Widget: fix close-icon position

Add email placeholder positionid
Tax rule editor: Fix label for "text on invoice"
2023-03-21 08:43:45 +01:00 · 2023-03-20 17:26:49 +01:00 · 2023-03-20 17:19:32 +01:00 · 2023-03-20 16:46:44 +01:00 · 2023-03-20 16:46:44 +01:00 · 2023-03-17 22:07:37 +01:00
584 changed files with 392350 additions and 255360 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,7 @@ updates:
    directory: "/src"
    schedule:
      interval: "daily"
+    versioning-strategy: increase
  - package-ecosystem: "npm"
    directory: "/src/pretix/static/npm_dir"
    schedule:
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -14,16 +14,22 @@ on:
      - 'src/pretix/static/**'
      - 'src/tests/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  spelling:
    name: Spellcheck
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -31,7 +37,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install enchant hunspell aspell-en
+        run: sudo apt update && sudo apt install enchant-2 hunspell aspell-en
      - name: Install Dependencies
        run: pip3 install -Ur requirements.txt
        working-directory: ./doc
--- a/.github/workflows/strings.yml
+++ b/.github/workflows/strings.yml
@@ -12,16 +12,22 @@ on:
      - 'doc/**'
      - 'src/pretix/locale/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  compile:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Check gettext syntax
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -40,14 +46,14 @@ jobs:
        run: python manage.py compilejsi18n
        working-directory: ./src
  spelling:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Spellcheck
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -55,7 +61,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install enchant hunspell hunspell-de-de aspell-en aspell-de
+        run: sudo apt update && sudo apt install enchant-2 hunspell hunspell-de-de aspell-en aspell-de
      - name: Install Dependencies
        run: pip3 install -e ".[dev]"
        working-directory: ./src
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -12,16 +12,22 @@ on:
      - 'src/pretix/locale/**'
      - 'src/pretix/static/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  isort:
    name: isort
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -36,13 +42,13 @@ jobs:
        working-directory: ./src
  flake:
    name: flake8
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -57,13 +63,13 @@ jobs:
        working-directory: ./src
  licenseheader:
    name: licenseheaders
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.11
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.11
      - name: Install Dependencies
        run: pip3 install licenseheaders
      - name: Run licenseheaders
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -12,28 +12,34 @@ on:
      - 'doc/**'
      - 'src/pretix/locale/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Tests
    strategy:
      matrix:
-        python-version: ["3.7", "3.8", "3.9"]
+        python-version: ["3.9", "3.10", "3.11"]
        database: [sqlite, postgres, mysql]
        exclude:
          - database: mysql
-            python-version: "3.8"
+            python-version: "3.9"
          - database: mysql
+            python-version: "3.11"
+          - database: sqlite
            python-version: "3.9"
          - database: sqlite
-            python-version: "3.7"
-          - database: sqlite
-            python-version: "3.8"
+            python-version: "3.10"
    steps:
      - uses: actions/checkout@v2
      - uses: getong/mariadb-action@v1.1
        with:
-          mariadb version: '10.4'
+          mariadb version: '10.10'
          mysql database: 'pretix'
          mysql root password: ''
        if: matrix.database == 'mysql'
@@ -55,9 +61,9 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system dependencies
-        run: sudo apt update && sudo apt install gettext mariadb-client-10.3
+        run: sudo apt update && sudo apt install gettext mariadb-client
      - name: Install Python dependencies
-        run: pip3 install -e ".[dev]" mysqlclient psycopg2-binary
+        run: pip3 install --ignore-requires-python -e ".[dev]" mysqlclient psycopg2-binary  # We ignore that flake8 needs newer python as we don't run flake8 during tests
        working-directory: ./src
      - name: Run checks
        run: python manage.py check
@@ -75,5 +81,6 @@ jobs:
        uses: codecov/codecov-action@v1
        with:
          file: src/coverage.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
-        if: matrix.database == 'postgres' && matrix.python-version == '3.8'
+        if: matrix.database == 'postgres' && matrix.python-version == '3.11'
--- a/.readthedocs.requirements.txt
+++ b/.readthedocs.requirements.txt
@@ -1 +0,0 @@
-r doc/requirements.txt
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@@ -0,0 +1,15 @@
+version: 2
+sphinx:
+   configuration: doc/conf.py
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.8"
+    nodejs: "16"
+  apt_packages:
+    - gettext
+python:
+  install:
+    - method: pip
+      path: ./src/
+    - requirements: doc/requirements.rtd.txt
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM python:3.9-bullseye
+FROM python:3.11-bullseye

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
--- a/doc/_themes/pretix_theme/layout.html
+++ b/doc/_themes/pretix_theme/layout.html
@@ -18,67 +18,82 @@
  <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
  {% endblock %}

-  {# FAVICON #}
-  {% if favicon %}
-    <link rel="shortcut icon" href="{{ pathto('_static/' + favicon, 1) }}"/>
-  {% endif %}
-  {# CANONICAL URL #}
-  {% if theme_canonical_url %}
+
+  {#- CSS #}
+  {%- for css in css_files %}
+    {%- if css|attr("rel") %}
+      <link rel="{{ css.rel }}" href="{{ pathto(css.filename, 1) }}" type="text/css"{% if css.title is not none %} title="{{ css.title }}"{% endif %} />
+    {%- else %}
+      <link rel="stylesheet" href="{{ pathto(css, 1) }}" type="text/css" />
+    {%- endif %}
+  {%- endfor %}
+
+  {%- for cssfile in extra_css_files %}
+    <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" />
+  {%- endfor -%}
+
+  {#- FAVICON
+      favicon_url is the only context var necessary since Sphinx 4.
+      In Sphinx<4, we use favicon but need to prepend path info.
+  #}
+  {%- set _favicon_url = favicon_url | default(pathto('_static/' + (favicon or ""), 1)) %}
+  {%- if favicon_url or favicon %}
+    <link rel="shortcut icon" href="{{ _favicon_url }}"/>
+  {%- endif %}
+
+  {#- CANONICAL URL (deprecated) #}
+  {%- if theme_canonical_url and not pageurl %}
    <link rel="canonical" href="{{ theme_canonical_url }}{{ pagename }}.html"/>
-  {% endif %}
+  {%- endif -%}

-  {# CSS #}
+  {#- CANONICAL URL #}
+  {%- if pageurl %}
+    <link rel="canonical" href="{{ pageurl|e }}" />
+  {%- endif -%}

-  {# OPENSEARCH #}
-  {% if not embedded %}
-    {% if use_opensearch %}
-      <link rel="search" type="application/opensearchdescription+xml" title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}" href="{{ pathto('_static/opensearch.xml', 1) }}"/>
-    {% endif %}
+  {#- JAVASCRIPTS #}
+  {%- block scripts %}
+  <!--[if lt IE 9]>
+    <script src="{{ pathto('_static/js/html5shiv.min.js', 1) }}"></script>
+  <![endif]-->
+  {%- if not embedded %}
+  {# XXX Sphinx 1.8.0 made this an external js-file, quick fix until we refactor the template to inherert more blocks directly from sphinx #}
+      {%- for scriptfile in script_files %}
+        {{ js_tag(scriptfile) }}
+      {%- endfor %}
+    <script src="{{ pathto('_static/js/theme.js', 1) }}"></script>

-  {% endif %}
-
-  {# RTD hosts this file, so just load on non RTD builds #}
-    <link rel="stylesheet" href="{{ pathto('_static/' + style, 1) }}" type="text/css" />
-
-  {% for cssfile in css_files %}
-    <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" />
-  {% endfor %}
-
-  {% for cssfile in extra_css_files %}
-    <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" />
-  {% endfor %}
+    {#- OPENSEARCH #}
+    {%- if use_opensearch %}
+    <link rel="search" type="application/opensearchdescription+xml"
+          title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}"
+          href="{{ pathto('_static/opensearch.xml', 1) }}"/>
+    {%- endif %}
+  {%- endif %}
+  {%- endblock %}

