Bump to 3.10.0

[CI skip]

Signed-off-by: Raphael Michel <mail@raphaelmichel.de>

.github/workflows/docs.yml

@@ -0,0 +1,42 @@
+name: Documentation
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+      - 'src/tests/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+      - 'src/tests/**'
+
+jobs:
+  spelling:
+    name: Spellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install enchant hunspell aspell-en
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur doc/requirements.txt
+      - name: Spellcheck docs
+        run: make spelling
+        working-directory: ./doc
+      - name:
+        run: '[ ! -s _build/spelling/output.txt ]'
+        working-directory: ./doc

.github/workflows/strings.yml

@@ -0,0 +1,62 @@
+name: Strings
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'doc/**'
+      - 'src/pretix/locale/**'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'doc/**'
+      - 'src/pretix/locale/**'
+
+jobs:
+  compile:
+    runs-on: ubuntu-latest
+    name: Check gettext syntax
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install gettext
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements.txt
+      - name: Compile messages
+        run: python manage.py compilemessages
+        working-directory: ./src
+      - name: Compile jsi18n
+        run: python manage.py compilejsi18n
+        working-directory: ./src
+  spelling:
+    runs-on: ubuntu-latest
+    name: Spellcheck
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system packages
+        run: sudo apt install enchant hunspell hunspell-de-de aspell-en aspell-de
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Spellcheck translations
+        run: potypo
+        working-directory: ./src

.github/workflows/style.yml

@@ -0,0 +1,55 @@
+name: Code Style
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'src/pretix/locale/**'
+      - 'src/pretix/static/**'
+
+jobs:
+  isort:
+    name: isort
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install Dependencies
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Run isort
+        run: isort -c -rc -df .
+        working-directory: ./src
+  flake:
+    name: flake8
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install Dependencies
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
+      - name: Run flake8
+        run: flake8 .
+        working-directory: ./src

.github/workflows/tests.yml

@@ -0,0 +1,75 @@
+name: Tests
+
+on:
+  push:
+    branches: [ master ]
+    paths-ignore:
+      - 'doc/**'
+      - 'src/pretix/locale/**'
+  pull_request:
+    branches: [ master ]
+    paths-ignore:
+      - 'doc/**'
+      - 'src/pretix/locale/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Tests
+    strategy:
+      matrix:
+        python-version: [3.6, 3.7, 3.8]
+        database: [sqlite, postgres, mysql]
+        exclude:
+          - database: mysql
+            python-version: 3.7
+          - database: sqlite
+            python-version: 3.7
+          - database: mysql
+            python-version: 3.6
+          - database: sqlite
+            python-version: 3.6
+    steps:
+      - uses: actions/checkout@v2
+      - uses: getong/mariadb-action@v1.1
+        with:
+          mariadb version: '10.4'
+          mysql database: 'pretix'
+          mysql root password: ''
+        if: matrix.database == 'mysql'
+      - uses: harmon758/postgresql-action@v1
+        with:
+          postgresql version: '11'
+          postgresql db: 'pretix'
+          postgresql user: 'postgres'
+          postgresql password: 'postgres'
+        if: matrix.database == 'postgres'
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v1
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: actions/cache@v1
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system dependencies
+        run: sudo apt install gettext mysql-client
+      - name: Install Python dependencies
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt mysqlclient psycopg2-binary
+      - name: Run checks
+        run: python manage.py check
+        working-directory: ./src
+      - name: Compile
+        working-directory: ./src
+        run: make all compress
+      - name: Run tests
+        working-directory: ./src
+        run: PRETIX_CONFIG_FILE=tests/travis_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml --reruns 3 tests --maxfail=100
+      - name: Upload coverage
+        uses: codecov/codecov-action@v1
+        with:
+          file: src/coverage.xml
+          fail_ci_if_error: true
+        if: matrix.database == 'postgres' && matrix.python-version == '3.8'

.gitlab-ci.yml

@@ -5,7 +5,11 @@ tests:
         - virtualenv env
         - source env/bin/activate
         - pip install -U pip wheel setuptools
-        - XDG_CACHE_HOME=/cache bash .travis.sh tests
+        - XDG_CACHE_HOME=/cache pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
+        - cd src
+        - python manage.py check
+        - make all compress
+        - py.test --reruns 3 -n 3 tests
     tags:
         - python3
     except:

.travis.sh

@@ -1,68 +0,0 @@
-#!/bin/bash
-set -e
-set -x
-
-echo "Executing job $1"
-
-if [ "$PRETIX_CONFIG_FILE" == "tests/travis_mysql.cfg" ]; then
-    mysql -u root -e 'CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;'
-    pip3 install -Ur src/requirements/mysql.txt
-fi
-
-if [ "$PRETIX_CONFIG_FILE" == "tests/travis_postgres.cfg" ]; then
-    psql -c 'create database travis_ci_test;' -U postgres
-fi
-
-if [ "$1" == "style" ]; then
-	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur src/requirements.txt -r src/requirements/dev.txt
-	cd src
-    flake8 .
-    isort -c -rc -df .
-fi
-if [ "$1" == "doctests" ]; then
-	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur doc/requirements.txt
-	cd doc
-	make doctest
-fi
-if [ "$1" == "doc-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur doc/requirements.txt
-	cd doc
-	make spelling
-	if [ -s _build/spelling/output.txt ]; then
-		exit 1
-	fi
-fi
-if [ "$1" == "translation-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
-	cd src
-	potypo
-fi
-if [ "$1" == "tests" ]; then
-	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
-	cd src
-	python manage.py check
-	make all compress
-	py.test --reruns 5 -n 3 tests
-fi
-if [ "$1" == "tests-cov" ]; then
-	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
-	cd src
-	python manage.py check
-	make all compress
-	coverage run -m py.test --reruns 5 tests && codecov
-fi
-if [ "$1" == "plugins" ]; then
-	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
-	cd src
-	python setup.py develop
-	make all compress
-
-	pushd ~
-    git clone --depth 1 https://github.com/pretix/pretix-cartshare.git
-    cd pretix-cartshare
-    python setup.py develop
-    make
-	py.test --reruns 5 tests
-    popd
-
-fi

.travis.yml

@@ -1,45 +0,0 @@
-language: python
-dist: xenial
-sudo: false
-install:
-  - pip install -U pip wheel setuptools
-script:
-  - bash .travis.sh $JOB
-cache:
-  directories:
-    - $HOME/.cache/pip
-services:
-  - mysql
-  - postgresql
-matrix:
-  include:
-    - python: 3.7
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
-    - python: 3.7
-      env: JOB=tests-cov PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.7
-      env: JOB=style
-    - python: 3.7
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.7
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.7
-      env: JOB=doc-spelling
-    - python: 3.7
-      env: JOB=translation-spelling
-addons:
-  postgresql: "9.4"
-  mariadb: '10.3'
-  apt:
-      packages:
-          - enchant
-          - myspell-de-de
-          - aspell-en
-          - sqlite3
-  sources:
-    - travis-ci/sqlite3
-branches:
-  except:
-  - /^weblate-.*/

README.rst

@@ -4,11 +4,10 @@ pretix
 .. image:: https://img.shields.io/pypi/v/pretix.svg
    :target: https://pypi.python.org/pypi/pretix
 
-.. image:: https://readthedocs.org/projects/pretix/badge/?version=latest
+.. image:: https://github.com/pretix/pretix/workflows/Documentation/badge.svg
    :target: https://docs.pretix.eu/en/latest/
 
-.. image:: https://travis-ci.org/pretix/pretix.svg?branch=master
-   :target: https://travis-ci.org/pretix/pretix
+.. image:: https://github.com/pretix/pretix/workflows/Tests/badge.svg
 
 .. image:: https://codecov.io/gh/pretix/pretix/branch/master/graph/badge.svg
    :target: https://codecov.io/gh/pretix/pretix

deployment/docker/nginx.conf

@@ -4,7 +4,7 @@ pid /var/run/nginx.pid;
 daemon off;
 
 events {
-	worker_connections 768;
+	worker_connections 4096;
 }
 
 http {
@@ -39,7 +39,7 @@ http {
 	include /etc/nginx/conf.d/*.conf;
 
     server {
-        listen 80 default_server;
+        listen 80 backlog=4096 default_server;
         listen [::]:80 ipv6only=on default_server;
         server_name _;
         index index.php index.html;

doc/admin/config.rst

@@ -90,6 +90,13 @@ Example::
     proxy that actively removes and re-adds the header to make sure the correct client IP is the first value.
     Defaults to ``off``.
 
+``trust_x_forwarded_proto``
+    Specifies whether the ``X-Forwarded-Proto`` header can be trusted. Only set to ``on`` if you have a reverse
+    proxy that actively removes and re-adds the header to make sure the correct value is set.
+    Defaults to ``off``.
+
+``csp_log``
+    Log violations of the Content Security Policy (CSP). Defaults to ``on``.
 
 Locale settings
 ---------------

doc/admin/installation/docker_smallscale.rst

@@ -125,6 +125,8 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     ; DO NOT change the following value, it has to be set to the location of the
     ; directory *inside* the docker container
     datadir=/data
+    trust_x_forwarded_for=on
+    trust_x_forwarded_proto=on
 
     [database]
     ; Replace postgresql with mysql for MySQL
@@ -180,6 +182,7 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
         -v /var/pretix-data:/data \
         -v /etc/pretix:/etc/pretix \
         -v /var/run/redis:/var/run/redis \
+        --sysctl net.core.somaxconn=4096 \
         pretix/standalone:stable all
     ExecStop=/usr/bin/docker stop %n
 

doc/admin/installation/manual_smallscale.rst

@@ -12,7 +12,7 @@ solution with many things readily set-up, look at :ref:`dockersmallscale`.
              get it right. If you're not feeling comfortable managing a Linux server, check out our hosting and service
              offers at `pretix.eu`_.
 
-We tested this guide on the Linux distribution **Debian 8.0** but it should work very similar on other
+We tested this guide on the Linux distribution **Debian 10.0** but it should work very similar on other
 modern distributions, especially on all systemd-based ones.
 
 Requirements
@@ -85,6 +85,8 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
     url=https://pretix.mydomain.com
     currency=EUR
     datadir=/var/pretix/data
+    trust_x_forwarded_for=on
+    trust_x_forwarded_proto=on
 
     [database]
     ; For MySQL, replace with "mysql"
@@ -131,7 +133,7 @@ command if you're running MySQL::
 
     (venv)$ pip3 install "pretix[postgres]" gunicorn
 
-Note that you need Python 3.5 or newer. You can find out your Python version using ``python -V``.
+Note that you need Python 3.6 or newer. You can find out your Python version using ``python -V``.
 
 We also need to create a data directory::
 

doc/api/fundamentals.rst

@@ -170,6 +170,19 @@ Date                  String in ISO 8601 format    ``2017-12-27``
 Multi-lingual string  Object of strings            ``{"en": "red", "de": "rot", "de_Informal": "rot"}``
 Money                 String with decimal number   ``"23.42"``
 Currency              String with ISO 4217 code    ``"EUR"``, ``"USD"``
+Relative datetime     *either* String in ISO 8601  ``"2017-12-27T10:00:00.596934Z"``,
+                      format *or* specification of ``"RELDATE/3/12:00:00/presale_start/"``
+                      a relative datetime,
+                      constructed from a number of
+                      days before the base point,
+                      a time of day, and the base
+                      point.
+Relative date         *either* String in ISO 8601  ``"2017-12-27"``,
+                      format *or* specification of ``"RELDATE/3/-/presale_start/"``
+                      a relative date,
+                      constructed from a number of
+                      days before the base point
+                      and the base point.
 ===================== ============================ ===================================
 
 Query parameters

doc/api/oauth.rst

@@ -61,7 +61,7 @@ access to the API. The ``token`` endpoint expects you to authenticate using `HTT
 ID as a username and your client secret as a password. You are also required to again supply the same ``redirect_uri``
 parameter that you used for the authorization.
 
-.. http:get:: /api/v1/oauth/token
+.. http:post:: /api/v1/oauth/token
 
    Request a new access token
 

doc/api/resources/billing_var.rst

@@ -0,0 +1,148 @@
+pretix Hosted reseller API
+==========================
+
+This API is only accessible to our `value-added reseller partners`_ on pretix Hosted.
+
+.. note:: This API is only accessible with user-level permissions, not with API tokens. Therefore, you will need to
+          create an :ref:`OAuth application <rest-oauth>` and obtain an OAuth access token for a user account that has
+          permission to your reseller account.
+
+Reseller account resource
+-------------------------
+
+The resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Your reseller ID
+name                                  string                     Internal name of your reseller account
+public_name                           string                     Public name of your reseller account
+public_url                            string                     Public URL of your company
+support_email                         string                     Your support email address
+support_phone                         string                     Your support phone number
+communication_language                string                     Language code we use to communicate with you
+===================================== ========================== =======================================================
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/var/
+
+   Returns a list of all reseller accounts you have access to.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/var/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "ticketshop.live Ltd & Co. KG",
+            "public_name": "ticketshop.live",
+            "public_url": "https://ticketshop.live",
+            "support_email": "support@ticketshop.live",
+            "support_phone": "+4962213217750",
+            "communication_language": "de"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+
+.. http:get:: /api/v1/var/(id)/
+
+   Returns information on one reseller account, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/var/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "ticketshop.live Ltd & Co. KG",
+        "public_name": "ticketshop.live",
+        "public_url": "https://ticketshop.live",
+        "support_email": "support@ticketshop.live",
+        "support_phone": "+4962213217750",
+        "communication_language": "de"
+      }
+
+   :param id: The ``id`` field of the reseller account to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 404: The requested account does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/var/(id)/create_organizer/
+
+   Creates a new organizer account that will be associated with a given reseller account.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/var/1/create_organizer/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 123
+
+      {
+        "name": "My new client",
+        "slug": "New client"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "My new client",
+        "slug": "New client"
+      }
+
+   :param id: The ``id`` field of the reseller account to fetch
+   :statuscode 201: no error
+   :statuscode 400: Invalid request body, usually the slug is invalid or already taken.
+   :statuscode 401: Authentication failure
+   :statuscode 404: The requested account does not exist **or** you have no permission to view this resource.
+
+.. _value-added reseller partners: https://pretix.eu/about/en/var

doc/api/resources/carts.rst

@@ -194,6 +194,7 @@ Cart position endpoints
    * ``subevent`` (optional)
    * ``expires`` (optional)
    * ``includes_tax`` (optional)
+   * ``sales_channel`` (optional)
    * ``answers``
 
       * ``question``

doc/api/resources/checkinlists.rst

@@ -30,6 +30,9 @@ position_count                        integer                    Number of ticke
 checkin_count                         integer                    Number of check-ins performed on this list (read-only).
 include_pending                       boolean                    If ``true``, the check-in list also contains tickets from orders in pending state.
 auto_checkin_sales_channels           list of strings            All items on the check-in list will be automatically marked as checked-in when purchased through any of the listed sales channels.
+allow_multiple_entries                boolean                    If ``true``, subsequent scans of a ticket on this list should not show a warning but instead be stored as an additional check-in.
+allow_entry_after_exit                boolean                    If ``true``, subsequent scans of a ticket on this list are valid if the last scan of the ticket was an exit scan.
+rules                                 object                     Custom check-in logic. The contents of this field are currently not considered a stable API and modifications through the API are highly discouraged.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.10
@@ -48,6 +51,11 @@ auto_checkin_sales_channels           list of strings            All items on th
 
     The ``auto_checkin_sales_channels`` field has been added.
 
+.. versionchanged:: 3.9
+
+    The ``subevent`` attribute may now be ``null`` inside event series. The ``allow_multiple_entries``,
+    ``allow_entry_after_exit``, and ``rules`` attributes have been added.
+
 Endpoints
 ---------
 
@@ -89,6 +97,9 @@ Endpoints
             "limit_products": [],
             "include_pending": false,
             "subevent": null,
+            "allow_multiple_entries": false,
+            "allow_entry_after_exit": true,
+            "rules": {},
             "auto_checkin_sales_channels": [
               "pretixpos"
             ]
@@ -133,6 +144,9 @@ Endpoints
         "limit_products": [],
         "include_pending": false,
         "subevent": null,
+        "allow_multiple_entries": false,
+        "allow_entry_after_exit": true,
+        "rules": {},
         "auto_checkin_sales_channels": [
           "pretixpos"
         ]
@@ -229,6 +243,8 @@ Endpoints
         "all_products": false,
         "limit_products": [1, 2],
         "subevent": null,
+        "allow_multiple_entries": false,
+        "allow_entry_after_exit": true,
         "auto_checkin_sales_channels": [
           "pretixpos"
         ]
@@ -251,6 +267,8 @@ Endpoints
         "limit_products": [1, 2],
         "include_pending": false,
         "subevent": null,
+        "allow_multiple_entries": false,
+        "allow_entry_after_exit": true,
         "auto_checkin_sales_channels": [
           "pretixpos"
         ]
@@ -303,6 +321,8 @@ Endpoints
         "limit_products": [1, 2],
         "include_pending": false,
         "subevent": null,
+        "allow_multiple_entries": false,
+        "allow_entry_after_exit": true,
         "auto_checkin_sales_channels": [
           "pretixpos"
         ]
@@ -696,6 +716,7 @@ Order position endpoints
      ``canceled_supported`` to ``true``, otherwise these orders return ``unpaid``.
    * ``already_redeemed`` - Ticket already has been redeemed
    * ``product`` - Tickets with this product may not be scanned at this device
+   * ``rules`` - Check-in prevented by a user-defined rule
 
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch

doc/api/resources/events.rst

@@ -42,6 +42,8 @@ seating_plan                          integer                    If reserved sea
                                                                  plan. Otherwise ``null``.
 seat_category_mapping                 object                     An object mapping categories of the seating plan
                                                                  (strings) to items in the event (integers or ``null``).
+timezone                              string                     Event timezone name
+item_meta_properties                  object                     Item-specific meta data parameters and default values.
 ===================================== ========================== =======================================================
 
 
@@ -74,6 +76,14 @@ seat_category_mapping                 object                     An object mappi
 
    The attributes ``geo_lat`` and ``geo_lon`` have been added.
 
