 1
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``slug`` and
+                           ``name``. Default: ``slug``.
    :statuscode 200: no error
    :statuscode 401: Authentication failure
 

doc/api/resources/questions.rst

@@ -18,6 +18,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the question
 question                              multi-lingual string       The field label shown to the customer
+help_text                             multi-lingual string       The help text shown to the customer
 type                                  string                     The expected type of answer. Valid options:
 
                                                                  * ``N`` – number
@@ -30,14 +31,20 @@ type                                  string                     The expected ty
                                                                  * ``D`` – date
                                                                  * ``H`` – time
                                                                  * ``W`` – date and time
-required                              boolean                    If ``True``, the question needs to be filled out.
+                                                                 * ``CC`` – country code (ISO 3666-1 alpha-2)
+                                                                 * ``TEL`` – telephone number
+required                              boolean                    If ``true``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                  other sources.
-ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
+ask_during_checkin                    boolean                    If ``true``, this question will not be asked while
                                                                  buying the ticket, but will show up when redeeming
                                                                  the ticket instead.
+hidden                                boolean                    If ``true``, the question will only be shown in the
+                                                                 backend.
+print_on_invoice                      boolean                    If ``true``, the question will only be shown on
+                                                                 invoices.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
                                                                  available objects. Only writable during creation,
                                                                  use separate endpoint to modify this later.
@@ -46,6 +53,17 @@ options                               list of objects            In case of ques
 ├ identifier                          string                     An arbitrary string that can be used for matching with
                                                                  other sources.
 └ answer                              multi-lingual string       The displayed value of this option
+dependency_question                   integer                    Internal ID of a different question. The current
+                                                                 question will only be shown if the question given in
+                                                                 this attribute is set to the value given in
+                                                                 ``dependency_value``. This cannot be combined with
+                                                                 ``ask_during_checkin``.
+dependency_values                     list of strings            If ``dependency_question`` is set to a boolean
+                                                                 question, this should be ``["True"]`` or ``["False"]``.
+                                                                 Otherwise, it should be a list of ``identifier`` values
+                                                                 of question options.
+dependency_value                      string                     An old version of ``dependency_values`` that only allows
+                                                                 for one value. **Deprecated.**
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.12
@@ -58,6 +76,22 @@ options                               list of objects            In case of ques
   Write methods have been added. The attribute ``identifier`` has been added to both the resource itself and the
   options resource. The ``position`` attribute has been added to the options resource.
 
+.. versionchanged:: 2.7
+
+  The attribute ``hidden`` and the question type ``CC`` have been added.
+
+.. versionchanged:: 3.0
+
+  The attribute ``dependency_values`` has been added.
+
+.. versionchanged:: 3.1
+
+  The attribute ``print_on_invoice`` has been added.
+
+.. versionchanged:: 3.5
+
+  The attribute ``help_text`` has been added.
+
 Endpoints
 ---------
 
@@ -94,12 +128,18 @@ Endpoints
           {
             "id": 1,
             "question": {"en": "T-Shirt size"},
+            "help_text": {"en": "Choose your preferred t-shirt-size"},
             "type": "C",
             "required": false,
             "items": [1, 2],
             "position": 1,
             "identifier": "WY3TP9SL",
             "ask_during_checkin": false,
+            "hidden": false,
+            "print_on_invoice": false,
+            "dependency_question": null,
+            "dependency_value": null,
+            "dependency_values": [],
             "options": [
               {
                 "id": 1,
@@ -159,12 +199,18 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
         "position": 1,
         "identifier": "WY3TP9SL",
         "ask_during_checkin": false,
+        "hidden": false,
+        "print_on_invoice": false,
+        "dependency_question": null,
+        "dependency_value": null,
+        "dependency_values": [],
         "options": [
           {
             "id": 1,
@@ -205,15 +251,20 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/questions/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
         "position": 1,
         "ask_during_checkin": false,
+        "hidden": false,
+        "print_on_invoice": false,
+        "dependency_question": null,
+        "dependency_values": [],
         "options": [
           {
             "answer": {"en": "S"}
@@ -239,12 +290,18 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
         "position": 1,
         "identifier": "WY3TP9SL",
         "ask_during_checkin": false,
+        "hidden": false,
+        "print_on_invoice": false,
+        "dependency_question": null,
+        "dependency_value": null,
+        "dependency_values": [],
         "options": [
           {
             "id": 1,
@@ -308,12 +365,18 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
         "position": 2,
         "identifier": "WY3TP9SL",
         "ask_during_checkin": false,
+        "hidden": false,
+        "print_on_invoice": false,
+        "dependency_question": null,
+        "dependency_value": null,
+        "dependency_values": [],
         "options": [
           {
             "id": 1,

doc/api/resources/quotas.rst

@@ -20,12 +20,22 @@ size                                  integer                    The size of the
 items                                 list of integers           List of item IDs this quota acts on.
 variations                            list of integers           List of item variation IDs this quota acts on.
 subevent                              integer                    ID of the date inside an event series this quota belongs to (or ``null``).
+close_when_sold_out                   boolean                    If ``true``, the quota will "close" as soon as it is
+                                                                 sold out once. Even if tickets become available again,
+                                                                 they will not be sold unless the quota is set to open
+                                                                 again.
+closed                                boolean                    Whether the quota is currently closed (see above
+                                                                 field).
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.10
 
    The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
 
+.. versionchanged:: 3.0
+
+   The attributes ``close_when_sold_out`` and ``closed`` have been added.
+
 
 Endpoints
 ---------
@@ -61,7 +71,9 @@ Endpoints
             "size": 200,
             "items": [1, 2],
             "variations": [1, 4, 5, 7],
-            "subevent": null
+            "subevent": null,
+            "close_when_sold_out": false,
+            "closed": false
           }
         ]
       }
@@ -102,7 +114,9 @@ Endpoints
         "size": 200,
         "items": [1, 2],
         "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
+        "close_when_sold_out": false,
+        "closed": false
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -123,14 +137,16 @@ Endpoints
       POST /api/v1/organizers/bigevents/events/sampleconf/quotas/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "name": "Ticket Quota",
         "size": 200,
         "items": [1, 2],
         "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
+        "close_when_sold_out": false,
+        "closed": false
       }
 
    **Example response**:
@@ -147,7 +163,9 @@ Endpoints
         "size": 200,
         "items": [1, 2],
         "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
+        "close_when_sold_out": false,
+        "closed": false
       }
 
    :param organizer: The ``slug`` field of the organizer of the event/item to create a quota for
@@ -200,7 +218,9 @@ Endpoints
           1,
           2
         ],
-        "subevent": null
+        "subevent": null,
+        "close_when_sold_out": false,
+        "closed": false
       }
 
    :param organizer: The ``slug`` field of the organizer to modify

doc/api/resources/seatingplans.rst

@@ -0,0 +1,209 @@
+.. _`rest-seatingplans`:
+
+Seating plans
+=============
+
+Resource description
+--------------------
+
+The seating plan resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the plan
+name                                  string                     Human-readable name of the plan
+layout                                object                     JSON representation of the seating plan. These
+                                                                 representations follow a JSON schema that currently
+                                                                 still evolves. The version in use can be found `here`_.
+===================================== ========================== =======================================================
+
+.. versionchanged:: 3.0
+
+   This endpoint has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/seatingplans/
+
+   Returns a list of all seating plans within a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/seatingplans/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 2,
+            "name": "Main plan",
+            "layout": { … }
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/seatingplans/(id)/
+
+   Returns information on one plan, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "Main plan",
+        "layout": { … }
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the seating plan to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/seatingplans/
+
+   Creates a new seating plan
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/seatingplans/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": "Main plan",
+        "layout": { … }
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "name": "Main plan",
+        "layout": { … }
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a seating plan for
+   :statuscode 201: no error
+   :statuscode 400: The seating plan could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/seatingplans/(id)/
+
+   Update a plan. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field. **You can not change a plan while it is in use for
+   any events.**
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "Old plan"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Old plan",
+        "layout": { … }
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the plan to modify
+   :statuscode 200: no error
+   :statuscode 400: The plan could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource **or** the plan is currently in use.
+
+.. http:delete:: /api/v1/organizers/(organizer)/seatingplans/(id)/
+
+   Delete a plan. You can not delete plans which are currently in use by any events.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the plan to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to delete this resource **or** the plan is currently in use.
+
+
+.. _here: https://github.com/pretix/pretix/blob/master/src/pretix/static/seating/seating-plan.schema.json

doc/api/resources/subevents.rst

@@ -1,3 +1,9 @@
+.. spelling::
+
+   geo
+   lat
+   lon
+
 .. _rest-subevents:
 
 Event series dates / Sub-events
@@ -20,12 +26,16 @@ name                                  multi-lingual string       The sub-event's
 event                                 string                     The slug of the parent event
 active                                boolean                    If ``true``, the sub-event ticket shop is publicly
                                                                  available.
+is_public                             boolean                    If ``true``, the sub-event ticket shop is publicly
+                                                                 shown in lists.
 date_from                             datetime                   The sub-event's start date
 date_to                               datetime                   The sub-event's end date (or ``null``)
 date_admission                        datetime                   The sub-event's admission date (or ``null``)
 presale_start                         datetime                   The sub-date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The sub-date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The sub-event location (or ``null``)
+geo_lat                               float                      Latitude of the location (or ``null``)
+geo_lon                               float                      Longitude of the location (or ``null``)
 item_price_overrides                  list of objects            List of items for which this sub-event overrides the
                                                                  default price
 ├ item                                integer                    The internal item ID
@@ -34,7 +44,11 @@ variation_price_overrides             list of objects            List of variati
                                                                  the default price
 ├ variation                           integer                    The internal variation ID
 └ price                               money (string)             The price or ``null`` for the default price
-meta_data                             dict                       Values set for organizer-specific meta data parameters.
+meta_data                             object                     Values set for organizer-specific meta data parameters.
+seating_plan                          integer                    If reserved seating is in use, the ID of a seating
+                                                                 plan. Otherwise ``null``.
+seat_category_mapping                 object                     An object mapping categories of the seating plan
+                                                                 (strings) to items in the event (integers or ``null``).
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.7
@@ -45,10 +59,28 @@ meta_data                             dict                       Values set for
 
    The ``event`` field has been added, together with filters on the list of dates and an organizer-level list.
 
+.. versionchanged:: 2.6
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+.. versionchanged:: 2.7
+
+   The attribute ``is_public`` has been added.
+
+.. versionchanged:: 3.0
+
+   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
+
+.. versionchanged:: 3.3
+
+   The attributes ``geo_lat`` and ``geo_lon`` have been added.
 
 Endpoints
 ---------
 
+.. versionchanged:: 3.3
+
+    The sub-events resource can now be filtered by meta data attributes.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/
 
    Returns a list of all sub-events of an event.
@@ -79,12 +111,17 @@ Endpoints
             "name": {"en": "First Sample Conference"},
             "event": "sampleconf",
             "active": false,
+            "is_public": true,
             "date_from": "2017-12-27T10:00:00Z",
             "date_to": null,
             "date_admission": null,
             "presale_start": null,
             "presale_end": null,
+            "seating_plan": null,
+            "seat_category_mapping": {},
             "location": null,
+            "geo_lat": null,
+            "geo_lon": null,
             "item_price_overrides": [
               {
                 "item": 2,
@@ -103,11 +140,98 @@ Endpoints
    :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
    :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
    :param organizer: The ``slug`` field of a valid organizer
-   :param event: The ``slug`` field of the event to fetch
+   :param event: The ``slug`` field of the main event
+   :query array attr[meta_data_key]: By providing the key and value of a meta data attribute, the list of sub-events
+        will only contain the sub-events matching the set criteria. Providing ``?attr[Format]=Seminar`` would return
+        only those sub-events having set their ``Format`` meta data to ``Seminar``, ``?attr[Format]=`` only those, that
+        have no value set. Please note that this filter will respect default values set on 
+        organizer or event level.
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/subevents/
+
+   Creates a new subevent.
+
+   Permission required: "Can create events"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/subevents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :statuscode 201: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
 
    Returns information on one sub-event, identified by its ID.
@@ -133,12 +257,17 @@ Endpoints
         "name": {"en": "First Sample Conference"},
         "event": "sampleconf",
         "active": false,
+        "is_public": true,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
         "date_admission": null,
         "presale_start": null,
         "presale_end": null,
         "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
         "item_price_overrides": [
           {
             "item": 2,
@@ -149,13 +278,111 @@ Endpoints
         "meta_data": {}
       }
 
-   :param organizer: The ``slug`` field of the organizer to fetch
-   :param event: The ``slug`` field of the event to fetch
-   :param id: The ``slug`` field of the sub-event to fetch
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to fetch
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
 
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Updates a sub-event, identified by its ID. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to
+   provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
+   the fields that you want to change.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": {"en": "New Subevent Name"},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "New Subevent Name"},
+        "event": "sampleconf",
+        "active": false,
+        "is_public": true,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "geo_lat": null,
+        "geo_lon": null,
+        "seating_plan": null,
+        "seat_category_mapping": {},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to update
+   :statuscode 200: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to update this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to delete this resource.
+
+
 .. http:get:: /api/v1/organizers/(organizer)/subevents/
 
    Returns a list of all sub-events of any event series you have access to within an organizer account.
@@ -186,12 +413,17 @@ Endpoints
             "name": {"en": "First Sample Conference"},
             "event": "sampleconf",
             "active": false,
+            "is_public": true,
             "date_from": "2017-12-27T10:00:00Z",
             "date_to": null,
             "date_admission": null,
             "presale_start": null,
             "presale_end": null,
             "location": null,
+            "geo_lat": null,
+            "geo_lon": null,
+            "seating_plan": null,
+            "seat_category_mapping": {},
             "item_price_overrides": [
               {
                 "item": 2,

doc/api/resources/teams.rst

@@ -0,0 +1,671 @@
+.. spelling:: fullname
+
+.. _`rest-teams`:
+
+Teams
+=====
+
+.. warning:: Unlike our user interface, the team API **does** allow you to lock yourself out by deleting or modifying
+             the team your user or API key belongs to. Be careful around here!
+
+Team resource
+-------------
+
+The team resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the team
+name                                  string                     Team name
+all_events                            boolean                    Whether this team has access to all events
+limit_events                          list                       List of event slugs this team has access to
+can_create_events                     boolean
+can_change_teams                      boolean
+can_change_organizer_settings         boolean
+can_manage_gift_cards                 boolean
+can_change_event_settings             boolean
+can_change_items                      boolean
+can_view_orders                       boolean
+can_change_orders                     boolean
+can_view_vouchers                     boolean
+can_change_vouchers                   boolean
+===================================== ========================== =======================================================
+
+Team member resource
+--------------------
+
+The team member resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the user
+email                                 string                     The user's email address
+fullname                              string                     The user's full name (or ``null``)
+require_2fa                           boolean                    Whether this user uses two-factor-authentication
+===================================== ========================== =======================================================
+
+Team invite resource
+--------------------
+
+The team invite resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the invite
+email                                 string                     The invitee's email address
+===================================== ========================== =======================================================
+
+Team API token resource
+-----------------------
+
+The team API token resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the invite
+name                                  string                     Name of this API token
+active                                boolean                    Whether this API token is active (can never be set to
+                                                                 ``true`` again once ``false``)
+token                                 string                     The actual API token. Will only be sent back during
+                                                                 token creation.
+===================================== ========================== =======================================================
+
+Team endpoints
+--------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/
+
+   Returns a list of all teams within a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "Admin team",
+            "all_events": true,
+            "limit_events": [],
+            "can_create_events": true,
+            ...
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Returns information on one team, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/
+
+   Creates a new team
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a team for
+   :statuscode 201: no error
+   :statuscode 400: The team could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Update a team. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "can_create_events": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the team to modify
+   :statuscode 200: no error
+   :statuscode 400: The team could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Deletes a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the team to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+Team member endpoints
+---------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/members/
+
+   Returns a list of all members of a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/members/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "fullname": "John Doe",
+            "email": "john@example.com",
+            "require_2fa": true
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/members/(id)/
+
+   Returns information on one team member, identified by their ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/members/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "fullname": "John Doe",
+        "email": "john@example.com",
+        "require_2fa": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the member to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or member does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/members/(id)/
+
+   Removes a member from the team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/members/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the member to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or member does not exist
+
+Team invite endpoints
+---------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/invites/
+
+   Returns a list of all invitations to a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/invites/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "email": "john@example.com"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/invites/(id)/
+
+   Returns information on one invite, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/invites/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "email": "john@example.org"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the invite to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or invite does not exist
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/(team)/invites/
+
+   Invites someone into the team. Note that if the user already has a pretix account, you will receive a response without
+   an ``id`` and instead of an invite being created, the user will be directly added to the team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/1/invites/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "email": "mark@example.org"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "email": "mark@example.org"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/invites/(id)/
+
+   Revokes an invite.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/invites/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the invite to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or invite does not exist
+
+Team API token endpoints
+------------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/tokens/
+
+   Returns a list of all API tokens of a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/tokens/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "active": true,
+            "name": "Test token"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/tokens/(id)/
+
+   Returns information on one token, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/tokens/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "active": true,
+        "name": "Test token"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the token to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or token does not exist
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/(team)/tokens/
+
+   Creates a new token.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/1/tokens/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "New token"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "New token",
+        "active": true,
+        "token": "",
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to create a token for
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/tokens/(id)/
+
+   Disables a token.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/tokens/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "My token",
+        "active": false
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the token to delete
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or token does not exist

doc/api/resources/vouchers.rst

@@ -18,8 +18,8 @@ max_usages                            integer                    The maximum num
 redeemed                              integer                    The number of times this voucher already has been
                                                                  redeemed.
 valid_until                           datetime                   The voucher expiration date (or ``null``).
-block_quota                           boolean                    If ``True``, quota is blocked for this voucher.
-allow_ignore_quota                    boolean                    If ``True``, this voucher can be redeemed even if a
+block_quota                           boolean                    If ``true``, quota is blocked for this voucher.
+allow_ignore_quota                    boolean                    If ``true``, this voucher can be redeemed even if a
                                                                  product is sold out and even if quota is not blocked
                                                                  for this voucher.
 price_mode                            string                     Determines how this voucher affects product prices.
@@ -38,9 +38,11 @@ quota                                 integer                    An ID of a quot
                                                                  attached either to a specific product or to all
                                                                  products within one quota or it can be available
                                                                  for all items without restriction.
+seat                                  string                     ``seat_guid`` attribute of a specific seat (or ``null``)
 tag                                   string                     A string that is used for grouping vouchers
 comment                               string                     An internal comment on the voucher
 subevent                              integer                    ID of the date inside an event series this voucher belongs to (or ``null``).
+show_hidden_items                     boolean                    Only if set to ``true``, this voucher allows to buy products with the property ``hide_without_voucher``. Defaults to ``true``.
 ===================================== ========================== =======================================================
 
 
@@ -48,6 +50,14 @@ subevent                              integer                    ID of the date
 
    The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
 
+.. versionchanged:: 3.0
+
+   The attribute ``show_hidden_items`` has been added.
+
+.. versionchanged:: 3.4
+
+   The attribute ``seat`` has been added.
+
 Endpoints
 ---------
 
@@ -91,7 +101,8 @@ Endpoints
             "quota": null,
             "tag": "testvoucher",
             "comment": "",
-            "subevent": null
+            "seat": null,
+            "subevent": null,
           }
         ]
       }
@@ -157,6 +168,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 
@@ -220,6 +232,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 
@@ -347,6 +360,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 

doc/api/resources/webhooks.rst

@@ -17,11 +17,11 @@ The webhook resource contains the following public fields:
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the webhook
-enabled                               boolean                    If ``False``, this webhook will not receive any notifications
+enabled                               boolean                    If ``false``, this webhook will not receive any notifications
 target_url                            string                     The URL to call
-all_events                            boolean                    If ``True``, this webhook will receive notifications
+all_events                            boolean                    If ``true``, this webhook will receive notifications
                                                                  on all events of this organizer
-limit_events                          list of strings            If ``all_events`` is ``False``, this is a list of
+limit_events                          list of strings            If ``all_events`` is ``false``, this is a list of
                                                                  event slugs this webhook is active for
 action_types                          list of strings            A list of action type filters that limit the
                                                                  notifications sent to this webhook. See below for
@@ -137,7 +137,7 @@ Endpoints
       POST /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
       Host: pretix.eu
       Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
 
       {
         "enabled": true,

doc/conf.py

@@ -66,7 +66,7 @@ source_suffix = '.rst'
 #source_encoding = 'utf-8-sig'
 