  {%- block linktags %}
    {%- if hasdoc('about') %}
-        <link rel="author" title="{{ _('About these documents') }}"
-              href="{{ pathto('about') }}"/>
+    <link rel="author" title="{{ _('About these documents') }}" href="{{ pathto('about') }}" />
    {%- endif %}
    {%- if hasdoc('genindex') %}
-        <link rel="index" title="{{ _('Index') }}"
-              href="{{ pathto('genindex') }}"/>
+    <link rel="index" title="{{ _('Index') }}" href="{{ pathto('genindex') }}" />
    {%- endif %}
    {%- if hasdoc('search') %}
-        <link rel="search" title="{{ _('Search') }}" href="{{ pathto('search') }}"/>
+    <link rel="search" title="{{ _('Search') }}" href="{{ pathto('search') }}" />
    {%- endif %}
    {%- if hasdoc('copyright') %}
-        <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}"/>
-    {%- endif %}
-    <link rel="top" title="{{ docstitle|e }}" href="{{ pathto('index') }}"/>
-    {%- if parents %}
-        <link rel="up" title="{{ parents[-1].title|striptags|e }}" href="{{ parents[-1].link|e }}"/>
+    <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
    {%- endif %}
    {%- if next %}
-        <link rel="next" title="{{ next.title|striptags|e }}" href="{{ next.link|e }}"/>
+    <link rel="next" title="{{ next.title|striptags|e }}" href="{{ next.link|e }}" />
    {%- endif %}
    {%- if prev %}
-        <link rel="prev" title="{{ prev.title|striptags|e }}" href="{{ prev.link|e }}"/>
+    <link rel="prev" title="{{ prev.title|striptags|e }}" href="{{ prev.link|e }}" />
    {%- endif %}
  {%- endblock %}
  {%- block extrahead %} {% endblock %}

-  {# Keep modernizr in head - http://modernizr.com/docs/#installing #}
-  <script src="{{ pathto('_static/js/modernizr.min.js', 1) }}"></script>
-
 </head>

 <body class="wy-body-for-nav" role="document">
@@ -92,16 +107,14 @@
        <div class="wy-side-nav-search">
          {% block sidebartitle %}

-          {% if logo and theme_logo_only %}
-            <a href="{{ pathto('index') }}">
-          {% else %}
-            <a href="{{ pathto('index') }}" class="icon icon-home"> {{ project }}
-          {% endif %}
-
-          {% if logo %}
-            {# Not strictly valid HTML, but it's the only way to display/scale it properly, without weird scripting or heaps of work #}
-            <img src="{{ pathto('_static/' + logo, 1) }}" class="logo" />
-          {% endif %}
+          {# the logo helper function was removed in Sphinx 6 and deprecated since Sphinx 4 #}
+          {# the master_doc variable was renamed to root_doc in Sphinx 4 (master_doc still exists in later Sphinx versions) #}
+          {%- set _logo_url = logo_url|default(pathto('_static/' + (logo or ""), 1)) %}
+          {%- set _root_doc = root_doc|default(master_doc) %}
+          <a href="{{ pathto(_root_doc) }}"{% if not theme_logo_only %} class="icon icon-home"{% endif %}>
+            {%- if logo or logo_url %}
+              <img src="{{ _logo_url }}" class="logo" alt="{{ _('Logo') }}"/>
+            {%- endif %}
          </a>

          {% include "searchbox.html" %}
--- a/doc/_themes/pretix_theme/search.html
+++ b/doc/_themes/pretix_theme/search.html
@@ -5,31 +5,37 @@
    Template for the search page.

    :copyright: Copyright 2007-2013 by the Sphinx team, see AUTHORS.
-    :license: BSD, see LICENSE for details.
+    :license: BSD, see https://github.com/sphinx-doc/sphinx/blob/master/LICENSE for details.
 #}
 {%- extends "layout.html" %}
 {% set title = _('Search') %}
-{% set script_files = script_files + ['_static/searchtools.js'] %}
+{% set display_vcs_links = False %}
+{%- block scripts %}
+    {{ super() }}
+    <script src="{{ pathto('_static/searchtools.js', 1) }}"></script>
+    <script src="{{ pathto('_static/language_data.js', 1) }}"></script>
+{%- endblock %}
 {% block footer %}
-  <script type="text/javascript">
+  <script>
    jQuery(function() { Search.loadIndex("{{ pathto('searchindex.js', 1) }}"); });
  </script>
  {# this is used when loading the search index using $.ajax fails,
     such as on Chrome for documents on localhost #}
-  <script type="text/javascript" id="searchindexloader"></script>
+  <script id="searchindexloader"></script>
  {{ super() }}
 {% endblock %}
 {% block body %}
  <noscript>
  <div id="fallback" class="admonition warning">
    <p class="last">
-      {% trans %}Please activate JavaScript to enable the search
+      {% trans trimmed %}Please activate JavaScript to enable the search
      functionality.{% endtrans %}
    </p>
  </div>
  </noscript>

  {% if search_performed %}
+    {# Translators: Search is a noun, not a verb #}
    <h2>{{ _('Search Results') }}</h2>
    {% if not search_results %}
      <p>{{ _('Your search did not match any documents. Please make sure that all words are spelled correctly and that you\'ve selected enough categories.') }}</p>
@@ -47,4 +53,4 @@
    </ul>
  {% endif %}
  </div>
-{% endblock %}
+{% endblock %}
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -2,7 +2,7 @@

 .. _`config`:

-.. spelling:: Galera
+.. spelling:word-list:: Galera

 Configuration file
 ==================
@@ -84,7 +84,7 @@ Example::
    Enables or disables the "keep me logged in" button. Defaults to ``on``.

 ``ecb_rates``
-    By default, pretix periodically downloads a XML file from the European Central Bank to retrieve exchange rates
+    By default, pretix periodically downloads currency rates from the European Central Bank as well as other authorities
    that are used to print tax amounts in the customer currency on invoices for some currencies. Set to ``off`` to
    disable this feature. Defaults to ``on``.

@@ -106,6 +106,11 @@ Example::
    proxy that actively removes and re-adds the header to make sure the correct value is set.
    Defaults to ``off``.

+``trust_x_forwarded_host``
+    Specifies whether the ``X-Forwarded-Host`` header can be trusted. Only set to ``on`` if you have a reverse
+    proxy that actively removes and re-adds the header to make sure the correct value is set.
+    Defaults to ``off``.
+
 ``csp_log``
    Log violations of the Content Security Policy (CSP). Defaults to ``on``.

@@ -117,6 +122,9 @@ Example::
 ``loglevel``
    Set console and file log level (``DEBUG``, ``INFO``, ``WARNING``, ``ERROR`` or ``CRITICAL``). Defaults to ``INFO``.

+``request_id_header``
+    Specifies the name of a header that should be used for logging request IDs. Off by default.
+
 Locale settings
 ---------------

@@ -138,7 +146,7 @@ Database settings
 Example::

    [database]
-    backend=mysql
+    backend=postgresql
    name=pretix
    user=pretix
    password=abcd
@@ -146,7 +154,7 @@ Example::
    port=3306

 ``backend``
-    One of ``mysql``, ``sqlite3``, ``oracle`` and ``postgresql``.
+    One of ``mysql`` (deprecated), ``sqlite3`` and ``postgresql``.
    Default: ``sqlite3``.

    If you use MySQL, be sure to create your database using
@@ -160,7 +168,7 @@ Example::
    Connection details for the database connection. Empty by default.

 ``galera``
-    Indicates if the database backend is a MySQL/MariaDB Galera cluster and
+    (Deprecated) Indicates if the database backend is a MySQL/MariaDB Galera cluster and
    turns on some optimizations/special case handlers. Default: ``False``

 .. _`config-replica`:
@@ -191,7 +199,7 @@ Example::

    [urls]
    media=/media/
-    static=/media/
+    static=/static/

 ``media``
    The URL to be used to serve user-uploaded content. You should not need to modify
@@ -396,9 +404,9 @@ The two ``transport_options`` entries can be omitted in most cases.
 If they are present they need to be a valid JSON dictionary.
 For possible entries in that dictionary see the `Celery documentation`_.

-To use redis with sentinels set the broker or backend to ``sentinel://sentinel_host_1:26379;sentinal_host_2:26379/0``
+To use redis with sentinels set the broker or backend to ``sentinel://sentinel_host_1:26379;sentinel_host_2:26379/0``
 and the respective transport_options to ``{"master_name":"mymaster"}``.
-If your redis instances behind the sentinel have a password use ``sentinel://:my_password@sentinel_host_1:26379;sentinal_host_2:26379/0``.
+If your redis instances behind the sentinel have a password use ``sentinel://:my_password@sentinel_host_1:26379;sentinel_host_2:26379/0``.
 If your redis sentinels themselves have a password set the transport_options to ``{"master_name":"mymaster","sentinel_kwargs":{"password":"my_password"}}``.