+.. versionchanged:: 3.4
+
+   The attribute ``timezone`` has been added.
+
+.. versionchanged:: 3.7
+
+   The attribute ``item_meta_properties`` has been added.
+
 Endpoints
 ---------
 
@@ -127,6 +137,8 @@ Endpoints
             "meta_data": {},
             "seating_plan": null,
             "seat_category_mapping": {},
+            "timezone": "Europe/Berlin",
+            "item_meta_properties": {},
             "plugins": [
               "pretix.plugins.banktransfer"
               "pretix.plugins.stripe"
@@ -197,6 +209,8 @@ Endpoints
         "seating_plan": null,
         "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.banktransfer"
           "pretix.plugins.stripe"
@@ -248,6 +262,8 @@ Endpoints
         "geo_lon": null,
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -281,6 +297,8 @@ Endpoints
         "seat_category_mapping": {},
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -334,6 +352,8 @@ Endpoints
         "seat_category_mapping": {},
         "has_subevents": false,
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -367,6 +387,8 @@ Endpoints
         "seating_plan": null,
         "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.stripe",
           "pretix.plugins.paypal"
@@ -432,6 +454,8 @@ Endpoints
         "seating_plan": null,
         "seat_category_mapping": {},
         "meta_data": {},
+        "timezone": "Europe/Berlin",
+        "item_meta_properties": {},
         "plugins": [
           "pretix.plugins.banktransfer",
           "pretix.plugins.stripe",
@@ -474,3 +498,123 @@ Endpoints
    :statuscode 204: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
+Event settings
+--------------
+
+pretix events have lots and lots of parameters of different types that are stored in a key-value store on our system.
+Since many of these settings depend on each other in complex ways, we can not give direct access to all of these
+settings through the API. However, we do expose many of the simple and useful flags through the API.
+
+Please note that the available settings flags change between pretix versions and also between events, depending on the
+installed plugins, and we do not give a guarantee on backwards-compatibility like with other parts of the API.
+Therefore, we're also not including a list of the options here, but instead recommend to look at the endpoint output
+to see available options. The ``explain=true`` flag enables a verbose mode that provides you with human-readable
+information about the properties.
+
+.. note:: Please note that this is not a complete representation of all event settings. You will find more settings
+          in the web interface.
+
+.. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
+             able to break your event using this API by creating situations of conflicting settings. Please take care.
+
+.. versionchanged:: 3.6
+
+   Initial support for settings has been added to the API.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/settings/
+
+   Get current values of event settings.
+
+   Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/settings/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example standard response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://pretix.eu",
+        …
+      }
+
+   **Example verbose response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url":
+          {
+            "value": "https://pretix.eu",
+            "label": "Imprint URL",
+            "help_text": "This should point e.g. to a part of your website that has your contact details and legal information."
+          }
+        },
+        …
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to access
+   :param event: The ``slug`` field of the event to access
+   :query explain: Set to ``true`` to enable verbose response mode
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/settings/
+
+   Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
+
+    .. warning::
+
+       Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting
+       from a higher level (organizer, global) will be returned. If you explicitly set a setting on event level, it
+       will no longer be inherited from the higher levels. Therefore, we recommend you to send only settings that you
+       explicitly want to set on event level. To unset a settings, pass ``null``.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/settings/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://example.org/imprint/"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "imprint_url": "https://example.org/imprint/",
+        …
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to update
+   :param event: The ``slug`` field of the event to update
+   :statuscode 200: no error
+   :statuscode 400: The event could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.

doc/api/resources/giftcards.rst

@@ -18,6 +18,8 @@ secret                                string                     Gift card code
 value                                 money (string)             Current gift card value
 currency                              string                     Currency of the value (can not be modified later)
 testmode                              boolean                    Whether this is a test gift card
+expires                               datetime                   Expiry date (or ``null``)
+conditions                            string                     Special terms and conditions for this card (or ``null``)
 ===================================== ========================== =======================================================
 
 Endpoints
@@ -53,12 +55,17 @@ Endpoints
             "secret": "HLBYVELFRC77NCQY",
             "currency": "EUR",
             "testmode": false,
+            "expires": null,
+            "conditions": null,
             "value": "13.37"
           }
         ]
       }
 
    :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string secret: Only show gift cards with the given secret.
+   :query boolean testmode: Filter for gift cards that are (not) in test mode.
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
    :param organizer: The ``slug`` field of the organizer to fetch
    :statuscode 200: no error
    :statuscode 401: Authentication failure
@@ -89,11 +96,14 @@ Endpoints
         "secret": "HLBYVELFRC77NCQY",
         "currency": "EUR",
         "testmode": false,
+        "expires": null,
+        "conditions": null,
         "value": "13.37"
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
    :param id: The ``id`` field of the gift card to fetch
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
@@ -130,6 +140,8 @@ Endpoints
         "secret": "HLBYVELFRC77NCQY",
         "testmode": false,
         "currency": "EUR",
+        "expires": null,
+        "conditions": null,
         "value": "13.37"
       }
 
@@ -176,6 +188,8 @@ Endpoints
         "secret": "HLBYVELFRC77NCQY",
         "testmode": false,
         "currency": "EUR",
+        "expires": null,
+        "conditions": null,
         "value": "14.00"
       }
 
@@ -218,12 +232,20 @@ Endpoints
         "secret": "HLBYVELFRC77NCQY",
         "currency": "EUR",
         "testmode": false,
+        "expires": null,
+        "conditions": null,
         "value": "15.37"
       }
 
+   .. versionchanged:: 3.5
+
+      This endpoint now returns status code ``409`` if the transaction would lead to a negative gift card value.
+
    :param organizer: The ``slug`` field of the organizer to modify
    :param id: The ``id`` field of the gift card to modify
+   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
    :statuscode 200: no error
    :statuscode 400: The gift card could not be modified due to invalid submitted data
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+   :statuscode 409: There is not sufficient credit on the gift card.

doc/api/resources/index.rst

@@ -23,6 +23,8 @@ Resources and endpoints
    waitinglist
    giftcards
    carts
+   teams
    webhooks
    seatingplans
    billing_invoices
+   billing_var

doc/api/resources/invoices.rst

@@ -28,6 +28,7 @@ payment_provider_text                 string                     Text to be prin
                                                                  payment information
 footer_text                           string                     Text to be printed in the page footer area
 lines                                 list of objects            The actual invoice contents
+├ position                            integer                    Number of the line within an invoice.
 ├ description                         string                     Text representing the invoice line (e.g. product name)
 ├ gross_value                         money (string)             Price including taxes
 ├ tax_value                           money (string)             Tax amount included
@@ -63,6 +64,11 @@ internal_reference                    string                     Customer's refe
    The attribute ``internal_reference`` has been added.
 
 
+.. versionchanged:: 3.4
+
+   The attribute ``lines.number`` has been added.
+
+
 Endpoints
 ---------
 
@@ -107,6 +113,7 @@ Endpoints
             "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
             "lines": [
               {
+                "position": 1,
                 "description": "Budget Ticket",
                 "gross_value": "23.00",
                 "tax_value": "0.00",
@@ -171,6 +178,7 @@ Endpoints
         "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
         "lines": [
           {
+            "position": 1,
             "description": "Budget Ticket",
             "gross_value": "23.00",
             "tax_value": "0.00",

doc/api/resources/items.rst

@@ -114,6 +114,7 @@ bundles                               list of objects            Definition of b
 └ designated_price                    money (string)             Designated price of the bundled product. This will be
                                                                  used to split the price of the base item e.g. for mixed
                                                                  taxation. This is not added to the price.
+meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 2.7
@@ -154,6 +155,10 @@ bundles                               list of objects            Definition of b
 
    The ``show_quota_left``, ``allow_waitinglist``, and ``hidden_if_available`` attributes have been added.
 
+.. versionchanged:: 3.7
+
+   The attribute ``meta_data`` has been added.
+
 Notes
 -----
 
@@ -208,6 +213,7 @@ Endpoints
             "tax_rule": 1,
             "admission": false,
             "issue_giftcard": false,
+            "meta_data": {},
             "position": 0,
             "picture": null,
             "available_from": null,
@@ -303,6 +309,7 @@ Endpoints
         "tax_rule": 1,
         "admission": false,
         "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
@@ -379,6 +386,7 @@ Endpoints
         "tax_rule": 1,
         "admission": false,
         "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
@@ -442,6 +450,7 @@ Endpoints
         "tax_rule": 1,
         "admission": false,
         "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,
@@ -537,6 +546,7 @@ Endpoints
         "tax_rule": 1,
         "admission": false,
         "issue_giftcard": false,
+        "meta_data": {},
         "position": 0,
         "picture": null,
         "available_from": null,

doc/api/resources/orders.rst

@@ -61,9 +61,10 @@ invoice_address                       object                     Invoice address
 └ vat_id_validated                    string                     ``true``, if the VAT ID has been validated against the
                                                                  EU VAT service and validation was successful. This only
                                                                  happens in rare cases.
-positions                             list of objects            List of non-canceled order positions (see below)
-fees                                  list of objects            List of non-canceled fees included in the order total
-                                                                 (i.e. payment fees)
+positions                             list of objects            List of order positions (see below). By default, only
+                                                                 non-canceled positions are included.
+fees                                  list of objects            List of fees included in the order total. By default, only
+                                                                 non-canceled fees are included.
 ├ fee_type                            string                     Type of fee (currently ``payment``, ``passbook``,
                                                                  ``other``)
 ├ value                               money (string)             Fee amount
@@ -72,7 +73,8 @@ fees                                  list of objects            List of non-can
                                                                  can be empty
 ├ tax_rate                            decimal (string)           VAT rate applied for this fee
 ├ tax_value                           money (string)             VAT included in this fee
-└ tax_rule                            integer                    The ID of the used tax rule (or ``null``)
+├ tax_rule                            integer                    The ID of the used tax rule (or ``null``)
+└ canceled                            boolean                    Whether or not this fee has been canceled.
 downloads                             list of objects            List of ticket download options for order-wise ticket
                                                                  downloading. This might be a multi-page PDF or a ZIP
                                                                  file of tickets for outputs that do not support
@@ -145,6 +147,18 @@ last_modified                         datetime                   Last modificati
    The ``invoice_address.state`` and ``url`` attributes have been added. When creating orders through the API,
    vouchers are now supported and many fields are now optional.
 
+.. versionchanged:: 3.5
+
+   The ``order.fees.canceled`` attribute has been added.
+
+.. versionchanged:: 3.8
+
+   The ``reactivate`` operation has been added.
+
+.. versionchanged:: 3.10
+
+   The ``search`` query parameter has been added.
+
 
 .. _order-position-resource:
 
@@ -159,12 +173,21 @@ Field                                 Type                       Description
 id                                    integer                    Internal ID of the order position
 order                                 string                     Order code of the order the position belongs to
 positionid                            integer                    Number of the position within the order
+canceled                              boolean                    Whether or not this position has been canceled. Note that
+                                                                 by default, only non-canceled positions are shown.
 item                                  integer                    ID of the purchased item
 variation                             integer                    ID of the purchased variation (or ``null``)
 price                                 money (string)             Price of this position
 attendee_name                         string                     Specified attendee name for this position (or ``null``)
 attendee_name_parts                   object of strings          Decomposition of attendee name (i.e. given name, family name)
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
+company                               string                     Attendee company name (or ``null``)
+street                                string                     Attendee street (or ``null``)
+zipcode                               string                     Attendee ZIP code (or ``null``)
+city                                  string                     Attendee city (or ``null``)
+country                               string                     Attendee country code (or ``null``)
+state                                 string                     Attendee state (ISO 3166-2 code). Only supported in
+                                                                 AU, BR, CA, CN, MY, MX, and US, otherwise ``null``.
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 tax_rate                              decimal (string)           VAT rate applied for this position
 tax_value                             money (string)             VAT included in this position
@@ -176,6 +199,7 @@ pseudonymization_id                   string                     A random ID, e.
 checkins                              list of objects            List of check-ins with this ticket
 ├ list                                integer                    Internal ID of the check-in list
 ├ datetime                            datetime                   Time of check-in
+├ type                                string                     Type of scan (defaults to ``entry``)
 └ auto_checked_in                     boolean                    Indicates if this check-in been performed automatically by the system
 downloads                             list of objects            List of ticket download options
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
@@ -224,6 +248,18 @@ pdf_data                              object                     Data object req
   The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
   :ref:`order-position-ticket-download` for details.
 
+.. versionchanged:: 3.5
+
+  The attribute ``canceled`` has been added.
+
+.. versionchanged:: 3.8
+
+  The attributes ``company``, ``street``, ``zipcode``, ``city``, ``country``, and ``state`` have been added.
+
+.. versionchanged:: 3.9
+
+  The ``checkin.type`` attribute has been added.
+
 .. _order-payment-resource:
 
 Order payment resource
@@ -290,6 +326,10 @@ List of all orders
 
    Filtering for emails or order codes is now case-insensitive.
 
+.. versionchanged:: 3.5
+
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/
 
    Returns a list of all orders within a given event.
@@ -355,6 +395,7 @@ List of all orders
                 "id": 23442,
                 "order": "ABC12",
                 "positionid": 1,
+                "canceled": false,
                 "item": 1345,
                 "variation": null,
                 "price": "23.00",
@@ -363,6 +404,12 @@ List of all orders
                   "full_name": "Peter",
                 },
                 "attendee_email": null,
+                "company": "Sample company",
+                "street": "Test street 12",
+                "zipcode": "12345",
+                "city": "Testington",
+                "country": "DE",
+                "state": null,
                 "voucher": null,
                 "tax_rate": "0.00",
                 "tax_value": "0.00",
@@ -375,6 +422,7 @@ List of all orders
                 "checkins": [
                   {
                     "list": 44,
+                    "type": "entry",
                     "datetime": "2017-12-25T12:45:23Z",
                     "auto_checked_in": false
                   }
@@ -424,9 +472,13 @@ List of all orders
                            ``last_modified``, and ``status``. Default: ``datetime``
    :query string code: Only return orders that match the given order code
    :query string status: Only return orders in the given order status (see above)
+   :query string search: Only return orders matching a given search query
    :query boolean testmode: Only return orders with ``testmode`` set to ``true`` or ``false``
    :query boolean require_approval: If set to ``true`` or ``false``, only categories with this value for the field
                                     ``require_approval`` will be returned.
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
+   :query include_canceled_fees: If set to ``true``, the output will contain canceled order fees.
    :query string email: Only return orders created with the given email address
    :query string locale: Only return orders with the given customer locale
    :query datetime modified_since: Only return orders that have changed since the given date. Be careful: We only
@@ -444,6 +496,10 @@ List of all orders
 Fetching individual orders
 --------------------------
 
+.. versionchanged:: 3.5
+
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/
 
    Returns information on one order, identified by its order code.
@@ -503,6 +559,7 @@ Fetching individual orders
             "id": 23442,
             "order": "ABC12",
             "positionid": 1,
+            "canceled": false,
             "item": 1345,
             "variation": null,
             "price": "23.00",
@@ -511,6 +568,12 @@ Fetching individual orders
               "full_name": "Peter",
             },
             "attendee_email": null,
+            "company": "Sample company",
+            "street": "Test street 12",
+            "zipcode": "12345",
+            "city": "Testington",
+            "country": "DE",
+            "state": null,
             "voucher": null,
             "tax_rate": "0.00",
             "tax_rule": null,
@@ -523,6 +586,7 @@ Fetching individual orders
             "checkins": [
               {
                 "list": 44,
+                "type": "entry",
                 "datetime": "2017-12-25T12:45:23Z",
                 "auto_checked_in": false
               }
@@ -568,6 +632,9 @@ Fetching individual orders
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :param code: The ``code`` field of the order to fetch
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
+   :query include_canceled_fees: If set to ``true``, the output will contain canceled order fees.
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
@@ -788,9 +855,9 @@ Creating orders
    * ``consume_carts`` (optional) – A list of cart IDs. All cart positions with these IDs will be deleted if the
      order creation is successful. Any quotas or seats that become free by this operation will be credited to your order
      creation.
-   * ``email``
+   * ``email`` (optional)
    * ``locale``
-   * ``sales_channel``
+   * ``sales_channel`` (optional)
    * ``payment_provider`` (optional) – The identifier of the payment provider set for this order. This needs to be an
      existing payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"``
      for all orders you create as paid. This field is optional when the order status is ``"n"`` or the order total is
@@ -823,15 +890,21 @@ Creating orders
 
       * ``positionid`` (optional, see below)
       * ``item``
-      * ``variation``
+      * ``variation`` (optional)
       * ``price`` (optional, if set to ``null`` or missing the price will be computed from the given product)
       * ``seat`` (The ``seat_guid`` attribute of a seat. Required when the specified ``item`` requires a seat, otherwise must be ``null``.)
-      * ``attendee_name`` **or** ``attendee_name_parts``
+      * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
       * ``voucher`` (optional, the ``code`` attribute of a valid voucher)
-      * ``attendee_email``
+      * ``attendee_email`` (optional)
+      * ``company`` (optional)
+      * ``street`` (optional)
+      * ``zipcode`` (optional)
+      * ``city`` (optional)
+      * ``country`` (optional)
+      * ``state`` (optional)
       * ``secret`` (optional)
       * ``addon_to`` (optional, see below)
-      * ``subevent``
+      * ``subevent`` (optional)
       * ``answers``
 
         * ``question``
@@ -845,6 +918,14 @@ Creating orders
       * ``description``
       * ``internal_type``
       * ``tax_rule``
+      * ``_treat_value_as_percentage`` (Optional convenience flag. If set to ``true``, your ``value`` parameter will
+        be treated as a percentage and the fee will be calculated using that percentage and the sum of all product
+        prices. Note that this will not include other fees and is calculated once during order generation and will not
+        be respected automatically when the order changes later.)
+      * ``_split_taxes_like_products`` (Optional convenience flag. If set to ``true``, your ``tax_rule`` will be ignored
+        and the fee will be taxed like the products in the order. If the products have multiple tax rates, multiple fees
+        will be generated with weights adjusted to the net price of the products. Note that this will be calculated once
+        during order generation and is not respected automatically when the order changes later.)
 