 # The master toctree document.
-master_doc = 'contents'
+master_doc = 'index'
 
 # General information about the project.
 project = 'pretix'
@@ -234,7 +234,7 @@ latex_elements = {
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-  ('contents', 'pretix.tex', 'pretix Documentation',
+  ('index', 'pretix.tex', 'pretix Documentation',
    'Raphael Michel', 'manual'),
 ]
 

doc/development/api/auth.rst

@@ -0,0 +1,70 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+Pluggable authentication backends
+=================================
+
+Plugins can supply additional authentication backends. This is mainly useful in self-hosted installations
+and allows you to use company-wide login mechanisms such as LDAP or OAuth for accessing pretix' backend.
+
+Every authentication backend contains an implementation of the interface defined in ``pretix.base.auth.BaseAuthBackend``
+(see below). Note that pretix authentication backends work differently than plain Django authentication backends.
+Basically, three pre-defined flows are supported:
+
+* Authentication mechanisms that rely on a **set of input parameters**, e.g. a username and a password. These can be
+  implemented by supplying the ``login_form_fields`` property and a ``form_authenticate`` method.
+
+* Authentication mechanisms that rely on **external sessions**, e.g. a cookie or a proxy HTTP header. These can be
+  implemented by supplying a ``request_authenticate`` method.
+
+* Authentication mechanisms that rely on **redirection**, e.g. to an OAuth provider. These can be implemented by
+  supplying a ``authentication_url`` method and implementing a custom return view.
+
+Authentication backends are *not* collected through a signal. Instead, they must explicitly be set through the
+``auth_backends`` directive in the ``pretix.cfg`` :ref:`configuration file <config>`.
+
+In each of these methods (``form_authenticate``, ``request_authenticate`` or your custom view) you are supposed to
+either get an existing :py:class:`pretix.base.models.User` object from the database or create a new one. There are a
+few rules you need to follow:
+
+* You **MUST** only return users with the ``auth_backend`` attribute set to the ``identifier`` value of your backend.
+
+* You **MUST** create new users with the ``auth_backend`` attribute set to the ``identifier`` value of your backend.
+
+* Every user object **MUST** have an email address. Email addresses are globally unique. If the email address is
+  already registered to a user who signs in through a different backend, you **SHOULD** refuse the login.
+
+The backend interface
+---------------------
+
+.. class:: pretix.base.auth.BaseAuthBackend
+
+   The central object of each backend is the subclass of ``BaseAuthBackend``.
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: verbose_name
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: login_form_fields
+
+   .. autoattribute:: visible
+
+   .. automethod:: form_authenticate
+
+   .. automethod:: request_authenticate
+
+   .. automethod:: authentication_url
+
+Logging users in
+----------------
+
+If you return a user from ``form_authenticate`` or ``request_authenticate``, the system will handle everything else
+for you correctly. However, if you use a redirection method and build a custom view to verify the login, we strongly
+recommend that you use the following utility method to correctly set session values and enforce two-factor
+authentication (if activated):
+
+.. autofunction:: pretix.control.views.auth.process_login

doc/development/api/customview.rst

@@ -66,7 +66,7 @@ event-related views, there is also a signal that allows you to add the view to t
 
     from django.urls import resolve, reverse
     from django.dispatch import receiver
-    from django.utils.translation import ugettext_lazy as _
+    from django.utils.translation import gettext_lazy as _
     from pretix.control.signals import nav_event
 
 

doc/development/api/email.rst

@@ -101,9 +101,12 @@ The template is passed the following context variables:
    The ``Event`` object
 
 ``signature`` (optional, only if configured)
-   The body as markdown (render with ``{{ signature|safe }}``)
+   The signature with event organizer contact details as markdown (render with ``{{ signature|safe }}``)
 
 ``order`` (optional, only if applicable)
    The ``Order`` object
 
+``position`` (optional, only if applicable)
+   The ``OrderPosition`` object
+
 .. _inlinestyler: https://pypi.org/project/inlinestyler/

doc/development/api/general.rst

@@ -12,7 +12,7 @@ Core
 
 .. automodule:: pretix.base.signals
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data, register_sales_channels
+      item_copy_data, register_sales_channels, register_global_settings, quota_availability, global_email_filter
 
 Order events
 """"""""""""
@@ -20,17 +20,24 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 
 .. automodule:: pretix.base.signals
-   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_fee_type_name, allow_ticket_download
+   :members: validate_cart, validate_cart_addons, validate_order, order_fee_calculation, order_paid, order_placed, order_canceled, order_reactivated, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download, order_split, order_gracefully_delete, invoice_line_text
+
+Check-ins
+"""""""""
+
+.. automodule:: pretix.base.signals
+   :members: checkin_created
+
 
 Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description
 
 
 .. automodule:: pretix.presale.signals
-   :members: order_info, order_meta_from_request
+   :members: order_info, order_info_top, order_meta_from_request
 
 Request flow
 """"""""""""
@@ -49,11 +56,11 @@ Backend
 
 .. automodule:: pretix.control.signals
    :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
-             order_info, event_settings_widget, oauth_application_registered, order_position_buttons
-
+             order_info, event_settings_widget, oauth_application_registered, order_position_buttons, subevent_forms,
+             item_formsets, order_search_filter_q
 
 .. automodule:: pretix.base.signals
-   :members: logentry_display, logentry_object_link, requiredaction_display
+   :members: logentry_display, logentry_object_link, requiredaction_display, timeline_events
 
 Vouchers
 """"""""
@@ -78,3 +85,12 @@ Ticket designs
 
 .. automodule:: pretix.base.signals
    :members: layout_text_variables
+
+.. automodule:: pretix.plugins.ticketoutputpdf.signals
+   :members: override_layout
+
+API
+---
+
+.. automodule:: pretix.base.signals
+   :members: validate_event_settings, api_event_settings_fields

doc/development/api/import.rst

@@ -0,0 +1,112 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+.. _`importcol`:
+
+Extending the order import process
+==================================
+
+It's possible through the backend to import orders into pretix, for example from a legacy ticketing system. If your
+plugins defines additional data structures around orders, it might be useful to make it possible to import them as well.
+
+Import process
+--------------
+
+Here's a short description of pretix' import process to show you where the system will need to interact with your plugin.
+You can find more detailed descriptions of the attributes and methods further below.
+
+1. The user uploads a CSV file. The system tries to parse the CSV file and understand its column headers.
+
+2. A preview of the file is shown to the user and the user is asked to assign the various different input parameters to
+   columns of the file or static values. For example, the user either needs to manually select a product or specify a
+   column that contains a product. For this purpose, a select field is rendered for every possible input column,
+   allowing the user to choose between a default/empty value (defined by your ``default_value``/``default_label``)
+   attributes, the columns of the uploaded file, or a static value (defined by your ``static_choices`` method).
+
+3. The user submits its assignment and the system uses the ``resolve`` method of all columns to get the raw value for
+   all columns.
+
+4. The system uses the ``clean`` method of all columns to verify that all input fields are valid and transformed to the
+   correct data type.
+
+5. The system prepares internal model objects (``Order`` etc) and uses the ``assign`` method of all columns to assign
+   these objects with actual values.
+
+6. The system saves all of these model objects to the database in a database transaction. Plugins can create additional
+   objects in this stage through their ``save`` method.
+
+Column registration
+-------------------
+
+The import API does not make a lot of usage from signals, however, it
+does use a signal to get a list of all available import columns. Your plugin
+should listen for this signal and return the subclass of ``pretix.base.orderimport.ImportColumn``
+that we'll provide in this plugin:
+
+.. sourcecode:: python
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import order_import_columns
+
+
+    @receiver(order_import_columns, dispatch_uid="custom_columns")
+    def register_column(sender, **kwargs):
+        return [
+            EmailColumn(sender),
+        ]
+
+The column class API
+--------------------
+
+.. class:: pretix.base.orderimport.ImportColumn
+
+   The central object of each import extension is the subclass of ``ImportColumn``.
+
+   .. py:attribute:: ImportColumn.event
+
+      The default constructor sets this property to the event we are currently
+      working for.
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: verbose_name
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: default_value
+
+   .. autoattribute:: default_label
+
+   .. autoattribute:: initial
+
+   .. automethod:: static_choices
+
+   .. automethod:: resolve
+
+   .. automethod:: clean
+
+   .. automethod:: assign
+
+   .. automethod:: save
+
+Example
+-------
+
+For example, the import column responsible for assigning email addresses looks like this:
+
+.. sourcecode:: python
+
+   class EmailColumn(ImportColumn):
+       identifier = 'email'
+       verbose_name = _('E-mail address')
+
+       def clean(self, value, previous_values):
+           if value:
+               EmailValidator()(value)
+           return value
+
+       def assign(self, value, order, position, invoice_address, **kwargs):
+           order.email = value

doc/development/api/index.rst

@@ -12,8 +12,11 @@ Contents:
    payment
    payment_2.0
    email
+   placeholder
    invoice
    shredder
+   import
    customview
+   auth
    general
    quality

doc/development/api/payment.rst

@@ -62,6 +62,8 @@ The provider class
 
    .. autoattribute:: is_enabled
 
+   .. autoattribute:: priority
+
    .. autoattribute:: settings_form_fields
 
    .. automethod:: settings_form_clean
@@ -108,8 +110,16 @@ The provider class
 
    .. automethod:: execute_refund
 
+   .. automethod:: refund_control_render
+
+   .. automethod:: api_payment_details
+
+   .. automethod:: matching_id
+
    .. automethod:: shred_payment_info
 
+   .. automethod:: cancel_payment
+
    .. autoattribute:: is_implicit
 
    .. autoattribute:: is_meta

doc/development/api/placeholder.rst

@@ -0,0 +1,79 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+Writing an e-mail placeholder plugin
+====================================
+
+An email placeholder is a dynamic value that pretix users can use in their email templates.
+
+Please read :ref:`Creating a plugin <pluginsetup>` first, if you haven't already.
+
+Placeholder registration
+------------------------
+
+The placeholder API does not make a lot of usage from signals, however, it
+does use a signal to get a list of all available email placeholders. Your plugin
+should listen for this signal and return an instance of a subclass of ``pretix.base.email.BaseMailTextPlaceholder``::
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import register_mail_placeholders
+
+
+    @receiver(register_mail_placeholders, dispatch_uid="placeholder_custom")
+    def register_mail_renderers(sender, **kwargs):
+        from .email import MyPlaceholderClass
+        return MyPlaceholder()
+
+
+Context mechanism
+-----------------
+
+Emails are sent in different "contexts" within pretix. For example, many emails are sent in the
+the context of an order, but some are not, such as the notification of a waiting list voucher.
+
+Not all placeholders make sense in every email, and placeholders usually depend some parameters
+themselves, such as the ``Order`` object. Therefore, placeholders are expected to explicitly declare
+what values they depend on and they will only be available in an email if all those dependencies are
+met. Currently, placeholders can depend on the following context parameters:
+
+* ``event``
+* ``order``
+* ``position``
+* ``waiting_list_entry``
+* ``invoice_address``
+* ``payment``
+
+There are a few more that are only to be used internally but not by plugins.
+
+The placeholder class
+---------------------
+
+.. class:: pretix.base.email.BaseMailTextPlaceholder
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: required_context
+
+      This is an abstract attribute, you **must** override this!
+
+   .. automethod:: render
+
+      This is an abstract method, you **must** implement this!
+
+   .. automethod:: render_sample
+
+      This is an abstract method, you **must** implement this!
+
+Helper class for simple placeholders
+------------------------------------
+
+pretix ships with a helper class that makes it easy to provide placeholders based on simple
+functions::
+
+     placeholder = SimpleFunctionalMailTextPlaceholder(
+         'code', ['order'], lambda order: order.code, sample='F8VVL'
+     )
+

doc/development/api/plugins.rst

@@ -46,18 +46,25 @@ name               string               The human-readable name of your plugin
 author             string               Your name
 version            string               A human-readable version code of your plugin
 description        string               A more verbose description of what your plugin does.
+category           string               Category of a plugin. Either one of ``"FEATURE"``, ``"PAYMENT"``,
+                                        ``"INTEGRATION"``, ``"CUSTOMIZATION"``, ``"FORMAT"``, or ``"API"``,
+                                        or any other string.
 visible            boolean (optional)   ``True`` by default, can hide a plugin so it cannot be normally activated.
 restricted         boolean (optional)   ``False`` by default, restricts a plugin such that it can only be enabled
                                         for an event by system administrators / superusers.
+compatibility      string               Specifier for compatible pretix versions.
 ================== ==================== ===========================================================
 
 A working example would be::
 
-    from django.apps import AppConfig
-    from django.utils.translation import ugettext_lazy as _
+    try:
+        from pretix.base.plugins import PluginConfig
+    except ImportError:
+        raise RuntimeError("Please use pretix 2.7 or above to run this plugin!")
+    from django.utils.translation import gettext_lazy as _
 
 
-    class PaypalApp(AppConfig):
+    class PaypalApp(PluginConfig):
         name = 'pretix_paypal'
         verbose_name = _("PayPal")
 
@@ -65,9 +72,11 @@ A working example would be::
             name = _("PayPal")
             author = _("the pretix team")
             version = '1.0.0'
+            category = 'PAYMENT
             visible = True
             restricted = False
             description = _("This plugin allows you to receive payments via PayPal")
+            compatibility = "pretix>=2.7.0"
 
 
     default_app_config = 'pretix_paypal.PaypalApp'

doc/development/api/shredder.rst

@@ -35,9 +35,9 @@ The shredder class
 
 .. class:: pretix.base.shredder.BaseDataShredder
 
-   The central object of each invoice renderer is the subclass of ``BaseInvoiceRenderer``.
+   The central object of each data shredder is the subclass of ``BaseDataShredder``.
 
-   .. py:attribute:: BaseInvoiceRenderer.event
+   .. py:attribute:: BaseDataShredder.event
 
       The default constructor sets this property to the event we are currently
       working for.

doc/development/api/ticketoutput.rst

@@ -69,3 +69,13 @@ The output class
    .. automethod:: generate_order
 
    .. autoattribute:: download_button_text
+
+   .. autoattribute:: download_button_icon
+
+   .. autoattribute:: multi_download_button_text
+
+   .. autoattribute:: long_download_button_text
+
+   .. autoattribute:: preview_allowed
+
+   .. autoattribute:: javascript_required

doc/development/contribution/style.rst

@@ -18,7 +18,7 @@ Coding style and quality
 * We expect all new code to come with proper tests. When writing new tests, please write them using `pytest-style`_
   test functions and raw ``assert`` statements. Use `fixtures`_ to prevent repetitive code. Some old parts of pretix'
   test suite are in the style of Python's unit test module. If you extend those files, you might continue in this style,
-  but please use pytest style for any new test files.
+  but please use ``pytest`` style for any new test files.
 
 * Please keep the first line of your commit messages short. When referencing an issue, please phrase it like
   ``Fix #123 -- Problems with order creation`` or ``Refs #123 -- Fix this part of that bug``.

doc/development/implementation/logging.rst

@@ -69,7 +69,7 @@ We now need a way to translate the action codes like ``pretix.event.changed`` in
 strings. The :py:attr:`pretix.base.signals.logentry_display` signals allows you to do so. A simple
 implementation could look like::
 
-    from django.utils.translation import ugettext as _
+    from django.utils.translation import gettext as _
     from pretix.base.signals import logentry_display
 
     @receiver(signal=logentry_display)

doc/development/implementation/models.rst

@@ -23,7 +23,7 @@ Organizers and events
    :members:
 
 .. autoclass:: pretix.base.models.Event
-   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
+   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, invoice_renderer, settings
 
 .. autoclass:: pretix.base.models.SubEvent
    :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running

doc/development/setup.rst

@@ -21,10 +21,12 @@ Your should install the following on your system:
 * Python 3.5 or newer
 * ``pip`` for Python 3 (Debian package: ``python3-pip``)
 * ``python-dev`` for Python 3 (Debian package: ``python3-dev``)
+* On Debian/Ubuntu: ``python-venv`` for Python 3 (Debian package: ``python3-venv``)
 * ``libffi`` (Debian package: ``libffi-dev``)
 * ``libssl`` (Debian package: ``libssl-dev``)
 * ``libxml2`` (Debian package ``libxml2-dev``)
 * ``libxslt`` (Debian package ``libxslt1-dev``)
+* ``libenchant1c2a`` (Debian package ``libenchant1c2a``)
 * ``msgfmt`` (Debian package ``gettext``)
 * ``git``
 
@@ -63,9 +65,7 @@ Then, create the local database::
     python manage.py migrate
 
 A first user with username ``admin@localhost`` and password ``admin`` will be automatically
-created. If you want to generate more test data, run::
-
-    python make_testdata.py
+created.
 
 If you want to see pretix in a different language than English, you have to compile our language
 files::
@@ -81,8 +81,7 @@ To run the local development webserver, execute::
 and head to http://localhost:8000/
 
 As we did not implement an overall front page yet, you need to go directly to
-http://localhost:8000/control/ for the admin view or, if you imported the test
-data as suggested above, to the event page at http://localhost:8000/bigevents/2019/
+http://localhost:8000/control/ for the admin view.
 
 .. note:: If you want the development server to listen on a different interface or
           port (for example because you develop on `pretixdroid`_), you can check

doc/index.rst

@@ -0,0 +1 @@
+.. include:: contents.rst

doc/plugins/campaigns.rst

@@ -0,0 +1,224 @@
+Campaigns
+=========
+
+The campaigns plugin provides a HTTP API that allows you to create new campaigns.
+
+Resource description
+--------------------
+
+The campaign resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal campaign ID
+code                                  string                     The URL component of the campaign, e.g. with code ``BAR``
+                                                                 the campaign URL would to be ``https://<server>/<organizer>/<event>/c/BAR/``.
+                                                                 This value needs to be *globally unique* and we do not
+                                                                 recommend setting it manually. If you omit it, a random
+                                                                 value will be chosen.
+description                           string                     An internal, human-readable name of the campaign.
+external_target                       string                     An URL to redirect to from the tracking link. To redirect to
+                                                                 the ticket shop, use an empty string.
+order_count                           integer                    Number of orders tracked on this campaign (read-only)
+click_count                           integer                    Number of clicks tracked on this campaign (read-only)
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/campaigns/
+
+   Returns a list of all campaigns configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/campaigns/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "code": "wZnL11fjq",
+            "description": "Facebook",
+            "external_target": "",
+            "order_count:" 0,
+            "click_count:" 0
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Returns information on one campaign, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "wZnL11fjq",
+        "description": "Facebook",
+        "external_target": "",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the campaign to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/campaigns/
+
+   Create a new campaign.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/campaigns/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "description": "Twitter"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "code": "IfVJQzSBL",
+        "description": "Twitter",
+        "external_target": "",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a campaign for
+   :param event: The ``slug`` field of the event to create a campaign for
+   :statuscode 201: no error
+   :statuscode 400: The campaign could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create campaigns.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Update a campaign. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "external_target": "https://mywebsite.com"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 2,
+        "code": "IfVJQzSBL",
+        "description": "Twitter",
+        "external_target": "https://mywebsite.com",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the campaign to modify
+   :statuscode 200: no error
+   :statuscode 400: The campaign could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Delete a campaign and all associated data.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the campaign to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to change it

doc/plugins/digital.rst

@@ -0,0 +1,277 @@
+Digital content
+===============
+
+The digital content plugin provides a HTTP API that allows you to create new digital content for your ticket holders,
+such as live streams, videos, or material downloads.
+
+Resource description
+--------------------
+
+The digital content resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal content ID
+title                                 multi-lingual string       The content title (required)
+content_type                          string                     The type of content, valid values are ``webinar``, ``video``, ``livestream``, ``link``, ``file``
+url                                   string                     The location of the digital content
+description                           multi-lingual string       A public description of the item. May contain Markdown
+                                                                 syntax and is not required.
+available_from                        datetime                   The first date time at which this content will be shown
+                                                                 (or ``null``).
+available_until                       datetime                   The last date time at which this content will b e shown
+                                                                 (or ``null``).
+all_products                          boolean                    If ``true``, the content is available to all buyers of tickets for this event. The ``limit_products`` field is ignored in this case.
+limit_products                        list of integers           List of product/item IDs. This content is only shown to buyers of these ticket types.
+position                              integer                    An integer, used for sorting
+subevent                              integer                    Date in an event series this content should be shown for. Should be ``null`` if this is not an event series or if this should be shown to all customers.
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/
+
+   Returns a list of all digital content configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "subevent": null,
+            "title": {
+                "en": "Concert livestream"
+            },
+            "content_type": "link",
+            "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+            "description": {
+                "en": "Watch our event live here on YouTube!"
+            },
+            "all_products": true,
+            "limit_products": [],
+            "available_from": "2020-03-22T23:00:00Z",
+            "available_until": null,
+            "position": 1
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Returns information on one content item, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the content to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/
+
+   Create a new digital content.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create new content for
+   :param event: The ``slug`` field of the event to create new content for
+   :statuscode 201: no error
+   :statuscode 400: The content could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create digital contents.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Update a content. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "url": "https://mywebsite.com"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 2,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://mywebsite.com",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the content to modify
+   :statuscode 200: no error
+   :statuscode 400: The content could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Delete a digital content.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the content to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to change it