 Sentry
--- a/doc/admin/index.rst
+++ b/doc/admin/index.rst
@@ -14,4 +14,5 @@ This documentation is for everyone who wants to install pretix on a server.
   maintainance
   scaling
   errors
+   mysql2postgres
   indexes
--- a/doc/admin/indexes.rst
+++ b/doc/admin/indexes.rst
@@ -45,8 +45,8 @@ Here is the currently recommended set of commands::
    CREATE INDEX CONCURRENTLY pretix_addidx_order_comment
        ON pretixbase_order
        USING gin (upper("comment") gin_trgm_ops);
-    CREATE INDEX CONCURRENTLY pretix_addidx_order_event_date
-        ON public.pretixbase_order (event_id, datetime);
+    CREATE INDEX CONCURRENTLY pretix_addidx_order_event_date_id
+        ON public.pretixbase_order (event_id, datetime, id);
    CREATE INDEX CONCURRENTLY pretix_addidx_orderpos_name
        ON pretixbase_orderposition
        USING gin (upper("attendee_name_cached") gin_trgm_ops);
@@ -66,10 +66,10 @@ Here is the currently recommended set of commands::
        ON public.pretixbase_orderposition (upper((attendee_email)::text));
    CREATE INDEX CONCURRENTLY pretix_addidx_voucher_code_upper
        ON public.pretixbase_voucher (upper((code)::text));
-    CREATE INDEX CONCURRENTLY pretix_addidx_logentry_event_date
-        ON public.pretixbase_logentry (event_id, datetime);
-    CREATE INDEX CONCURRENTLY pretix_addidx_logentry_event_cid_date
-        ON public.pretixbase_logentry (event_id, content_type_id, datetime);
+    CREATE INDEX CONCURRENTLY pretix_addidx_logentry_event_date_id
+        ON public.pretixbase_logentry (event_id, datetime, id);
+    CREATE INDEX CONCURRENTLY pretix_addidx_logentry_event_cid_date_id
+        ON public.pretixbase_logentry (event_id, content_type_id, datetime, id);


 Also, if you use our ``pretix-shipping`` plugin::
--- a/doc/admin/installation/docker_smallscale.rst
+++ b/doc/admin/installation/docker_smallscale.rst
@@ -14,7 +14,7 @@ This has some trade-offs in terms of performance and isolation but allows a rath
             get it right. If you're not feeling comfortable managing a Linux server, check out our hosting and service
             offers at `pretix.eu`_.

-We tested this guide on the Linux distribution **Debian 8.0** but it should work very similar on other
+We tested this guide on the Linux distribution **Debian 11.0** but it should work very similar on other
 modern distributions, especially on all systemd-based ones.

 Requirements
@@ -26,7 +26,7 @@ installation guides):
 * `Docker`_
 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `PostgreSQL`_ 9.6+, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
+* A `PostgreSQL`_ 9.6+ database server
 * A `redis`_ server

 We also recommend that you use a firewall, although this is not a pretix-specific recommendation. If you're new to
@@ -58,9 +58,6 @@ directory writable to the user that runs pretix inside the docker container::
 Database
 --------

-.. warning:: **Please use PostgreSQL for all new installations**. If you need to go for MySQL, make sure you run
-             **MySQL 5.7 or newer** or **MariaDB 10.2.7 or newer**.
-
 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
 our database's shell. Please make sure that UTF8 is used as encoding for the best compatibility. You can check this with
 the following command::
@@ -86,13 +83,6 @@ Restart PostgreSQL after you changed these files::

 If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.

-For MySQL, you can either also use network-based connections or mount the ``/var/run/mysqld/mysqld.sock`` socket into the docker container.
-When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
-
-    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-
-You will also need to make sure that ``sql_mode`` in your ``my.cnf`` file does **not** include ``ONLY_FULL_GROUP_BY``.
-
 Redis
 -----

@@ -152,15 +142,13 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    trust_x_forwarded_proto=on

    [database]
-    ; Replace postgresql with mysql for MySQL
    backend=postgresql
    name=pretix
    user=pretix
    ; Replace with the password you chose above
    password=*********
    ; In most docker setups, 172.17.0.1 is the address of the docker host. Adjust
-    ; this to wherever your database is running, e.g. the name of a linked container
-    ; or of a mounted MySQL socket.
+    ; this to wherever your database is running, e.g. the name of a linked container.
    host=172.17.0.1

    [mail]
@@ -212,8 +200,6 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
    [Install]
    WantedBy=multi-user.target

-When using MySQL and socket mounting, you'll need the additional flag ``-v /var/run/mysqld:/var/run/mysqld`` in the command.
-
 You can now run the following commands
 to enable and start the service::

@@ -339,7 +325,6 @@ workers, e.g. ``docker run … taskworker -Q notifications --concurrency 32``.
 .. _nginx: https://botleg.com/stories/https-with-lets-encrypt-and-nginx/
 .. _Let's Encrypt: https://letsencrypt.org/
 .. _pretix.eu: https://pretix.eu/
-.. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-20-04
 .. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
--- a/doc/admin/installation/general.rst
+++ b/doc/admin/installation/general.rst
@@ -1,6 +1,6 @@
 .. highlight:: ini

-.. spelling:: SQL
+.. spelling:word-list:: SQL

 General remarks
 ===============
--- a/doc/admin/installation/manual_smallscale.rst
+++ b/doc/admin/installation/manual_smallscale.rst
@@ -12,7 +12,7 @@ solution with many things readily set-up, look at :ref:`dockersmallscale`.
             get it right. If you're not feeling comfortable managing a Linux server, check out our hosting and service
             offers at `pretix.eu`_.

-We tested this guide on the Linux distribution **Debian 10.0** but it should work very similar on other
+We tested this guide on the Linux distribution **Debian 11.6** but it should work very similar on other
 modern distributions, especially on all systemd-based ones.

 Requirements
@@ -23,7 +23,7 @@ installation guides):

 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `PostgreSQL`_ 9.6+, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
+* A `PostgreSQL`_ 11+ database server
 * A `redis`_ server
 * A `nodejs`_ installation

@@ -47,9 +47,6 @@ In this guide, all code lines prepended with a ``#`` symbol are commands that yo
 Database
 --------

-.. warning:: **Please use PostgreSQL for all new installations**. If you need to go for MySQL, make sure you run
-             **MySQL 5.7 or newer** or **MariaDB 10.2.7 or newer**.
-
 Having the database server installed, we still need a database and a database user. We can create these with any kind
 of database managing tool or directly on our database's shell. Please make sure that UTF8 is used as encoding for the
 best compatibility. You can check this with the following command::
@@ -61,12 +58,6 @@ For PostgreSQL database creation, we would do::
    # sudo -u postgres createuser pretix
    # sudo -u postgres createdb -O pretix pretix

-When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
-
-    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-
-You will also need to make sure that ``sql_mode`` in your ``my.cnf`` file does **not** include ``ONLY_FULL_GROUP_BY``.
-
 Package dependencies
 --------------------

@@ -74,7 +65,7 @@ To build and run pretix, you will need the following debian packages::

    # apt-get install git build-essential python-dev python3-venv python3 python3-pip \
                      python3-dev libxml2-dev libxslt1-dev libffi-dev zlib1g-dev libssl-dev \
-                      gettext libpq-dev libmariadb-dev libjpeg-dev libopenjp2-7-dev
+                      gettext libpq-dev libjpeg-dev libopenjp2-7-dev

 Config file
 -----------
@@ -97,16 +88,12 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    trust_x_forwarded_proto=on

    [database]
-    ; For MySQL, replace with "mysql"
    backend=postgresql
    name=pretix
    user=pretix
-    ; For MySQL, enter the user password. For PostgreSQL on the same host,
-    ; we don't need one because we can use peer authentification if our
-    ; PostgreSQL user matches our unix user.
+    ; For PostgreSQL on the same host, we don't need a password because we can use
+    ; peer authentication if our PostgreSQL user matches our unix user.
    password=
-    ; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
-    ; For a remote host, supply an IP address
    ; For local postgres authentication, you can leave it empty
    host=

@@ -140,11 +127,7 @@ We now install pretix, its direct dependencies and gunicorn::

    (venv)$ pip3 install pretix gunicorn

-If you're running MySQL, also install the client library::
-
-    (venv)$ pip3 install mysqlclient
-
-Note that you need Python 3.7 or newer. You can find out your Python version using ``python -V``.
+Note that you need Python 3.9 or newer. You can find out your Python version using ``python -V``.