    * ``force`` (optional). If set to ``true``, quotas will be ignored.
    * ``send_mail`` (optional). If set to ``true``, the same emails will be sent as for a regular order. Defaults to
@@ -855,6 +936,13 @@ Creating orders
    IDs in the ``addon_to`` field of another position. Note that all add_ons for a specific position need to come
    immediately after the position itself.
 
+   Starting with pretix 3.7, you can add ``"simulate": true`` to the body to do a "dry run" of your order. This will
+   validate your order and return you an order object with the resulting prices, but will not create an actual order.
+   You can use this for testing or to look up prices. In this case, some attributes are ignored, such as whether
+   to send an email or what payment provider will be used. Note that some returned fields will contain empty values
+   (e.g. all ``id`` fields of positions will be zero) and some will contain fake values (e.g. the order code will
+   always be ``PREVIEW``). pretix plugins will not be triggered, so some special behavior might be missing as well.
+
    **Example request**:
 
    .. sourcecode:: http
@@ -1014,6 +1102,42 @@ Order state operations
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order does not exist.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/reactivate/
+
+   Reactivates a canceled order. This will set the order to pending or paid state. Only possible if all products are
+   still available.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/reactivate/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be reactivated
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_pending/
 
    Marks a paid order as unpaid.
@@ -1305,8 +1429,9 @@ List of all order positions
 
   The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
 
+.. versionchanged:: 3.5
 
-.. note:: Individually canceled order positions are currently not visible via the API at all.
+   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/
 
@@ -1337,6 +1462,7 @@ List of all order positions
             "id": 23442,
             "order": "ABC12",
             "positionid": 1,
+            "canceled": false,
             "item": 1345,
             "variation": null,
             "price": "23.00",
@@ -1357,6 +1483,7 @@ List of all order positions
             "checkins": [
               {
                 "list": 44,
+                "type": "entry",
                 "datetime": "2017-12-25T12:45:23Z",
                 "auto_checked_in": false
               }
@@ -1406,6 +1533,8 @@ List of all order positions
                                 comma-separated IDs.
    :query string voucher: Only return positions with a specific voucher.
    :query string voucher__code: Only return positions with a specific voucher code.
+   :query include_canceled_positions: If set to ``true``, the output will contain canceled order positions. Note that this
+                                      only affects position-level cancellations, not fully-canceled orders.
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :statuscode 200: no error
@@ -1439,6 +1568,7 @@ Fetching individual positions
         "id": 23442,
         "order": "ABC12",
         "positionid": 1,
+        "canceled": false,
         "item": 1345,
         "variation": null,
         "price": "23.00",
@@ -1459,6 +1589,7 @@ Fetching individual positions
         "checkins": [
           {
             "list": 44,
+            "type": "entry",
             "datetime": "2017-12-25T12:45:23Z",
             "auto_checked_in": false
           }
@@ -1483,6 +1614,7 @@ Fetching individual positions
    :param organizer: The ``slug`` field of the organizer to fetch
    :param event: The ``slug`` field of the event to fetch
    :param id: The ``id`` field of the order position to fetch
+   :query include_canceled_positions: If set to ``true``, canceled positions may be returned (otherwise, they return 404).
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
@@ -1579,6 +1711,10 @@ Order payment endpoints
 
   These endpoints have been added.
 
+.. versionchanged:: 3.6
+
+   Payments can now be created through the API.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/
 
    Returns a list of all payments for an order.
@@ -1787,6 +1923,61 @@ Order payment endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order or payment does not exist.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/
+
+   Creates a new payment.
+
+   Be careful with the ``info`` parameter: You can pass a nested JSON object that will be set as the internal ``info``
+   value of the payment object that will be created. How this value is handled is up to the payment provider and you
+   should only use this if you know the specific payment provider in detail. Please keep in mind that the payment
+   provider will not be called to do anything about this (i.e. if you pass a bank account to a debit provider, *no*
+   charge will be created), this is just informative in case you *handled the payment already*.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/payments/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "state": "confirmed",
+        "amount": "23.00",
+        "payment_date": "2017-12-04T12:13:12Z",
+        "info": {},
+        "provider": "banktransfer"
+      }
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "local_id": 1,
+        "state": "confirmed",
+        "amount": "23.00",
+        "created": "2017-12-01T10:00:00Z",
+        "payment_date": "2017-12-04T12:13:12Z",
+        "payment_url": null,
+        "details": {},
+        "provider": "banktransfer"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to access
+   :param event: The ``slug`` field of the event to access
+   :param order: The ``code`` field of the order to access
+   :statuscode 201: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 
 Order refund endpoints
 ----------------------
@@ -1905,7 +2096,8 @@ Order refund endpoints
         "payment": 1,
         "execution_date": null,
         "provider": "manual",
-        "mark_canceled": false
+        "mark_canceled": false,
+        "mark_pending": true
       }
 
    **Example response**:

doc/api/resources/questions.rst

@@ -18,6 +18,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the question
 question                              multi-lingual string       The field label shown to the customer
+help_text                             multi-lingual string       The help text shown to the customer
 type                                  string                     The expected type of answer. Valid options:
 
                                                                  * ``N`` – number
@@ -31,6 +32,7 @@ type                                  string                     The expected ty
                                                                  * ``H`` – time
                                                                  * ``W`` – date and time
                                                                  * ``CC`` – country code (ISO 3666-1 alpha-2)
+                                                                 * ``TEL`` – telephone number
 required                              boolean                    If ``true``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
@@ -86,6 +88,10 @@ dependency_value                      string                     An old version
 
   The attribute ``print_on_invoice`` has been added.
 
+.. versionchanged:: 3.5
+
+  The attribute ``help_text`` has been added.
+
 Endpoints
 ---------
 
@@ -122,6 +128,7 @@ Endpoints
           {
             "id": 1,
             "question": {"en": "T-Shirt size"},
+            "help_text": {"en": "Choose your preferred t-shirt-size"},
             "type": "C",
             "required": false,
             "items": [1, 2],
@@ -192,6 +199,7 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
@@ -247,6 +255,7 @@ Endpoints
 
       {
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
@@ -281,6 +290,7 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],
@@ -355,6 +365,7 @@ Endpoints
       {
         "id": 1,
         "question": {"en": "T-Shirt size"},
+        "help_text": {"en": "Choose your preferred t-shirt-size"},
         "type": "C",
         "required": false,
         "items": [1, 2],

doc/api/resources/quotas.rst

@@ -26,6 +26,8 @@ close_when_sold_out                   boolean                    If ``true``, th
                                                                  again.
 closed                                boolean                    Whether the quota is currently closed (see above
                                                                  field).
+release_after_exit                    boolean                    Whether the quota regains capacity as soon as some tickets
+                                                                 have been scanned at an exit.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.10
@@ -36,6 +38,10 @@ closed                                boolean                    Whether the quo
 
    The attributes ``close_when_sold_out`` and ``closed`` have been added.
 
+.. versionchanged:: 3.10
+
+   The attribute ``release_after_exit`` has been added.
+
 
 Endpoints
 ---------
@@ -283,6 +289,7 @@ Endpoints
         "total_size": 1000,
         "pending_orders": 25,
         "paid_orders": 423,
+        "exited_orders": 0,
         "cart_positions": 7,
         "blocking_vouchers": 126,
         "waiting_list": 0

doc/api/resources/subevents.rst

@@ -39,10 +39,12 @@ geo_lon                               float                      Longitude of th
 item_price_overrides                  list of objects            List of items for which this sub-event overrides the
                                                                  default price
 ├ item                                integer                    The internal item ID
+├ disabled                            boolean                    If ``true``, item should not be available for this sub-event
 └ price                               money (string)             The price or ``null`` for the default price
 variation_price_overrides             list of objects            List of variations for which this sub-event overrides
                                                                  the default price
 ├ variation                           integer                    The internal variation ID
+├ disabled                            boolean                    If ``true``, variation should not be available for this sub-event
 └ price                               money (string)             The price or ``null`` for the default price
 meta_data                             object                     Values set for organizer-specific meta data parameters.
 seating_plan                          integer                    If reserved seating is in use, the ID of a seating
@@ -74,6 +76,10 @@ seat_category_mapping                 object                     An object mappi
 
    The attributes ``geo_lat`` and ``geo_lon`` have been added.
 
+.. versionchanged:: 3.10
+
+   The ``disabled`` attribute has been added to ``item_price_overrides`` and ``variation_price_overrides``.
+
 Endpoints
 ---------
 
@@ -125,6 +131,7 @@ Endpoints
             "item_price_overrides": [
               {
                 "item": 2,
+                "disabled": false,
                 "price": "12.00"
               }
             ],
@@ -182,6 +189,7 @@ Endpoints
         "item_price_overrides": [
           {
             "item": 2,
+            "disabled": false,
             "price": "12.00"
           }
         ],
@@ -216,6 +224,7 @@ Endpoints
         "item_price_overrides": [
           {
             "item": 2,
+            "disabled": false,
             "price": "12.00"
           }
         ],
@@ -271,6 +280,7 @@ Endpoints
         "item_price_overrides": [
           {
             "item": 2,
+            "disabled": false,
             "price": "12.00"
           }
         ],
@@ -307,6 +317,7 @@ Endpoints
         "item_price_overrides": [
           {
             "item": 2,
+            "disabled": false,
             "price": "23.42"
           }
         ],
@@ -339,6 +350,7 @@ Endpoints
         "item_price_overrides": [
           {
             "item": 2,
+            "disabled": false,
             "price": "23.42"
           }
         ],
@@ -427,6 +439,7 @@ Endpoints
             "item_price_overrides": [
               {
                 "item": 2,
+                "disabled": false,
                 "price": "12.00"
               }
             ],

doc/api/resources/teams.rst

@@ -0,0 +1,671 @@
+.. spelling:: fullname
+
+.. _`rest-teams`:
+
+Teams
+=====
+
+.. warning:: Unlike our user interface, the team API **does** allow you to lock yourself out by deleting or modifying
+             the team your user or API key belongs to. Be careful around here!
+
+Team resource
+-------------
+
+The team resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the team
+name                                  string                     Team name
+all_events                            boolean                    Whether this team has access to all events
+limit_events                          list                       List of event slugs this team has access to
+can_create_events                     boolean
+can_change_teams                      boolean
+can_change_organizer_settings         boolean
+can_manage_gift_cards                 boolean
+can_change_event_settings             boolean
+can_change_items                      boolean
+can_view_orders                       boolean
+can_change_orders                     boolean
+can_view_vouchers                     boolean
+can_change_vouchers                   boolean
+===================================== ========================== =======================================================
+
+Team member resource
+--------------------
+
+The team member resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the user
+email                                 string                     The user's email address
+fullname                              string                     The user's full name (or ``null``)
+require_2fa                           boolean                    Whether this user uses two-factor-authentication
+===================================== ========================== =======================================================
+
+Team invite resource
+--------------------
+
+The team invite resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the invite
+email                                 string                     The invitee's email address
+===================================== ========================== =======================================================
+
+Team API token resource
+-----------------------
+
+The team API token resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the invite
+name                                  string                     Name of this API token
+active                                boolean                    Whether this API token is active (can never be set to
+                                                                 ``true`` again once ``false``)
+token                                 string                     The actual API token. Will only be sent back during
+                                                                 token creation.
+===================================== ========================== =======================================================
+
+Team endpoints
+--------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/
+
+   Returns a list of all teams within a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": "Admin team",
+            "all_events": true,
+            "limit_events": [],
+            "can_create_events": true,
+            ...
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Returns information on one team, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/
+
+   Creates a new team
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a team for
+   :statuscode 201: no error
+   :statuscode 400: The team could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Update a team. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "can_create_events": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Admin team",
+        "all_events": true,
+        "limit_events": [],
+        "can_create_events": true,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the team to modify
+   :statuscode 200: no error
+   :statuscode 400: The team could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(id)/
+
+   Deletes a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the team to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+Team member endpoints
+---------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/members/
+
+   Returns a list of all members of a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/members/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "fullname": "John Doe",
+            "email": "john@example.com",
+            "require_2fa": true
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/members/(id)/
+
+   Returns information on one team member, identified by their ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/members/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "fullname": "John Doe",
+        "email": "john@example.com",
+        "require_2fa": true
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the member to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or member does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/members/(id)/
+
+   Removes a member from the team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/members/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the member to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or member does not exist
+
+Team invite endpoints
+---------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/invites/
+
+   Returns a list of all invitations to a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/invites/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "email": "john@example.com"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/invites/(id)/
+
+   Returns information on one invite, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/invites/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "email": "john@example.org"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the invite to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or invite does not exist
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/(team)/invites/
+
+   Invites someone into the team. Note that if the user already has a pretix account, you will receive a response without
+   an ``id`` and instead of an invite being created, the user will be directly added to the team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/1/invites/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "email": "mark@example.org"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "email": "mark@example.org"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/invites/(id)/
+
+   Revokes an invite.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/invites/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the invite to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or invite does not exist
+
+Team API token endpoints
+------------------------
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/tokens/
+
+   Returns a list of all API tokens of a team.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/tokens/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "active": true,
+            "name": "Test token"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:get:: /api/v1/organizers/(organizer)/teams/(team)/tokens/(id)/
+
+   Returns information on one token, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/teams/1/tokens/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "active": true,
+        "name": "Test token"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param team: The ``id`` field of the team to fetch
+   :param id: The ``id`` field of the token to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested team or token does not exist
+
+.. http:post:: /api/v1/organizers/(organizer)/teams/(team)/tokens/
+
+   Creates a new token.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/teams/1/tokens/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "New token"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "name": "New token",
+        "active": true,
+        "token": "",
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to create a token for
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team does not exist
+
+.. http:delete:: /api/v1/organizers/(organizer)/teams/(team)/tokens/(id)/
+
+   Disables a token.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/teams/1/tokens/1/ HTTP/1.1
+      Host: pretix.eu
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "My token",
+        "active": false
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param team: The ``id`` field of the team to modify
+   :param id: The ``id`` field of the token to delete
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+   :statuscode 404: The requested team or token does not exist

doc/api/resources/vouchers.rst

@@ -38,6 +38,7 @@ quota                                 integer                    An ID of a quot
                                                                  attached either to a specific product or to all
                                                                  products within one quota or it can be available
                                                                  for all items without restriction.
+seat                                  string                     ``seat_guid`` attribute of a specific seat (or ``null``)
 tag                                   string                     A string that is used for grouping vouchers
 comment                               string                     An internal comment on the voucher
 subevent                              integer                    ID of the date inside an event series this voucher belongs to (or ``null``).
@@ -53,6 +54,10 @@ show_hidden_items                     boolean                    Only if set to
 
    The attribute ``show_hidden_items`` has been added.
 