doc/plugins/index.rst

@@ -14,3 +14,5 @@ If you want to **create** a plugin, please go to the
    banktransfer
    ticketoutputpdf
    badges
+   campaigns
+   digital

doc/plugins/pretixdroid.rst

@@ -316,7 +316,7 @@ uses to communicate with the pretix server.
         "total": 42,
         "version": 3,
         "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference",
           "slug": "democon",
           "date_from": "2016-12-27T17:00:00Z",
           "date_to": "2016-12-30T18:00:00Z",

doc/requirements.txt

@@ -1,8 +1,9 @@
 -r ../src/requirements.txt
-sphinx==1.6.*
+sphinx==2.3.*
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
 sphinxcontrib-spelling
+pygments-markdown-lexer
 # See https://github.com/rfk/pyenchant/pull/130
 git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant

doc/spelling_wordlist.txt

@@ -10,10 +10,12 @@ availabilities
 backend
 backends
 banktransfer
+Bcc
 boolean
 booleans
 cancelled
 casted
+Ceph
 checkbox
 checksum
 config
@@ -29,18 +31,24 @@ deprovision
 discoverable
 django
 dockerfile
+downloadable
 durations
 eu
 filename
 filesystem
 fontawesome
+formset
+formsets
 frontend
 frontpage
 gettext
+giftcard
 gunicorn
+guid
 hardcoded
 hostname
 idempotency
+iframe
 incrementing
 inofficial
 invalidations
@@ -49,9 +57,11 @@ Jimdo
 libpretixprint
 libsass
 linters
+login
 memcached
 metadata
 middleware
+Minio
 mixin
 mixins
 multi
@@ -69,6 +79,7 @@ overpayment
 param
 passphrase
 percental
+pluggable
 positionid
 pre
 prepend
@@ -92,12 +103,18 @@ regex
 renderer
 renderers
 reportlab
+reseller
 SaaS
+scalability
 screenshot
+scss
+searchable
 selectable
-serializers
+serializable
+serializer
 serializers
 sexualized
+SQL
 startup
 stdout
 stylesheet
@@ -108,6 +125,7 @@ subdomains
 subevent
 subevents
 submodule
+subnet
 subpath
 Symfony
 systemd
@@ -120,12 +138,16 @@ unconfigured
 unix
 unprefixed
 untrusted
+uptime
 username
 url
+validator
 versa
 versioning
+viewable
 viewset
 viewsets
+waitinglist
 webhook
 webhooks
 webserver

doc/user/events/display.rst

@@ -21,11 +21,18 @@ Frontpage text
     your product types, give more information on the event or for other general notices.
     You can use :ref:`Markdown syntax <markdown-guide>` in this field.
 
+Voucher explanation
+    This text will be shown above the voucher input box. You can use it to explain how to obtain a voucher and use it.
+
 Show variations of a product expanded by default
     If this is not checked, a product with variations will be shown as one row in the show by default and will expand
     into multiple rows once it is clicked on. With this box checked, the variations will be shown as multiple rows
     right from the beginning.
 
+Ask search engines not to index the ticket shop
+    If this is checked, we will set a HTML meta attribute asking search engines by Google not to put this ticket shop
+    into their searchable index.
+
 
 The lower part of the page contains settings that you can **either** set on organizer-level for all your events **or**
 override for this single event individually. Those are:
@@ -35,6 +42,12 @@ Primary color
     customers. We suggest not choosing something to light, since text in that color should be readable on a white
     background and white text should be readable on a background of this color.
 
+Accent color for success
+    This color will be used for success messages. We suggest to choose a dark shade of green.
+
+Accent color for errors
+    This color will be used for error messages. We suggest to choose a dark shade of red.
+
 Font
     Choose one of multiple fonts to use for your web shop.
 

doc/user/events/email.rst

@@ -8,8 +8,8 @@ event.
    :align: center
    :class: screenshot
 
-The page is separated into three parts: "E-mail settings", "E-mail content" and "SMTP settings". We will explain all
-of them in detail on this page.
+The page is separated into four parts: "E-mail settings", "E-mail design", "E-mail content" and "SMTP settings".
+We will explain all of them in detail on this page.
 
 E-mail settings
 ---------------
@@ -30,10 +30,18 @@ Signature
     This text will be appended to all e-mails in form of a signature. This might be useful e.g. to add your contact
     details or any legal information that needs to be included with the e-mails.
 
+Bcc address
+    This email address will receive a copy of every event-related email.
+
+E-mail design
+-------------
+
+In this part, you can choose and preview the layout of your emails. More layouts can be added by pretix plugins.
+
 E-mail content
 --------------
 
-The middle part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
+The next part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
 You can click on the different boxes to expand them and see the texts.
 
 Within the texts, you can use placeholders that will later by replaced by values depending on the event or order. Below
@@ -45,6 +53,7 @@ Placeholder                    Description
 ============================== ===============================================================================
 event                          The event name
 total                          The order's total value
+total_with_currency            The order's total value with a localized currency sign
 currency                       The currency used for the event (three-letter code)
 payment_info                   Information text specific to the payment method (e.g. banking details)
 url                            An URL pointing to the download/status page of the order
@@ -112,6 +121,22 @@ Reminder to download tickets
     attendees to download their tickets. The e-mail should include a link to the ticket download. This e-mail will only
     ever be sent if you specify a number of days.
 
+Order approval process
+    If you configure one of your products to "require approval", orders of that product will not immediately be confirmed
+    but only after you approved them manually. In this case, the following e-mail templates will be sent out.
+
+    Received order
+        After an order has been received, this e-mail will be sent automatically instead of the "order placed" e-mail from
+        above.
+
+    Approved order
+        This e-mail will be sent after you manually approved an order. This should include instructions to pay for the order,
+        which is why this will only be used for a paid order. For a free order, the "free order" e-mail from above will
+        be sent.
+
+    Denied order
+        This e-mail will be sent out to customers when their order has been denied.
+
 SMTP settings
 -------------
 

doc/user/events/giftcards.rst

@@ -0,0 +1,71 @@
+.. spelling::
+
+   Warengutschein
+   Wertgutschein
+
+Gift cards
+==========
+
+Gift cards, also known as "gift coupons" or "gift certificates" are a mechanism that allows you to sell tokens that
+can later be used to pay for tickets.
+
+Gift cards are very different feature than **vouchers**. The difference is:
+
+* Vouchers can be used to give a discount. When a voucher is used, the price of a ticket is reduced by the configured
+  discount and sold at a lower price. They therefore reduce both revenue as well as taxes. Vouchers (in pretix) are
+  always specific to a certain product in an order. Vouchers are usually not sold but given out as part of a
+  marketing campaign or to specific groups of people. Vouchers in pretix are bound to a specific event.
+
+* Gift cards are not a discount, but rather a means of payment. If you buy a €20 ticket with a €10 gift card, it is
+  still a €20 ticket and will still count towards your revenue with €20. Gift cards are usually bought for the money
+  that they are worth. Gift cards in pretix can be used across events (and even organizers).
+
+Selling gift cards
+------------------
+
+Selling gift cards works like selling every other type of product in pretix: Create a new product, then head to
+"Additional settings" and select the option "This product is a gift card". Whenever someone buys this product and
+pays for it, a new gift card will be created.
+
+In this case, the gift card code corresponds to the "ticket secret" in the PDF ticket. Therefore, if selling gift cards,
+you can use ticket downloads just as with normal tickets and use our ticket editor to create beautiful gift certificates
+people can give to their loved ones.
+
+Of course, you can use pretix' flexible options to modify your product. For example, you can configure that the customer
+can freely choose the price of the gift card.
+
+.. note::
+
+   pretix currently does not support charging sales tax or VAT when selling gift cards, but instead charges VAT on
+   the full price when the gift card is redeemed. This is the correct behavior in Germany and some other countries for
+   gift cards which are not bound to a very specific service ("Warengutschein"), but instead to a monetary amount
+   ("Wertgutschein").
+
+.. note::
+
+   The ticket PDF will not contain the correct gift card code before the order has been paid, so we recommend not
+   selling gift cards in events where tickets are issued before payments arrive.
+
+
+Accepting gift cards
+--------------------
+
+All your events have have the payment provider "Gift card" enabled by default, but it will only show up in the ticket
+shop once the very first gift card has been issued on your organizer account. Of course, you can turn off gift card
+payments if you do not want them for a specific event.
+
+If gift card payments are enabled, buyers will be able to select "Gift card" as a payment method during checkout. If
+a gift card with a value less than the order total is used, the buyer will be asked to select a second payment method
+for the remaining payment. If a gift card with a value greater than the order total is used, the surplus amount
+remains on the gift card and can be used in a different purchase.
+
+If it possible to accept gift cards across organizer accounts. To do so, you need to have access to both organizer
+accounts. Then, you will see a configuration section at the bottom of the "Gift cards" page of your organizer settings
+where you can specify which gift cards should be accepted.
+
+Manually issuing or using gift cards
+------------------------------------
+
+Of course, you can also issue or redeem gift cards manually through our backend using the "Gift cards" menu item in your
+organizer profile or using our API. These gift cards will be tracked by pretix, but do not correspond to any purchase
+within pretix. You will therefore need to account for them in your books separately.

doc/user/events/invoicing.rst

@@ -11,18 +11,6 @@ The settings at "Settings" → "Invoice" allow you to specify if and how pretix
 
 In particular, you can configure the following things:
 
-Ask for invoice address
-    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
-    this box, the invoice address will be optional to fill in.
-
-Require invoice address
-    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
-    able to create an order without entering an address.
-
-Require customer name
-    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
-    the name field will be obligatory.
-
 Generate invoices
     This field controls whether pretix should generate an invoice for an order. You have the following options:
 
@@ -51,6 +39,51 @@ Attach invoices to emails
     "Automatically for all created orders" or to the payment confirmation e-mails if it is set to "Automatically on
     payment".
 
+Invoice number prefix
+    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
+    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
+    followed by a dash, e.g. DEMOCON-00001.
+
+    Within one organizer account, events with the same number prefix will share their number range. For example, if you
+    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
+    and the numbers will have gaps within one event.
+
+Generate invoices with consecutive numbers
+    If enabled, invoices will be created with numerical invoice numbers in the order of their creation, i.e.
+    PREFIX-00001, PREFIX-00002, and so on. If disabled, invoice numbers will instead be generated from the order code,
+    i.e. PREFIX-YHASD-1. When in doubt, keep this option enabled since it might be legally required in your country,
+    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
+    the invoice numbers.
+
+Invoice language
+    This setting allows you to configure the language of all invoices. You can either set it to one of your event
+    language or dynamically to the language used by the customer.
+
+Show free products on invoices
+    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
+    at least one non-free product in order to generate an invoice.
+
+Show attendee names on invoices
+    If enabled, the attendee name will be printed on the invoice for admission tickets.
+
+Ask for invoice address
+    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
+    this box, the invoice address will be optional to fill in.
+
+Require invoice address
+    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
+    able to create an order without entering an address.
+
+Require customer name
+    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
+    the name field will be obligatory.
+
+Require a business address
+    If enabled, the invoice address form will require a company name and do not allow personal addresses.
+
+Ask for beneficiary
+    If enabled, the invoice address form will contain an additional field to input the beneficiary of the transaction.
+
 Ask for VAT ID
     If enabled, the invoice address form will not only ask for a postal address, but also for a VAT ID. The VAT ID will
     always be an optional field.
@@ -62,26 +95,13 @@ Generate invoices with consecutive numbers
     but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
     the invoice numbers.
 
-Invoice number prefix
-    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
-    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
-    followed by a dash, e.g. DEMOCON-00001.
-
-    Within one organizer account, events with the same number prefix will share their number range. For example, if you
-    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
-    and the numbers will have gaps within one event.
-
-Show free products on invoices
-    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
-    at least one non-free product in order to generate an invoice.
-
-Show attendee names on invoices
-    If enabled, the attendee name will be printed on the invoice for admission tickets.
-
-Your address
-    This should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
+Your invoice details
+    These fields should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
     the header of the invoice.
 
+Invoice style
+    This setting allows you to choose the design of your invoice. Additional designs can be added by pretix plugins.
+
 Introductory text
     A free custom text that will be printed above the list of products on the invoice.
 