 We also need to create a data directory::

@@ -318,12 +301,32 @@ example::
    (venv)$ python -m pretix rebuild
    # systemctl restart pretix-web pretix-worker

+System updates
+--------------
+
+After system updates, such as updates to a new Ubuntu or Debian release, you might be using a new Python version.
+That's great, but requires some adjustments. First, adjust any old version paths in your nginx configuration file.
+Then, re-create your Python environment::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 freeze > /tmp/pip-backup.txt
+    $ rm -rf /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U pip wheel setuptools
+    (venv)$ pip3 install -r /tmp/pip-backup.txt
+
+Then, proceed like after any plugin installation::
+
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    (venv)$ python -m pretix updatestyles
+    # systemctl restart pretix-web pretix-worker

 .. _Postfix: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04
 .. _nginx: https://botleg.com/stories/https-with-lets-encrypt-and-nginx/
 .. _Let's Encrypt: https://letsencrypt.org/
 .. _pretix.eu: https://pretix.eu/
-.. _MySQL: https://dev.mysql.com/doc/refman/5.7/en/linux-installation-apt-repo.html
 .. _PostgreSQL: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-20-04
 .. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
--- a/doc/admin/maintainance.rst
+++ b/doc/admin/maintainance.rst
@@ -17,11 +17,11 @@ Backups
 There are essentially two things which you should create backups of:

 Database
-    Your SQL database (MySQL or PostgreSQL). This is critical and you should **absolutely
-    always create automatic backups of your database**. There are tons of tutorials on the
-    internet on how to do this, and the exact process depends on the choice of your database.
-    For MySQL, see ``mysqldump`` and for PostgreSQL, see the ``pg_dump`` tool. You probably
-    want to create a cronjob that does the backups for you on a regular schedule.
+    Your SQL database. This is critical and you should **absolutely always create automatic
+    backups of your database**. There are tons of tutorials on the internet on how to do this,
+    and the exact process depends on the choice of your database. For PostgreSQL, see the
+    ``pg_dump`` tool. You probably want to create a cronjob that does the backups for you on a
+    regular schedule.

 Data directory
    The data directory of your pretix configuration might contain some things that you should
--- a/doc/admin/mysql2postgres.rst
+++ b/doc/admin/mysql2postgres.rst
@@ -0,0 +1,156 @@
+.. highlight:: none
+
+Migrating from MySQL/MariaDB to PostgreSQL
+==========================================
+
+Our recommended database for all production installations is PostgreSQL. Support for MySQL/MariaDB will be removed in
+pretix 5.0.
+
+In order to follow this guide, your pretix installation needs to be a version that fully supports MySQL/MariaDB. If you
+already upgraded to pretix 5.0, downgrade back to the last 4.x release using ``pip``.
+
+.. note:: We have tested this guide carefully, but we can't assume any liability for its correctness. The data loss
+          risk should be low as long as pretix is not running while you do the migration. If you are a pretix Enterprise
+          customer, feel free to reach out in advance if you want us to support you along the way.
+
+Update database schema
+----------------------
+
+Before you start, make sure your database schema is up to date::
+
+    # sudo -u pretix -s
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ python -m pretix migrate
+
+Install PostgreSQL
+------------------
+
+Now, install and set up a PostgreSQL server. For a local installation on Debian or Ubuntu, use::
+
+    # apt install postgresql
+
+Having the database server installed, we still need a database and a database user. We can create these with any kind
+of database managing tool or directly on our database's shell. Please make sure that UTF8 is used as encoding for the
+best compatibility. You can check this with the following command::
+
+    # sudo -u postgres psql -c 'SHOW SERVER_ENCODING'
+
+Without Docker
+""""""""""""""
+
+For our standard manual installation, create the database and user like this::
+
+    # sudo -u postgres createuser pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+With Docker
+"""""""""""
+
+For our standard docker installation, create the database and user like this::
+
+    # sudo -u postgres createuser -P pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+Make sure that your database listens on the network. If PostgreSQL on the same same host as docker, but not inside a docker container, we recommend that you just listen on the Docker interface by changing the following line in ``/etc/postgresql/<version>/main/postgresql.conf``::
+
+    listen_addresses = 'localhost,172.17.0.1'
+
+You also need to add a new line to ``/etc/postgresql/<version>/main/pg_hba.conf`` to allow network connections to this user and database::
+
+    host    pretix          pretix          172.17.0.1/16           md5
+
+Restart PostgreSQL after you changed these files::
+
+    # systemctl restart postgresql
+
+If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.
+
+Of course, instead of all this you can also run a PostgreSQL docker container and link it to the pretix container.
+
+Stop pretix
+-----------
+
+To prevent any more changes to your data, stop pretix from running::
+
+    # systemctl stop pretix-web pretix-worker
+
+Change configuration
+--------------------
+
+Change the database configuration in your ``/etc/pretix/pretix.cfg`` file::
+
+    [database]
+    backend=postgresql
+    name=pretix
+    user=pretix
+    password=  ; only required for docker or remote database, can be kept empty for local auth
+    host=      ; set to 172.17.0.1 in docker setup, keep empty for local auth
+
+
+Create database schema
+-----------------------
+
+To create the schema in your new PostgreSQL database, use the following commands::
+
+    # sudo -u pretix -s
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ python -m pretix migrate
+
+
+Migrate your data
+-----------------
+
+Install ``pgloader``::
+
+    # apt install pgloader
+
+.. note::
+
+   If you are using Ubuntu 20.04, the ``pgloader`` version from the repositories seems to be incompatible with PostgreSQL
+   12+. You can install ``pgloader`` from the `PostgreSQL repositories`_ instead.
+   See also `this discussion <https://github.com/pretix/pretix/issues/3090>`_.
+
+Create a new file ``/tmp/pretix.load``, replacing the MySQL and PostgreSQL connection strings with the correct user names, passwords, and/or database names::
+
+    LOAD DATABASE
+        FROM mysql://pretix:password@localhost/pretix  -- replace with mysql://username:password@hostname/dbname
+        INTO postgresql:///pretix                      -- replace with dbname
+
+    WITH data only, include no drop, truncate, disable triggers,
+         create no indexes, drop indexes, reset sequences
+
+    ALTER SCHEMA 'pretix' RENAME TO 'public'           -- replace pretix with the name of the MySQL database
+
+    ALTER TABLE NAMES MATCHING ~/.*/
+        SET SCHEMA 'public'
+
+    SET timezone TO '+00:00'
+
+    SET PostgreSQL PARAMETERS
+         maintenance_work_mem to '128MB',
+         work_mem to '12MB';
+
+Then, run::
+
+    # sudo -u postgres pgloader /tmp/pretix.load
+
+The output should end with a table summarizing the results for every table. You can ignore warnings about type casts
+and missing constraints.
+
+Afterwards, delete the file again::
+
+    # rm -rf /tmp/pretix.load
+
+Start pretix
+------------
+
+Now, restart pretix. Maybe stop your MySQL server as a verification step that you are no longer using it::
+
+    # systemctl stop mariadb
+    # systemctl start pretix-web pretix-worker
+
+And you're done! After you've verified everything has been copied correctly, you can delete the old MySQL database.
+
+.. note:: Don't forget to update your backup process to back up your PostgreSQL database instead of your MySQL database now.
+
+.. _PostgreSQL repositories: https://wiki.postgresql.org/wiki/Apt
--- a/doc/admin/scaling.rst
+++ b/doc/admin/scaling.rst
@@ -42,7 +42,7 @@ A pretix installation usually consists of the following components which run per

 * ``pretix-worker`` is a Celery-based application that processes tasks that should be run asynchronously outside of the web application process.

-* A **SQL database** keeps all the important data and processes the actual transactions. We recommend using PostgreSQL, but MySQL/MariaDB works as well.
+* A **PostgreSQL database** keeps all the important data and processes the actual transactions.

 * A **web server** that terminates TLS and HTTP connections and forwards them to ``pretix-web``. In some cases, e.g. when serving static files, the web servers might return a response directly. We recommend using ``nginx``.

@@ -74,7 +74,7 @@ We recommend reading up on tuning your web server for high concurrency. For ngin
 processes and the number of connections each worker process accepts. Double-check that TLS session caching works, because TLS
 handshakes can get really expensive.

-During a traffic peak, your web server will be able to make us of more CPU resources, while memory usage will stay comparatively low,
+During a traffic peak, your web server will be able to make use of more CPU resources, while memory usage will stay comparatively low,
 so if you invest in more hardware here, invest in more and faster CPU cores.