+.. versionchanged:: 3.4
+
+   The attribute ``seat`` has been added.
+
 Endpoints
 ---------
 
@@ -96,7 +101,8 @@ Endpoints
             "quota": null,
             "tag": "testvoucher",
             "comment": "",
-            "subevent": null
+            "seat": null,
+            "subevent": null,
           }
         ]
       }
@@ -162,6 +168,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 
@@ -225,6 +232,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 
@@ -352,6 +360,7 @@ Endpoints
         "quota": null,
         "tag": "testvoucher",
         "comment": "",
+        "seat": null,
         "subevent": null
       }
 

doc/api/webhooks.rst

@@ -70,6 +70,9 @@ and ``checkin_list``.
              only include the minimum amount of data necessary for you to fetch the changed objects from our
              :ref:`rest-api` in an authenticated way.
 
+.. warning:: In very rare cases, you could receive the same webhook notification twice. We try to avoid it, but we
+             prefer it over missing a notification.
+
 If you want to further prevent others from accessing your webhook URL, you can also use `Basic authentication`_ and
 supply the URL to us in the format of ``https://username:password@domain.com/path/``.
 We recommend that you use HTTPS for your webhook URL and might require it in the future. If HTTPS is used, we require

doc/contents.rst

@@ -0,0 +1,12 @@
+Table of contents
+=================
+
+.. toctree::
+   :maxdepth: 3
+
+   user/index
+   admin/index
+   api/index
+   development/index
+   plugins/index
+

doc/development/api/customview.rst

@@ -66,7 +66,7 @@ event-related views, there is also a signal that allows you to add the view to t
 
     from django.urls import resolve, reverse
     from django.dispatch import receiver
-    from django.utils.translation import ugettext_lazy as _
+    from django.utils.translation import gettext_lazy as _
     from pretix.control.signals import nav_event
 
 

doc/development/api/exporter.rst

@@ -29,6 +29,22 @@ that we'll provide in this plugin::
         from .exporter import MyExporter
         return MyExporter
 
+Some exporters might also prove to be useful, when provided on an organizer-level. In order to declare your
+exporter as capable of providing exports spanning multiple events, your plugin should listen for this signal
+and return the subclass of ``pretix.base.exporter.BaseExporter`` that we'll provide in this plugin::
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import register_multievent_data_exporters
+
+
+    @receiver(register_multievent_data_exporters, dispatch_uid="multieventexporter_myexporter")
+    def register_multievent_data_exporter(sender, **kwargs):
+        from .exporter import MyExporter
+        return MyExporter
+
+If your exporter supports both event-level and multi-event level exports, you will need to listen for both
+signals.
 
 The exporter class
 ------------------

doc/development/api/general.rst

@@ -20,17 +20,24 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 
 .. automodule:: pretix.base.signals
-   :members: validate_cart, validate_cart_addons, validate_order, order_fee_calculation, order_paid, order_placed, order_canceled, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download, order_split, order_gracefully_delete
+   :members: validate_cart, validate_cart_addons, validate_order, order_fee_calculation, order_paid, order_placed, order_canceled, order_reactivated, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download, order_split, order_gracefully_delete, invoice_line_text
+
+Check-ins
+"""""""""
+
+.. automodule:: pretix.base.signals
+   :members: checkin_created
+
 
 Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description
 
 
 .. automodule:: pretix.presale.signals
-   :members: order_info, order_meta_from_request
+   :members: order_info, order_info_top, order_meta_from_request
 
 Request flow
 """"""""""""
@@ -49,8 +56,8 @@ Backend
 
 .. automodule:: pretix.control.signals
    :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
-             order_info, event_settings_widget, oauth_application_registered, order_position_buttons, subevent_forms, item_formsets
-
+             order_info, event_settings_widget, oauth_application_registered, order_position_buttons, subevent_forms,
+             item_formsets, order_search_filter_q
 
 .. automodule:: pretix.base.signals
    :members: logentry_display, logentry_object_link, requiredaction_display, timeline_events
@@ -78,3 +85,12 @@ Ticket designs
 
 .. automodule:: pretix.base.signals
    :members: layout_text_variables
+
+.. automodule:: pretix.plugins.ticketoutputpdf.signals
+   :members: override_layout
+
+API
+---
+
+.. automodule:: pretix.base.signals
+   :members: validate_event_settings, api_event_settings_fields

doc/development/api/import.rst

@@ -0,0 +1,112 @@
+.. highlight:: python
+   :linenothreshold: 5
+
+.. _`importcol`:
+
+Extending the order import process
+==================================
+
+It's possible through the backend to import orders into pretix, for example from a legacy ticketing system. If your
+plugins defines additional data structures around orders, it might be useful to make it possible to import them as well.
+
+Import process
+--------------
+
+Here's a short description of pretix' import process to show you where the system will need to interact with your plugin.
+You can find more detailed descriptions of the attributes and methods further below.
+
+1. The user uploads a CSV file. The system tries to parse the CSV file and understand its column headers.
+
+2. A preview of the file is shown to the user and the user is asked to assign the various different input parameters to
+   columns of the file or static values. For example, the user either needs to manually select a product or specify a
+   column that contains a product. For this purpose, a select field is rendered for every possible input column,
+   allowing the user to choose between a default/empty value (defined by your ``default_value``/``default_label``)
+   attributes, the columns of the uploaded file, or a static value (defined by your ``static_choices`` method).
+
+3. The user submits its assignment and the system uses the ``resolve`` method of all columns to get the raw value for
+   all columns.
+
+4. The system uses the ``clean`` method of all columns to verify that all input fields are valid and transformed to the
+   correct data type.
+
+5. The system prepares internal model objects (``Order`` etc) and uses the ``assign`` method of all columns to assign
+   these objects with actual values.
+
+6. The system saves all of these model objects to the database in a database transaction. Plugins can create additional
+   objects in this stage through their ``save`` method.
+
+Column registration
+-------------------
+
+The import API does not make a lot of usage from signals, however, it
+does use a signal to get a list of all available import columns. Your plugin
+should listen for this signal and return the subclass of ``pretix.base.orderimport.ImportColumn``
+that we'll provide in this plugin:
+
+.. sourcecode:: python
+
+    from django.dispatch import receiver
+
+    from pretix.base.signals import order_import_columns
+
+
+    @receiver(order_import_columns, dispatch_uid="custom_columns")
+    def register_column(sender, **kwargs):
+        return [
+            EmailColumn(sender),
+        ]
+
+The column class API
+--------------------
+
+.. class:: pretix.base.orderimport.ImportColumn
+
+   The central object of each import extension is the subclass of ``ImportColumn``.
+
+   .. py:attribute:: ImportColumn.event
+
+      The default constructor sets this property to the event we are currently
+      working for.
+
+   .. autoattribute:: identifier
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: verbose_name
+
+      This is an abstract attribute, you **must** override this!
+
+   .. autoattribute:: default_value
+
+   .. autoattribute:: default_label
+
+   .. autoattribute:: initial
+
+   .. automethod:: static_choices
+
+   .. automethod:: resolve
+
+   .. automethod:: clean
+
+   .. automethod:: assign
+
+   .. automethod:: save
+
+Example
+-------
+
+For example, the import column responsible for assigning email addresses looks like this:
+
+.. sourcecode:: python
+
+   class EmailColumn(ImportColumn):
+       identifier = 'email'
+       verbose_name = _('E-mail address')
+
+       def clean(self, value, previous_values):
+           if value:
+               EmailValidator()(value)
+           return value
+
+       def assign(self, value, order, position, invoice_address, **kwargs):
+           order.email = value

doc/development/api/index.rst

@@ -15,6 +15,7 @@ Contents:
    placeholder
    invoice
    shredder
+   import
    customview
    auth
    general

doc/development/api/payment.rst

@@ -62,6 +62,8 @@ The provider class
 
    .. autoattribute:: is_enabled
 
+   .. autoattribute:: priority
+
    .. autoattribute:: settings_form_fields
 
    .. automethod:: settings_form_clean
@@ -108,10 +110,16 @@ The provider class
 
    .. automethod:: execute_refund
 
+   .. automethod:: refund_control_render
+
    .. automethod:: api_payment_details
 
+   .. automethod:: matching_id
+
    .. automethod:: shred_payment_info
 
+   .. automethod:: cancel_payment
+
    .. autoattribute:: is_implicit
 
    .. autoattribute:: is_meta

doc/development/api/plugins.rst

@@ -46,6 +46,9 @@ name               string               The human-readable name of your plugin
 author             string               Your name
 version            string               A human-readable version code of your plugin
 description        string               A more verbose description of what your plugin does.
+category           string               Category of a plugin. Either one of ``"FEATURE"``, ``"PAYMENT"``,
+                                        ``"INTEGRATION"``, ``"CUSTOMIZATION"``, ``"FORMAT"``, or ``"API"``,
+                                        or any other string.
 visible            boolean (optional)   ``True`` by default, can hide a plugin so it cannot be normally activated.
 restricted         boolean (optional)   ``False`` by default, restricts a plugin such that it can only be enabled
                                         for an event by system administrators / superusers.
@@ -58,7 +61,7 @@ A working example would be::
         from pretix.base.plugins import PluginConfig
     except ImportError:
         raise RuntimeError("Please use pretix 2.7 or above to run this plugin!")
-    from django.utils.translation import ugettext_lazy as _
+    from django.utils.translation import gettext_lazy as _
 
 
     class PaypalApp(PluginConfig):
@@ -69,6 +72,7 @@ A working example would be::
             name = _("PayPal")
             author = _("the pretix team")
             version = '1.0.0'
+            category = 'PAYMENT
             visible = True
             restricted = False
             description = _("This plugin allows you to receive payments via PayPal")

doc/development/api/ticketoutput.rst

@@ -72,6 +72,10 @@ The output class
 
    .. autoattribute:: download_button_icon
 
+   .. autoattribute:: multi_download_button_text
+
+   .. autoattribute:: long_download_button_text
+
    .. autoattribute:: preview_allowed
 
    .. autoattribute:: javascript_required

doc/development/contribution/style.rst

@@ -18,7 +18,7 @@ Coding style and quality
 * We expect all new code to come with proper tests. When writing new tests, please write them using `pytest-style`_
   test functions and raw ``assert`` statements. Use `fixtures`_ to prevent repetitive code. Some old parts of pretix'
   test suite are in the style of Python's unit test module. If you extend those files, you might continue in this style,
-  but please use pytest style for any new test files.
+  but please use ``pytest`` style for any new test files.
 
 * Please keep the first line of your commit messages short. When referencing an issue, please phrase it like
   ``Fix #123 -- Problems with order creation`` or ``Refs #123 -- Fix this part of that bug``.

doc/development/implementation/logging.rst

@@ -69,7 +69,7 @@ We now need a way to translate the action codes like ``pretix.event.changed`` in
 strings. The :py:attr:`pretix.base.signals.logentry_display` signals allows you to do so. A simple
 implementation could look like::
 
-    from django.utils.translation import ugettext as _
+    from django.utils.translation import gettext as _
     from pretix.base.signals import logentry_display
 
     @receiver(signal=logentry_display)

doc/index.rst

@@ -1,12 +1 @@
-Table of contents
-=================
-
-.. toctree::
-   :maxdepth: 3
-
-   user/index
-   admin/index
-   api/index
-   development/index
-   plugins/index
-
+.. include:: contents.rst

doc/plugins/campaigns.rst

@@ -0,0 +1,224 @@
+Campaigns
+=========
+
+The campaigns plugin provides a HTTP API that allows you to create new campaigns.
+
+Resource description
+--------------------
+
+The campaign resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal campaign ID
+code                                  string                     The URL component of the campaign, e.g. with code ``BAR``
+                                                                 the campaign URL would to be ``https://<server>/<organizer>/<event>/c/BAR/``.
+                                                                 This value needs to be *globally unique* and we do not
+                                                                 recommend setting it manually. If you omit it, a random
+                                                                 value will be chosen.
+description                           string                     An internal, human-readable name of the campaign.
+external_target                       string                     An URL to redirect to from the tracking link. To redirect to
+                                                                 the ticket shop, use an empty string.
+order_count                           integer                    Number of orders tracked on this campaign (read-only)
+click_count                           integer                    Number of clicks tracked on this campaign (read-only)
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/campaigns/
+
+   Returns a list of all campaigns configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/campaigns/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "code": "wZnL11fjq",
+            "description": "Facebook",
+            "external_target": "",
+            "order_count:" 0,
+            "click_count:" 0
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Returns information on one campaign, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "wZnL11fjq",
+        "description": "Facebook",
+        "external_target": "",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the campaign to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/campaigns/
+
+   Create a new campaign.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/campaigns/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "description": "Twitter"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "code": "IfVJQzSBL",
+        "description": "Twitter",
+        "external_target": "",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a campaign for
+   :param event: The ``slug`` field of the event to create a campaign for
+   :statuscode 201: no error
+   :statuscode 400: The campaign could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create campaigns.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Update a campaign. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "external_target": "https://mywebsite.com"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 2,
+        "code": "IfVJQzSBL",
+        "description": "Twitter",
+        "external_target": "https://mywebsite.com",
+        "order_count:" 0,
+        "click_count:" 0
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the campaign to modify
+   :statuscode 200: no error
+   :statuscode 400: The campaign could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/campaigns/(id)/
+
+   Delete a campaign and all associated data.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/campaigns/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the campaign to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/campaign does not exist **or** you have no permission to change it

doc/plugins/digital.rst

@@ -0,0 +1,277 @@
+Digital content
+===============
+
+The digital content plugin provides a HTTP API that allows you to create new digital content for your ticket holders,
+such as live streams, videos, or material downloads.
+
+Resource description
+--------------------
+
+The digital content resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal content ID
+title                                 multi-lingual string       The content title (required)
+content_type                          string                     The type of content, valid values are ``webinar``, ``video``, ``livestream``, ``link``, ``file``
+url                                   string                     The location of the digital content
+description                           multi-lingual string       A public description of the item. May contain Markdown
+                                                                 syntax and is not required.
+available_from                        datetime                   The first date time at which this content will be shown
+                                                                 (or ``null``).
+available_until                       datetime                   The last date time at which this content will b e shown
+                                                                 (or ``null``).
+all_products                          boolean                    If ``true``, the content is available to all buyers of tickets for this event. The ``limit_products`` field is ignored in this case.
+limit_products                        list of integers           List of product/item IDs. This content is only shown to buyers of these ticket types.
+position                              integer                    An integer, used for sorting
+subevent                              integer                    Date in an event series this content should be shown for. Should be ``null`` if this is not an event series or if this should be shown to all customers.
+===================================== ========================== =======================================================
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/
+
+   Returns a list of all digital content configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "subevent": null,
+            "title": {
+                "en": "Concert livestream"
+            },
+            "content_type": "link",
+            "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+            "description": {
+                "en": "Watch our event live here on YouTube!"
+            },
+            "all_products": true,
+            "limit_products": [],
+            "available_from": "2020-03-22T23:00:00Z",
+            "available_until": null,
+            "position": 1
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Returns information on one content item, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the content to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/
+
+   Create a new digital content.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create new content for
+   :param event: The ``slug`` field of the event to create new content for
+   :statuscode 201: no error
+   :statuscode 400: The content could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create digital contents.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Update a content. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "url": "https://mywebsite.com"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 2,
+        "subevent": null,
+        "title": {
+            "en": "Concert livestream"
+        },
+        "content_type": "link",
+        "url": "https://mywebsite.com",
+        "description": {
+            "en": "Watch our event live here on YouTube!"
+        },
+        "all_products": true,
+        "limit_products": [],
+        "available_from": "2020-03-22T23:00:00Z",
+        "available_until": null,
+        "position": 1
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the content to modify
+   :statuscode 200: no error
+   :statuscode 400: The content could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/digitalcontents/(id)/
+
+   Delete a digital content.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/digitalcontents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the content to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/content does not exist **or** you have no permission to change it

doc/plugins/index.rst

@@ -14,3 +14,5 @@ If you want to **create** a plugin, please go to the
    banktransfer
    ticketoutputpdf
    badges
+   campaigns
+   digital

doc/requirements.txt

@@ -1,8 +1,9 @@
 -r ../src/requirements.txt
-sphinx==1.6.*
+sphinx==2.3.*
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
 sphinxcontrib-spelling
+pygments-markdown-lexer
 # See https://github.com/rfk/pyenchant/pull/130
 git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant

doc/spelling_wordlist.txt

@@ -103,6 +103,7 @@ regex
 renderer
 renderers
 reportlab
+reseller
 SaaS
 scalability
 screenshot
@@ -110,9 +111,10 @@ scss
 searchable
 selectable
 serializable
-serializers
+serializer
 serializers
 sexualized
+SQL
 startup
 stdout
 stylesheet
@@ -139,6 +141,7 @@ untrusted
 uptime
 username
 url
+validator
 versa
 versioning
 viewable