doc/user/events/structureguide.rst

@@ -0,0 +1,346 @@
+Product structure guide
+=======================
+
+Between products, categories, variations, add-ons, bundles, and quotas, pretix provides a wide range of features that allow you to set up your event in the way you want it.
+However, it is easy to get lost in the process or to get started with building your event right.
+Often times, there are multiple ways to do something that come with different advantages and disadvantages.
+This guide will walk you through a number of typical examples of pretix event structures and will explain how to set them up – feel free to just skip ahead to a section relevant for you.
+
+Terminology
+-----------
+
+Products
+    A product is a basic entity that can be bought. You can think of it as a ticket type, but it can be more things than just a ticket, it can also be a piece of merchandise, a parking slot, etc.
+    You might find some places where they are called "items" instead, but we're trying to get rid of that.
+
+Product categories
+    Products can be sorted into categories. Each product can only be in one category. Category are mostly used for grouping related products together to make your event page easier to read for buyers. However, we'll need categories as well to set up some of the structures outlined below.
+
+Product variations
+    During creation of a product, you can decide that your product should have multiple variations. Variations of a product can differ in price, description, and availability, but are otherwise the same. You could use this e.g. for differentiating between a regular ticket and a discounted ticket for students, or when selling merchandise to differentiate the different sizes of a t-shirt.
+
+Product add-ons
+    Add-ons are products that are sold together with another product (which we will call the base product in this case). For example, you could have a base product "Conference ticket" and then define multiple workshops that can be chosen as an add-on.
+
+Product bundles
+    Bundles work very similarly to add-ons, but are different in the way that they are always automatically included with the base product and cannot be optional. In contrast to add-on products, the same product can be included multiple times in a bundle.
+
+Quotas
+    Quotas define the availability of products. A quota has a size (i.e. the number of products in the inventory) and is mapped to one or multiple products or variations.
+
+Questions
+    Questions are user-defined form fields that buyers will need to fill out when purchasing a product.
+
+Use case: Multiple price levels
+-------------------------------
+
+Imagine you're running a concert with general admission that sells a total of 200 tickets for two prices:
+
+* Regular: € 25.00
+* Students: € 19.00
+
+You can either set up two different products called e.g. "Regular ticket" and "Student ticket" with the respective prices, or two variations within the same product. In this simple case, it really doesn't matter.
+
+In addition, you will need quotas. If you do not care how many of your tickets are sold to students, you should set up just **one quota** of 200 called e.g. "General admission" that you link to **both products**.
+
+If you want to limit the number of student tickets to 50 to ensure a certain minimum revenue, but do not want to limit the number of regular tickets artificially, we suggest you to create the same quota of 200 that is linked to both products, and then create a **second quota** of 50 that is only linked to the student ticket. This way, the system will reduce both quotas whenever a student ticket is sold and only the larger quota when a regular ticket is sold.
+
+Use case: Early-bird tiers based on dates
+-----------------------------------------
+
+Let's say you run a conference that has the following pricing scheme:
+
+* 12 to 6 months before the event: € 450
+* 6 to 3 months before the event: € 550
+* closer than 3 months to the event: € 650
+
+Of course, you could just set up one product and change its price at the given dates manually, but if you want to set this up automatically, here's how:
+
+Create three products (e.g. "super early bird", "early bird", "regular ticket") with the respective prices and one shared quota of your total event capacity. Then, set the **available from** and **available until** configuration fields of the products to automatically turn them on and off based on the current date.
+
+Use case: Early-bird tiers based on ticket numbers
+--------------------------------------------------
+
+Let's say you run a conference with 400 tickets that has the following pricing scheme:
+
+* First 100 tickets ("super early bird"): € 450
+* Next 100 tickets ("early bird"): € 550
+* Remaining tickets ("regular"): € 650
+
+First of all, create three products:
+
+* "Super early bird ticket"
+* "Early bird ticket"
+* "Regular ticket"
+
+Then, create three quotas:
+
+* "Super early bird" with a **size of 100** and the "Super early bird ticket" product selected. At "Advanced options",
+  select the box "Close this quota permanently once it is sold out".
+
+* "Early bird and lower" with a **size of 200** and both of the "Super early bird ticket" and "Early bird ticket"
+  products selected. At "Advanced options", select the box "Close this quota permanently once it is sold out".
+
+* "All participants" with a **size of 400**, all three products selected and **no additional options**.
+
+Next, modify the product "Regular ticket". In the section "Availability", you should look for the option "Only show
+after sellout of" and select your quota "Early bird and lower". Do the same for the "Early bird ticket" with the quota
+"Super early bird ticket".
+
+This will ensure the following things:
+
+* Each ticket level is only visible after the previous level is sold out.
+
+* As soon as one level is really sold out, it's not coming back, because the quota "closes", i.e. locks in place.
+
+* By creating a total quota of 400 with all tickets included, you can still make sure to sell the maximum number of
+  tickets, even if e.g. early-bird tickets are canceled.
+
+Optionally, if you want to hide the early bird prices once they are sold out, go to "Settings", then "Display" and
+select "Hide all products that are sold out". Of course, it might be a nice idea to keep showing the prices to remind
+people to buy earlier next time ;)
+
+Please note that there might be short time intervals where the prices switch back and forth: When the last early bird
+tickets are in someone's cart (but not yet sold!), the early bird tickets will show as "Reserved" and the regular
+tickets start showing up. However, if the customers holding the reservations do not complete their order,
+the early bird tickets will become available again. This is not avoidable if we want to prevent malicious users
+from blocking all the cheap tickets without an actual sale happening.
+
+Use case: Up-selling of ticket extras
+-------------------------------------
+
+Let's assume you're putting up a great music festival, and to save trouble with handling payments on-site, you want to sell parking spaces together with your ticket. By using our add-on feature, you can prompt all users to book the parking space (to make sure they see it) and ensure that only people with a ticket can book a parking space. You can set it up like this:
+
+* Create a base product "Festival admission"
+* Create a quota for the base product
+* Create a category "Ticket extras" and check "Products in this category are add-on products"
+* Create a product "Parking space" within that category
+* Create a quota for the parking space product
+* Go to the base product and select the tab "Add-Ons" at the top. Click "Add a new add-on" and choose the "Ticket extras" category. You can keep the numbers at 0 and 1.
+
+During checkout, all buyers of the base product will now be prompted if they want to add the parking space.
+
+.. tip::
+
+   You can also use add-on products for free things, just to keep tabs on capacity.
+
+Use case: Conference with workshops
+-----------------------------------
+
+When running a conference, you might also organize a number of workshops with smaller capacity. To be able to plan, it would be great to know which workshops an attendee plans to attend.
+
+Option A: Questions
+"""""""""""""""""""
+
+Your first and simplest option is to just create a multiple-choice question. This has the upside of making it easy for users to change their mind later on, but will not allow you to restrict the number of attendees signing up for a given workshop – or even charge extra for a given workshop.
+
+Option B: Add-on products with fixed time slots
+"""""""""""""""""""""""""""""""""""""""""""""""
+
+The usually better option is to go with add-on products. Let's take for example the following conference schedule, in which the lecture can be attended by anyone, but the workshops only have space for 20 persons each:
+
+==================== =================================== ===================================
+Time                 Room A                              Room B
+==================== =================================== ===================================
+Wednesday morning    Lecture
+Wednesday afternoon  Workshop A                          Workshop B
+Thursday morning     Workshop C                          Workshop D (20 € extra charge)
+==================== =================================== ===================================
+
+Assuming you already created one or more products for your general conference admission, we suggest that you additionally create:
+
+* A category called "Workshops" with the checkbox "Products in this category are add-on products" activated
+
+* A free product called "Wednesday afternoon" within the category "Workshops" and with two variations:
+
+    * Workshop A
+
+    * Workshop B
+
+* A free product called "Thursday morning" within the category "Workshops" and with two variations:
+
+    * Workshop C
+
+    * Workshop D with a price of 20 €
+
+* Four quotas for each of the workshops
+
+* One add-on configuration on your base product that allows users to choose between 0 and 2 products from the category "Workshops"
+
+Option C: Add-on products with variable time slots
+""""""""""""""""""""""""""""""""""""""""""""""""""
+
+The above option only works if your conference uses fixed time slots and every workshop uses exactly one time slot. If
+your schedule looks like this, it's not going to work great:
+
++-------------+------------+-----------+
+| Time        | Room A     | Room B    |
++=============+============+===========+
+| 09:00-11:00 | Talk 1     | Long      |
++-------------+------------+ Workshop 1|
+| 11:00-13:00 | Talk 2     |           |
++-------------+------------+-----------+
+| 14:00-16:00 | Long       | Talk 3    |
++-------------+ workshop 2 +-----------+
+| 16:00-18:00 |            | Talk 4    |
++-------------+------------+-----------+
+
+In this case, we recommend that you go to *Settings*, then *Plugins* and activate the plugin **Agenda constraints**.
+
+Then, create a product (without variations) for every single part that should be bookable (talks 1-4 and long workshops
+1 and 2) as well as appropriate quotas for each of them.
+
+All of these products should be part of the same category. In your base product (e.g. your conference ticket), you
+can then create an add-on product configuration allowing users to add products from this category.
+
+If you edit these products, you will be able to enter the "Start date" and "End date" of the talk or workshop close
+to the bottom of the page. If you fill in these values, pretix will automatically ensure no overlapping talks are
+booked.
+
+.. note::
+
+    This option is currently only available on pretix Hosted. If you are interested in using it with pretix Enterprise,
+    please contact sales@pretix.eu.
+
+
+Use case: Discounted packages
+-----------------------------
+
+Imagine you run a trade show that opens on three consecutive days and you want to have the following pricing:
+
+* Single day: € 10
+* Any two days: € 17
+* All three days:  € 25
+
+In this case, there are multiple different ways you could set this up with pretix.
+
+Option A: Combination products
+""""""""""""""""""""""""""""""
+
+With this option, you just set up all the different combinations someone could by as a separate product. In this case, you would need 7 products:
+
+* Day 1 pass
+* Day 2 pass
+* Day 3 pass
+* Day 1+2 pass
+* Day 2+3 pass
+* Day 1+3 pass
+* All-day pass
+
+Then, you create three quotas, each one with the maximum capacity of your venue on any given day:
+
+* Day 1 quota, linked to "Day 1 pass", "Day 1+2 pass", "Day 1+3 pass", and "All-day pass"
+* Day 2 quota, linked to "Day 2 pass", "Day 1+2 pass", "Day 2+3 pass", and "All-day pass"
+* Day 3 quota, linked to "Day 3 pass", "Day 2+3 pass", "Day 1+3 pass", and "All-day pass"
+
+This way, every person gets exactly one ticket that they can use for all days that they attend. You can later set up check-in lists appropriately to make sure only tickets valid for a certain day can be scanned on that day.
+
+The benefit of this option is that your product structure and order structure stays very simple. However, the two-day packages scale badly when you need many products.
+
+We recommend this setup for most setups in which the number of possible combinations does not exceed the number of parts (here: number of days) by much.
+
+Option B: Add-ons and bundles
+"""""""""""""""""""""""""""""
+
+We can combine the two features "product add-ons" and "product bundles" to set this up in a different way. Here, you would create the following five products:
+
+* Day 1 pass in a category called "Day passes"
+* Day 2 pass in a category called "Day passes"
+* Day 3 pass in a category called "Day passes"
+* Two-day pass
+* All-day pass
+
+This time, you will need five quotas:
+
+* Day 1 quota, linked to "Day 1 pass"
+* Day 2 quota, linked to "Day 2 pass"
+* Day 3 quota, linked to "Day 3 pass"
+* Two-day pass quota, linked to "Two-day pass" (can be unlimited)
+* All-day pass quota, linked to "All-day pass" (can be unlimited)
+
+Then, you open the "Add-On" tab in the settings of the **Two-day pass** product and create a new add-on configuration specifying the following options:
+
+* Category: "Day passes"
+* Minimum number: 2
+* Maximum number: 2
+* Add-Ons are included in the price: Yes
+
+This way, when buying a two-day pass, the user will be able to select *exactly* two days for free, which will then be added to the cart. Depending on your specific configuration, the user will now receive *two separate* tickets, one for each day.
+
+For the all-day pass, you open the "Bundled products" tab in the settings of the **All-day pass** product and add **three** new bundled items with the following options:
+
+* Bundled product: "Day 1/2/3"
+* Bundled variation: None
+* Count: 1
+* Designated price: 0
+
+This way, when buying an all-day pass, three free day passes will *automatically* be added to the cart. Depending on your specific configuration, the user will now receive *three separate* tickets, one for each day.
+
+This approach makes your order data more complicated, since e.g. someone who buys an all-day pass now technically bought **four products**. However, this option allows for more flexibility when you have lots of options to choose from.
+
+.. tip::
+
+   Depending on the packages you offer, you **might not need both the add-on and the bundle feature**, i.e. you only need the add-on feature for the two-day pass and only the bundle feature for the all-day pass. You could also set up the two-day pass like we showed here, but the all-day pass like in option A!
+
+Use case: Group discounts
+-------------------------
+
+Often times, you want to give discounts for whole groups attending your event. pretix can't automatically discount based on volume, but there's still some ways you can set up group tickets.
+
+Flexible group sizes
+""""""""""""""""""""
+
+If you want to give out discounted tickets to groups starting at a given size, but still billed per person, you can do so by creating a special **Group ticket** at the per-person price and set the **Minimum amount per order** option of the ticket to the minimal group size.
+
+This way, your ticket can be bought an arbitrary number of times – but no less than the given minimal amount per order.
+
+Fixed group sizes
+"""""""""""""""""
+
+If you want to sell group tickets in fixed sizes, e.g. a table of eight at your gala dinner, you can use product bundles. Assuming you already set up a ticket for admission of single persons, you then set up a second product **Table (8 persons)** with a discounted full price. Then, head to the **Bundled products** tab of that product and add one bundle configuration to include the single admission product **eight times**. Next, create an unlimited quota mapped to the new product.
+
+This way, the purchase of a table will automatically create eight tickets, leading to a correct calculation of your total quota and, as expected, eight persons on your check-in list. You can even ask for the individual names of the persons during checkout.
+
+Use case: Restricted audience
+-----------------------------
+
+Not all events are for everyone. Sometimes, there is a good reason to restrict access to your event or parts of your event only to a specific, invited group. There's two ways to implement this with pretix:
+
+Option A: Required voucher codes
+""""""""""""""""""""""""""""""""
+
+If you check the option "**This product can only be bought using a voucher**" of one or multiple products, only people holding an applicable voucher code will be able to buy the product.
+
+You can then generate voucher codes for the respective product and send them out to the group of possible attendees. If the recipients should still be able to choose between different products, you can create an additional quota and map the voucher to that quota instead of the products themselves.
+
+There's also the second option "**This product will only be shown if a voucher matching the product is redeemed**". In this case, the existence of the product won't even be shown before a voucher code is entered – useful for a VIP option in a shop where you also sell other products to the general public. Please note that this option does **not** work with vouchers assigned to a quota, only with vouchers assigned directly to the product.
+
+This option is appropriate if you know the group of people beforehand, e.g. members of a club, and you can mail them their access codes.
+
+Option B: Order approvals
+"""""""""""""""""""""""""
+
+If you do not know your audience already, but still want to restrict it to a certain group, e.g. people with a given profession, you can check the "**Buying this product requires approval**" in the settings of your product. If a customer tries to buy such a product, they will be able to place their order but can not proceed to payment. Instead, you will be asked to approve or deny the order and only if you approve it, we will send a payment link to the customer.
+
+This requires the customer to interact with the ticket shop twice (once for the order, once for the payment) which adds a little more friction, but gives you full control over who attends the event.
+
+Use case: Mixed taxation
+------------------------
+
+Let's say you are a charitable organization in Germany and are allowed to charge a reduced tax rate of 7% for your educational event. However, your event includes a significant amount of food, you might need to charge a 19% tax rate on that portion. For example, your desired tax structure might then look like this:
+
+* Conference ticket price: € 450 (incl. € 150 for food)
+
+    * incl. € 19.63 VAT at 7%
+    * incl. € 23.95 VAT at 19%
+
+You can implement this in pretix using product bundles. In order to do so, you should create the following two products:
+
+* Conference ticket at € 450 with a 7% tax rule
+* Conference food at € 150 with a 19% tax rule and the option "**Only sell this product as part of a bundle**" set
+
+In addition to your normal conference quota, you need to create an unlimited quota for the food product.
+
+Then, head to the **Bundled products** tab of the "conference ticket" and add the "conference food" as a bundled product with a **designated price** of € 150.
+
+Once a customer tries to buy the € 450 conference ticket, a sub-product will be added and the price will automatically be split into the two components, leading to a correct computation of taxes.

doc/user/events/tickets.rst

@@ -25,6 +25,10 @@ Generate tickets for non-admission products
   By default, tickets will only be generated for products that are marked as admission products. Enable this option to
   generate tickets for all products instead.
 
+Offer to download tickets even before an order is paid
+  By default, ticket download is only possible for paid orders. If you run an event where people usually pay only after
+  the event, you can check this box to enable ticket download even before.
+
 Below these settings, the detail settings for the various ticket file formats are offered. They differ from format to
 format and only share the common "Enable" setting that can be used to turn them on. By default, pretix ships with
 a PDF output plugin that you can configure through a visual design editor.

doc/user/events/widget.rst

@@ -114,6 +114,51 @@ If you want to disable voucher input in the widget, you can pass the ``disable-v
 
    <pretix-widget event="https://pretix.eu/demo/democon/" disable-vouchers></pretix-widget>
 
+Filtering products
+------------------
+
+You can filter the products shown in the widget by passing in a list of product IDs::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" items="23,42"></pretix-widget>
+
+Alternatively, you can select one or more categories to be shown::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" categories="12,25"></pretix-widget>
+
+Multi-event selection
+---------------------
+
+If you want to embed multiple events in a single widget, you can do so. If it's multiple dates of an event series, just leave off the ``series`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/series/"></pretix-widget>
+
+If you want to include all your public events, you can just reference your organizer::
+
+   <pretix-widget event="https://pretix.eu/demo/"></pretix-widget>
+
+There is an optional ``style`` parameter that let's you choose between a calendar view and a list view. If you do not set it, the choice will be taken from your organizer settings::
+
+   <pretix-widget event="https://pretix.eu/demo/series/" style="list"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+
+You can see an example here:
+
+.. raw:: html
+
+    <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/series/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+You can filter events by meta data attributes. You can create those attributes in your order profile and set their values in both event and series date
+settings. For example, if you set up a meta data property called "Promoted" that you set to "Yes" on some events, you can pass a filter like this::
+
+   <pretix-widget event="https://pretix.eu/demo/series/" style="list" filter="attr[Promoted]=Yes"></pretix-widget>
+
 pretix Button
 -------------
 
@@ -149,6 +194,24 @@ Just as the widget, the button supports the optional attributes ``voucher`` and
 
 You can style the button using the ``pretix-button`` CSS class.
 
+Dynamically opening the widget
+------------------------------
+
+You can get the behavior of the pretix Button without a button at all, so you can trigger it from your own code in
+response to a user action. Usually, this will open an overlay with your ticket shop, however in some cases, such as
+missing HTTPS encryption on your case or a really small screen (mobile), it will open a new tab instead of an overlay.
+Therefore, make sure you call this *in direct response to a user action*, otherwise most browser will block it as an
+unwanted pop-up.
+
+.. js:function:: window.PretixWidget.open(target_url [, voucher [, subevent [, items, [, widget_data [, skip_ssl_check ]]]]])
+
+   :param string target_url: The URL of the ticket shop.
+   :param string voucher: A voucher code to be pre-selected, or ``null``.
+   :param string subevent: A subevent to be pre-selected, or ``null``.
+   :param array items: A collection of items to be put in the cart, of the form ``[{"item": "item_3", "count": 1}, {"item": "variation_5_6", "count": 4}]``
+   :param object widget_data: Additional data to be passed to the shop, see below.
+   :param boolean skip_ssl_check: Whether to ignore the check for HTTPS. Only to be used during development.
+
 Dynamically loading the widget
 ------------------------------
 
@@ -172,6 +235,21 @@ If you want, you can suppress us loading the widget and/or modify the user data
 
 If you then later want to trigger loading the widgets, just call ``window.PretixWidget.buildWidgets()``.
 
+Waiting for the widget to load
+------------------------------
+
+If you want to run custom JavaScript once the widget is fully loaded, you can register a callback function. Note that
+this function might be run multiple times, for example if you have multiple widgets on a page or if the user switches
+e.g. from an event list to an event detail view::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        window.PretixWidget.addLoadListener(function () {
+            console.log("Widget has loaded!");
+        });
+    }
+    </script>
+
 
 Passing user data to the widget
 -------------------------------
@@ -189,7 +267,8 @@ with that information::
         data-question-L9G8NG9M="Foobar">
     </pretix-widget>
 
-This works for the pretix Button as well. Currently, the following attributes are understood by pretix itself:
+This works for the pretix Button as well, if you also specify a product.
+Currently, the following attributes are understood by pretix itself:
 
 * ``data-email`` will pre-fill the order email field as well as the attendee email field (if enabled).
 
@@ -207,6 +286,11 @@ This works for the pretix Button as well. Currently, the following attributes ar
   naming scheme such as ``name-title`` or ``name-given-name`` (see above). ``country`` expects a two-character
   country code.
 
+* If ``data-fix="true"`` is given, the user will not be able to change the other given values later. This currently
+  only works for the order email address as well as the invoice address. Attendee-level fields and questions can
+  always be modified. Note that this is not a security feature and can easily be overridden by users, so do not rely
+  on this for authentication.
+
 Any configured pretix plugins might understand more data fields. For example, if the appropriate plugins on pretix
 Hosted or pretix Enterprise are active, you can pass the following fields:
 
@@ -240,10 +324,17 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
         };
     </script>
 
+  In some combinations with Google Tag Manager, the widget does not load this way. In this case, try replacing
+  ``tracker.get('clientId')`` with ``ga.getAll()[0].get('clientId')``.
+
 
 .. versionchanged:: 2.3
 
    Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
    fully if you configured a redis server.
 
+.. versionchanged:: 3.6
+
+   Dynamically opening the widget has been added in pretix 3.6.
+
 .. _Let's Encrypt: https://letsencrypt.org/

doc/user/index.rst

@@ -10,6 +10,8 @@ wanting to use pretix to sell tickets.
    organizers/index
    events/create
    events/settings
+   events/structureguide
    events/widget
+   events/giftcards
    faq
-   markdown
+   markdown

doc/user/organizers/domain.rst

@@ -14,30 +14,23 @@ and with pretix, you can do this. On this page, you find out the necessary steps
 With the pretix.eu hosted service
 ---------------------------------
 
-Step 1: DNS Configuration
-#########################
+Go to "Organizers" in the backend and select your organizer account. Then, go to "Settings" and "Custom Domain".
+
+This page will show you instructions on how to set up your own domain. Basically, it works like this:
 
 Go to the website of the provider you registered your domain name with. Look for the "DNS" settings page in their
 interface. Unfortunately, we can't tell you exactly how that is named and how it looks, since it is different for every
 domain provider.
 
 Use this interface to add a new subdomain record, e.g. ``tickets`` of the type ``CNAME`` (might also be called "alias").
-The value of the record should be ``www.pretix.eu``.
-
-Step 2: Wait for the DNS entry to propagate
-###########################################
+The value of the record should be the one shown on the "Custom Domain" page in pretix' backend.
 
 Submit your changes and wait a bit, it can regularly take up to three hours for DNS changes to propagate to the caches
 of all DNS servers. You can try checking by accessing your new subdomain, ``http://tickets.awesomepartycorp.com``.
 If DNS was changed successfully, you should see a SSL certificate error. If you ignore the error and access the page
 anyways, you should get a pretix-themed error page with the headline "Unknown domain".
 
-Step 3: Tell us
-###############
-
-Write an email to support@pretix.eu, naming your new domain and your organizer account. We will then generate a SSL
-certificate for you (for free!) and configure the domain.
-
+Now, tell us about your domain on the "Custom Domain" page to get started.
 
 With a custom pretix installation
 ---------------------------------

doc/user/payments/paypal.rst

@@ -3,6 +3,13 @@
 PayPal
 ======
 
+.. note::
+
+   If you use pretix Hosted, you do not longer need to go through this tedious process! You can
+   just open the PayPal settings in the payment section of your event, click "Connect to PayPal"
+   and log in to your PayPal account. The following guide is only required for self-hosted
+   versions of pretix.
+
 To integrate PayPal with pretix, you first need to have an active PayPal merchant account. If you do not already have a
 PayPal account, you can create one on `paypal.com`_.
 If you look into pretix' settings, you are required to fill in two keys:

src/MANIFEST.in

@@ -22,3 +22,5 @@ recursive-include pretix/plugins/ticketoutputpdf/templates *
 recursive-include pretix/plugins/ticketoutputpdf/static *
 recursive-include pretix/plugins/badges/templates *
 recursive-include pretix/plugins/badges/static *
+recursive-include pretix/plugins/returnurl/templates *
+recursive-include pretix/plugins/returnurl/static *

src/make_testdata.py

@@ -1,71 +0,0 @@
-#!/usr/bin/env python
-import os
-import sys
-from datetime import datetime
-
-os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pretix.settings")
-
-import django
-
-django.setup()
-
-from pretix.base.models import *  # NOQA
-from django.utils.timezone import now
-
-if Organizer.objects.exists():
-    print("There already is data in your DB!")
-    sys.exit(0)
-user = User.objects.get_or_create(
-    email='admin@localhost',
-)[0]
-user.set_password('admin')
-user.save()
-organizer = Organizer.objects.create(
-    name='BigEvents LLC', slug='bigevents'
-)
-year = now().year + 1
-event = Event.objects.create(
-    organizer=organizer, name='Demo Conference {}'.format(year),
-    slug=year, currency='EUR', live=True,
-    date_from=datetime(year, 9, 4, 17, 0, 0),
-    date_to=datetime(year, 9, 6, 17, 0, 0),
-)
-t = Team.objects.get_or_create(
-    organizer=organizer, name='Admin Team',
-    all_events=True, can_create_events=True, can_change_teams=True,
-    can_change_organizer_settings=True, can_change_event_settings=True, can_change_items=True,
-    can_view_orders=True, can_change_orders=True, can_view_vouchers=True, can_change_vouchers=True
-)
-t[0].members.add(user)
-cat_tickets = ItemCategory.objects.create(
-    event=event, name='Tickets'
-)
-cat_merch = ItemCategory.objects.create(
-    event=event, name='Merchandise'
-)
-question = Question.objects.create(
-    event=event, question='Age',
-    type=Question.TYPE_NUMBER, required=False
-)
-tr19 = event.tax_rules.create(rate=19)
-item_ticket = Item.objects.create(
-    event=event, category=cat_tickets, name='Ticket',
-    default_price=23, tax_rule=tr19, admission=True
-)
-item_ticket.questions.add(question)
-item_shirt = Item.objects.create(
-    event=event, category=cat_merch, name='T-Shirt',
-    default_price=15, tax_rule=tr19
-)
-var_s = ItemVariation.objects.create(item=item_shirt, value='S')
-var_m = ItemVariation.objects.create(item=item_shirt, value='M')
-var_l = ItemVariation.objects.create(item=item_shirt, value='L')
-ticket_quota = Quota.objects.create(
-    event=event, name='Ticket quota', size=400,
-)
-ticket_quota.items.add(item_ticket)
-ticket_shirts = Quota.objects.create(
-    event=event, name='Shirt quota', size=200,
-)
-ticket_quota.items.add(item_shirt)
-ticket_quota.variations.add(var_s, var_m, var_l)

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "2.5.0"
+__version__ = "3.9.0.dev0"

src/pretix/api/auth/device.py

@@ -1,4 +1,5 @@
 from django.contrib.auth.models import AnonymousUser
+from django_scopes import scopes_disabled
 from rest_framework import exceptions
 from rest_framework.authentication import TokenAuthentication
 
@@ -12,14 +13,15 @@ class DeviceTokenAuthentication(TokenAuthentication):
     def authenticate_credentials(self, key):
         model = self.get_model()
         try:
-            device = model.objects.select_related('organizer').get(api_token=key)
+            with scopes_disabled():
+                device = model.objects.select_related('organizer').get(api_token=key)
         except model.DoesNotExist:
             raise exceptions.AuthenticationFailed('Invalid token.')
 
         if not device.initialized:
             raise exceptions.AuthenticationFailed('Device has not been initialized.')
 