 Make sure that pretix' static files (such as CSS and JavaScript assets) as well as user-uploaded media files (event logos, etc)
--- a/doc/api/fundamentals.rst
+++ b/doc/api/fundamentals.rst
@@ -48,10 +48,11 @@ Possible permissions are:
 Compatibility
 -------------

-We currently see pretix' API as a beta-stage feature. We therefore do not give any guarantees
-for compatibility between feature releases of pretix (such as 1.5 and 1.6). However, as always,
-we try not to break things when we don't need to. Any backwards-incompatible changes will be
-prominently noted in the release notes.
+We try to avoid any breaking changes to our API to avoid hassle on your end. If possible, we'll
+build new features in a way that keeps all pre-existing API usage unchanged. In some cases,
+this might not be possible or only possible with restrictions. In these case, any
+backwards-incompatible changes will be prominently noted in the "Changes to the REST API"
+section of our release notes. If possible, we will announce them multiple releases in advance.

 We treat the following types of changes as *backwards-compatible* so we ask you to make sure
 that your clients can deal with them properly:
@@ -60,6 +61,7 @@ that your clients can deal with them properly:
 * Support of new HTTP methods for a given API endpoint
 * Support of new query parameters for a given API endpoint
 * New fields contained in API responses
+* New possible values of enumeration-like fields
 * Response body structure or message texts on failed requests (``4xx``, ``5xx`` response codes)

 We treat the following types of changes as *backwards-incompatible*:
@@ -190,6 +192,9 @@ Relative date         *either* String in ISO 8601  ``"2017-12-27"``,
 File                  URL in responses, ``file:``  ``"https://…"``, ``"file:…"``
                      specifiers in requests
                      (see below).
+Date range            *either* two dates separated ``2022-03-18/2022-03-23``, ``2022-03-18/``,
+                      by ``/`` *or* the name of a  ``/2022-03-23``, ``week_this``, ``week_next``,
+                      defined range.               ``month_this``
 ===================== ============================ ===================================

 Query parameters
--- a/doc/api/oauth.rst
+++ b/doc/api/oauth.rst
@@ -107,9 +107,9 @@ You can supply a valid access token as a ``Bearer``-type token in the ``Authoriz
 .. sourcecode:: http
   :emphasize-lines: 3

-       GET /api/v1/organizers/ HTTP/1.1
-       Host: pretix.eu
-       Authorization: Bearer i3ytqTSRWsKp16fqjekHXa4tdM4qNC
+   GET /api/v1/organizers/ HTTP/1.1
+   Host: pretix.eu
+   Authorization: Bearer i3ytqTSRWsKp16fqjekHXa4tdM4qNC

 Refreshing an access token
 --------------------------
--- a/doc/api/resources/carts.rst
+++ b/doc/api/resources/carts.rst
@@ -17,8 +17,8 @@ The cart position resource contains the following public fields:
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the cart position
-cart_id                               string                     Identifier of the cart this belongs to. Needs to end
-                                                                 in "@api" for API-created positions.
+cart_id                               string                     Identifier of the cart this belongs to, needs to end
+                                                                 in "@api" for API-created positions
 datetime                              datetime                   Time of creation
 expires                               datetime                   The cart position will expire at this time and no longer block quota
 item                                  integer                    ID of the item
@@ -29,22 +29,23 @@ attendee_name_parts                   object of strings          Composition of
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
-subevent                              integer                    ID of the date inside an event series this position belongs to (or ``null``).
+is_bundled                            boolean                    If ``addon_to`` is set, this shows whether this is a bundled product or an addon product
+subevent                              integer                    ID of the date inside an event series this position belongs to (or ``null``)
 answers                               list of objects            Answers to user-defined questions
 ├ question                            integer                    Internal ID of the answered question
 ├ answer                              string                     Text representation of the answer
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
-seat                                  objects                    The assigned seat. Can be ``null``.
+seat                                  objects                    The assigned seat (or ``null``)
 ├ id                                  integer                    Internal ID of the seat instance
 ├ name                                string                     Human-readable seat name
 └ seat_guid                           string                     Identifier of the seat within the seating plan
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.0
+.. versionchanged:: 4.14

-   This ``seat`` attribute has been added.
+   This ``is_bundled`` attribute has been added and the cart creation endpoints have been updated.


 Cart position endpoints
@@ -87,6 +88,7 @@ Cart position endpoints
            "attendee_email": null,
            "voucher": null,
            "addon_to": null,
+            "is_bundled": false,
            "subevent": null,
            "datetime": "2018-06-11T10:00:00Z",
            "expires": "2018-06-11T10:00:00Z",
@@ -133,6 +135,7 @@ Cart position endpoints
        "attendee_email": null,
        "voucher": null,
        "addon_to": null,
+        "is_bundled": false,
        "subevent": null,
        "datetime": "2018-06-11T10:00:00Z",
        "expires": "2018-06-11T10:00:00Z",
@@ -168,7 +171,7 @@ Cart position endpoints

       * does not validate if the event's ticket sales are already over or haven't started

-       * does not support add-on products at the moment
+       * does not validate constraints on add-on products at the moment

       * does not check or calculate prices but believes any prices you send

@@ -176,6 +179,8 @@ Cart position endpoints

       * does not support file upload questions

+       Note that more validation might be added in the future, so please do not rely on missing validation.
+
   You can supply the following fields of the resource:

   * ``cart_id`` (optional, needs to end in ``@api``)
@@ -190,6 +195,8 @@ Cart position endpoints
   * ``includes_tax`` (optional, **deprecated**, do not use, will be removed)
   * ``sales_channel`` (optional)
   * ``voucher`` (optional, expect a voucher code)
+   * ``addons`` (optional, expect a list of nested objects of cart positions)
+   * ``bundled`` (optional, expect a list of nested objects of cart positions)
   * ``answers``

      * ``question``
@@ -221,6 +228,12 @@ Cart position endpoints
            "options": []
          }
        ],
+        "addons": [
+          {
+            "item": 2,
+            "variation": null,
+          }
+        ],
        "subevent": null
      }

@@ -232,7 +245,7 @@ Cart position endpoints
      Vary: Accept
      Content-Type: application/json

-      (Full cart position resource, see above.)
+      (Full cart position resource, see above, with additional nested objects "addons" and "bundled".)

   :param organizer: The ``slug`` field of the organizer of the event to create a position for
   :param event: The ``slug`` field of the event to create a position for
@@ -244,8 +257,8 @@ Cart position endpoints

 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/cartpositions/bulk_create/

-   Creates multiple new cart position. This operation is deliberately not atomic, so each cart position can succeed
-   or fail individually, so the response code of the response is not the only thing to look at!
+   Creates multiple new cart position. **This operation is deliberately not atomic, so each cart position can succeed
+   or fail individually, so the response code of the response is not the only thing to look at!**

   .. warning:: This endpoint is considered **experimental**. It might change at any time without prior notice.

--- a/doc/api/resources/checkin.rst
+++ b/doc/api/resources/checkin.rst
@@ -1,4 +1,4 @@
-.. spelling:: checkin
+.. spelling:word-list:: checkin

 .. _rest-checkin:

@@ -203,6 +203,8 @@ Checking a ticket in

   * ``invalid`` - Ticket is not known.
   * ``unpaid`` - Ticket is not paid for.
+   * ``blocked`` - Ticket has been blocked.
+   * ``invalid_time`` - Ticket is not valid at this time.
   * ``canceled`` – Ticket is canceled or expired.
   * ``already_redeemed`` - Ticket already has been redeemed.
   * ``product`` - Tickets with this product may not be scanned at this device.
--- a/doc/api/resources/checkinlists.rst
+++ b/doc/api/resources/checkinlists.rst
@@ -1,4 +1,4 @@
-.. spelling:: checkin
+.. spelling:word-list:: checkin

 .. _rest-checkinlists:

@@ -39,23 +39,6 @@ exit_all_at                           datetime                   Automatically c
 addon_match                           boolean                    If ``true``, tickets on this list can be redeemed by scanning their parent ticket if this still leads to an unambiguous match.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.9
-
-    The ``subevent`` attribute may now be ``null`` inside event series. The ``allow_multiple_entries``,
-    ``allow_entry_after_exit``, and ``rules`` attributes have been added.
-
-.. versionchanged:: 3.11
-
-    The ``subevent_match`` and ``exclude`` query parameters have been added.
-
-.. versionchanged:: 3.12
-
-    The ``exit_all_at`` attribute has been added.
-
-.. versionchanged:: 3.17
-
-    The ``ends_after`` and ``expand`` query parameters have been added.
-
 .. versionchanged:: 4.12

    The ``addon_match`` attribute has been added.
@@ -115,6 +98,8 @@ Endpoints
   :query string ends_after: Exclude all check-in lists attached to a sub-event that is already in the past at the given time.
   :query string expand: Expand a field into a full object. Currently only ``subevent`` is supported. Can be passed multiple times.
   :query string exclude: Exclude a field from the output, e.g. ``checkin_count``. Can be used as a performance optimization. Can be passed multiple times.
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``id``, ``name``, and ``subevent__date_from``,
+                           Default: ``subevent__date_from,name``
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :statuscode 200: no error
@@ -379,7 +364,7 @@ Endpoints
   Stores a failed check-in. Only necessary for statistical purposes if you perform scan validation offline.