doc/user/events/guides/timeslots.rst

@@ -0,0 +1,94 @@
+.. _timeslots:
+
+Use case: Time slots
+====================
+
+A more advanced use case of pretix is using pretix for time-slot-based access to an area with a limited visitor
+capacity, such as a museum or other attraction. This guide will show you the quickest way to set up such an event
+with pretix.
+
+First of all, when creating your event, you need to select that your event represents an "event series":
+
+
+.. thumbnail:: ../../../screens/event/create_step1.png
+   :align: center
+   :class: screenshot
+
+You can click :ref:`here <subevents>` for a more general description of event series with pretix, but everything you
+need to know is in this chapter as well.
+
+General event setup
+-------------------
+
+Before you go further, set up your products that you want to sell for each time slot, such as different types of entry.
+
+Creating slots
+--------------
+
+To create the time slots, you need to create a number of "dates" in the event series. Select "Dates" in the navigation
+menu on the left side and click "Create many new dates". Then, first enter the pattern of your opening days. In the
+example, the museum is open week Tuesday to Sunday. We recommend to create the slots for a few weeks at a time, but not
+e.g. for a full year, since it will be more complicated to change things later.
+
+.. thumbnail:: ../../../screens/event/timeslots_create.png
+   :align: center
+   :class: screenshot
+
+Then, scroll to the times section and create your time slots. You can do any interval you like. If you have different
+opening times on different week days, you will need to go through the creation process multiple times.
+
+.. thumbnail:: ../../../screens/event/timeslots_create_2.png
+   :align: center
+   :class: screenshot
+
+Scroll further down and create one or multiple quotas that define how many people can book a ticket for that time slot.
+In this example, 50 people in total are allowed to enter within every slot:
+
+.. thumbnail:: ../../../screens/event/timeslots_create_3.png
+   :align: center
+   :class: screenshot
+
+Do **not** create a check-in list at this point. We will deal with this further below in the guide.
+Now, press "Save" to create your slots.
+
+.. warning:: If you create a lot of time slots at once, the server might need a few minutes to create them all in our
+             system. If you receive an error page because it took too long, please do not try again immediately but wait
+             for a few minutes. Most likely, the slots will be created successfully even though you saw an error.
+
+Event settings
+--------------
+
+We recommend that you navigate to "Settings" > "General" > "Display" and set the settings "Default overview style"
+to "Week calendar":
+
+.. thumbnail:: ../../../screens/event/timeslots_settings_1.png
+   :align: center
+   :class: screenshot
+
+Now, your ticket shop should give users a nice weekly overview over all time slots and their availability:
+
+.. thumbnail:: ../../../screens/event/timeslots_presale.png
+   :align: center
+   :class: screenshot
+
+Check-in
+--------
+
+If you want to scan people at the entrance of your event and only admit them at their designated time, we recommend
+the following setup: Go to "Check-in" in the main navigation on the left and create a new check-in list. Give it a name
+and do *not* choose a specific data. We will use one check-in list for all dates. Then, go to the "Advanced" tab at
+the top and set up two restrictions to make sure people can only get in during the time slot they registered for.
+You can create the rules exactly like shown in the following screenshot:
+
+.. thumbnail:: ../../../screens/event/timeslots_checkinlists.png
+   :align: center
+   :class: screenshot
+
+If you want, you can enter a tolerance of e.g. "10" if you want to be a little bit more relaxed and admit people up to
+10 minutes before or after their time slot.
+
+Now, download our `Android or Desktop app`_ and register it to your account. The app will ask you to select one the
+time slots, but it does not matter, you can select any one of them and then select your newly created check-in list.
+That's it, you're good to go!
+
+.. _Android or Desktop app: https://pretix.eu/about/en/scan

doc/user/events/structureguide.rst

@@ -344,3 +344,13 @@ In addition to your normal conference quota, you need to create an unlimited quo
 Then, head to the **Bundled products** tab of the "conference ticket" and add the "conference food" as a bundled product with a **designated price** of € 150.
 
 Once a customer tries to buy the € 450 conference ticket, a sub-product will be added and the price will automatically be split into the two components, leading to a correct computation of taxes.
+
+You can find more use cases in these specialized guides:
+
+More use cases
+--------------
+
+.. toctree::
+   :maxdepth: 1
+
+   guides/timeslots

doc/user/events/widget.rst

@@ -114,6 +114,17 @@ If you want to disable voucher input in the widget, you can pass the ``disable-v
 
    <pretix-widget event="https://pretix.eu/demo/democon/" disable-vouchers></pretix-widget>
 
+Filtering products
+------------------
+
+You can filter the products shown in the widget by passing in a list of product IDs::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" items="23,42"></pretix-widget>
+
+Alternatively, you can select one or more categories to be shown::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" categories="12,25"></pretix-widget>
+
 Multi-event selection
 ---------------------
 
@@ -125,10 +136,15 @@ If you want to include all your public events, you can just reference your organ
 
    <pretix-widget event="https://pretix.eu/demo/"></pretix-widget>
 
-There is an optional ``style`` parameter that let's you choose between a calendar view and a list view. If you do not set it, the choice will be taken from your organizer settings::
+There is an optional ``style`` parameter that let's you choose between a monthly calendar view, a week view and a list
+view. If you do not set it, the choice will be taken from your organizer settings::
 
    <pretix-widget event="https://pretix.eu/demo/series/" style="list"></pretix-widget>
    <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" style="week"></pretix-widget>
+
+If you have more than 100 events, the system might refuse to show a list view and always show a calendar for performance
+reasons instead.
 
 You can see an example here:
 
@@ -183,6 +199,24 @@ Just as the widget, the button supports the optional attributes ``voucher`` and
 
 You can style the button using the ``pretix-button`` CSS class.
 
+Dynamically opening the widget
+------------------------------
+
+You can get the behavior of the pretix Button without a button at all, so you can trigger it from your own code in
+response to a user action. Usually, this will open an overlay with your ticket shop, however in some cases, such as
+missing HTTPS encryption on your case or a really small screen (mobile), it will open a new tab instead of an overlay.
+Therefore, make sure you call this *in direct response to a user action*, otherwise most browser will block it as an
+unwanted pop-up.
+
+.. js:function:: window.PretixWidget.open(target_url [, voucher [, subevent [, items, [, widget_data [, skip_ssl_check ]]]]])
+
+   :param string target_url: The URL of the ticket shop.
+   :param string voucher: A voucher code to be pre-selected, or ``null``.
+   :param string subevent: A subevent to be pre-selected, or ``null``.
+   :param array items: A collection of items to be put in the cart, of the form ``[{"item": "item_3", "count": 1}, {"item": "variation_5_6", "count": 4}]``
+   :param object widget_data: Additional data to be passed to the shop, see below.
+   :param boolean skip_ssl_check: Whether to ignore the check for HTTPS. Only to be used during development.
+
 Dynamically loading the widget
 ------------------------------
 
@@ -238,7 +272,8 @@ with that information::
         data-question-L9G8NG9M="Foobar">
     </pretix-widget>
 
-This works for the pretix Button as well. Currently, the following attributes are understood by pretix itself:
+This works for the pretix Button as well, if you also specify a product.
+Currently, the following attributes are understood by pretix itself:
 
 * ``data-email`` will pre-fill the order email field as well as the attendee email field (if enabled).
 
@@ -256,6 +291,11 @@ This works for the pretix Button as well. Currently, the following attributes ar
   naming scheme such as ``name-title`` or ``name-given-name`` (see above). ``country`` expects a two-character
   country code.
 
+* If ``data-fix="true"`` is given, the user will not be able to change the other given values later. This currently
+  only works for the order email address as well as the invoice address. Attendee-level fields and questions can
+  always be modified. Note that this is not a security feature and can easily be overridden by users, so do not rely
+  on this for authentication.
+
 Any configured pretix plugins might understand more data fields. For example, if the appropriate plugins on pretix
 Hosted or pretix Enterprise are active, you can pass the following fields:
 
@@ -298,4 +338,8 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
    Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
    fully if you configured a redis server.
 
+.. versionchanged:: 3.6
+
+   Dynamically opening the widget has been added in pretix 3.6.
+
 .. _Let's Encrypt: https://letsencrypt.org/

doc/user/organizers/domain.rst

@@ -14,30 +14,23 @@ and with pretix, you can do this. On this page, you find out the necessary steps
 With the pretix.eu hosted service
 ---------------------------------
 
-Step 1: DNS Configuration
-#########################
+Go to "Organizers" in the backend and select your organizer account. Then, go to "Settings" and "Custom Domain".
+
+This page will show you instructions on how to set up your own domain. Basically, it works like this:
 
 Go to the website of the provider you registered your domain name with. Look for the "DNS" settings page in their
 interface. Unfortunately, we can't tell you exactly how that is named and how it looks, since it is different for every
 domain provider.
 
 Use this interface to add a new subdomain record, e.g. ``tickets`` of the type ``CNAME`` (might also be called "alias").
-The value of the record should be ``www.pretix.eu``.
-
-Step 2: Wait for the DNS entry to propagate
-###########################################
+The value of the record should be the one shown on the "Custom Domain" page in pretix' backend.
 
 Submit your changes and wait a bit, it can regularly take up to three hours for DNS changes to propagate to the caches
 of all DNS servers. You can try checking by accessing your new subdomain, ``http://tickets.awesomepartycorp.com``.
 If DNS was changed successfully, you should see a SSL certificate error. If you ignore the error and access the page
 anyways, you should get a pretix-themed error page with the headline "Unknown domain".
 
-Step 3: Tell us
-###############
-
-Write an email to support@pretix.eu, naming your new domain and your organizer account. We will then generate a SSL
-certificate for you (for free!) and configure the domain.
-
+Now, tell us about your domain on the "Custom Domain" page to get started.
 
 With a custom pretix installation
 ---------------------------------

doc/user/payments/settings.rst

@@ -1,8 +1,8 @@
 General settings
 ================
 
-At "Settings" → "Payment", you can configure every aspect related to the payments you want to accept. The upper part
-of the page shows a number of general settings that affect all payment methods:
+At "Settings" → "Payment", you can configure every aspect related to the payments you want to accept. The "Deadline"
+and "Advanced" tabs of the page show a number of general settings that affect all payment methods:
 
 .. thumbnail:: ../../screens/event/settings_payment.png
    :align: center

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "3.3.0"
+__version__ = "3.10.0"

src/pretix/api/models.py

@@ -3,7 +3,7 @@ from datetime import timedelta
 from django.db import models
 from django.urls import reverse
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from oauth2_provider.generators import (
     generate_client_id, generate_client_secret,
 )

src/pretix/api/serializers/cart.py

@@ -2,7 +2,7 @@ from datetime import timedelta
 
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy
+from django.utils.translation import gettext_lazy
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
@@ -30,11 +30,12 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
     expires = serializers.DateTimeField(required=False)
     attendee_name = serializers.CharField(required=False, allow_null=True)
     seat = serializers.CharField(required=False, allow_null=True)
+    sales_channel = serializers.CharField(required=False, default='sales_channel')
 
     class Meta:
         model = CartPosition
         fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'subevent', 'expires', 'includes_tax', 'answers', 'seat')
+                  'subevent', 'expires', 'includes_tax', 'answers', 'seat', 'sales_channel')
 
     def create(self, validated_data):
         answers_data = validated_data.pop('answers')
@@ -55,7 +56,7 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                           else validated_data.get('item').quotas.filter(subevent=validated_data.get('subevent')))
             if len(new_quotas) == 0:
                 raise ValidationError(
-                    ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                    gettext_lazy('The product "{}" is not assigned to a quota.').format(
                         str(validated_data.get('item'))
                     )
                 )
@@ -63,8 +64,8 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                 avail = quota.availability()
                 if avail[0] != Quota.AVAILABILITY_OK or (avail[1] is not None and avail[1] < 1):
                     raise ValidationError(
-                        ugettext_lazy('There is not enough quota available on quota "{}" to perform '
-                                      'the operation.').format(
+                        gettext_lazy('There is not enough quota available on quota "{}" to perform '
+                                     'the operation.').format(
                             quota.name
                         )
                     )
@@ -86,11 +87,12 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                     raise ValidationError('The specified seat ID is not unique.')
                 else:
                     validated_data['seat'] = seat
-                    if not seat.is_available():
-                        raise ValidationError(ugettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name))
+                    if not seat.is_available(sales_channel=validated_data.get('sales_channel', 'web')):
+                        raise ValidationError(gettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name))
             elif seated:
                 raise ValidationError('The specified product requires to choose a seat.')
 
+            validated_data.pop('sales_channel')
             cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
 
         for answ_data in answers_data:

src/pretix/api/serializers/checkin.py

@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
@@ -14,7 +14,8 @@ class CheckinListSerializer(I18nAwareModelSerializer):
     class Meta:
         model = CheckinList
         fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count',
-                  'include_pending', 'auto_checkin_sales_channels')
+                  'include_pending', 'auto_checkin_sales_channels', 'allow_multiple_entries', 'allow_entry_after_exit',
+                  'rules')
 
     def validate(self, data):
         data = super().validate(data)
@@ -28,9 +29,7 @@ class CheckinListSerializer(I18nAwareModelSerializer):
                 raise ValidationError(_('One or more items do not belong to this event.'))
 
         if event.has_subevents:
-            if not full_data.get('subevent'):
-                raise ValidationError(_('Subevent cannot be null for event series.'))
-            if event != full_data.get('subevent').event:
+            if full_data.get('subevent') and event != full_data.get('subevent').event:
                 raise ValidationError(_('The subevent does not belong to this event.'))
         else:
             if full_data.get('subevent'):

src/pretix/api/serializers/event.py

@@ -2,9 +2,12 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.utils.functional import cached_property
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from django_countries.serializers import CountryFieldMixin
-from rest_framework.fields import Field
+from hierarkey.proxy import HierarkeyProxy
+from pytz import common_timezones
+from rest_framework import serializers
+from rest_framework.fields import ChoiceField, Field
 from rest_framework.relations import SlugRelatedField
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
@@ -14,6 +17,8 @@ from pretix.base.models.items import SubEventItem, SubEventItemVariation
 from pretix.base.services.seating import (
     SeatProtected, generate_seats, validate_plan_change,
 )
+from pretix.base.settings import DEFAULTS, validate_settings
+from pretix.base.signals import api_event_settings_fields
 
 
 class MetaDataField(Field):
@@ -29,6 +34,19 @@ class MetaDataField(Field):
         }
 
 
+class MetaPropertyField(Field):
+
+    def to_representation(self, value):
+        return {
+            v.name: v.default for v in value.item_meta_properties.all()
+        }
+
+    def to_internal_value(self, data):
+        return {
+            'item_meta_properties': data
+        }
+
+
 class SeatCategoryMappingField(Field):
 
     def to_representation(self, value):
@@ -61,17 +79,28 @@ class PluginsField(Field):
         }
 
 
+class TimeZoneField(ChoiceField):
+    def get_attribute(self, instance):
+        return instance.cache.get_or_set(
+            'timezone_name',
+            lambda: instance.settings.timezone,
+            3600
+        )
+
+
 class EventSerializer(I18nAwareModelSerializer):
     meta_data = MetaDataField(required=False, source='*')
+    item_meta_properties = MetaPropertyField(required=False, source='*')
     plugins = PluginsField(required=False, source='*')
     seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
+    timezone = TimeZoneField(required=False, choices=[(a, a) for a in common_timezones])
 
     class Meta:
         model = Event
         fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                   'date_to', 'date_admission', 'is_public', 'presale_start',
                   'presale_end', 'location', 'geo_lat', 'geo_lon', 'has_subevents', 'meta_data', 'seating_plan',
-                  'plugins', 'seat_category_mapping')
+                  'plugins', 'seat_category_mapping', 'timezone', 'item_meta_properties')
 
     def validate(self, data):
         data = super().validate(data)
@@ -116,6 +145,12 @@ class EventSerializer(I18nAwareModelSerializer):
                 raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
         return value
 
+    @cached_property
+    def item_meta_props(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
     def validate_seating_plan(self, value):
         if value and value.organizer != self.context['request'].organizer:
             raise ValidationError('Invalid seating plan.')
@@ -127,8 +162,11 @@ class EventSerializer(I18nAwareModelSerializer):
         return value
 
     def validate_seat_category_mapping(self, value):
-        if value and value['seat_category_mapping'] and (not self.instance or not self.instance.pk):
-            raise ValidationError('You cannot specify seat category mappings on event creation.')
+        if not self.instance or not self.instance.pk:
+            if value and value['seat_category_mapping']:
+                raise ValidationError('You cannot specify seat category mappings on event creation.')
+            else:
+                return {'seat_category_mapping': {}}
         item_cache = {i.pk: i for i in self.instance.items.all()}
         result = {}
         for k, item in value['seat_category_mapping'].items():
@@ -154,10 +192,15 @@ class EventSerializer(I18nAwareModelSerializer):
     @transaction.atomic
     def create(self, validated_data):
         meta_data = validated_data.pop('meta_data', None)
+        item_meta_properties = validated_data.pop('item_meta_properties', None)
         validated_data.pop('seat_category_mapping', None)
         plugins = validated_data.pop('plugins', settings.PRETIX_PLUGINS_DEFAULT.split(','))
+        tz = validated_data.pop('timezone', None)
         event = super().create(validated_data)
 