-        if not device.api_token:
+        if device.revoked:
             raise exceptions.AuthenticationFailed('Device access has been revoked.')
 
         return AnonymousUser(), device

src/pretix/api/auth/permission.py

@@ -1,8 +1,9 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.api.models import OAuthAccessToken
-from pretix.base.models import Device, Event
-from pretix.base.models.organizer import Organizer, TeamAPIToken
+from pretix.base.models import Device, Event, User
+from pretix.base.models.auth import SuperuserPermissionSet
+from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.security import (
     SessionInvalid, SessionReauthRequired, assert_session_valid,
 )
@@ -37,21 +38,24 @@ class EventPermission(BasePermission):
                 slug=request.resolver_match.kwargs['event'],
                 organizer__slug=request.resolver_match.kwargs['organizer'],
             ).select_related('organizer').first()
-            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event):
+            if not request.event or not perm_holder.has_event_permission(request.event.organizer, request.event, request=request):
                 return False
             request.organizer = request.event.organizer
-            request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.eventpermset = SuperuserPermissionSet()
+            else:
+                request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
 
             if required_permission and required_permission not in request.eventpermset:
                 return False
 
         elif 'organizer' in request.resolver_match.kwargs:
-            request.organizer = Organizer.objects.filter(
-                slug=request.resolver_match.kwargs['organizer'],
-            ).first()
-            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer):
+            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
                 return False
-            request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
+            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
+                request.orgapermset = SuperuserPermissionSet()
+            else:
+                request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
 
             if required_permission and required_permission not in request.orgapermset:
                 return False

src/pretix/api/middleware.py

@@ -0,0 +1,112 @@
+import json
+from hashlib import sha1
+
+from django.conf import settings
+from django.db import transaction
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.urls import resolve
+from django.utils.timezone import now
+from django_scopes import scope
+from rest_framework import status
+
+from pretix.api.models import ApiCall
+from pretix.base.models import Organizer
+
+
+class IdempotencyMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        if request.method in ('GET', 'HEAD', 'OPTIONS'):
+            return self.get_response(request)
+
+        if not request.path.startswith('/api/'):
+            return self.get_response(request)
+
+        if not request.headers.get('X-Idempotency-Key'):
+            return self.get_response(request)
+
+        auth_hash_parts = '{}:{}'.format(
+            request.headers.get('Authorization', ''),
+            request.COOKIES.get(settings.SESSION_COOKIE_NAME, '')
+        )
+        auth_hash = sha1(auth_hash_parts.encode()).hexdigest()
+        idempotency_key = request.headers.get('X-Idempotency-Key', '')
+
+        with transaction.atomic():
+            call, created = ApiCall.objects.select_for_update().get_or_create(
+                auth_hash=auth_hash,
+                idempotency_key=idempotency_key,
+                defaults={
+                    'locked': now(),
+                    'request_method': request.method,
+                    'request_path': request.path,
+                    'response_code': 0,
+                    'response_headers': '{}',
+                    'response_body': b''
+                }
+            )
+
+        if created:
+            resp = self.get_response(request)
+            with transaction.atomic():
+                if resp.status_code in (409, 429, 503):
+                    # This is the exception: These calls are *meant* to be retried!
+                    call.delete()
+                else:
+                    call.response_code = resp.status_code
+                    if isinstance(resp.content, str):
+                        call.response_body = resp.content.encode()
+                    elif isinstance(resp.content, memoryview):
+                        call.response_body = resp.content.tobytes()
+                    elif isinstance(resp.content, bytes):
+                        call.response_body = resp.content
+                    elif hasattr(resp.content, 'read'):
+                        call.response_body = resp.read()
+                    elif hasattr(resp, 'data'):
+                        call.response_body = json.dumps(resp.data)
+                    else:
+                        call.response_body = repr(resp).encode()
+                    call.response_headers = json.dumps(resp._headers)
+                    call.locked = None
+                    call.save(update_fields=['locked', 'response_code', 'response_headers',
+                                             'response_body'])
+            return resp
+        else:
+            if call.locked:
+                r = JsonResponse(
+                    {'detail': 'Concurrent request with idempotency key.'},
+                    status=status.HTTP_409_CONFLICT,
+                )
+                r['Retry-After'] = 5
+                return r
+
+            content = call.response_body
+            if isinstance(content, memoryview):
+                content = content.tobytes()
+            r = HttpResponse(
+                content=content,
+                status=call.response_code,
+            )
+            for k, v in json.loads(call.response_headers).values():
+                r[k] = v
+            return r
+
+
+class ApiScopeMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request: HttpRequest):
+        if not request.path.startswith('/api/'):
+            return self.get_response(request)
+
+        url = resolve(request.path_info)
+        if 'organizer' in url.kwargs:
+            request.organizer = Organizer.objects.filter(
+                slug=url.kwargs['organizer'],
+            ).first()
+
+        with scope(organizer=getattr(request, 'organizer', None)):
+            return self.get_response(request)

src/pretix/api/migrations/0004_auto_20190405_1048.py

@@ -0,0 +1,44 @@
+# Generated by Django 2.1.5 on 2019-04-05 10:48
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixbase', '0116_auto_20190402_0722'),
+        ('pretixapi', '0003_webhook_webhookcall_webhookeventlistener'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApiCall',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('idempotency_key', models.CharField(db_index=True, max_length=190)),
+                ('auth_hash', models.CharField(db_index=True, max_length=190)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('locked', models.DateTimeField(null=True)),
+                ('request_method', models.CharField(max_length=20)),
+                ('request_path', models.CharField(max_length=255)),
+                ('response_code', models.PositiveIntegerField()),
+                ('response_headers', models.TextField()),
+                ('response_body', models.BinaryField()),
+            ],
+        ),
+        migrations.AlterModelOptions(
+            name='webhookcall',
+            options={'ordering': ('-datetime',)},
+        ),
+        migrations.AlterModelOptions(
+            name='webhookeventlistener',
+            options={'ordering': ('action_type',)},
+        ),
+        migrations.AlterUniqueTogether(
+            name='apicall',
+            unique_together={('idempotency_key', 'auth_hash')},
+        ),
+    ]

src/pretix/api/migrations/0005_auto_20191028_1541.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.1 on 2019-10-28 15:41
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixapi', '0004_auto_20190405_1048'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='oauthgrant',
+            name='redirect_uri',
+            field=models.CharField(max_length=2500),
+        ),
+    ]

src/pretix/api/models.py

@@ -3,7 +3,7 @@ from datetime import timedelta
 from django.db import models
 from django.urls import reverse
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from oauth2_provider.generators import (
     generate_client_id, generate_client_secret,
 )
@@ -43,6 +43,7 @@ class OAuthGrant(AbstractGrant):
         OAuthApplication, on_delete=models.CASCADE
     )
     organizers = models.ManyToManyField('pretixbase.Organizer')
+    redirect_uri = models.CharField(max_length=2500)  # Only 255 in AbstractGrant, which caused problems
 
 
 class OAuthAccessToken(AbstractAccessToken):
@@ -77,6 +78,9 @@ class WebHook(models.Model):
     all_events = models.BooleanField(default=True, verbose_name=_("All events (including newly created ones)"))
     limit_events = models.ManyToManyField('pretixbase.Event', verbose_name=_("Limit to events"), blank=True)
 
+    class Meta:
+        ordering = ('id',)
+
     @property
     def action_types(self):
         return [
@@ -106,3 +110,20 @@ class WebHookCall(models.Model):
 
     class Meta:
         ordering = ("-datetime",)
+
+
+class ApiCall(models.Model):
+    idempotency_key = models.CharField(max_length=190, db_index=True)
+    auth_hash = models.CharField(max_length=190, db_index=True)
+    created = models.DateTimeField(auto_now_add=True)
+    locked = models.DateTimeField(null=True)
+
+    request_method = models.CharField(max_length=20)
+    request_path = models.CharField(max_length=255)
+
+    response_code = models.PositiveIntegerField()
+    response_headers = models.TextField()
+    response_body = models.BinaryField()
+
+    class Meta:
+        unique_together = (('idempotency_key', 'auth_hash'),)

src/pretix/api/serializers/cart.py

@@ -2,37 +2,40 @@ from datetime import timedelta
 
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy
+from django.utils.translation import gettext_lazy
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import (
-    AnswerCreateSerializer, AnswerSerializer,
+    AnswerCreateSerializer, AnswerSerializer, InlineSeatSerializer,
 )
-from pretix.base.models import Quota
+from pretix.base.models import Quota, Seat
 from pretix.base.models.orders import CartPosition
 
 
 class CartPositionSerializer(I18nAwareModelSerializer):
     answers = AnswerSerializer(many=True)
+    seat = InlineSeatSerializer()
 
     class Meta:
         model = CartPosition
         fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
                   'attendee_email', 'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
-                  'answers',)
+                  'answers', 'seat')
 
 
 class CartPositionCreateSerializer(I18nAwareModelSerializer):
     answers = AnswerCreateSerializer(many=True, required=False)
     expires = serializers.DateTimeField(required=False)
     attendee_name = serializers.CharField(required=False, allow_null=True)
+    seat = serializers.CharField(required=False, allow_null=True)
+    sales_channel = serializers.CharField(required=False, default='sales_channel')
 
     class Meta:
         model = CartPosition
         fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'subevent', 'expires', 'includes_tax', 'answers',)
+                  'subevent', 'expires', 'includes_tax', 'answers', 'seat', 'sales_channel')
 
     def create(self, validated_data):
         answers_data = validated_data.pop('answers')
@@ -53,7 +56,7 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                           else validated_data.get('item').quotas.filter(subevent=validated_data.get('subevent')))
             if len(new_quotas) == 0:
                 raise ValidationError(
-                    ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                    gettext_lazy('The product "{}" is not assigned to a quota.').format(
                         str(validated_data.get('item'))
                     )
                 )
@@ -61,8 +64,8 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                 avail = quota.availability()
                 if avail[0] != Quota.AVAILABILITY_OK or (avail[1] is not None and avail[1] < 1):
                     raise ValidationError(
-                        ugettext_lazy('There is not enough quota available on quota "{}" to perform '
-                                      'the operation.').format(
+                        gettext_lazy('There is not enough quota available on quota "{}" to perform '
+                                     'the operation.').format(
                             quota.name
                         )
                     )
@@ -71,6 +74,25 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                 validated_data['attendee_name_parts'] = {
                     '_legacy': attendee_name
                 }
+
+            seated = validated_data.get('item').seat_category_mappings.filter(subevent=validated_data.get('subevent')).exists()
+            if validated_data.get('seat'):
+                if not seated:
+                    raise ValidationError('The specified product does not allow to choose a seat.')
+                try:
+                    seat = self.context['event'].seats.get(seat_guid=validated_data['seat'], subevent=validated_data.get('subevent'))
+                except Seat.DoesNotExist:
+                    raise ValidationError('The specified seat does not exist.')
+                except Seat.MultipleObjectsReturned:
+                    raise ValidationError('The specified seat ID is not unique.')
+                else:
+                    validated_data['seat'] = seat
+                    if not seat.is_available(sales_channel=validated_data.get('sales_channel', 'web')):
+                        raise ValidationError(gettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name))
+            elif seated:
+                raise ValidationError('The specified product requires to choose a seat.')
+
+            validated_data.pop('sales_channel')
             cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
 
         for answ_data in answers_data:

src/pretix/api/serializers/checkin.py

@@ -1,8 +1,9 @@
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.channels import get_all_sales_channels
 from pretix.base.models import CheckinList
 
 
@@ -13,7 +14,7 @@ class CheckinListSerializer(I18nAwareModelSerializer):
     class Meta:
         model = CheckinList
         fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count',
-                  'include_pending')
+                  'include_pending', 'auto_checkin_sales_channels')
 
     def validate(self, data):
         data = super().validate(data)
@@ -35,4 +36,8 @@ class CheckinListSerializer(I18nAwareModelSerializer):
             if full_data.get('subevent'):
                 raise ValidationError(_('The subevent does not belong to this event.'))
 
+        for channel in full_data.get('auto_checkin_sales_channels') or []:
+            if channel not in get_all_sales_channels():
+                raise ValidationError(_('Unknown sales channel.'))
+
         return data

src/pretix/api/serializers/event.py

@@ -2,15 +2,23 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.utils.functional import cached_property
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django_countries.serializers import CountryFieldMixin
-from rest_framework.fields import Field
+from hierarkey.proxy import HierarkeyProxy
+from pytz import common_timezones
+from rest_framework import serializers
+from rest_framework.fields import ChoiceField, Field
 from rest_framework.relations import SlugRelatedField
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Event, TaxRule
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import SubEventItem, SubEventItemVariation
+from pretix.base.services.seating import (
+    SeatProtected, generate_seats, validate_plan_change,
+)
+from pretix.base.settings import DEFAULTS, validate_settings
+from pretix.base.signals import api_event_settings_fields
 
 
 class MetaDataField(Field):
@@ -26,15 +34,44 @@ class MetaDataField(Field):
         }
 
 
+class MetaPropertyField(Field):
+
+    def to_representation(self, value):
+        return {
+            v.name: v.default for v in value.item_meta_properties.all()
+        }
+
+    def to_internal_value(self, data):
+        return {
+            'item_meta_properties': data
+        }
+
+
+class SeatCategoryMappingField(Field):
+
+    def to_representation(self, value):
+        qs = value.seat_category_mappings.all()
+        if isinstance(value, Event):
+            qs = qs.filter(subevent=None)
+        return {
+            v.layout_category: v.product_id for v in qs
+        }
+
+    def to_internal_value(self, data):
+        return {
+            'seat_category_mapping': data or {}
+        }
+
+
 class PluginsField(Field):
 
     def to_representation(self, obj):
         from pretix.base.plugins import get_all_plugins
 
-        return {
+        return sorted([
             p.module for p in get_all_plugins()
             if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
-        }
+        ])
 
     def to_internal_value(self, data):
         return {
@@ -42,15 +79,28 @@ class PluginsField(Field):
         }
 
 
+class TimeZoneField(ChoiceField):
+    def get_attribute(self, instance):
+        return instance.cache.get_or_set(
+            'timezone_name',
+            lambda: instance.settings.timezone,
+            3600
+        )
+
+
 class EventSerializer(I18nAwareModelSerializer):
     meta_data = MetaDataField(required=False, source='*')
+    item_meta_properties = MetaPropertyField(required=False, source='*')
     plugins = PluginsField(required=False, source='*')
+    seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
+    timezone = TimeZoneField(required=False, choices=[(a, a) for a in common_timezones])
 
     class Meta:
         model = Event
         fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                   'date_to', 'date_admission', 'is_public', 'presale_start',
-                  'presale_end', 'location', 'has_subevents', 'meta_data', 'plugins')
+                  'presale_end', 'location', 'geo_lat', 'geo_lon', 'has_subevents', 'meta_data', 'seating_plan',
+                  'plugins', 'seat_category_mapping', 'timezone', 'item_meta_properties')
 
     def validate(self, data):
         data = super().validate(data)
@@ -61,6 +111,9 @@ class EventSerializer(I18nAwareModelSerializer):
         Event.clean_dates(data.get('date_from'), data.get('date_to'))
         Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
 
+        if full_data.get('has_subevents') and full_data.get('seating_plan'):
+            raise ValidationError('Event series should not directly be assigned a seating plan.')
+
         return data
 
     def validate_has_subevents(self, value):
@@ -92,6 +145,36 @@ class EventSerializer(I18nAwareModelSerializer):
                 raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
         return value
 
+    @cached_property
+    def item_meta_props(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
+    def validate_seating_plan(self, value):
+        if value and value.organizer != self.context['request'].organizer:
+            raise ValidationError('Invalid seating plan.')
+        if self.instance and self.instance.pk:
+            try:
+                validate_plan_change(self.instance, None, value)
+            except SeatProtected as e:
+                raise ValidationError(str(e))
+        return value
+
+    def validate_seat_category_mapping(self, value):
+        if not self.instance or not self.instance.pk:
+            if value and value['seat_category_mapping']:
+                raise ValidationError('You cannot specify seat category mappings on event creation.')
+            else:
+                return {'seat_category_mapping': {}}
+        item_cache = {i.pk: i for i in self.instance.items.all()}
+        result = {}
+        for k, item in value['seat_category_mapping'].items():
+            if item not in item_cache:
+                raise ValidationError('Item \'{id}\' does not exist.'.format(id=item))
+            result[k] = item_cache[item]
+        return {'seat_category_mapping': result}
+
     def validate_plugins(self, value):
         from pretix.base.plugins import get_all_plugins
 
@@ -109,9 +192,15 @@ class EventSerializer(I18nAwareModelSerializer):
     @transaction.atomic
     def create(self, validated_data):
         meta_data = validated_data.pop('meta_data', None)
+        item_meta_properties = validated_data.pop('item_meta_properties', None)
+        validated_data.pop('seat_category_mapping', None)
         plugins = validated_data.pop('plugins', settings.PRETIX_PLUGINS_DEFAULT.split(','))
+        tz = validated_data.pop('timezone', None)
         event = super().create(validated_data)
 
+        if tz:
+            event.settings.timezone = tz
+
         # Meta data
         if meta_data is not None:
             for key, value in meta_data.items():
@@ -120,6 +209,19 @@ class EventSerializer(I18nAwareModelSerializer):
                     value=value
                 )
 
+        # Item Meta properties
+        if item_meta_properties is not None:
+            for key, value in item_meta_properties.items():
+                event.item_meta_properties.create(
+                    name=key,
+                    default=value,
+                    event=event
+                )
+
+        # Seats
+        if event.seating_plan:
+            generate_seats(event, None, event.seating_plan, {})
+
         # Plugins
         if plugins is not None:
             event.set_active_plugins(plugins)
@@ -130,9 +232,15 @@ class EventSerializer(I18nAwareModelSerializer):
     @transaction.atomic
     def update(self, instance, validated_data):
         meta_data = validated_data.pop('meta_data', None)
+        item_meta_properties = validated_data.pop('item_meta_properties', None)
         plugins = validated_data.pop('plugins', None)
+        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
+        tz = validated_data.pop('timezone', None)
         event = super().update(instance, validated_data)
 
+        if tz:
+            event.settings.timezone = tz
+
         # Meta data
         if meta_data is not None:
             current = {mv.property: mv for mv in event.meta_values.select_related('property')}
@@ -151,6 +259,49 @@ class EventSerializer(I18nAwareModelSerializer):
                 if prop.name not in meta_data:
                     current_object.delete()
 