   :<json boolean error_reason: One of ``canceled``, ``invalid``, ``unpaid``, ``product``, ``rules``, ``revoked``,
-                                ``incomplete``, ``already_redeemed``, or ``error``. Required.
+                                ``incomplete``, ``already_redeemed``, ``blocked``, ``invalid_time``, or ``error``. Required.
   :<json raw_barcode: The raw barcode you scanned. Required.
   :<json datetime: Date and time of the scan. Optional.
   :<json type: Type of scan, defaults to ``"entry"``.
@@ -758,6 +743,8 @@ Order position endpoints

   * ``invalid`` - Ticket code not known.
   * ``unpaid`` - Ticket is not paid for.
+   * ``blocked`` - Ticket has been blocked.
+   * ``invalid_time`` - Ticket is not valid at this time.
   * ``canceled`` – Ticket is canceled or expired. This reason is only sent when your request sets.
     ``canceled_supported`` to ``true``, otherwise these orders return ``unpaid``.
   * ``already_redeemed`` - Ticket already has been redeemed.
--- a/doc/api/resources/devices.rst
+++ b/doc/api/resources/devices.rst
@@ -1,4 +1,4 @@
-.. spelling:: fullname
+.. spelling:word-list:: fullname

 .. _`rest-devices`:

--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   geo
   lat
@@ -49,37 +49,13 @@ valid_keys                            object                     Cryptographic k
                                                                 only contained in detail views. Value can be cached.
 sales_channels                        list                       A list of sales channels this event is available for
                                                                 sale on.
+public_url                            string                     The public, customer-facing URL of the event (read-only).
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.3
-
-   The attributes ``geo_lat`` and ``geo_lon`` have been added.
-
-.. versionchanged:: 3.4
-
-   The attribute ``timezone`` has been added.
-
-.. versionchanged:: 3.7
-
-   The attribute ``item_meta_properties`` has been added.
-
-.. versionchanged:: 3.12
-
-   The attribute ``valid_keys`` has been added.
-
-.. versionchanged:: 3.14
-
-    The attribute ``sales_channels`` has been added.
-
-
 Endpoints
 ---------

-.. versionchanged:: 3.3
-
-    The events resource can now be filtered by meta data attributes.
-
 .. versionchanged:: 4.0

    The ``clone_from`` parameter has been added to the event creation endpoint.
@@ -90,6 +66,10 @@ Endpoints

    The ``search`` query parameter has been added to filter events by their slug, name, or location in any language.

+.. versionchanged:: 4.17
+
+    The ``public_url`` field has been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/

   Returns a list of all events within a given organizer the authenticated user/token has access to.
@@ -148,7 +128,8 @@ Endpoints
              "web",
              "pretixpos",
              "resellers"
-            ]
+            ],
+            "public_url": "https://pretix.eu/bigevents/sampleconf/"
          }
        ]
      }
@@ -156,6 +137,7 @@ Endpoints
   :query page: The page number in case of a multi-page result set, default is 1
   :query is_public: If set to ``true``/``false``, only events with a matching value of ``is_public`` are returned.
   :query live: If set to ``true``/``false``, only events with a matching value of ``live`` are returned.
+   :query testmode: If set to ``true``/``false``, only events with a matching value of ``testmode`` are returned.
   :query has_subevents: If set to ``true``/``false``, only events with a matching value of ``has_subevents`` are returned.
   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned. Event series are never (always) returned.
   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned. Event series are never (always) returned.
@@ -236,7 +218,8 @@ Endpoints
          "web",
          "pretixpos",
          "resellers"
-        ]
+        ],
+        "public_url": "https://pretix.eu/bigevents/sampleconf/"
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -332,7 +315,8 @@ Endpoints
          "web",
          "pretixpos",
          "resellers"
-        ]
+        ],
+        "public_url": "https://pretix.eu/bigevents/sampleconf/"
      }

   :param organizer: The ``slug`` field of the organizer of the event to create.
@@ -436,7 +420,8 @@ Endpoints
          "web",
          "pretixpos",
          "resellers"
-        ]
+        ],
+        "public_url": "https://pretix.eu/bigevents/sampleconf/"
      }

   :param organizer: The ``slug`` field of the organizer of the event to create.
@@ -510,7 +495,8 @@ Endpoints
          "web",
          "pretixpos",
          "resellers"
-        ]
+        ],
+        "public_url": "https://pretix.eu/bigevents/sampleconf/"
      }

   :param organizer: The ``slug`` field of the organizer of the event to update
@@ -567,10 +553,6 @@ information about the properties.
 .. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
             able to break your event using this API by creating situations of conflicting settings. Please take care.

-.. versionchanged:: 3.6
-
-   Initial support for settings has been added to the API.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/settings/

   Get current values of event settings.
--- a/doc/api/resources/exporters.rst
+++ b/doc/api/resources/exporters.rst
@@ -1,4 +1,4 @@
-.. spelling:: checkin
+.. spelling:word-list:: checkin

 Data exporters
 ==============
@@ -6,10 +6,6 @@ Data exporters
 pretix and it's plugins include a number of data exporters that allow you to bulk download various data from pretix in
 different formats. This page shows you how to use these exporters through the API.

-.. versionchanged:: 3.13
-
-   This feature has been added to the API.
-
 .. warning::

   While we consider the methods listed on this page to be a stable API, the availability and specific input field
--- a/doc/api/resources/giftcards.rst
+++ b/doc/api/resources/giftcards.rst
@@ -40,10 +40,6 @@ text                                  string                     Custom text of
 Endpoints
 ---------

-.. versionadded:: 3.14
-
-   The transaction list endpoint was added.
-
 .. http:get:: /api/v1/organizers/(organizer)/giftcards/

   Returns a list of all gift cards issued by a given organizer.
@@ -257,10 +253,6 @@ Endpoints
        "value": "15.37"
      }

-   .. versionchanged:: 3.5
-
-      This endpoint now returns status code ``409`` if the transaction would lead to a negative gift card value.
-
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the gift card to modify
   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
--- a/doc/api/resources/invoices.rst
+++ b/doc/api/resources/invoices.rst
@@ -42,6 +42,7 @@ introductory_text                     string                     Text to be prin
 additional_text                       string                     Text to be printed below the product list
 payment_provider_text                 string                     Text to be printed below the product list with
                                                                 payment information
+payment_provider_stamp                string                     Short text to be visibly printed to indicate payment status
 footer_text                           string                     Text to be printed in the page footer area
 lines                                 list of objects            The actual invoice contents
 ├ position                            integer                    Number of the line within an invoice.
@@ -108,16 +109,6 @@ internal_reference                    string                     Customer's refe
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.4
-
-   The attribute ``lines.number`` has been added.
-
-.. versionchanged:: 3.17
-
-   The attribute ``invoice_to_*``, ``invoice_from_*``, ``custom_field``, ``lines.item``, ``lines.variation``, ``lines.event_date_from``,
-   ``lines.event_date_to``, and ``lines.attendee_name`` have been added.
-   ``refers`` now returns an invoice number including the prefix.
-
 .. versionchanged:: 4.1

   The attributes ``fee_type`` and ``fee_internal_type`` have been added.
@@ -188,6 +179,7 @@ Endpoints
            "internal_reference": "",
            "additional_text": "We are looking forward to see you on our conference!",
            "payment_provider_text": "Please transfer the money to our account ABC…",
+            "payment_provider_stamp": null,
            "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
            "lines": [
              {
@@ -278,6 +270,7 @@ Endpoints
        "internal_reference": "",
        "additional_text": "We are looking forward to see you on our conference!",
        "payment_provider_text": "Please transfer the money to our account ABC…",
+        "payment_provider_stamp": null,
        "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
        "lines": [
          {
--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -24,6 +24,9 @@ active                                boolean                    If ``false``, t
 description                           multi-lingual string       A public description of the variation. May contain
                                                                 Markdown syntax or can be ``null``.
 position                              integer                    An integer, used for sorting
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
+                                                                 that this ticket requires special attention if such
+                                                                 a variation is being scanned.
 require_approval                      boolean                    If ``true``, orders with this variation will need to be
                                                                 approved by the event organizer before they can be
                                                                 paid.
@@ -43,8 +46,13 @@ available_until                       datetime                   The last date t
 hide_without_voucher                  boolean                    If ``true``, this variation is only shown during the voucher
                                                                 redemption process, but not in the normal shop
                                                                 frontend.
+meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================