+        if tz:
+            event.settings.timezone = tz
+
         # Meta data
         if meta_data is not None:
             for key, value in meta_data.items():
@@ -166,6 +209,15 @@ class EventSerializer(I18nAwareModelSerializer):
                     value=value
                 )
 
+        # Item Meta properties
+        if item_meta_properties is not None:
+            for key, value in item_meta_properties.items():
+                event.item_meta_properties.create(
+                    name=key,
+                    default=value,
+                    event=event
+                )
+
         # Seats
         if event.seating_plan:
             generate_seats(event, None, event.seating_plan, {})
@@ -180,10 +232,15 @@ class EventSerializer(I18nAwareModelSerializer):
     @transaction.atomic
     def update(self, instance, validated_data):
         meta_data = validated_data.pop('meta_data', None)
+        item_meta_properties = validated_data.pop('item_meta_properties', None)
         plugins = validated_data.pop('plugins', None)
         seat_category_mapping = validated_data.pop('seat_category_mapping', None)
+        tz = validated_data.pop('timezone', None)
         event = super().update(instance, validated_data)
 
+        if tz:
+            event.settings.timezone = tz
+
         # Meta data
         if meta_data is not None:
             current = {mv.property: mv for mv in event.meta_values.select_related('property')}
@@ -202,6 +259,26 @@ class EventSerializer(I18nAwareModelSerializer):
                 if prop.name not in meta_data:
                     current_object.delete()
 
+        # Item Meta properties
+        if item_meta_properties is not None:
+            current = [imp for imp in event.item_meta_properties.all()]
+            for key, value in item_meta_properties.items():
+                prop = self.item_meta_props.get(key)
+                if prop in current:
+                    prop.default = value
+                    prop.save()
+                else:
+                    prop = event.item_meta_properties.create(
+                        name=key,
+                        default=value,
+                        event=event
+                    )
+                    current.append(prop)
+
+            for prop in current:
+                if prop.name not in list(item_meta_properties.keys()):
+                    prop.delete()
+
         # Seats
         if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
             current_mappings = {
@@ -240,6 +317,7 @@ class CloneEventSerializer(EventSerializer):
         is_public = validated_data.pop('is_public', None)
         testmode = validated_data.pop('testmode', None)
         has_subevents = validated_data.pop('has_subevents', None)
+        tz = validated_data.pop('timezone', None)
         new_event = super().create(validated_data)
 
         event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
@@ -254,6 +332,8 @@ class CloneEventSerializer(EventSerializer):
         if has_subevents is not None:
             new_event.has_subevents = has_subevents
         new_event.save()
+        if tz:
+            new_event.settings.timezone = tz
 
         return new_event
 
@@ -261,13 +341,13 @@ class CloneEventSerializer(EventSerializer):
 class SubEventItemSerializer(I18nAwareModelSerializer):
     class Meta:
         model = SubEventItem
-        fields = ('item', 'price')
+        fields = ('item', 'price', 'disabled')
 
 
 class SubEventItemVariationSerializer(I18nAwareModelSerializer):
     class Meta:
         model = SubEventItemVariation
-        fields = ('variation', 'price')
+        fields = ('variation', 'price', 'disabled')
 
 
 class SubEventSerializer(I18nAwareModelSerializer):
@@ -444,3 +524,181 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
     class Meta:
         model = TaxRule
         fields = ('id', 'name', 'rate', 'price_includes_tax', 'eu_reverse_charge', 'home_country')
+
+
+class EventSettingsSerializer(serializers.Serializer):
+    default_fields = [
+        'imprint_url',
+        'checkout_email_helptext',
+        'presale_has_ended_text',
+        'voucher_explanation_text',
+        'banner_text',
+        'banner_text_bottom',
+        'show_dates_on_frontpage',
+        'show_date_to',
+        'show_times',
+        'show_items_outside_presale_period',
+        'display_net_prices',
+        'presale_start_show_date',
+        'locales',
+        'locale',
+        'last_order_modification_date',
+        'show_quota_left',
+        'waiting_list_enabled',
+        'waiting_list_hours',
+        'waiting_list_auto',
+        'max_items_per_order',
+        'reservation_time',
+        'contact_mail',
+        'show_variations_expanded',
+        'hide_sold_out',
+        'meta_noindex',
+        'redirect_to_checkout_directly',
+        'frontpage_subevent_ordering',
+        'event_list_type',
+        'frontpage_text',
+        'attendee_names_asked',
+        'attendee_names_required',
+        'attendee_emails_asked',
+        'attendee_emails_required',
+        'attendee_addresses_asked',
+        'attendee_addresses_required',
+        'attendee_company_asked',
+        'attendee_company_required',
+        'confirm_text',
+        'order_email_asked_twice',
+        'payment_term_days',
+        'payment_term_last',
+        'payment_term_weekdays',
+        'payment_term_expire_automatically',
+        'payment_term_accept_late',
+        'payment_explanation',
+        'ticket_download',
+        'ticket_download_date',
+        'ticket_download_addons',
+        'ticket_download_nonadm',
+        'ticket_download_pending',
+        'mail_prefix',
+        'mail_from',
+        'mail_from_name',
+        'mail_attach_ical',
+        'invoice_address_asked',
+        'invoice_address_required',
+        'invoice_address_vatid',
+        'invoice_address_company_required',
+        'invoice_address_beneficiary',
+        'invoice_address_custom_field',
+        'invoice_name_required',
+        'invoice_address_not_asked_free',
+        'invoice_show_payments',
+        'invoice_reissue_after_modify',
+        'invoice_include_free',
+        'invoice_generate',
+        'invoice_numbers_consecutive',
+        'invoice_numbers_prefix',
+        'invoice_numbers_prefix_cancellations',
+        'invoice_attendee_name',
+        'invoice_include_expire_date',
+        'invoice_address_explanation_text',
+        'invoice_email_attachment',
+        'invoice_address_from_name',
+        'invoice_address_from',
+        'invoice_address_from_zipcode',
+        'invoice_address_from_city',
+        'invoice_address_from_country',
+        'invoice_address_from_tax_id',
+        'invoice_address_from_vat_id',
+        'invoice_introductory_text',
+        'invoice_additional_text',
+        'invoice_footer_text',
+        'invoice_eu_currencies',
+        'cancel_allow_user',
+        'cancel_allow_user_until',
+        'cancel_allow_user_paid',
+        'cancel_allow_user_paid_until',
+        'cancel_allow_user_paid_keep',
+        'cancel_allow_user_paid_keep_fees',
+        'cancel_allow_user_paid_keep_percentage',
+        'cancel_allow_user_paid_adjust_fees',
+        'cancel_allow_user_paid_adjust_fees_explanation',
+        'cancel_allow_user_paid_refund_as_giftcard',
+        'cancel_allow_user_paid_require_approval',
+    ]
+
+    def __init__(self, *args, **kwargs):
+        self.event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        for fname in self.default_fields:
+            kwargs = DEFAULTS[fname].get('serializer_kwargs', {})
+            if callable(kwargs):
+                kwargs = kwargs()
+            kwargs.setdefault('required', False)
+            kwargs.setdefault('allow_null', True)
+            form_kwargs = DEFAULTS[fname].get('form_kwargs', {})
+            if callable(form_kwargs):
+                form_kwargs = form_kwargs()
+            if 'serializer_class' not in DEFAULTS[fname]:
+                raise ValidationError('{} has no serializer class'.format(fname))
+            f = DEFAULTS[fname]['serializer_class'](
+                **kwargs
+            )
+            f._label = form_kwargs.get('label', fname)
+            f._help_text = form_kwargs.get('help_text')
+            self.fields[fname] = f
+
+        for recv, resp in api_event_settings_fields.send(sender=self.event):
+            for fname, field in resp.items():
+                field.required = False
+                self.fields[fname] = field
+
+    def update(self, instance: HierarkeyProxy, validated_data):
+        for attr, value in validated_data.items():
+            if value is None:
+                instance.delete(attr)
+            elif instance.get(attr, as_type=type(value)) != value:
+                instance.set(attr, value)
+        return instance
+
+    def validate(self, data):
+        data = super().validate(data)
+        settings_dict = self.instance.freeze()
+        settings_dict.update(data)
+        validate_settings(self.event, settings_dict)
+        return data
+
+
+class DeviceEventSettingsSerializer(EventSettingsSerializer):
+    default_fields = [
+        'locales',
+        'locale',
+        'last_order_modification_date',
+        'show_quota_left',
+        'max_items_per_order',
+        'attendee_names_asked',
+        'attendee_names_required',
+        'attendee_emails_asked',
+        'attendee_emails_required',
+        'attendee_addresses_asked',
+        'attendee_addresses_required',
+        'attendee_company_asked',
+        'attendee_company_required',
+        'ticket_download',
+        'ticket_download_addons',
+        'ticket_download_nonadm',
+        'ticket_download_pending',
+        'invoice_address_asked',
+        'invoice_address_required',
+        'invoice_address_vatid',
+        'invoice_address_company_required',
+        'invoice_address_beneficiary',
+        'invoice_address_custom_field',
+        'invoice_name_required',
+        'invoice_address_not_asked_free',
+        'invoice_address_from_name',
+        'invoice_address_from',
+        'invoice_address_from_zipcode',
+        'invoice_address_from_city',
+        'invoice_address_from_country',
+        'invoice_address_from_tax_id',
+        'invoice_address_from_vat_id',
+    ]

src/pretix/api/serializers/fields.py

@@ -0,0 +1,29 @@
+from collections import OrderedDict
+
+from rest_framework import serializers
+
+
+def remove_duplicates_from_list(data):
+    return list(OrderedDict.fromkeys(data))
+
+
+class ListMultipleChoiceField(serializers.MultipleChoiceField):
+    def to_internal_value(self, data):
+        if isinstance(data, str) or not hasattr(data, '__iter__'):
+            self.fail('not_a_list', input_type=type(data).__name__)
+        if not self.allow_empty and len(data) == 0:
+            self.fail('empty')
+
+        internal_value_data = [
+            super(serializers.MultipleChoiceField, self).to_internal_value(item)
+            for item in data
+        ]
+
+        return remove_duplicates_from_list(internal_value_data)
+
+    def to_representation(self, value):
+        representation_data = [
+            self.choice_strings_to_values.get(str(item), item) for item in value
+        ]
+
+        return remove_duplicates_from_list(representation_data)

src/pretix/api/serializers/item.py

@@ -2,13 +2,15 @@ from decimal import Decimal
 
 from django.core.exceptions import ValidationError
 from django.db import transaction
-from django.utils.translation import ugettext_lazy as _
+from django.utils.functional import cached_property
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
+from pretix.api.serializers.event import MetaDataField
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
-    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
-    QuestionOption, Quota,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue, ItemVariation,
+    Question, QuestionOption, Quota,
 )
 
 
@@ -110,6 +112,7 @@ class ItemSerializer(I18nAwareModelSerializer):
     bundles = InlineItemBundleSerializer(many=True, required=False)
     variations = InlineItemVariationSerializer(many=True, required=False)
     tax_rate = ItemTaxRateField(source='*', read_only=True)
+    meta_data = MetaDataField(required=False, source='*')
 
     class Meta:
         model = Item
@@ -119,12 +122,9 @@ class ItemSerializer(I18nAwareModelSerializer):
                   'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
                   'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
                   'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets',
-                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard')
+                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard', 'meta_data')
         read_only_fields = ('has_variations', 'picture')
 
-    def get_serializer_context(self):
-        return {"has_variations": self.kwargs['has_variations']}
-
     def validate(self, data):
         data = super().validate(data)
         if self.instance and ('addons' in data or 'variations' in data or 'bundles' in data):
@@ -170,18 +170,65 @@ class ItemSerializer(I18nAwareModelSerializer):
                 ItemAddOn.clean_max_min_count(addon_data['max_count'], addon_data['min_count'])
         return value
 
+    @cached_property
+    def item_meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
     @transaction.atomic
     def create(self, validated_data):
         variations_data = validated_data.pop('variations') if 'variations' in validated_data else {}
         addons_data = validated_data.pop('addons') if 'addons' in validated_data else {}
         bundles_data = validated_data.pop('bundles') if 'bundles' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
         item = Item.objects.create(**validated_data)
+
         for variation_data in variations_data:
             ItemVariation.objects.create(item=item, **variation_data)
         for addon_data in addons_data:
             ItemAddOn.objects.create(base_item=item, **addon_data)
         for bundle_data in bundles_data:
             ItemBundle.objects.create(base_item=item, **bundle_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                ItemMetaValue.objects.create(
+                    property=self.item_meta_properties.get(key),
+                    value=value,
+                    item=item
+                )
+        return item
+
+    def update(self, instance, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        item = super().update(instance, validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in item.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.item_meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    item.meta_values.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
         return item
 
 
@@ -230,7 +277,7 @@ class QuestionSerializer(I18nAwareModelSerializer):
         model = Question
         fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
                   'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_values',
-                  'hidden', 'dependency_value', 'print_on_invoice')
+                  'hidden', 'dependency_value', 'print_on_invoice', 'help_text')
 
     def validate_identifier(self, value):
         Question._clean_identifier(self.context['event'], value, self.instance)
@@ -240,8 +287,8 @@ class QuestionSerializer(I18nAwareModelSerializer):
         if value:
             if value.type not in (Question.TYPE_CHOICE, Question.TYPE_BOOLEAN, Question.TYPE_CHOICE_MULTIPLE):
                 raise ValidationError('Question dependencies can only be set to boolean or choice questions.')
-        if value == self.instance:
-            raise ValidationError('A question cannot depend on itself.')
+            if value == self.instance:
+                raise ValidationError('A question cannot depend on itself.')
         return value
 
     def validate(self, data):
@@ -270,6 +317,9 @@ class QuestionSerializer(I18nAwareModelSerializer):
                 seen_ids.add(dep.pk)
                 dep = dep.dependency_question
 
+        if full_data.get('ask_during_checkin') and full_data.get('type') in Question.ASK_DURING_CHECKIN_UNSUPPORTED:
+            raise ValidationError(_('This type of question cannot be asked during check-in.'))
+
         Question.clean_items(event, full_data.get('items'))
         return data
 
@@ -299,7 +349,7 @@ class QuotaSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = Quota
-        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent', 'closed', 'close_when_sold_out')
+        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent', 'closed', 'close_when_sold_out', 'release_after_exit')
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/order.py

@@ -1,11 +1,11 @@
 import json
-from collections import Counter
+from collections import Counter, defaultdict
 from decimal import Decimal
 
 import pycountry
 from django.db.models import F, Q
 from django.utils.timezone import now
-from django.utils.translation import ugettext_lazy
+from django.utils.translation import gettext_lazy
 from django_countries.fields import Country
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
@@ -14,16 +14,18 @@ from rest_framework.reverse import reverse
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
+from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.models import (
     Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
-    OrderPosition, Question, QuestionAnswer, Seat, SubEvent, Voucher,
+    OrderPosition, Question, QuestionAnswer, Seat, SubEvent, TaxRule, Voucher,
 )
 from pretix.base.models.orders import (
     CartPosition, OrderFee, OrderPayment, OrderRefund,
 )
 from pretix.base.pdf import get_variables
 from pretix.base.services.cart import error_messages
+from pretix.base.services.locking import NoLockManager
 from pretix.base.services.pricing import get_price
 from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
 from pretix.base.signals import register_ticket_outputs
@@ -37,7 +39,7 @@ class CompatibleCountryField(serializers.Field):
     def to_representation(self, instance: InvoiceAddress):
         if instance.country:
             return str(instance.country)
-        else:
+        elif hasattr(instance, 'country_old'):
             return instance.country_old
 
 
@@ -66,7 +68,7 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
             data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
 
         if data.get('country'):
-            if not pycountry.countries.get(alpha_2=data.get('country')):
+            if not pycountry.countries.get(alpha_2=data.get('country').code):
                 raise ValidationError(
                     {'country': ['Invalid country code.']}
                 )
@@ -95,6 +97,11 @@ class AnswerQuestionOptionsIdentifierField(serializers.Field):
         return [o.identifier for o in instance.options.all()]
 
 
+class AnswerQuestionOptionsField(serializers.Field):
+    def to_representation(self, instance: QuestionAnswer):
+        return [o.pk for o in instance.options.all()]
+
+
 class InlineSeatSerializer(I18nAwareModelSerializer):
 
     class Meta:
@@ -105,6 +112,7 @@ class InlineSeatSerializer(I18nAwareModelSerializer):
 class AnswerSerializer(I18nAwareModelSerializer):
     question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
     option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
+    options = AnswerQuestionOptionsField(source='*', read_only=True)
 
     class Meta:
         model = QuestionAnswer
@@ -114,7 +122,7 @@ class AnswerSerializer(I18nAwareModelSerializer):
 class CheckinSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Checkin
-        fields = ('datetime', 'list', 'auto_checked_in')
+        fields = ('datetime', 'list', 'auto_checked_in', 'type')
 
 
 class OrderDownloadsField(serializers.Field):
@@ -188,6 +196,11 @@ class PdfDataSerializer(serializers.Field):
             for k, v in ev._cached_meta_data.items():
                 res['meta:' + k] = v
 