+        # Item Meta properties
+        if item_meta_properties is not None:
+            current = [imp for imp in event.item_meta_properties.all()]
+            for key, value in item_meta_properties.items():
+                prop = self.item_meta_props.get(key)
+                if prop in current:
+                    prop.default = value
+                    prop.save()
+                else:
+                    prop = event.item_meta_properties.create(
+                        name=key,
+                        default=value,
+                        event=event
+                    )
+                    current.append(prop)
+
+            for prop in current:
+                if prop.name not in list(item_meta_properties.keys()):
+                    prop.delete()
+
+        # Seats
+        if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
+            current_mappings = {
+                m.layout_category: m
+                for m in event.seat_category_mappings.filter(subevent=None)
+            }
+            if not event.seating_plan:
+                seat_category_mapping = {}
+            for key, value in seat_category_mapping.items():
+                if key in current_mappings:
+                    m = current_mappings.pop(key)
+                    m.product = value
+                    m.save()
+                else:
+                    event.seat_category_mappings.create(product=value, layout_category=key)
+            for m in current_mappings.values():
+                m.delete()
+        if 'seating_plan' in validated_data or seat_category_mapping is not None:
+            generate_seats(event, None, event.seating_plan, {
+                m.layout_category: m.product
+                for m in event.seat_category_mappings.select_related('product').filter(subevent=None)
+            })
+
         # Plugins
         if plugins is not None:
             event.set_active_plugins(plugins)
@@ -164,6 +315,9 @@ class CloneEventSerializer(EventSerializer):
     def create(self, validated_data):
         plugins = validated_data.pop('plugins', None)
         is_public = validated_data.pop('is_public', None)
+        testmode = validated_data.pop('testmode', None)
+        has_subevents = validated_data.pop('has_subevents', None)
+        tz = validated_data.pop('timezone', None)
         new_event = super().create(validated_data)
 
         event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
@@ -173,7 +327,13 @@ class CloneEventSerializer(EventSerializer):
             new_event.set_active_plugins(plugins)
         if is_public is not None:
             new_event.is_public = is_public
+        if testmode is not None:
+            new_event.testmode = testmode
+        if has_subevents is not None:
+            new_event.has_subevents = has_subevents
         new_event.save()
+        if tz:
+            new_event.settings.timezone = tz
 
         return new_event
 
@@ -191,19 +351,311 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):
 
 
 class SubEventSerializer(I18nAwareModelSerializer):
-    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True)
-    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True)
+    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True, required=False)
+    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True, required=False)
+    seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
     event = SlugRelatedField(slug_field='slug', read_only=True)
     meta_data = MetaDataField(source='*')
 
     class Meta:
         model = SubEvent
         fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
-                  'presale_start', 'presale_end', 'location', 'event',
-                  'item_price_overrides', 'variation_price_overrides', 'meta_data')
+                  'presale_start', 'presale_end', 'location', 'geo_lat', 'geo_lon', 'event', 'is_public',
+                  'seating_plan', 'item_price_overrides', 'variation_price_overrides', 'meta_data',
+                  'seat_category_mapping')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['request'].event
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Event.clean_dates(data.get('date_from'), data.get('date_to'))
+        Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
+
+        SubEvent.clean_items(event, [item['item'] for item in full_data.get('subeventitem_set', [])])
+        SubEvent.clean_variations(event, [item['variation'] for item in full_data.get('subeventitemvariation_set', [])])
+        return data
+
+    def validate_item_price_overrides(self, data):
+        return list(filter(lambda i: 'item' in i, data))
+
+    def validate_variation_price_overrides(self, data):
+        return list(filter(lambda i: 'variation' in i, data))
+
+    def validate_seating_plan(self, value):
+        if value and value.organizer != self.context['request'].organizer:
+            raise ValidationError('Invalid seating plan.')
+        if self.instance and self.instance.pk:
+            try:
+                validate_plan_change(self.context['request'].event, self.instance, value)
+            except SeatProtected as e:
+                raise ValidationError(str(e))
+        return value
+
+    def validate_seat_category_mapping(self, value):
+        item_cache = {i.pk: i for i in self.context['request'].event.items.all()}
+        result = {}
+        for k, item in value['seat_category_mapping'].items():
+            if item not in item_cache:
+                raise ValidationError('Item \'{id}\' does not exist.'.format(id=item))
+            result[k] = item_cache[item]
+        return {'seat_category_mapping': result}
+
+    @cached_property
+    def meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].organizer.meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.meta_properties:
+                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
+        subevent = super().create(validated_data)
+
+        for item_price_override_data in item_price_overrides_data:
+            SubEventItem.objects.create(subevent=subevent, **item_price_override_data)
+        for variation_price_override_data in variation_price_overrides_data:
+            SubEventItemVariation.objects.create(subevent=subevent, **variation_price_override_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                subevent.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )
+
+        # Seats
+        if subevent.seating_plan:
+            if seat_category_mapping is not None:
+                for key, value in seat_category_mapping.items():
+                    self.context['request'].event.seat_category_mappings.create(
+                        product=value, layout_category=key, subevent=subevent
+                    )
+            generate_seats(self.context['request'].event, subevent, subevent.seating_plan, {
+                m.layout_category: m.product
+                for m in self.context['request'].event.seat_category_mappings.select_related('product').filter(subevent=subevent)
+            })
+
+        return subevent
+
+    @transaction.atomic
+    def update(self, instance, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
+        subevent = super().update(instance, validated_data)
+
+        existing_item_overrides = {item.item: item.id for item in SubEventItem.objects.filter(subevent=subevent)}
+
+        for item_price_override_data in item_price_overrides_data:
+            id = existing_item_overrides.pop(item_price_override_data['item'], None)
+            SubEventItem(id=id, subevent=subevent, **item_price_override_data).save()
+
+        SubEventItem.objects.filter(id__in=existing_item_overrides.values()).delete()
+
+        existing_variation_overrides = {item.variation: item.id for item in SubEventItemVariation.objects.filter(subevent=subevent)}
+
+        for variation_price_override_data in variation_price_overrides_data:
+            id = existing_variation_overrides.pop(variation_price_override_data['variation'], None)
+            SubEventItemVariation(id=id, subevent=subevent, **variation_price_override_data).save()
+
+        SubEventItemVariation.objects.filter(id__in=existing_variation_overrides.values()).delete()
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in subevent.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    subevent.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        # Seats
+        if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
+            current_mappings = {
+                m.layout_category: m
+                for m in self.context['request'].event.seat_category_mappings.filter(subevent=subevent)
+            }
+            if not subevent.seating_plan:
+                seat_category_mapping = {}
+            for key, value in seat_category_mapping.items():
+                if key in current_mappings:
+                    m = current_mappings.pop(key)
+                    m.product = value
+                    m.save()
+                else:
+                    self.context['request'].event.seat_category_mappings.create(
+                        product=value, layout_category=key, subevent=subevent
+                    )
+            for m in current_mappings.values():
+                m.delete()
+        if 'seating_plan' in validated_data or seat_category_mapping is not None:
+            generate_seats(self.context['request'].event, subevent, subevent.seating_plan, {
+                m.layout_category: m.product
+                for m in self.context['request'].event.seat_category_mappings.select_related('product').filter(subevent=subevent)
+            })
+
+        return subevent
 
 
 class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
     class Meta:
         model = TaxRule
         fields = ('id', 'name', 'rate', 'price_includes_tax', 'eu_reverse_charge', 'home_country')
+
+
+class EventSettingsSerializer(serializers.Serializer):
+    default_fields = [
+        'imprint_url',
+        'checkout_email_helptext',
+        'presale_has_ended_text',
+        'voucher_explanation_text',
+        'banner_text',
+        'banner_text_bottom',
+        'show_dates_on_frontpage',
+        'show_date_to',
+        'show_times',
+        'show_items_outside_presale_period',
+        'display_net_prices',
+        'presale_start_show_date',
+        'locales',
+        'locale',
+        'last_order_modification_date',
+        'show_quota_left',
+        'waiting_list_enabled',
+        'waiting_list_hours',
+        'waiting_list_auto',
+        'max_items_per_order',
+        'reservation_time',
+        'contact_mail',
+        'show_variations_expanded',
+        'hide_sold_out',
+        'meta_noindex',
+        'redirect_to_checkout_directly',
+        'frontpage_subevent_ordering',
+        'frontpage_text',
+        'attendee_names_asked',
+        'attendee_names_required',
+        'attendee_emails_asked',
+        'attendee_emails_required',
+        'attendee_addresses_asked',
+        'attendee_addresses_required',
+        'attendee_company_asked',
+        'attendee_company_required',
+        'confirm_text',
+        'order_email_asked_twice',
+        'payment_term_days',
+        'payment_term_last',
+        'payment_term_weekdays',
+        'payment_term_expire_automatically',
+        'payment_term_accept_late',
+        'payment_explanation',
+        'ticket_download',
+        'ticket_download_date',
+        'ticket_download_addons',
+        'ticket_download_nonadm',
+        'ticket_download_pending',
+        'mail_prefix',
+        'mail_from',
+        'mail_from_name',
+        'mail_attach_ical',
+        'invoice_address_asked',
+        'invoice_address_required',
+        'invoice_address_vatid',
+        'invoice_address_company_required',
+        'invoice_address_beneficiary',
+        'invoice_address_custom_field',
+        'invoice_name_required',
+        'invoice_address_not_asked_free',
+        'invoice_show_payments',
+        'invoice_reissue_after_modify',
+        'invoice_include_free',
+        'invoice_generate',
+        'invoice_numbers_consecutive',
+        'invoice_numbers_prefix',
+        'invoice_numbers_prefix_cancellations',
+        'invoice_attendee_name',
+        'invoice_include_expire_date',
+        'invoice_address_explanation_text',
+        'invoice_email_attachment',
+        'invoice_address_from_name',
+        'invoice_address_from',
+        'invoice_address_from_zipcode',
+        'invoice_address_from_city',
+        'invoice_address_from_country',
+        'invoice_address_from_tax_id',
+        'invoice_address_from_vat_id',
+        'invoice_introductory_text',
+        'invoice_additional_text',
+        'invoice_footer_text',
+        'cancel_allow_user',
+        'cancel_allow_user_until',
+        'cancel_allow_user_paid',
+        'cancel_allow_user_paid_until',
+        'cancel_allow_user_paid_keep',
+        'cancel_allow_user_paid_keep_fees',
+        'cancel_allow_user_paid_keep_percentage',
+        'cancel_allow_user_paid_adjust_fees',
+        'cancel_allow_user_paid_adjust_fees_explanation',
+        'cancel_allow_user_paid_refund_as_giftcard',
+        'cancel_allow_user_paid_require_approval',
+    ]
+
+    def __init__(self, *args, **kwargs):
+        self.event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        for fname in self.default_fields:
+            kwargs = DEFAULTS[fname].get('serializer_kwargs', {})
+            kwargs.setdefault('required', False)
+            kwargs.setdefault('allow_null', True)
+            form_kwargs = DEFAULTS[fname].get('form_kwargs', {})
+            if 'serializer_class' not in DEFAULTS[fname]:
+                raise ValidationError('{} has no serializer class'.format(fname))
+            f = DEFAULTS[fname]['serializer_class'](
+                **kwargs
+            )
+            f._label = form_kwargs.get('label', fname)
+            f._help_text = form_kwargs.get('help_text')
+            self.fields[fname] = f
+
+        for recv, resp in api_event_settings_fields.send(sender=self.event):
+            for fname, field in resp.items():
+                field.required = False
+                self.fields[fname] = field
+
+    def update(self, instance: HierarkeyProxy, validated_data):
+        for attr, value in validated_data.items():
+            if value is None:
+                instance.delete(attr)
+            elif instance.get(attr, as_type=type(value)) != value:
+                instance.set(attr, value)
+        return instance
+
+    def validate(self, data):
+        data = super().validate(data)
+        settings_dict = self.instance.freeze()
+        settings_dict.update(data)
+        validate_settings(self.event, settings_dict)
+        return data

src/pretix/api/serializers/fields.py

@@ -0,0 +1,29 @@
+from collections import OrderedDict
+
+from rest_framework import serializers
+
+
+def remove_duplicates_from_list(data):
+    return list(OrderedDict.fromkeys(data))
+
+
+class ListMultipleChoiceField(serializers.MultipleChoiceField):
+    def to_internal_value(self, data):
+        if isinstance(data, str) or not hasattr(data, '__iter__'):
+            self.fail('not_a_list', input_type=type(data).__name__)
+        if not self.allow_empty and len(data) == 0:
+            self.fail('empty')
+
+        internal_value_data = [
+            super(serializers.MultipleChoiceField, self).to_internal_value(item)
+            for item in data
+        ]
+
+        return remove_duplicates_from_list(internal_value_data)
+
+    def to_representation(self, value):
+        representation_data = [
+            self.choice_strings_to_values.get(str(item), item) for item in value
+        ]
+
+        return remove_duplicates_from_list(representation_data)

src/pretix/api/serializers/item.py

@@ -2,28 +2,43 @@ from decimal import Decimal
 
 from django.core.exceptions import ValidationError
 from django.db import transaction
-from django.utils.translation import ugettext_lazy as _
+from django.utils.functional import cached_property
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
+from pretix.api.serializers.event import MetaDataField
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue, ItemVariation,
+    Question, QuestionOption, Quota,
 )
 
 
 class InlineItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
     class Meta:
         model = ItemVariation
         fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')
 
 
 class ItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
     class Meta:
         model = ItemVariation
         fields = ('id', 'value', 'active', 'description',
-                  'position', 'default_price', 'price')
+                  'position', 'default_price', 'price', 'original_price')
+
+
+class InlineItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('bundled_item', 'bundled_variation', 'count',
+                  'designated_price')
 
 
 class InlineItemAddOnSerializer(serializers.ModelSerializer):
@@ -33,6 +48,31 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
                   'position', 'price_included')
 
 
+class ItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('id', 'bundled_item', 'bundled_variation', 'count',
+                  'designated_price')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        ItemBundle.clean_itemvar(event, full_data.get('bundled_item'), full_data.get('bundled_variation'))
+
+        item = self.context['item']
+        if item == full_data.get('bundled_item'):
+            raise ValidationError(_("The bundled item must not be the same item as the bundling one."))
+        if full_data.get('bundled_item'):
+            if full_data['bundled_item'].bundles.exists():
+                raise ValidationError(_("The bundled item must not have bundles on its own."))
+
+        return data
+
+
 class ItemAddOnSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemAddOn
@@ -69,31 +109,42 @@ class ItemTaxRateField(serializers.Field):
 
 class ItemSerializer(I18nAwareModelSerializer):
     addons = InlineItemAddOnSerializer(many=True, required=False)
+    bundles = InlineItemBundleSerializer(many=True, required=False)
     variations = InlineItemVariationSerializer(many=True, required=False)
     tax_rate = ItemTaxRateField(source='*', read_only=True)
+    meta_data = MetaDataField(required=False, source='*')
 
     class Meta:
         model = Item
         fields = ('id', 'category', 'name', 'internal_name', 'active', 'sales_channels', 'description',
                   'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
                   'position', 'picture', 'available_from', 'available_until',
-                  'require_voucher', 'hide_without_voucher', 'allow_cancel',
-                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations',
-                  'variations', 'addons', 'original_price', 'require_approval', 'generate_tickets')
+                  'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
+                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
+                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets',
+                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard', 'meta_data')
         read_only_fields = ('has_variations', 'picture')
 
-    def get_serializer_context(self):
-        return {"has_variations": self.kwargs['has_variations']}
-
     def validate(self, data):
         data = super().validate(data)
-        if self.instance and ('addons' in data or 'variations' in data):
-            raise ValidationError(_('Updating add-ons or variations via PATCH/PUT is not supported. Please use the '
+        if self.instance and ('addons' in data or 'variations' in data or 'bundles' in data):
+            raise ValidationError(_('Updating add-ons, bundles, or variations via PATCH/PUT is not supported. Please use the '
                                     'dedicated nested endpoint.'))
 
         Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
         Item.clean_available(data.get('available_from'), data.get('available_until'))
 
+        if data.get('issue_giftcard'):
+            if data.get('tax_rule') and data.get('tax_rule').rate > 0:
+                raise ValidationError(
+                    _("Gift card products should not be associated with non-zero tax rates since sales tax will be "
+                      "applied when the gift card is redeemed.")
+                )
+            if data.get('admission'):
+                raise ValidationError(_(
+                    "Gift card products should not be admission products at the same time."
+                ))
+
         return data
 
     def validate_category(self, value):
@@ -104,6 +155,12 @@ class ItemSerializer(I18nAwareModelSerializer):
         Item.clean_tax_rule(value, self.context['event'])
         return value
 
+    def validate_bundles(self, value):
+        if not self.instance:
+            for b_data in value:
+                ItemBundle.clean_itemvar(self.context['event'], b_data['bundled_item'], b_data['bundled_variation'])
+        return value
+
     def validate_addons(self, value):
         if not self.instance:
             for addon_data in value:
@@ -113,15 +170,65 @@ class ItemSerializer(I18nAwareModelSerializer):
                 ItemAddOn.clean_max_min_count(addon_data['max_count'], addon_data['min_count'])
         return value
 
+    @cached_property
+    def item_meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
     @transaction.atomic
     def create(self, validated_data):
         variations_data = validated_data.pop('variations') if 'variations' in validated_data else {}
         addons_data = validated_data.pop('addons') if 'addons' in validated_data else {}
+        bundles_data = validated_data.pop('bundles') if 'bundles' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
         item = Item.objects.create(**validated_data)
+
         for variation_data in variations_data:
             ItemVariation.objects.create(item=item, **variation_data)
         for addon_data in addons_data:
             ItemAddOn.objects.create(base_item=item, **addon_data)
+        for bundle_data in bundles_data:
+            ItemBundle.objects.create(base_item=item, **bundle_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                ItemMetaValue.objects.create(
+                    property=self.item_meta_properties.get(key),
+                    value=value,
+                    item=item
+                )
+        return item
+
+    def update(self, instance, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        item = super().update(instance, validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in item.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.item_meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    item.meta_values.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
         return item
 
 
@@ -152,19 +259,38 @@ class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
         fields = ('id', 'identifier', 'answer', 'position')
 
 
+class LegacyDependencyValueField(serializers.CharField):
+
+    def to_representation(self, obj):
+        return obj[0] if obj else None
+
+    def to_internal_value(self, data):
+        return [data] if data else []
+
+
 class QuestionSerializer(I18nAwareModelSerializer):
     options = InlineQuestionOptionSerializer(many=True, required=False)
     identifier = serializers.CharField(allow_null=True)
+    dependency_value = LegacyDependencyValueField(source='dependency_values', required=False, allow_null=True)
 
     class Meta:
         model = Question
         fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin', 'identifier')
+                  'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_values',
+                  'hidden', 'dependency_value', 'print_on_invoice', 'help_text')
 
     def validate_identifier(self, value):
         Question._clean_identifier(self.context['event'], value, self.instance)
         return value
 
+    def validate_dependency_question(self, value):
+        if value:
+            if value.type not in (Question.TYPE_CHOICE, Question.TYPE_BOOLEAN, Question.TYPE_CHOICE_MULTIPLE):
+                raise ValidationError('Question dependencies can only be set to boolean or choice questions.')
+            if value == self.instance:
+                raise ValidationError('A question cannot depend on itself.')
+        return value
+
     def validate(self, data):
         data = super().validate(data)
         if self.instance and 'options' in data:
@@ -176,6 +302,24 @@ class QuestionSerializer(I18nAwareModelSerializer):
         full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
         full_data.update(data)
 
+        if full_data.get('ask_during_checkin') and full_data.get('dependency_question'):
+            raise ValidationError('Dependencies are not supported during check-in.')
+
+        dep = full_data.get('dependency_question')
+        if dep:
+            if dep.ask_during_checkin:
+                raise ValidationError(_('Question cannot depend on a question asked during check-in.'))
+
+            seen_ids = {self.instance.pk} if self.instance else set()
+            while dep:
+                if dep.pk in seen_ids:
+                    raise ValidationError(_('Circular dependency between questions detected.'))
+                seen_ids.add(dep.pk)
+                dep = dep.dependency_question
+
+        if full_data.get('ask_during_checkin') and full_data.get('type') in Question.ASK_DURING_CHECKIN_UNSUPPORTED:
+            raise ValidationError(_('This type of question cannot be asked during check-in.'))
+
         Question.clean_items(event, full_data.get('items'))
         return data
 
@@ -193,6 +337,7 @@ class QuestionSerializer(I18nAwareModelSerializer):
     def create(self, validated_data):
         options_data = validated_data.pop('options') if 'options' in validated_data else []
         items = validated_data.pop('items')
+
         question = Question.objects.create(**validated_data)
         question.items.set(items)
         for opt_data in options_data:
@@ -204,7 +349,7 @@ class QuotaSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = Quota
-        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent')
+        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent', 'closed', 'close_when_sold_out')
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/order.py

@@ -1,9 +1,11 @@
 import json
-from collections import Counter
+from collections import Counter, defaultdict
 from decimal import Decimal
 
+import pycountry
+from django.db.models import F, Q
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy
+from django.utils.translation import gettext_lazy
 from django_countries.fields import Country
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
@@ -12,16 +14,22 @@ from rest_framework.reverse import reverse
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
+from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.models import (
-    Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
-    Question, QuestionAnswer,
+    Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
+    OrderPosition, Question, QuestionAnswer, Seat, SubEvent, TaxRule, Voucher,
 )
 from pretix.base.models.orders import (
     CartPosition, OrderFee, OrderPayment, OrderRefund,
 )
 from pretix.base.pdf import get_variables
+from pretix.base.services.cart import error_messages
+from pretix.base.services.locking import NoLockManager
+from pretix.base.services.pricing import get_price
+from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
 from pretix.base.signals import register_ticket_outputs
+from pretix.multidomain.urlreverse import build_absolute_uri
 
 
 class CompatibleCountryField(serializers.Field):
@@ -31,7 +39,7 @@ class CompatibleCountryField(serializers.Field):
     def to_representation(self, instance: InvoiceAddress):
         if instance.country:
             return str(instance.country)
-        else:
+        elif hasattr(instance, 'country_old'):
             return instance.country_old
 