+            if not hasattr(instance.item, '_cached_meta_data'):
+                instance.item._cached_meta_data = instance.item.meta_data
+            for k, v in instance.item._cached_meta_data.items():
+                res['itemmeta:' + k] = v
+
         return res
 
 
@@ -198,12 +211,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
     order = serializers.SlugRelatedField(slug_field='code', read_only=True)
     pdf_data = PdfDataSerializer(source='*')
     seat = InlineSeatSerializer(read_only=True)
+    country = CompatibleCountryField(source='*')
 
     class Meta:
         model = OrderPosition
         fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'company', 'street', 'zipcode', 'city', 'country', 'state',
                   'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
-                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat')
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'canceled')
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -283,7 +298,7 @@ class OrderPaymentDateField(serializers.DateField):
 class OrderFeeSerializer(I18nAwareModelSerializer):
     class Meta:
         model = OrderFee
-        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule')
+        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule', 'canceled')
 
 
 class PaymentURLField(serializers.URLField):
@@ -401,16 +416,26 @@ class OrderSerializer(I18nAwareModelSerializer):
         return instance
 
 
+class SimulatedOrderPositionSerializer(OrderPositionSerializer):
+    addon_to = serializers.SlugRelatedField(read_only=True, slug_field='positionid')
+
+
+class SimulatedOrderSerializer(OrderSerializer):
+    positions = SimulatedOrderPositionSerializer(many=True, read_only=True)
+
+
 class PriceCalcSerializer(serializers.Serializer):
     item = serializers.PrimaryKeyRelatedField(queryset=Item.objects.none(), required=False, allow_null=True)
     variation = serializers.PrimaryKeyRelatedField(queryset=ItemVariation.objects.none(), required=False, allow_null=True)
     subevent = serializers.PrimaryKeyRelatedField(queryset=SubEvent.objects.none(), required=False, allow_null=True)
+    tax_rule = serializers.PrimaryKeyRelatedField(queryset=TaxRule.objects.none(), required=False, allow_null=True)
     locale = serializers.CharField(allow_null=True, required=False)
 
     def __init__(self, *args, **kwargs):
         event = kwargs.pop('event')
         super().__init__(*args, **kwargs)
         self.fields['item'].queryset = event.items.all()
+        self.fields['tax_rule'].queryset = event.tax_rules.all()
         self.fields['variation'].queryset = ItemVariation.objects.filter(item__event=event)
         if event.has_subevents:
             self.fields['subevent'].queryset = event.subevents.all()
@@ -477,9 +502,13 @@ class AnswerCreateSerializer(I18nAwareModelSerializer):
 
 
 class OrderFeeCreateSerializer(I18nAwareModelSerializer):
+    _treat_value_as_percentage = serializers.BooleanField(default=False, required=False)
+    _split_taxes_like_products = serializers.BooleanField(default=False, required=False)
+
     class Meta:
         model = OrderFee
-        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rule')
+        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rule',
+                  '_treat_value_as_percentage', '_split_taxes_like_products')
 
     def validate_tax_rule(self, tr):
         if tr and tr.event != self.context['event']:
@@ -499,12 +528,22 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
                                      max_digits=10)
     voucher = serializers.SlugRelatedField(slug_field='code', queryset=Voucher.objects.none(),
                                            required=False, allow_null=True)
+    country = CompatibleCountryField(source='*')
 
     class Meta:
         model = OrderPosition
         fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
+                  'company', 'street', 'zipcode', 'city', 'country', 'state',
                   'secret', 'addon_to', 'subevent', 'answers', 'seat', 'voucher')
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        for k, v in self.fields.items():
+            if k in ('company', 'street', 'zipcode', 'city', 'country', 'state'):
+                v.required = False
+                v.allow_blank = True
+                v.allow_null = True
+
     def validate_secret(self, secret):
         if secret and OrderPosition.all.filter(order__event=self.context['event'], secret=secret).exists():
             raise ValidationError(
@@ -559,6 +598,24 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
             )
         if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
             data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
+
+        if data.get('country'):
+            if not pycountry.countries.get(alpha_2=data.get('country').code):
+                raise ValidationError(
+                    {'country': ['Invalid country code.']}
+                )
+
+        if data.get('state'):
+            cc = str(data.get('country') or self.instance.country or '')
+            if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
+                raise ValidationError(
+                    {'state': ['States are not supported in country "{}".'.format(cc)]}
+                )
+            if not pycountry.subdivisions.get(code=cc + '-' + data.get('state')):
+                raise ValidationError(
+                    {'state': ['"{}" is not a known subdivision of the country "{}".'.format(data.get('state'), cc)]}
+                )
+
         return data
 
 
@@ -575,6 +632,28 @@ class CompatibleJSONField(serializers.JSONField):
         return value
 
 
+class WrappedList:
+    def __init__(self, data):
+        self._data = data
+
+    def all(self):
+        return self._data
+
+
+class WrappedModel:
+    def __init__(self, model):
+        self._wrapped = model
+
+    def __getattr__(self, item):
+        return getattr(self._wrapped, item)
+
+    def save(self, *args, **kwargs):
+        raise NotImplementedError
+
+    def delete(self, *args, **kwargs):
+        raise NotImplementedError
+
+
 class OrderCreateSerializer(I18nAwareModelSerializer):
     invoice_address = InvoiceAddressSerializer(required=False)
     positions = OrderPositionCreateSerializer(many=True, required=True)
@@ -595,6 +674,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
     force = serializers.BooleanField(default=False, required=False)
     payment_date = serializers.DateTimeField(required=False, allow_null=True)
     send_mail = serializers.BooleanField(default=False, required=False)
+    simulate = serializers.BooleanField(default=False, required=False)
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -604,7 +684,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         model = Order
         fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
                   'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts',
-                  'force', 'send_mail')
+                  'force', 'send_mail', 'simulate')
 
     def validate_payment_provider(self, pp):
         if pp is None:
@@ -681,7 +761,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                 sales_channel = get_all_sales_channels()[self.initial_data['sales_channel']]
 
                 if testmode and not sales_channel.testmode_supported:
-                    raise ValidationError('This sales channel does not provide support for testmode.')
+                    raise ValidationError('This sales channel does not provide support for test mode.')
             except KeyError:
                 # We do not need to raise a ValidationError here, since there is another check to validate the
                 # sales_channel
@@ -696,6 +776,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         payment_info = validated_data.pop('payment_info', '{}')
         payment_date = validated_data.pop('payment_date', now())
         force = validated_data.pop('force', False)
+        simulate = validated_data.pop('simulate', False)
         self._send_mail = validated_data.pop('send_mail', False)
 
         if 'invoice_address' in validated_data:
@@ -709,12 +790,16 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         else:
             ia = None
 
-        with self.context['event'].lock() as now_dt:
+        lockfn = self.context['event'].lock
+        if simulate:
+            lockfn = NoLockManager
+        with lockfn() as now_dt:
             free_seats = set()
             seats_seen = set()
             consume_carts = validated_data.pop('consume_carts', [])
             delete_cps = []
             quota_avail_cache = {}
+            v_budget = {}
             voucher_usage = Counter()
             if consume_carts:
                 for cp in CartPosition.objects.filter(
@@ -737,9 +822,14 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             errs = [{} for p in positions_data]
 
             for i, pos_data in enumerate(positions_data):
+
                 if pos_data.get('voucher'):
                     v = pos_data['voucher']
 
+                    if pos_data.get('addon_to'):
+                        errs[i]['voucher'] = ['Vouchers are currently not supported for add-on products.']
+                        continue
+
                     if not v.applies_to(pos_data['item'], pos_data.get('variation')):
                         errs[i]['voucher'] = [error_messages['voucher_invalid_item']]
                         continue
@@ -763,6 +853,44 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                                 'The voucher has already been used the maximum number of times.'
                             ]
 
+                    if v.budget is not None:
+                        price = pos_data.get('price')
+                        if price is None:
+                            price = get_price(
+                                item=pos_data.get('item'),
+                                variation=pos_data.get('variation'),
+                                voucher=v,
+                                custom_price=None,
+                                subevent=pos_data.get('subevent'),
+                                addon_to=pos_data.get('addon_to'),
+                                invoice_address=ia,
+                            ).gross
+                        pbv = get_price(
+                            item=pos_data['item'],
+                            variation=pos_data.get('variation'),
+                            voucher=None,
+                            custom_price=None,
+                            subevent=pos_data.get('subevent'),
+                            addon_to=pos_data.get('addon_to'),
+                            invoice_address=ia,
+                        )
+
+                        if v not in v_budget:
+                            v_budget[v] = v.budget - v.budget_used()
+                        disc = pbv.gross - price
+                        if disc > v_budget[v]:
+                            new_disc = v_budget[v]
+                            v_budget[v] -= new_disc
+                            if new_disc == Decimal('0.00') or pos_data.get('price') is not None:
+                                errs[i]['voucher'] = [
+                                    'The voucher has a remaining budget of {}, therefore a discount of {} can not be '
+                                    'given.'.format(v_budget[v] + new_disc, disc)
+                                ]
+                                continue
+                            pos_data['price'] = price + (disc - new_disc)
+                        else:
+                            v_budget[v] -= disc
+
                 seated = pos_data.get('item').seat_category_mappings.filter(subevent=pos_data.get('subevent')).exists()
                 if pos_data.get('seat'):
                     if not seated:
@@ -773,8 +901,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                         errs[i]['seat'] = ['The specified seat does not exist.']
                     else:
                         pos_data['seat'] = seat
-                        if (seat not in free_seats and not seat.is_available()) or seat in seats_seen:
-                            errs[i]['seat'] = [ugettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name)]
+                        if (seat not in free_seats and not seat.is_available(sales_channel=validated_data.get('sales_channel', 'web'))) or seat in seats_seen:
+                            errs[i]['seat'] = [gettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name)]
                         seats_seen.add(seat)
                 elif seated:
                     errs[i]['seat'] = ['The specified product requires to choose a seat.']
@@ -785,11 +913,24 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                         if pos_data['voucher'].allow_ignore_quota or pos_data['voucher'].block_quota:
                             continue
 
+                    if pos_data.get('subevent'):
+                        if pos_data.get('item').pk in pos_data['subevent'].item_overrides and pos_data['subevent'].item_overrides[pos_data['item'].pk].disabled:
+                            errs[i]['item'] = [gettext_lazy('The product "{}" is not available on this date.').format(
+                                str(pos_data.get('item'))
+                            )]
+                        if (
+                                pos_data.get('variation') and pos_data['variation'].pk in pos_data['subevent'].var_overrides and
+                                pos_data['subevent'].var_overrides[pos_data['variation'].pk].disabled
+                        ):
+                            errs[i]['item'] = [gettext_lazy('The product "{}" is not available on this date.').format(
+                                str(pos_data.get('item'))
+                            )]
+
                     new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
                                   if pos_data.get('variation')
                                   else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
                     if len(new_quotas) == 0:
-                        errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                        errs[i]['item'] = [gettext_lazy('The product "{}" is not assigned to a quota.').format(
                             str(pos_data.get('item'))
                         )]
                     else:
@@ -801,7 +942,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                                 quota_avail_cache[quota][1] -= 1
                                 if quota_avail_cache[quota][1] < 0:
                                     errs[i]['item'] = [
-                                        ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                        gettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
                                             quota.name
                                         )
                                     ]
@@ -815,11 +956,20 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             order.set_expires(subevents=[p.get('subevent') for p in positions_data])
             order.meta_info = "{}"
             order.total = Decimal('0.00')
-            order.save()
+            if simulate:
+                order = WrappedModel(order)
+                order.last_modified = now()
+                order.code = 'PREVIEW'
+            else:
+                order.save()
 
             if ia:
-                ia.order = order
-                ia.save()
+                if not simulate:
+                    ia.order = order
+                    ia.save()
+                else:
+                    order.invoice_address = ia
+                    ia.last_modified = now()
 
             pos_map = {}
             for pos_data in positions_data:
@@ -831,9 +981,15 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                         '_legacy': attendee_name
                     }
                 pos = OrderPosition(**pos_data)
-                pos.order = order
+                if simulate:
+                    pos.order = order._wrapped
+                else:
+                    pos.order = order
                 if addon_to:
-                    pos.addon_to = pos_map[addon_to]
+                    if simulate:
+                        pos.addon_to = pos_map[addon_to]._wrapped
+                    else:
+                        pos.addon_to = pos_map[addon_to]
 
                 if pos.price is None:
                     price = get_price(
@@ -851,26 +1007,95 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                     pos.tax_rule = pos.item.tax_rule
                 else:
                     pos._calculate_tax()
-                if pos.voucher:
-                    Voucher.objects.filter(pk=pos.voucher.pk).update(redeemed=F('redeemed') + 1)
-                pos.save()
+
+                pos.price_before_voucher = get_price(
+                    item=pos.item,
+                    variation=pos.variation,
+                    voucher=None,
+                    custom_price=None,
+                    subevent=pos.subevent,
+                    addon_to=pos.addon_to,
+                    invoice_address=ia,
+                ).gross
+
+                if simulate:
+                    pos = WrappedModel(pos)
+                    pos.id = 0
+                    answers = []
+                    for answ_data in answers_data:
+                        options = answ_data.pop('options', [])
+                        answ = WrappedModel(QuestionAnswer(**answ_data))
+                        answ.options = WrappedList(options)
+                        answers.append(answ)
+                    pos.answers = answers
+                    pos.pseudonymization_id = "PREVIEW"
+                else:
+                    if pos.voucher:
+                        Voucher.objects.filter(pk=pos.voucher.pk).update(redeemed=F('redeemed') + 1)
+                    pos.save()
+                    for answ_data in answers_data:
+                        options = answ_data.pop('options', [])
+                        answ = pos.answers.create(**answ_data)
+                        answ.options.add(*options)
                 pos_map[pos.positionid] = pos
-                for answ_data in answers_data:
-                    options = answ_data.pop('options', [])
-                    answ = pos.answers.create(**answ_data)
-                    answ.options.add(*options)
 
-            for cp in delete_cps:
-                cp.delete()
+            if not simulate:
+                for cp in delete_cps:
+                    cp.delete()
 
+        order.total = sum([p.price for p in pos_map.values()])
+        fees = []
         for fee_data in fees_data:
-            f = OrderFee(**fee_data)
-            f.order = order
-            f._calculate_tax()
-            f.save()
+            is_percentage = fee_data.pop('_treat_value_as_percentage', False)
+            if is_percentage:
+                fee_data['value'] = round_decimal(order.total * (fee_data['value'] / Decimal('100.00')),
+                                                  self.context['event'].currency)
+            is_split_taxes = fee_data.pop('_split_taxes_like_products', False)
 
-        order.total = sum([p.price for p in order.positions.all()]) + sum([f.value for f in order.fees.all()])
-        order.save(update_fields=['total'])
+            if is_split_taxes:
+                d = defaultdict(lambda: Decimal('0.00'))
+                trz = TaxRule.zero()
+                for p in pos_map.values():
+                    tr = p.tax_rule
+                    d[tr] += p.price - p.tax_value
+
+                base_values = sorted([tuple(t) for t in d.items()], key=lambda t: (t[0] or trz).rate)
+                sum_base = sum(t[1] for t in base_values)
+                fee_values = [(t[0], round_decimal(fee_data['value'] * t[1] / sum_base, self.context['event'].currency))
+                              for t in base_values]
+                sum_fee = sum(t[1] for t in fee_values)
+
+                # If there are rounding differences, we fix them up, but always leaning to the benefit of the tax
+                # authorities
+                if sum_fee > fee_data['value']:
+                    fee_values[0] = (fee_values[0][0], fee_values[0][1] + (fee_data['value'] - sum_fee))
+                elif sum_fee < fee_data['value']:
+                    fee_values[-1] = (fee_values[-1][0], fee_values[-1][1] + (fee_data['value'] - sum_fee))
+
+                for tr, val in fee_values:
+                    fee_data['tax_rule'] = tr
+                    fee_data['value'] = val
+                    f = OrderFee(**fee_data)
+                    f.order = order._wrapped if simulate else order
+                    f._calculate_tax()
+                    fees.append(f)
+                    if not simulate:
+                        f.save()
+            else:
+                f = OrderFee(**fee_data)
+                f.order = order._wrapped if simulate else order
+                f._calculate_tax()
+                fees.append(f)
+                if not simulate:
+                    f.save()
+
+        order.total += sum([f.value for f in fees])
+        if simulate:
+            order.fees = fees
+            order.positions = pos_map.values()
+            return order  # ignore payments
+        else:
+            order.save(update_fields=['total'])
 
         if order.total == Decimal('0.00') and validated_data.get('status') == Order.STATUS_PAID and not payment_provider:
             payment_provider = 'free'
@@ -905,10 +1130,25 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         return order
 
 
+class LinePositionField(serializers.IntegerField):
+    """
+    Internally, the position field is stored starting at 0, but for the API, starting at 1 makes it
+    more consistent with other models
+    """
+
+    def to_representation(self, value):
+        return super().to_representation(value) + 1
+
+    def to_internal_value(self, data):
+        return super().to_internal_value(data) - 1
+
+
 class InlineInvoiceLineSerializer(I18nAwareModelSerializer):
+    position = LinePositionField(read_only=True)
+
     class Meta:
         model = InvoiceLine
-        fields = ('description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
+        fields = ('position', 'description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
 
 
 class InvoiceSerializer(I18nAwareModelSerializer):
@@ -924,6 +1164,20 @@ class InvoiceSerializer(I18nAwareModelSerializer):
                   'internal_reference')
 
 
+class OrderPaymentCreateSerializer(I18nAwareModelSerializer):
+    provider = serializers.CharField(required=True, allow_null=False, allow_blank=False)
+    info = CompatibleJSONField(required=False)
+
+    class Meta:
+        model = OrderPayment
+        fields = ('state', 'amount', 'payment_date', 'provider', 'info')
+
+    def create(self, validated_data):
+        order = OrderPayment(order=self.context['order'], **validated_data)
+        order.save()
+        return order
+
+
 class OrderRefundCreateSerializer(I18nAwareModelSerializer):
     payment = serializers.IntegerField(required=False, allow_null=True)
     provider = serializers.CharField(required=True, allow_null=False, allow_blank=False)

src/pretix/api/serializers/organizer.py

@@ -1,12 +1,19 @@
+from decimal import Decimal
+
 from django.db.models import Q
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import get_language, gettext_lazy as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import CompatibleJSONField
-from pretix.base.models import GiftCard, Organizer, SeatingPlan
+from pretix.base.auth import get_auth_backends
+from pretix.base.models import (
+    GiftCard, Organizer, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
+)
 from pretix.base.models.seating import SeatingPlanLayoutValidator
+from pretix.base.services.mail import SendMailException, mail
+from pretix.helpers.urls import build_absolute_uri
 
 
 class OrganizerSerializer(I18nAwareModelSerializer):
@@ -26,7 +33,7 @@ class SeatingPlanSerializer(I18nAwareModelSerializer):
 
 
 class GiftCardSerializer(I18nAwareModelSerializer):
-    value = serializers.DecimalField(max_digits=10, decimal_places=2)
+    value = serializers.DecimalField(max_digits=10, decimal_places=2, min_value=Decimal('0.00'))
 
     def validate(self, data):
         data = super().validate(data)
@@ -34,16 +41,129 @@ class GiftCardSerializer(I18nAwareModelSerializer):
         qs = GiftCard.objects.filter(
             secret=s
         ).filter(
-            Q(issuer=self.context["organizer"]) | Q(issuer__gift_card_collector_acceptance__collector=self.context["organizer"])
+            Q(issuer=self.context["organizer"]) | Q(
+                issuer__gift_card_collector_acceptance__collector=self.context["organizer"])
         )
         if self.instance:
             qs = qs.exclude(pk=self.instance.pk)
         if qs.exists():
             raise ValidationError(
-                {'secret': _('A gift card with the same secret already exists in your or an affiliated organizer account.')}
+                {'secret': _(
+                    'A gift card with the same secret already exists in your or an affiliated organizer account.')}
             )
         return data
 
     class Meta:
         model = GiftCard
-        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode')
+        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions')
+
+
+class EventSlugField(serializers.SlugRelatedField):
+    def get_queryset(self):
+        return self.context['organizer'].events.all()
+
+
+class TeamSerializer(serializers.ModelSerializer):
+    limit_events = EventSlugField(slug_field='slug', many=True)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    class Meta:
+        model = Team
+        fields = (
+            'id', 'name', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
+            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
+            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
+            'can_change_vouchers'
+        )
+
+    def validate(self, data):
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+        if full_data.get('limit_events') and full_data.get('all_events'):
+            raise ValidationError('Do not set both limit_events and all_events.')
+        return data
+
+
+class TeamInviteSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = TeamInvite
+        fields = (
+            'id', 'email'
+        )
+
+    def _send_invite(self, instance):
+        try:
+            mail(
+                instance.email,
+                _('pretix account invitation'),
+                'pretixcontrol/email/invitation.txt',
+                {
+                    'user': self,
+                    'organizer': self.context['organizer'].name,
+                    'team': instance.team.name,
+                    'url': build_absolute_uri('control:auth.invite', kwargs={
+                        'token': instance.token
+                    })
+                },
+                event=None,
+                locale=get_language()  # TODO: expose?
+            )
+        except SendMailException:
+            pass  # Already logged
+
+    def create(self, validated_data):
+        if 'email' in validated_data:
+            try:
+                user = User.objects.get(email__iexact=validated_data['email'])
+            except User.DoesNotExist:
+                if self.context['team'].invites.filter(email__iexact=validated_data['email']).exists():
+                    raise ValidationError(_('This user already has been invited for this team.'))
+                if 'native' not in get_auth_backends():
+                    raise ValidationError('Users need to have a pretix account before they can be invited.')
+
+                invite = self.context['team'].invites.create(email=validated_data['email'])
+                self._send_invite(invite)
+                invite.team.log_action(
+                    'pretix.team.invite.created',
+                    data={
+                        'email': validated_data['email']
+                    },
+                    **self.context['log_kwargs']
+                )
+                return invite
+            else:
+                if self.context['team'].members.filter(pk=user.pk).exists():
+                    raise ValidationError(_('This user already has permissions for this team.'))
+
+                self.context['team'].members.add(user)
+                self.context['team'].log_action(
+                    'pretix.team.member.added',
+                    data={
+                        'email': user.email,
+                        'user': user.pk,
+                    },
+                    **self.context['log_kwargs']
+                )
+                return TeamInvite(email=user.email)
+        else:
+            raise ValidationError('No email address given.')
+
+
+class TeamAPITokenSerializer(serializers.ModelSerializer):
+    active = serializers.BooleanField(default=True, read_only=True)
+
+    class Meta:
+        model = TeamAPIToken
+        fields = (
+            'id', 'name', 'active'
+        )
+
+
+class TeamMemberSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = (
+            'id', 'email', 'fullname', 'require_2fa'
+        )

src/pretix/api/serializers/voucher.py

@@ -2,15 +2,23 @@ from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.base.models import Voucher
+from pretix.base.models import Seat, Voucher
 
 
 class VoucherListSerializer(serializers.ListSerializer):
     def create(self, validated_data):
         codes = set()
+        seats = set()
         errs = []
         err = False
         for voucher_data in validated_data:
+            if voucher_data.get('seat') and (voucher_data.get('seat'), voucher_data.get('subevent')) in seats:
+                err = True
+                errs.append({'code': ['Duplicate seat ID in request.']})
+                continue
+            else:
+                seats.add((voucher_data.get('seat'), voucher_data.get('subevent')))
+
             if voucher_data['code'] in codes:
                 err = True
                 errs.append({'code': ['Duplicate voucher code in request.']})
@@ -22,12 +30,19 @@ class VoucherListSerializer(serializers.ListSerializer):
         return super().create(validated_data)
 
 
+class SeatGuidField(serializers.CharField):
+    def to_representation(self, val: Seat):
+        return val.seat_guid
+
+
 class VoucherSerializer(I18nAwareModelSerializer):
+    seat = SeatGuidField(allow_null=True, required=False)
+
     class Meta:
         model = Voucher
         fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
                   'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
-                  'tag', 'comment', 'subevent', 'show_hidden_items')
+                  'tag', 'comment', 'subevent', 'show_hidden_items', 'seat')
         read_only_fields = ('id', 'redeemed')
         list_serializer_class = VoucherListSerializer
 
@@ -39,7 +54,8 @@ class VoucherSerializer(I18nAwareModelSerializer):
 
         Voucher.clean_item_properties(
             full_data, self.context.get('event'),
-            full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+            full_data.get('quota'), full_data.get('item'), full_data.get('variation'),
+            block_quota=full_data.get('block_quota')
         )
         Voucher.clean_subevent(
             full_data, self.context.get('event')
@@ -61,4 +77,10 @@ class VoucherSerializer(I18nAwareModelSerializer):
             )
         Voucher.clean_voucher_code(full_data, self.context.get('event'), self.instance.pk if self.instance else None)
 
+        if full_data.get('seat'):
+            data['seat'] = Voucher.clean_seat_id(
+                full_data, full_data.get('item'), full_data.get('quota'), self.context.get('event'),
+                self.instance.pk if self.instance else None
+            )
+
         return data

src/pretix/api/urls.py

@@ -7,8 +7,8 @@ from rest_framework import routers
 from pretix.api.views import cart
 
 from .views import (
-    checkin, device, event, item, oauth, order, organizer, user, voucher,
-    waitinglist, webhooks,
+    checkin, device, event, item, oauth, order, organizer, user, version,
+    voucher, waitinglist, webhooks,
 )
 
 router = routers.DefaultRouter()
@@ -20,6 +20,12 @@ orga_router.register(r'subevents', event.SubEventViewSet)
 orga_router.register(r'webhooks', webhooks.WebHookViewSet)
 orga_router.register(r'seatingplans', organizer.SeatingPlanViewSet)
 orga_router.register(r'giftcards', organizer.GiftCardViewSet)
+orga_router.register(r'teams', organizer.TeamViewSet)
+
+team_router = routers.DefaultRouter()
+team_router.register(r'members', organizer.TeamMemberViewSet)
+team_router.register(r'invites', organizer.TeamInviteViewSet)
+team_router.register(r'tokens', organizer.TeamAPITokenViewSet)
 
 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
@@ -61,7 +67,10 @@ for app in apps.get_app_configs():
 urlpatterns = [
     url(r'^', include(router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/', include(orga_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/settings/$', event.EventSettingsView.as_view(),
+        name="event.settings"),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/', include(event_router.urls)),
+    url(r'^organizers/(?P<organizer>[^/]+)/teams/(?P<team>[^/]+)/', include(team_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/items/(?P<item>[^/]+)/', include(item_router.urls)),
     url(r'^organizers/(?P<organizer>[^/]+)/events/(?P<event>[^/]+)/questions/(?P<question>[^/]+)/',
         include(question_router.urls)),
@@ -76,4 +85,5 @@ urlpatterns = [
     url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
     url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
     url(r"^me$", user.MeView.as_view(), name="user.me"),
+    url(r"^version$", version.VersionView.as_view(), name="version"),
 ]

src/pretix/api/views/__init__.py

@@ -41,8 +41,8 @@ class ConditionalListView:
             return super().list(request, **kwargs)
 
         lmd = request.event.logentry_set.filter(
-            content_type__model=self.queryset.model._meta.model_name,
-            content_type__app_label=self.queryset.model._meta.app_label,
+            content_type__model=self.get_queryset().model._meta.model_name,
+            content_type__app_label=self.get_queryset().model._meta.app_label,
         ).aggregate(
             m=Max('datetime')
         )['m']

src/pretix/api/views/checkin.py

@@ -88,8 +88,9 @@ class CheckinListViewSet(viewsets.ModelViewSet):
         pqs = OrderPosition.objects.filter(
             order__event=clist.event,
             order__status__in=[Order.STATUS_PAID] + ([Order.STATUS_PENDING] if clist.include_pending else []),
-            subevent=clist.subevent,
         )
+        if clist.subevent:
+            pqs = pqs.filter(subevent=clist.subevent)
         if not clist.all_products:
             pqs = pqs.filter(item__in=clist.limit_products.values_list('id', flat=True))
             cqs = cqs.filter(position__item__in=clist.limit_products.values_list('id', flat=True))
@@ -201,10 +202,13 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 
         qs = OrderPosition.objects.filter(
             order__event=self.request.event,
-            subevent=self.checkinlist.subevent
         ).annotate(
             last_checked_in=Subquery(cqs)
         )
+        if self.checkinlist.subevent:
+            qs = qs.filter(
+                subevent=self.checkinlist.subevent
+            )
 
         if self.request.query_params.get('ignore_status', 'false') != 'true' and not ignore_status:
             qs = qs.filter(
@@ -251,6 +255,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     @action(detail=True, methods=['POST'])
     def redeem(self, *args, **kwargs):
         force = bool(self.request.data.get('force', False))
+        type = self.request.data.get('type', None) or Checkin.TYPE_ENTRY
+        if type not in dict(Checkin.CHECKIN_TYPES):
+            raise ValidationError("Invalid check-in type.")
         ignore_unpaid = bool(self.request.data.get('ignore_unpaid', False))
         nonce = self.request.data.get('nonce')
         op = self.get_object(ignore_status=True)
@@ -283,6 +290,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                 canceled_supported=self.request.data.get('canceled_supported', False),
                 user=self.request.user,
                 auth=self.request.auth,
+                type=type,
             )
         except RequiredQuestionsError as e:
             return Response({

src/pretix/api/views/event.py

@@ -4,13 +4,14 @@ from django.db.models import ProtectedError, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
-from rest_framework import filters, viewsets
+from rest_framework import filters, views, viewsets
 from rest_framework.exceptions import PermissionDenied
+from rest_framework.response import Response
 
 from pretix.api.auth.permission import EventCRUDPermission
 from pretix.api.serializers.event import (
-    CloneEventSerializer, EventSerializer, SubEventSerializer,
-    TaxRuleSerializer,
+    CloneEventSerializer, DeviceEventSettingsSerializer, EventSerializer,
+    EventSettingsSerializer, SubEventSerializer, TaxRuleSerializer,
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
@@ -133,6 +134,7 @@ class EventViewSet(viewsets.ModelViewSet):
 
     def perform_create(self, serializer):
         serializer.save(organizer=self.request.organizer)
+        serializer.instance.set_defaults()
         serializer.instance.log_action(
             'pretix.event.added',
             user=self.request.user,
@@ -332,3 +334,39 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
             auth=self.request.auth,
         )
         super().perform_destroy(instance)
+
+
+class EventSettingsView(views.APIView):
+    permission = None
+    write_permission = 'can_change_event_settings'
+
+    def get(self, request, *args, **kwargs):
+        if isinstance(request.auth, Device):
+            s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event)
+        elif 'can_change_event_settings' in request.eventpermset:
+            s = EventSettingsSerializer(instance=request.event.settings, event=request.event)
+        else:
+            raise PermissionDenied()
+        if 'explain' in request.GET:
+            return Response({
+                fname: {
+                    'value': s.data[fname],
+                    'label': getattr(field, '_label', fname),
+                    'help_text': getattr(field, '_help_text', None)
+                } for fname, field in s.fields.items()
+            })
+        return Response(s.data)
+
+    def patch(self, request, *wargs, **kwargs):
+        s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
+                                    event=request.event)
+        s.is_valid(raise_exception=True)
+        with transaction.atomic():
+            s.save()
+            self.request.event.log_action(
+                'pretix.event.settings', user=self.request.user, auth=self.request.auth, data={
+                    k: v for k, v in s.validated_data.items()
+                }
+            )
+        s = EventSettingsSerializer(instance=request.event.settings, event=request.event)
+        return Response(s.data)

src/pretix/api/views/item.py

@@ -20,6 +20,7 @@ from pretix.base.models import (
     CartPosition, Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation,
     Question, QuestionOption, Quota,
 )
+from pretix.base.services.quotas import QuotaAvailability
 from pretix.helpers.dicts import merge_dicts
 
 with scopes_disabled():
@@ -62,7 +63,6 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['event'] = self.request.event
-        ctx['has_variations'] = self.request.data.get('has_variations')
         return ctx
 
     def perform_update(self, serializer):
@@ -534,14 +534,18 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
     def availability(self, request, *args, **kwargs):
         quota = self.get_object()
 
-        avail = quota.availability()
+        qa = QuotaAvailability()
+        qa.queue(quota)
+        qa.compute()
+        avail = qa.results[quota]
 
         data = {
-            'paid_orders': quota.count_paid_orders(),
-            'pending_orders': quota.count_pending_orders(),
-            'blocking_vouchers': quota.count_blocking_vouchers(),
-            'cart_positions': quota.count_in_cart(),
-            'waiting_list': quota.count_waiting_list_pending(),
+            'paid_orders': qa.count_paid_orders[quota],
+            'pending_orders': qa.count_pending_orders[quota],
+            'exited_orders': qa.count_exited_orders[quota],
+            'blocking_vouchers': qa.count_vouchers[quota],
+            'cart_positions': qa.count_cart[quota],
+            'waiting_list': qa.count_pending_orders[quota],
             'available_number': avail[1],
             'available': avail[0] == Quota.AVAILABILITY_OK,
             'total_size': quota.size,

src/pretix/api/views/oauth.py

@@ -2,7 +2,7 @@ import logging
 
 from django import forms
 from django.conf import settings
-from django.utils.translation import ugettext as _
+from django.utils.translation import gettext as _
 from oauth2_provider.exceptions import OAuthToolkitError
 from oauth2_provider.forms import AllowForm
 from oauth2_provider.views import (