 
@@ -42,8 +50,8 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
     class Meta:
         model = InvoiceAddress
         fields = ('last_modified', 'is_business', 'company', 'name', 'name_parts', 'street', 'zipcode', 'city', 'country',
-                  'vat_id', 'vat_id_validated', 'internal_reference')
-        read_only_fields = ('last_modified', 'vat_id_validated')
+                  'state', 'vat_id', 'vat_id_validated', 'internal_reference')
+        read_only_fields = ('last_modified',)
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -58,6 +66,24 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
             )
         if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
             data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
+
+        if data.get('country'):
+            if not pycountry.countries.get(alpha_2=data.get('country')):
+                raise ValidationError(
+                    {'country': ['Invalid country code.']}
+                )
+
+        if data.get('state'):
+            cc = str(data.get('country') or self.instance.country or '')
+            if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
+                raise ValidationError(
+                    {'state': ['States are not supported in country "{}".'.format(cc)]}
+                )
+            if not pycountry.subdivisions.get(code=cc + '-' + data.get('state')):
+                raise ValidationError(
+                    {'state': ['"{}" is not a known subdivision of the country "{}".'.format(data.get('state'), cc)]}
+                )
+
         return data
 
 
@@ -71,9 +97,22 @@ class AnswerQuestionOptionsIdentifierField(serializers.Field):
         return [o.identifier for o in instance.options.all()]
 
 
+class AnswerQuestionOptionsField(serializers.Field):
+    def to_representation(self, instance: QuestionAnswer):
+        return [o.pk for o in instance.options.all()]
+
+
+class InlineSeatSerializer(I18nAwareModelSerializer):
+
+    class Meta:
+        model = Seat
+        fields = ('id', 'name', 'seat_guid')
+
+
 class AnswerSerializer(I18nAwareModelSerializer):
     question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
     option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
+    options = AnswerQuestionOptionsField(source='*', read_only=True)
 
     class Meta:
         model = QuestionAnswer
@@ -83,7 +122,7 @@ class AnswerSerializer(I18nAwareModelSerializer):
 class CheckinSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Checkin
-        fields = ('datetime', 'list')
+        fields = ('datetime', 'list', 'auto_checked_in')
 
 
 class OrderDownloadsField(serializers.Field):
@@ -157,6 +196,11 @@ class PdfDataSerializer(serializers.Field):
             for k, v in ev._cached_meta_data.items():
                 res['meta:' + k] = v
 
+            if not hasattr(instance.item, '_cached_meta_data'):
+                instance.item._cached_meta_data = instance.item.meta_data
+            for k, v in instance.item._cached_meta_data.items():
+                res['itemmeta:' + k] = v
+
         return res
 
 
@@ -166,12 +210,15 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
     downloads = PositionDownloadsField(source='*')
     order = serializers.SlugRelatedField(slug_field='code', read_only=True)
     pdf_data = PdfDataSerializer(source='*')
+    seat = InlineSeatSerializer(read_only=True)
+    country = CompatibleCountryField(source='*')
 
     class Meta:
         model = OrderPosition
         fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'company', 'street', 'zipcode', 'city', 'country', 'state',
                   'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
-                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'canceled')
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -179,6 +226,55 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
             self.fields.pop('pdf_data')
 
 
+class RequireAttentionField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        return instance.order.checkin_attention or instance.item.checkin_attention
+
+
+class AttendeeNameField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+        if not an:
+            try:
+                an = instance.order.invoice_address.name
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return an
+
+
+class AttendeeNamePartsField(serializers.Field):
+    def to_representation(self, instance: OrderPosition):
+        an = instance.attendee_name
+        p = instance.attendee_name_parts
+        if not an:
+            if instance.addon_to_id:
+                an = instance.addon_to.attendee_name
+                p = instance.addon_to.attendee_name_parts
+        if not an:
+            try:
+                p = instance.order.invoice_address.name_parts
+            except InvoiceAddress.DoesNotExist:
+                pass
+        return p
+
+
+class CheckinListOrderPositionSerializer(OrderPositionSerializer):
+    require_attention = RequireAttentionField(source='*')
+    attendee_name = AttendeeNameField(source='*')
+    attendee_name_parts = AttendeeNamePartsField(source='*')
+    order__status = serializers.SlugRelatedField(read_only=True, slug_field='status', source='order')
+
+    class Meta:
+        model = OrderPosition
+        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'require_attention',
+                  'order__status')
+
+
 class OrderPaymentTypeField(serializers.Field):
     # TODO: Remove after pretix 2.2
     def to_representation(self, instance: Order):
@@ -202,13 +298,36 @@ class OrderPaymentDateField(serializers.DateField):
 class OrderFeeSerializer(I18nAwareModelSerializer):
     class Meta:
         model = OrderFee
-        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule')
+        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule', 'canceled')
+
+
+class PaymentURLField(serializers.URLField):
+    def to_representation(self, instance: OrderPayment):
+        if instance.state != OrderPayment.PAYMENT_STATE_CREATED:
+            return None
+        return build_absolute_uri(self.context['event'], 'presale:event.order.pay', kwargs={
+            'order': instance.order.code,
+            'secret': instance.order.secret,
+            'payment': instance.pk,
+        })
+
+
+class PaymentDetailsField(serializers.Field):
+    def to_representation(self, value: OrderPayment):
+        pp = value.payment_provider
+        if not pp:
+            return {}
+        return pp.api_payment_details(value)
 
 
 class OrderPaymentSerializer(I18nAwareModelSerializer):
+    payment_url = PaymentURLField(source='*', allow_null=True, read_only=True)
+    details = PaymentDetailsField(source='*', allow_null=True, read_only=True)
+
     class Meta:
         model = OrderPayment
-        fields = ('local_id', 'state', 'amount', 'created', 'payment_date', 'provider')
+        fields = ('local_id', 'state', 'amount', 'created', 'payment_date', 'provider', 'payment_url',
+                  'details')
 
 
 class OrderRefundSerializer(I18nAwareModelSerializer):
@@ -219,27 +338,100 @@ class OrderRefundSerializer(I18nAwareModelSerializer):
         fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'provider')
 
 
+class OrderURLField(serializers.URLField):
+    def to_representation(self, instance: Order):
+        return build_absolute_uri(self.context['event'], 'presale:event.order', kwargs={
+            'order': instance.code,
+            'secret': instance.secret,
+        })
+
+
 class OrderSerializer(I18nAwareModelSerializer):
-    invoice_address = InvoiceAddressSerializer()
-    positions = OrderPositionSerializer(many=True)
-    fees = OrderFeeSerializer(many=True)
-    downloads = OrderDownloadsField(source='*')
-    payments = OrderPaymentSerializer(many=True)
-    refunds = OrderRefundSerializer(many=True)
-    payment_date = OrderPaymentDateField(source='*')
-    payment_provider = OrderPaymentTypeField(source='*')
+    invoice_address = InvoiceAddressSerializer(allow_null=True)
+    positions = OrderPositionSerializer(many=True, read_only=True)
+    fees = OrderFeeSerializer(many=True, read_only=True)
+    downloads = OrderDownloadsField(source='*', read_only=True)
+    payments = OrderPaymentSerializer(many=True, read_only=True)
+    refunds = OrderRefundSerializer(many=True, read_only=True)
+    payment_date = OrderPaymentDateField(source='*', read_only=True)
+    payment_provider = OrderPaymentTypeField(source='*', read_only=True)
+    url = OrderURLField(source='*', read_only=True)
 
     class Meta:
         model = Order
-        fields = ('code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
-                  'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel')
+        fields = (
+            'code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
+            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel',
+            'url'
+        )
+        read_only_fields = (
+            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'positions', 'downloads',
+            'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
             self.fields['positions'].child.fields.pop('pdf_data')
 
+    def validate_locale(self, l):
+        if l not in set(k for k in self.instance.event.settings.locales):
+            raise ValidationError('"{}" is not a supported locale for this event.'.format(l))
+        return l
+
+    def update(self, instance, validated_data):
+        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
+        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
+        update_fields = ['comment', 'checkin_attention', 'email', 'locale']
+
+        if 'invoice_address' in validated_data:
+            iadata = validated_data.pop('invoice_address')
+
+            if not iadata:
+                try:
+                    instance.invoice_address.delete()
+                except InvoiceAddress.DoesNotExist:
+                    pass
+            else:
+                name = iadata.pop('name', '')
+                if name and not iadata.get('name_parts'):
+                    iadata['name_parts'] = {
+                        '_legacy': name
+                    }
+                try:
+                    ia = instance.invoice_address
+                    if iadata.get('vat_id') != ia.vat_id and 'vat_id_validated' not in iadata:
+                        ia.vat_id_validated = False
+                    self.fields['invoice_address'].update(ia, iadata)
+                except InvoiceAddress.DoesNotExist:
+                    InvoiceAddress.objects.create(order=instance, **iadata)
+
+        for attr, value in validated_data.items():
+            if attr in update_fields:
+                setattr(instance, attr, value)
+
+        instance.save(update_fields=update_fields)
+        return instance
+
+
+class PriceCalcSerializer(serializers.Serializer):
+    item = serializers.PrimaryKeyRelatedField(queryset=Item.objects.none(), required=False, allow_null=True)
+    variation = serializers.PrimaryKeyRelatedField(queryset=ItemVariation.objects.none(), required=False, allow_null=True)
+    subevent = serializers.PrimaryKeyRelatedField(queryset=SubEvent.objects.none(), required=False, allow_null=True)
+    locale = serializers.CharField(allow_null=True, required=False)
+
+    def __init__(self, *args, **kwargs):
+        event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        self.fields['item'].queryset = event.items.all()
+        self.fields['variation'].queryset = ItemVariation.objects.filter(item__event=event)
+        if event.has_subevents:
+            self.fields['subevent'].queryset = event.subevents.all()
+        else:
+            del self.fields['subevent']
+
 
 class AnswerCreateSerializer(I18nAwareModelSerializer):
 
@@ -300,9 +492,13 @@ class AnswerCreateSerializer(I18nAwareModelSerializer):
 
 
 class OrderFeeCreateSerializer(I18nAwareModelSerializer):
+    _treat_value_as_percentage = serializers.BooleanField(default=False, required=False)
+    _split_taxes_like_products = serializers.BooleanField(default=False, required=False)
+
     class Meta:
         model = OrderFee
-        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rule')
+        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rule',
+                  '_treat_value_as_percentage', '_split_taxes_like_products')
 
     def validate_tax_rule(self, tr):
         if tr and tr.event != self.context['event']:
@@ -317,11 +513,26 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
     addon_to = serializers.IntegerField(required=False, allow_null=True)
     secret = serializers.CharField(required=False)
     attendee_name = serializers.CharField(required=False, allow_null=True)
+    seat = serializers.CharField(required=False, allow_null=True)
+    price = serializers.DecimalField(required=False, allow_null=True, decimal_places=2,
+                                     max_digits=10)
+    voucher = serializers.SlugRelatedField(slug_field='code', queryset=Voucher.objects.none(),
+                                           required=False, allow_null=True)
+    country = CompatibleCountryField(source='*')
 
     class Meta:
         model = OrderPosition
         fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'secret', 'addon_to', 'subevent', 'answers')
+                  'company', 'street', 'zipcode', 'city', 'country', 'state',
+                  'secret', 'addon_to', 'subevent', 'answers', 'seat', 'voucher')
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        for k, v in self.fields.items():
+            if k in ('company', 'street', 'zipcode', 'city', 'country', 'state'):
+                v.required = False
+                v.allow_blank = True
+                v.allow_null = True
 
     def validate_secret(self, secret):
         if secret and OrderPosition.all.filter(order__event=self.context['event'], secret=secret).exists():
@@ -377,6 +588,24 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
             )
         if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
             data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
+
+        if data.get('country'):
+            if not pycountry.countries.get(alpha_2=data.get('country')):
+                raise ValidationError(
+                    {'country': ['Invalid country code.']}
+                )
+
+        if data.get('state'):
+            cc = str(data.get('country') or self.instance.country or '')
+            if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
+                raise ValidationError(
+                    {'state': ['States are not supported in country "{}".'.format(cc)]}
+                )
+            if not pycountry.subdivisions.get(code=cc + '-' + data.get('state')):
+                raise ValidationError(
+                    {'state': ['"{}" is not a known subdivision of the country "{}".'.format(data.get('state'), cc)]}
+                )
+
         return data
 
 
@@ -393,9 +622,31 @@ class CompatibleJSONField(serializers.JSONField):
         return value
 
 
+class WrappedList:
+    def __init__(self, data):
+        self._data = data
+
+    def all(self):
+        return self._data
+
+
+class WrappedModel:
+    def __init__(self, model):
+        self._wrapped = model
+
+    def __getattr__(self, item):
+        return getattr(self._wrapped, item)
+
+    def save(self, *args, **kwargs):
+        raise NotImplementedError
+
+    def delete(self, *args, **kwargs):
+        raise NotImplementedError
+
+
 class OrderCreateSerializer(I18nAwareModelSerializer):
     invoice_address = InvoiceAddressSerializer(required=False)
-    positions = OrderPositionCreateSerializer(many=True, required=False)
+    positions = OrderPositionCreateSerializer(many=True, required=True)
     fees = OrderFeeCreateSerializer(many=True, required=False)
     status = serializers.ChoiceField(choices=(
         ('n', Order.STATUS_PENDING),
@@ -407,16 +658,27 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         min_length=5
     )
     comment = serializers.CharField(required=False, allow_blank=True)
-    payment_provider = serializers.CharField(required=True)
+    payment_provider = serializers.CharField(required=False, allow_null=True)
     payment_info = CompatibleJSONField(required=False)
     consume_carts = serializers.ListField(child=serializers.CharField(), required=False)
+    force = serializers.BooleanField(default=False, required=False)
+    payment_date = serializers.DateTimeField(required=False, allow_null=True)
+    send_mail = serializers.BooleanField(default=False, required=False)
+    simulate = serializers.BooleanField(default=False, required=False)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['positions'].child.fields['voucher'].queryset = self.context['event'].vouchers.all()
 
     class Meta:
         model = Order
         fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
-                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts')
+                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts',
+                  'force', 'send_mail', 'simulate')
 
     def validate_payment_provider(self, pp):
+        if pp is None:
+            return None
         if pp not in self.context['event'].get_payment_providers():
             raise ValidationError('The given payment provider is not known.')
         return pp
@@ -475,16 +737,37 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                 {'positionid': ["If you set addon_to on any position, you need to specify position IDs manually."]}
                 for p in data
             ]
+        else:
+            for i, p in enumerate(data):
+                p['positionid'] = i + 1
 
         if any(errs):
             raise ValidationError(errs)
         return data
 
+    def validate_testmode(self, testmode):
+        if 'sales_channel' in self.initial_data:
+            try:
+                sales_channel = get_all_sales_channels()[self.initial_data['sales_channel']]
+
+                if testmode and not sales_channel.testmode_supported:
+                    raise ValidationError('This sales channel does not provide support for test mode.')
+            except KeyError:
+                # We do not need to raise a ValidationError here, since there is another check to validate the
+                # sales_channel
+                pass
+
+        return testmode
+
     def create(self, validated_data):
         fees_data = validated_data.pop('fees') if 'fees' in validated_data else []
         positions_data = validated_data.pop('positions') if 'positions' in validated_data else []
-        payment_provider = validated_data.pop('payment_provider')
+        payment_provider = validated_data.pop('payment_provider', None)
         payment_info = validated_data.pop('payment_info', '{}')
+        payment_date = validated_data.pop('payment_date', now())
+        force = validated_data.pop('force', False)
+        simulate = validated_data.pop('simulate', False)
+        self._send_mail = validated_data.pop('send_mail', False)
 
         if 'invoice_address' in validated_data:
             iadata = validated_data.pop('invoice_address')
@@ -497,14 +780,21 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         else:
             ia = None
 
-        with self.context['event'].lock() as now_dt:
-            quotadiff = Counter()
-
+        lockfn = self.context['event'].lock
+        if simulate:
+            lockfn = NoLockManager
+        with lockfn() as now_dt:
+            free_seats = set()
+            seats_seen = set()
             consume_carts = validated_data.pop('consume_carts', [])
             delete_cps = []
             quota_avail_cache = {}
+            v_budget = {}
+            voucher_usage = Counter()
             if consume_carts:
-                for cp in CartPosition.objects.filter(event=self.context['event'], cart_id__in=consume_carts):
+                for cp in CartPosition.objects.filter(
+                    event=self.context['event'], cart_id__in=consume_carts, expires__gt=now()
+                ):
                     quotas = (cp.variation.quotas.filter(subevent=cp.subevent)
                               if cp.variation else cp.item.quotas.filter(subevent=cp.subevent))
                     for quota in quotas:
@@ -512,35 +802,127 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                             quota_avail_cache[quota] = list(quota.availability())
                         if quota_avail_cache[quota][1] is not None:
                             quota_avail_cache[quota][1] += 1
+                    if cp.voucher:
+                        voucher_usage[cp.voucher] -= 1
                     if cp.expires > now_dt:
-                        quotadiff.subtract(quotas)
+                        if cp.seat:
+                            free_seats.add(cp.seat)
                     delete_cps.append(cp)
 
             errs = [{} for p in positions_data]
 
             for i, pos_data in enumerate(positions_data):
-                new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
-                              if pos_data.get('variation')
-                              else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
-                if len(new_quotas) == 0:
-                    errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
-                        str(pos_data.get('item'))
-                    )]
-                else:
-                    for quota in new_quotas:
-                        if quota not in quota_avail_cache:
-                            quota_avail_cache[quota] = list(quota.availability())
 
-                        if quota_avail_cache[quota][1] is not None:
-                            quota_avail_cache[quota][1] -= 1
-                            if quota_avail_cache[quota][1] < 0:
-                                errs[i]['item'] = [
-                                    ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
-                                        quota.name
-                                    )
+                if pos_data.get('voucher'):
+                    v = pos_data['voucher']
+
+                    if pos_data.get('addon_to'):
+                        errs[i]['voucher'] = ['Vouchers are currently not supported for add-on products.']
+                        continue
+
+                    if not v.applies_to(pos_data['item'], pos_data.get('variation')):
+                        errs[i]['voucher'] = [error_messages['voucher_invalid_item']]
+                        continue
+
+                    if v.subevent_id and pos_data.get('subevent').pk != v.subevent_id:
+                        errs[i]['voucher'] = [error_messages['voucher_invalid_subevent']]
+                        continue
+
+                    if v.valid_until is not None and v.valid_until < now_dt:
+                        errs[i]['voucher'] = [error_messages['voucher_expired']]
+                        continue
+
+                    voucher_usage[v] += 1
+                    if voucher_usage[v] > 0:
+                        redeemed_in_carts = CartPosition.objects.filter(
+                            Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
+                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
+                        v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
+                        if v_avail < voucher_usage[v]:
+                            errs[i]['voucher'] = [
+                                'The voucher has already been used the maximum number of times.'
+                            ]
+
+                    if v.budget is not None:
+                        price = pos_data.get('price')
+                        if price is None:
+                            price = get_price(
+                                item=pos_data.get('item'),
+                                variation=pos_data.get('variation'),
+                                voucher=v,
+                                custom_price=None,
+                                subevent=pos_data.get('subevent'),
+                                addon_to=pos_data.get('addon_to'),
+                                invoice_address=ia,
+                            ).gross
+                        pbv = get_price(
+                            item=pos_data['item'],
+                            variation=pos_data.get('variation'),
+                            voucher=None,
+                            custom_price=None,
+                            subevent=pos_data.get('subevent'),
+                            addon_to=pos_data.get('addon_to'),
+                            invoice_address=ia,
+                        )
+
+                        if v not in v_budget:
+                            v_budget[v] = v.budget - v.budget_used()
+                        disc = pbv.gross - price
+                        if disc > v_budget[v]:
+                            new_disc = v_budget[v]
+                            v_budget[v] -= new_disc
+                            if new_disc == Decimal('0.00') or pos_data.get('price') is not None:
+                                errs[i]['voucher'] = [
+                                    'The voucher has a remaining budget of {}, therefore a discount of {} can not be '
+                                    'given.'.format(v_budget[v] + new_disc, disc)
                                 ]
+                                continue
+                            pos_data['price'] = price + (disc - new_disc)
+                        else:
+                            v_budget[v] -= disc
 
-                quotadiff.update(new_quotas)
+                seated = pos_data.get('item').seat_category_mappings.filter(subevent=pos_data.get('subevent')).exists()
+                if pos_data.get('seat'):
+                    if not seated:
+                        errs[i]['seat'] = ['The specified product does not allow to choose a seat.']
+                    try:
+                        seat = self.context['event'].seats.get(seat_guid=pos_data['seat'], subevent=pos_data.get('subevent'))
+                    except Seat.DoesNotExist:
+                        errs[i]['seat'] = ['The specified seat does not exist.']
+                    else:
+                        pos_data['seat'] = seat
+                        if (seat not in free_seats and not seat.is_available(sales_channel=validated_data.get('sales_channel', 'web'))) or seat in seats_seen:
+                            errs[i]['seat'] = [gettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name)]
+                        seats_seen.add(seat)
+                elif seated:
+                    errs[i]['seat'] = ['The specified product requires to choose a seat.']
+
+            if not force:
+                for i, pos_data in enumerate(positions_data):
+                    if pos_data.get('voucher'):
+                        if pos_data['voucher'].allow_ignore_quota or pos_data['voucher'].block_quota:
+                            continue
+
+                    new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
+                                  if pos_data.get('variation')
+                                  else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
+                    if len(new_quotas) == 0:
+                        errs[i]['item'] = [gettext_lazy('The product "{}" is not assigned to a quota.').format(
+                            str(pos_data.get('item'))
+                        )]
+                    else:
+                        for quota in new_quotas:
+                            if quota not in quota_avail_cache:
+                                quota_avail_cache[quota] = list(quota.availability())
+
+                            if quota_avail_cache[quota][1] is not None:
+                                quota_avail_cache[quota][1] -= 1
+                                if quota_avail_cache[quota][1] < 0:
+                                    errs[i]['item'] = [
+                                        gettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                            quota.name
+                                        )
+                                    ]
 
             if any(errs):
                 raise ValidationError({'positions': errs})
@@ -549,38 +931,23 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                 validated_data['locale'] = self.context['event'].settings.locale
             order = Order(event=self.context['event'], **validated_data)
             order.set_expires(subevents=[p.get('subevent') for p in positions_data])
-            order.total = sum([p['price'] for p in positions_data]) + sum([f['value'] for f in fees_data], Decimal('0.00'))
             order.meta_info = "{}"
-            order.save()
-
-            if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
-                order.status = Order.STATUS_PAID
+            order.total = Decimal('0.00')
+            if simulate:
+                order = WrappedModel(order)
+                order.last_modified = now()
+                order.code = 'PREVIEW'
+            else:
                 order.save()
-                order.payments.create(
-                    amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
-                    payment_date=now()
-                )
-            elif payment_provider == "free" and order.total != Decimal('0.00'):
-                raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
-            elif validated_data.get('status') == Order.STATUS_PAID:
-                order.payments.create(
-                    amount=order.total,
-                    provider=payment_provider,
-                    info=payment_info,
-                    payment_date=now(),
-                    state=OrderPayment.PAYMENT_STATE_CONFIRMED
-                )
-            elif payment_provider:
-                order.payments.create(
-                    amount=order.total,
-                    provider=payment_provider,
-                    info=payment_info,
-                    state=OrderPayment.PAYMENT_STATE_CREATED
-                )
 
             if ia:
-                ia.order = order
-                ia.save()
+                if not simulate:
+                    ia.order = order
+                    ia.save()
+                else:
+                    order.invoice_address = ia
+                    ia.last_modified = now()
+
             pos_map = {}
             for pos_data in positions_data:
                 answers_data = pos_data.pop('answers', [])
@@ -591,32 +958,171 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                         '_legacy': attendee_name
                     }
                 pos = OrderPosition(**pos_data)
-                pos.order = order
-                pos._calculate_tax()
+                if simulate:
+                    pos.order = order._wrapped
+                else:
+                    pos.order = order
                 if addon_to:
                     pos.addon_to = pos_map[addon_to]
-                pos.save()
-                pos_map[pos.positionid] = pos
-                for answ_data in answers_data:
-                    options = answ_data.pop('options', [])
-                    answ = pos.answers.create(**answ_data)
-                    answ.options.add(*options)
 
-            for cp in delete_cps:
-                cp.delete()
+                if pos.price is None:
+                    price = get_price(
+                        item=pos.item,
+                        variation=pos.variation,
+                        voucher=pos.voucher,
+                        custom_price=None,
+                        subevent=pos.subevent,
+                        addon_to=pos.addon_to,
+                        invoice_address=ia,
+                    )
+                    pos.price = price.gross
+                    pos.tax_rate = price.rate
+                    pos.tax_value = price.tax
+                    pos.tax_rule = pos.item.tax_rule
+                else:
+                    pos._calculate_tax()
+
+                pos.price_before_voucher = get_price(
+                    item=pos.item,
+                    variation=pos.variation,
+                    voucher=None,
+                    custom_price=None,
+                    subevent=pos.subevent,
+                    addon_to=pos.addon_to,
+                    invoice_address=ia,
+                ).gross
+
+                if simulate:
+                    pos = WrappedModel(pos)
+                    pos.id = 0
+                    answers = []
+                    for answ_data in answers_data:
+                        options = answ_data.pop('options', [])
+                        answ = WrappedModel(QuestionAnswer(**answ_data))
+                        answ.options = WrappedList(options)
+                        answers.append(answ)
+                    pos.answers = answers
+                    pos.pseudonymization_id = "PREVIEW"
+                else:
+                    if pos.voucher:
+                        Voucher.objects.filter(pk=pos.voucher.pk).update(redeemed=F('redeemed') + 1)
+                    pos.save()
+                    for answ_data in answers_data:
+                        options = answ_data.pop('options', [])
+                        answ = pos.answers.create(**answ_data)
+                        answ.options.add(*options)
+                pos_map[pos.positionid] = pos
+
+            if not simulate:
+                for cp in delete_cps:
+                    cp.delete()
+
+        order.total = sum([p.price for p in pos_map.values()])
+        fees = []
         for fee_data in fees_data:
-            f = OrderFee(**fee_data)
-            f.order = order
-            f._calculate_tax()
-            f.save()
+            is_percentage = fee_data.pop('_treat_value_as_percentage', False)
+            if is_percentage:
+                fee_data['value'] = round_decimal(order.total * (fee_data['value'] / Decimal('100.00')),
+                                                  self.context['event'].currency)
+            is_split_taxes = fee_data.pop('_split_taxes_like_products', False)
+
+            if is_split_taxes:
+                d = defaultdict(lambda: Decimal('0.00'))
+                trz = TaxRule.zero()
+                for p in pos_map.values():
+                    tr = p.tax_rule
+                    d[tr] += p.price - p.tax_value
+
+                base_values = sorted([tuple(t) for t in d.items()], key=lambda t: (t[0] or trz).rate)
+                sum_base = sum(t[1] for t in base_values)
+                fee_values = [(t[0], round_decimal(fee_data['value'] * t[1] / sum_base, self.context['event'].currency))
+                              for t in base_values]
+                sum_fee = sum(t[1] for t in fee_values)
+
+                # If there are rounding differences, we fix them up, but always leaning to the benefit of the tax
+                # authorities
+                if sum_fee > fee_data['value']:
+                    fee_values[0] = (fee_values[0][0], fee_values[0][1] + (fee_data['value'] - sum_fee))
+                elif sum_fee < fee_data['value']:
+                    fee_values[-1] = (fee_values[-1][0], fee_values[-1][1] + (fee_data['value'] - sum_fee))
+
+                for tr, val in fee_values:
+                    fee_data['tax_rule'] = tr
+                    fee_data['value'] = val
+                    f = OrderFee(**fee_data)
+                    f.order = order._wrapped if simulate else order
+                    f._calculate_tax()
+                    fees.append(f)
+                    if not simulate:
+                        f.save()
+            else:
+                f = OrderFee(**fee_data)
+                f.order = order._wrapped if simulate else order
+                f._calculate_tax()
+                fees.append(f)
+                if not simulate:
+                    f.save()
+
+        order.total += sum([f.value for f in fees])
+        if simulate:
+            order.fees = fees
+            order.positions = pos_map.values()
+            return order  # ignore payments
+        else:
+            order.save(update_fields=['total'])
+
+        if order.total == Decimal('0.00') and validated_data.get('status') == Order.STATUS_PAID and not payment_provider:
+            payment_provider = 'free'
+
+        if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
+            order.status = Order.STATUS_PAID
+            order.save()
+            order.payments.create(
+                amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
+                payment_date=now()
+            )
+        elif payment_provider == "free" and order.total != Decimal('0.00'):
+            raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
+        elif validated_data.get('status') == Order.STATUS_PAID:
+            if not payment_provider:
+                raise ValidationError('You cannot create a paid order without a payment provider.')
+            order.payments.create(
+                amount=order.total,
+                provider=payment_provider,
+                info=payment_info,
+                payment_date=payment_date,
+                state=OrderPayment.PAYMENT_STATE_CONFIRMED
+            )
+        elif payment_provider:
+            order.payments.create(
+                amount=order.total,
+                provider=payment_provider,
+                info=payment_info,
+                state=OrderPayment.PAYMENT_STATE_CREATED
+            )
 
         return order
 
 
+class LinePositionField(serializers.IntegerField):
+    """
+    Internally, the position field is stored starting at 0, but for the API, starting at 1 makes it
+    more consistent with other models
+    """
+
+    def to_representation(self, value):
+        return super().to_representation(value) + 1
+
+    def to_internal_value(self, data):
+        return super().to_internal_value(data) - 1
+
+
 class InlineInvoiceLineSerializer(I18nAwareModelSerializer):
+    position = LinePositionField(read_only=True)
+
     class Meta:
         model = InvoiceLine
-        fields = ('description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
+        fields = ('position', 'description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
 
 
 class InvoiceSerializer(I18nAwareModelSerializer):
@@ -632,6 +1138,20 @@ class InvoiceSerializer(I18nAwareModelSerializer):
                   'internal_reference')
 
 
+class OrderPaymentCreateSerializer(I18nAwareModelSerializer):
+    provider = serializers.CharField(required=True, allow_null=False, allow_blank=False)
+    info = CompatibleJSONField(required=False)
+
+    class Meta:
+        model = OrderPayment
+        fields = ('state', 'amount', 'payment_date', 'provider', 'info')
+
+    def create(self, validated_data):
+        order = OrderPayment(order=self.context['order'], **validated_data)
+        order.save()
+        return order
+
+
 class OrderRefundCreateSerializer(I18nAwareModelSerializer):
     payment = serializers.IntegerField(required=False, allow_null=True)
     provider = serializers.CharField(required=True, allow_null=False, allow_blank=False)

src/pretix/api/serializers/organizer.py

@@ -1,8 +1,169 @@
+from decimal import Decimal
+
+from django.db.models import Q
+from django.utils.translation import get_language, gettext_lazy as _
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.base.models import Organizer
+from pretix.api.serializers.order import CompatibleJSONField
+from pretix.base.auth import get_auth_backends
+from pretix.base.models import (
+    GiftCard, Organizer, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
+)
+from pretix.base.models.seating import SeatingPlanLayoutValidator
+from pretix.base.services.mail import SendMailException, mail
+from pretix.helpers.urls import build_absolute_uri
 
 
 class OrganizerSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Organizer
         fields = ('name', 'slug')
+
+
+class SeatingPlanSerializer(I18nAwareModelSerializer):
+    layout = CompatibleJSONField(
+        validators=[SeatingPlanLayoutValidator()]
+    )
+
+    class Meta:
+        model = SeatingPlan
+        fields = ('id', 'name', 'layout')
+
+
+class GiftCardSerializer(I18nAwareModelSerializer):
+    value = serializers.DecimalField(max_digits=10, decimal_places=2, min_value=Decimal('0.00'))
+
+    def validate(self, data):
+        data = super().validate(data)
+        s = data['secret']
+        qs = GiftCard.objects.filter(
+            secret=s
+        ).filter(
+            Q(issuer=self.context["organizer"]) | Q(
+                issuer__gift_card_collector_acceptance__collector=self.context["organizer"])
+        )
+        if self.instance:
+            qs = qs.exclude(pk=self.instance.pk)
+        if qs.exists():
+            raise ValidationError(
+                {'secret': _(
+                    'A gift card with the same secret already exists in your or an affiliated organizer account.')}
+            )
+        return data
+
+    class Meta:
+        model = GiftCard
+        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions')
+
+
+class EventSlugField(serializers.SlugRelatedField):
+    def get_queryset(self):
+        return self.context['organizer'].events.all()
+
+
+class TeamSerializer(serializers.ModelSerializer):
+    limit_events = EventSlugField(slug_field='slug', many=True)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    class Meta:
+        model = Team
+        fields = (
+            'id', 'name', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
+            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
+            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
+            'can_change_vouchers'
+        )
+
+    def validate(self, data):
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+        if full_data.get('limit_events') and full_data.get('all_events'):
+            raise ValidationError('Do not set both limit_events and all_events.')
+        return data
+
+
+class TeamInviteSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = TeamInvite
+        fields = (
+            'id', 'email'
+        )
+
+    def _send_invite(self, instance):
+        try:
+            mail(
+                instance.email,
+                _('pretix account invitation'),
+                'pretixcontrol/email/invitation.txt',
+                {
+                    'user': self,
+                    'organizer': self.context['organizer'].name,
+                    'team': instance.team.name,
+                    'url': build_absolute_uri('control:auth.invite', kwargs={
+                        'token': instance.token
+                    })
+                },
+                event=None,
+                locale=get_language()  # TODO: expose?
+            )
+        except SendMailException:
+            pass  # Already logged
+
+    def create(self, validated_data):
+        if 'email' in validated_data:
+            try:
+                user = User.objects.get(email__iexact=validated_data['email'])
+            except User.DoesNotExist:
+                if self.context['team'].invites.filter(email__iexact=validated_data['email']).exists():
+                    raise ValidationError(_('This user already has been invited for this team.'))
+                if 'native' not in get_auth_backends():
+                    raise ValidationError('Users need to have a pretix account before they can be invited.')
+
+                invite = self.context['team'].invites.create(email=validated_data['email'])
+                self._send_invite(invite)
+                invite.team.log_action(
+                    'pretix.team.invite.created',
+                    data={
+                        'email': validated_data['email']
+                    },
+                    **self.context['log_kwargs']
+                )
+                return invite
+            else:
+                if self.context['team'].members.filter(pk=user.pk).exists():
+                    raise ValidationError(_('This user already has permissions for this team.'))
+
+                self.context['team'].members.add(user)
+                self.context['team'].log_action(
+                    'pretix.team.member.added',
+                    data={
+                        'email': user.email,
+                        'user': user.pk,
+                    },
+                    **self.context['log_kwargs']
+                )
+                return TeamInvite(email=user.email)
+        else:
+            raise ValidationError('No email address given.')
+
+
+class TeamAPITokenSerializer(serializers.ModelSerializer):
+    active = serializers.BooleanField(default=True, read_only=True)
+
+    class Meta:
+        model = TeamAPIToken
+        fields = (
+            'id', 'name', 'active'
+        )
+
+
+class TeamMemberSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = (
+            'id', 'email', 'fullname', 'require_2fa'
+        )

src/pretix/api/serializers/voucher.py

@@ -2,15 +2,23 @@ from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.base.models import Voucher
+from pretix.base.models import Seat, Voucher
 
 
 class VoucherListSerializer(serializers.ListSerializer):
     def create(self, validated_data):
         codes = set()
+        seats = set()
         errs = []
         err = False
         for voucher_data in validated_data:
+            if voucher_data.get('seat') and (voucher_data.get('seat'), voucher_data.get('subevent')) in seats:
+                err = True
+                errs.append({'code': ['Duplicate seat ID in request.']})
+                continue
+            else:
+                seats.add((voucher_data.get('seat'), voucher_data.get('subevent')))
+
             if voucher_data['code'] in codes:
                 err = True
                 errs.append({'code': ['Duplicate voucher code in request.']})
@@ -22,12 +30,19 @@ class VoucherListSerializer(serializers.ListSerializer):
         return super().create(validated_data)
 
 
+class SeatGuidField(serializers.CharField):
+    def to_representation(self, val: Seat):
+        return val.seat_guid
+
+
 class VoucherSerializer(I18nAwareModelSerializer):
+    seat = SeatGuidField(allow_null=True, required=False)
+
     class Meta:
         model = Voucher
         fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
                   'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
-                  'tag', 'comment', 'subevent')
+                  'tag', 'comment', 'subevent', 'show_hidden_items', 'seat')
         read_only_fields = ('id', 'redeemed')
         list_serializer_class = VoucherListSerializer
 
@@ -39,7 +54,8 @@ class VoucherSerializer(I18nAwareModelSerializer):
 
         Voucher.clean_item_properties(
             full_data, self.context.get('event'),
-            full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+            full_data.get('quota'), full_data.get('item'), full_data.get('variation'),
+            block_quota=full_data.get('block_quota')
         )
         Voucher.clean_subevent(
             full_data, self.context.get('event')
@@ -61,4 +77,10 @@ class VoucherSerializer(I18nAwareModelSerializer):
             )
         Voucher.clean_voucher_code(full_data, self.context.get('event'), self.instance.pk if self.instance else None)
 
+        if full_data.get('seat'):
+            data['seat'] = Voucher.clean_seat_id(
+                full_data, full_data.get('item'), full_data.get('quota'), self.context.get('event'),
+                self.instance.pk if self.instance else None
+            )
+
         return data

src/pretix/api/signals.py

@@ -2,8 +2,9 @@ from datetime import timedelta
 
 from django.dispatch import Signal, receiver
 from django.utils.timezone import now
+from django_scopes import scopes_disabled
 
-from pretix.api.models import WebHookCall
+from pretix.api.models import ApiCall, WebHookCall
 from pretix.base.signals import periodic_task
 
 register_webhook_events = Signal(
@@ -17,5 +18,12 @@ instances.
 
 
 @receiver(periodic_task)
+@scopes_disabled()
 def cleanup_webhook_logs(sender, **kwargs):
     WebHookCall.objects.filter(datetime__lte=now() - timedelta(days=30)).delete()
+
+
+@receiver(periodic_task)
+@scopes_disabled()
+def cleanup_api_logs(sender, **kwargs):
+    ApiCall.objects.filter(created__lte=now() - timedelta(hours=24)).delete()

src/pretix/api/urls.py

@@ -7,8 +7,8 @@ from rest_framework import routers
 from pretix.api.views import cart
 
 from .views import (
-    checkin, device, event, item, oauth, order, organizer, user, voucher,
-    waitinglist, webhooks,
+    checkin, device, event, item, oauth, order, organizer, user, version,
+    voucher, waitinglist, webhooks,
 )
 
 router = routers.DefaultRouter()
@@ -18,6 +18,14 @@ orga_router = routers.DefaultRouter()
 orga_router.register(r'events', event.EventViewSet)
 orga_router.register(r'subevents', event.SubEventViewSet)
 orga_router.register(r'webhooks', webhooks.WebHookViewSet)
+orga_router.register(r'seatingplans', organizer.SeatingPlanViewSet)
+orga_router.register(r'giftcards', organizer.GiftCardViewSet)
+orga_router.register(r'teams', organizer.TeamViewSet)
+
+team_router = routers.DefaultRouter()
+team_router.register(r'members', organizer.TeamMemberViewSet)
+team_router.register(r'invites', organizer.TeamInviteViewSet)
+team_router.register(r'tokens', organizer.TeamAPITokenViewSet)
 
 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
@@ -44,6 +52,7 @@ question_router.register(r'options', item.QuestionOptionViewSet)
 item_router = routers.DefaultRouter()
 item_router.register(r'variations', item.ItemVariationViewSet)
 item_router.register(r'addons', item.ItemAddOnViewSet)
+item_router.register(r'bundles', item.ItemBundleViewSet)
 
 order_router = routers.DefaultRouter()
 order_router.register(r'payments', order.PaymentViewSet)
@@ -58,7 +67,10 @@ for app in apps.get_app_configs():
 urlpatterns = [
     url(r'^', include(router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/', include(orga_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/settings/$', event.EventSettingsView.as_view(),
+        name="event.settings"),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/teams/(?P<team>[^/]+)/', include(team_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/questions/(?P<question>[^/]+)/',
         include(question_router.urls)),
@@ -73,4 +85,5 @@ urlpatterns = [
     url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
     url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
     url(r"^me$", user.MeView.as_view(), name="user.me"),
+    url(r"^version$", version.VersionView.as_view(), name="version"),
 ]

src/pretix/api/views/__init__.py

@@ -31,10 +31,10 @@ class RichOrderingFilter(OrderingFilter):
 class ConditionalListView:
 
     def list(self, request, **kwargs):
-        if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE')
+        if_modified_since = request.headers.get('If-Modified-Since')
         if if_modified_since:
             if_modified_since = parse_http_date_safe(if_modified_since)
-        if_unmodified_since = request.META.get('HTTP_IF_UNMODIFIED_SINCE')
+        if_unmodified_since = request.headers.get('If-Unmodified-Since')
         if if_unmodified_since:
             if_unmodified_since = parse_http_date_safe(if_unmodified_since)
         if not hasattr(request, 'event'):

src/pretix/api/views/cart.py

@@ -24,7 +24,7 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
         return CartPosition.objects.filter(
             event=self.request.event,
             cart_id__endswith="@api"
-        )
+        ).select_related('seat').prefetch_related('answers')
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()