+.. versionchanged:: 4.16
+
+   The ``meta_data`` and ``checkin_attention`` attributes have been added.
+
 Endpoints
 ---------

@@ -79,6 +87,7 @@ Endpoints
              "en": "S"
            },
            "active": true,
+            "checkin_attention": false,
            "require_approval": false,
            "require_membership": false,
            "require_membership_hidden": false,
@@ -94,6 +103,7 @@ Endpoints
            "default_price": "223.00",
            "price": 223.0,
            "original_price": null,
+            "meta_data": {}
          },
          {
            "id": 3,
@@ -101,6 +111,7 @@ Endpoints
              "en": "L"
            },
            "active": true,
+            "checkin_attention": false,
            "require_approval": false,
            "require_membership": false,
            "require_membership_hidden": false,
@@ -108,7 +119,8 @@ Endpoints
            "description": {},
            "position": 1,
            "default_price": null,
-            "price": 15.0
+            "price": 15.0,
+            "meta_data": {}
          }
        ]
      }
@@ -152,6 +164,7 @@ Endpoints
        "price": "10.00",
        "original_price": null,
        "active": true,
+        "checkin_attention": false,
        "require_approval": false,
        "require_membership": false,
        "require_membership_hidden": false,
@@ -161,7 +174,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -189,6 +203,7 @@ Endpoints
        "value": {"en": "Student"},
        "default_price": "10.00",
        "active": true,
+        "checkin_attention": false,
        "require_approval": false,
        "require_membership": false,
        "require_membership_hidden": false,
@@ -198,7 +213,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   **Example response**:
@@ -216,6 +232,7 @@ Endpoints
        "price": "10.00",
        "original_price": null,
        "active": true,
+        "checkin_attention": false,
        "require_approval": false,
        "require_membership": false,
        "require_membership_hidden": false,
@@ -225,7 +242,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer of the event/item to create a variation for
@@ -274,6 +292,7 @@ Endpoints
        "price": "10.00",
        "original_price": null,
        "active": false,
+        "checkin_attention": false,
        "require_approval": false,
        "require_membership": false,
        "require_membership_hidden": false,
@@ -283,7 +302,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 1
+        "position": 1,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer to modify
--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -11,148 +11,165 @@ The item resource contains the following public fields:

 .. rst-class:: rest-resource-table

-===================================== ========================== =======================================================
-Field                                 Type                       Description
-===================================== ========================== =======================================================
-id                                    integer                    Internal ID of the item
-name                                  multi-lingual string       The item's visible name
-internal_name                         string                     An optional name that is only used in the backend
-default_price                         money (string)             The item price that is applied if the price is not
-                                                                 overwritten by variations or other options.
-category                              integer                    The ID of the category this item belongs to
-                                                                 (or ``null``).
-active                                boolean                    If ``false``, the item is hidden from all public lists
-                                                                 and will not be sold.
-description                           multi-lingual string       A public description of the item. May contain Markdown
-                                                                 syntax or can be ``null``.
-free_price                            boolean                    If ``true``, customers can change the price at which
-                                                                 they buy the product (however, the price can't be set
-                                                                 lower than the price defined by ``default_price`` or
-                                                                 otherwise).
-tax_rate                              decimal (string)           The VAT rate to be applied for this item (read-only,
-                                                                 set through ``tax_rule``).
-tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
-admission                             boolean                    ``true`` for items that grant admission to the event
-                                                                 (such as primary tickets) and ``false`` for others
-                                                                 (such as add-ons or merchandise).
-position                              integer                    An integer, used for sorting
-picture                               file                       A product picture to be displayed in the shop
-                                                                 (can be ``null``).
-sales_channels                        list of strings            Sales channels this product is available on, such as
-                                                                 ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
-available_from                        datetime                   The first date time at which this item can be bought
-                                                                 (or ``null``).
-available_until                       datetime                   The last date time at which this item can be bought
-                                                                 (or ``null``).
-hidden_if_available                   integer                    The internal ID of a quota object, or ``null``. If
-                                                                 set, this item won't be shown publicly as long as this
-                                                                 quota is available.
-require_voucher                       boolean                    If ``true``, this item can only be bought using a
-                                                                 voucher that is specifically assigned to this item.
-hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
-                                                                 redemption process, but not in the normal shop
-                                                                 frontend.
-allow_cancel                          boolean                    If ``false``, customers cannot cancel orders containing
-                                                                 this item.
-min_per_order                         integer                    This product can only be bought if it is included at
-                                                                 least this many times in the order (or ``null`` for no
-                                                                 limitation).
-max_per_order                         integer                    This product can only be bought if it is included at
-                                                                 most this many times in the order (or ``null`` for no
-                                                                 limitation).
-checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
-                                                                 that this ticket requires special attention if such
-                                                                 a product is being scanned.
-original_price                        money (string)             An original price, shown for comparison, not used
-                                                                 for price calculations (or ``null``).
-require_approval                      boolean                    If ``true``, orders with this product will need to be
-                                                                 approved by the event organizer before they can be
-                                                                 paid.
-require_bundling                      boolean                    If ``true``, this item is only available as part of bundles.
-require_membership                    boolean                    If ``true``, booking this item requires an active membership.
-require_membership_hidden             boolean                    If ``true`` and ``require_membership`` is set, this product will
-                                                                 be hidden from users without a valid membership.
-require_membership_types              list of integers           Internal IDs of membership types valid if ``require_membership`` is ``true``
-grant_membership_type                 integer                    If set to the internal ID of a membership type, purchasing this item will
-                                                                 create a membership of the given type.
-grant_membership_duration_like_event  boolean                    If ``true``, the membership created through ``grant_membership_type`` will derive
-                                                                 its term from ``date_from`` to ``date_to`` of the purchased (sub)event.
-grant_membership_duration_days        integer                    If ``grant_membership_duration_like_event`` is ``false``, this sets the number of
-                                                                 days for the membership.
-grant_membership_duration_months      integer                    If ``grant_membership_duration_like_event`` is ``false``, this sets the number of
-                                                                 calendar months for the membership.
-generate_tickets                      boolean                    If ``false``, tickets are never generated for this
-                                                                 product, regardless of other settings. If ``true``,
-                                                                 tickets are generated even if this is a
-                                                                 non-admission or add-on product, regardless of event
-                                                                 settings. If this is ``null``, regular ticketing
-                                                                 rules apply.
-allow_waitinglist                     boolean                    If ``false``, no waiting list will be shown for this
-                                                                 product when it is sold out.
-issue_giftcard                        boolean                    If ``true``, buying this product will yield a gift card.
-show_quota_left                       boolean                    Publicly show how many tickets are still available.
-                                                                 If this is ``null``, the event default is used.
-has_variations                        boolean                    Shows whether or not this item has variations.
-variations                            list of objects            A list with one object for each variation of this item.
-                                                                 Can be empty. Only writable during creation,
-                                                                 use separate endpoint to modify this later.
-├ id                                  integer                    Internal ID of the variation
-├ value                               multi-lingual string       The "name" of the variation
-├ default_price                       money (string)             The price set directly for this variation or ``null``
-├ price                               money (string)             The price used for this variation. This is either the
-                                                                 same as ``default_price`` if that value is set or equal
-                                                                 to the item's ``default_price``.
-├ original_price                      money (string)             An original price, shown for comparison, not used
-                                                                 for price calculations (or ``null``).
-├ active                              boolean                    If ``false``, this variation will not be sold or shown.
-├ description                         multi-lingual string       A public description of the variation. May contain
-├ require_membership                  boolean                    If ``true``, booking this variation requires an active membership.
-├ require_membership_hidden           boolean                    If ``true`` and ``require_membership`` is set, this variation will
-                                                                 be hidden from users without a valid membership.
-├ require_membership_types            list of integers           Internal IDs of membership types valid if ``require_membership`` is ``true``
-                                                                 Markdown syntax or can be ``null``.
-├ sales_channels                      list of strings            Sales channels this variation is available on, such as
-                                                                 ``"web"`` or ``"resellers"``. Defaults to all existing sales channels.
-                                                                 The item-level list takes precedence, i.e. a sales
-                                                                 channel needs to be on both lists for the item to be
-                                                                 available.
-├ available_from                      datetime                   The first date time at which this variation can be bought
-                                                                 (or ``null``).
-├ available_until                     datetime                   The last date time at which this variation can be bought
-                                                                 (or ``null``).
-├ hide_without_voucher                boolean                    If ``true``, this variation is only shown during the voucher
-                                                                 redemption process, but not in the normal shop
-                                                                 frontend.
-└ position                            integer                    An integer, used for sorting
-addons                                list of objects            Definition of add-ons that can be chosen for this item.
-                                                                 Only writable during creation,
-                                                                 use separate endpoint to modify this later.
-├ addon_category                      integer                    Internal ID of the item category the add-on can be
-                                                                 chosen from.
-├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
-├ max_count                           integer                    The maximal number of add-ons that can be chosen.
-├ position                            integer                    An integer, used for sorting
-├ multi_allowed                       boolean                    Adding the same item multiple times is allowed
-└ price_included                      boolean                    Adding this add-on to the item is free
-bundles                               list of objects            Definition of bundles that are included in this item.
-                                                                 Only writable during creation,
-                                                                 use separate endpoint to modify this later.
-├ bundled_item                        integer                    Internal ID of the item that is included.
-├ bundled_variation                   integer                    Internal ID of the variation of the item (or ``null``).
-├ count                               integer                    Number of items included
-└ designated_price                    money (string)             Designated price of the bundled product. This will be
-                                                                 used to split the price of the base item e.g. for mixed
-                                                                 taxation. This is not added to the price.
-meta_data                             object                     Values set for event-specific meta data parameters.
-===================================== ========================== =======================================================
-
-.. versionchanged:: 3.7
-
-   The attribute ``meta_data`` has been added.
-
-.. versionchanged:: 3.10
-
-   The attribute ``multi_allowed`` has been added to ``addons``.
+======================================= ========================== =======================================================
+Field                                   Type                       Description
+======================================= ========================== =======================================================
+id                                      integer                    Internal ID of the item
+name                                    multi-lingual string       The item's visible name
+internal_name                           string                     An optional name that is only used in the backend
+default_price                           money (string)             The item price that is applied if the price is not
+                                                                   overwritten by variations or other options.
+category                                integer                    The ID of the category this item belongs to
+                                                                   (or ``null``).
+active                                  boolean                    If ``false``, the item is hidden from all public lists
+                                                                   and will not be sold.
+description                             multi-lingual string       A public description of the item. May contain Markdown
+                                                                   syntax or can be ``null``.
+free_price                              boolean                    If ``true``, customers can change the price at which
+                                                                   they buy the product (however, the price can't be set
+                                                                   lower than the price defined by ``default_price`` or
+                                                                   otherwise).
+tax_rate                                decimal (string)           The VAT rate to be applied for this item (read-only,
+                                                                   set through ``tax_rule``).
+tax_rule                                integer                    The internal ID of the applied tax rule (or ``null``).
+admission                               boolean                    ``true`` for items that grant admission to the event
+                                                                   (such as primary tickets) and ``false`` for others
+                                                                   (such as add-ons or merchandise).
+personalized                            boolean                    ``true`` for items that require personalization according
+                                                                   to event settings. Only affects system-level fields, not
+                                                                   custom questions. Currently only allowed for products with
+                                                                   ``admission`` set to ``true``. For backwards compatibility,
+                                                                   when creating new items and this field is not given, it defaults
+                                                                   to the same value as ``admission``.
+position                                integer                    An integer, used for sorting
+picture                                 file                       A product picture to be displayed in the shop
+                                                                   (can be ``null``).
+sales_channels                          list of strings            Sales channels this product is available on, such as
+                                                                   ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
+available_from                          datetime                   The first date time at which this item can be bought
+                                                                   (or ``null``).
+available_until                         datetime                   The last date time at which this item can be bought
+                                                                   (or ``null``).
+hidden_if_available                     integer                    The internal ID of a quota object, or ``null``. If
+                                                                   set, this item won't be shown publicly as long as this
+                                                                   quota is available.
+require_voucher                         boolean                    If ``true``, this item can only be bought using a
+                                                                   voucher that is specifically assigned to this item.
+hide_without_voucher                    boolean                    If ``true``, this item is only shown during the voucher
+                                                                   redemption process, but not in the normal shop
+                                                                   frontend.
+allow_cancel                            boolean                    If ``false``, customers cannot cancel orders containing
+                                                                   this item.
+min_per_order                           integer                    This product can only be bought if it is included at
+                                                                   least this many times in the order (or ``null`` for no
+                                                                   limitation).
+max_per_order                           integer                    This product can only be bought if it is included at
+                                                                   most this many times in the order (or ``null`` for no
+                                                                   limitation).
+checkin_attention                       boolean                    If ``true``, the check-in app should show a warning
+                                                                   that this ticket requires special attention if such
+                                                                   a product is being scanned.
+original_price                          money (string)             An original price, shown for comparison, not used
+                                                                   for price calculations (or ``null``).
+require_approval                        boolean                    If ``true``, orders with this product will need to be
+                                                                   approved by the event organizer before they can be
+                                                                   paid.
+require_bundling                        boolean                    If ``true``, this item is only available as part of bundles.
+require_membership                      boolean                    If ``true``, booking this item requires an active membership.
+require_membership_hidden               boolean                    If ``true`` and ``require_membership`` is set, this product will
+                                                                   be hidden from users without a valid membership.
+require_membership_types                list of integers           Internal IDs of membership types valid if ``require_membership`` is ``true``
+grant_membership_type                   integer                    If set to the internal ID of a membership type, purchasing this item will
+                                                                   create a membership of the given type.
+grant_membership_duration_like_event    boolean                    If ``true``, the membership created through ``grant_membership_type`` will derive
+                                                                   its term from ``date_from`` to ``date_to`` of the purchased (sub)event.
+grant_membership_duration_days          integer                    If ``grant_membership_duration_like_event`` is ``false``, this sets the number of
+                                                                   days for the membership.
+grant_membership_duration_months        integer                    If ``grant_membership_duration_like_event`` is ``false``, this sets the number of
+                                                                   calendar months for the membership.
+validity_mode                           string                     If ``null``, tickets generated for this product do not
+                                                                   have special validity behavior, but follow event configuration and
+                                                                   can be limited e.g. through check-in rules. Other values are ``"fixed"`` and ``"dynamic"``
+validity_fixed_from                     datetime                   If ``validity_mode`` is ``"fixed"``, this is the start of validity for issued tickets.
+validity_fixed_until                    datetime                   If ``validity_mode`` is ``"fixed"``, this is the end of validity for issued tickets.
+validity_dynamic_duration_minutes       integer                    If ``validity_mode`` is ``"dynamic"``, this is the "minutes" component of the ticket validity duration.
+validity_dynamic_duration_hours         integer                    If ``validity_mode`` is ``"dynamic"``, this is the "hours" component of the ticket validity duration.
+validity_dynamic_duration_days          integer                    If ``validity_mode`` is ``"dynamic"``, this is the "days" component of the ticket validity duration.
+validity_dynamic_duration_months        integer                    If ``validity_mode`` is ``"dynamic"``, this is the "months" component of the ticket validity duration.
+validity_dynamic_start_choice           boolean                    If ``validity_mode`` is ``"dynamic"`` and this is ``true``, customers can choose the start of validity.
+validity_dynamic_start_choice_day_limit boolean                    If ``validity_mode`` is ``"dynamic"`` and ``validity_dynamic_start_choice`` is ``true``,
+                                                                   this is the maximum number of days the start can be in the future.
+generate_tickets                        boolean                    If ``false``, tickets are never generated for this
+                                                                   product, regardless of other settings. If ``true``,
+                                                                   tickets are generated even if this is a
+                                                                   non-admission or add-on product, regardless of event
+                                                                   settings. If this is ``null``, regular ticketing
+                                                                   rules apply.
+allow_waitinglist                       boolean                    If ``false``, no waiting list will be shown for this
+                                                                   product when it is sold out.
+issue_giftcard                          boolean                    If ``true``, buying this product will yield a gift card.
+show_quota_left                         boolean                    Publicly show how many tickets are still available.
+                                                                   If this is ``null``, the event default is used.
+has_variations                          boolean                    Shows whether or not this item has variations.
+variations                              list of objects            A list with one object for each variation of this item.
+                                                                   Can be empty. Only writable during creation,
+                                                                   use separate endpoint to modify this later.
+├ id                                    integer                    Internal ID of the variation
+├ value                                 multi-lingual string       The "name" of the variation
+├ default_price                         money (string)             The price set directly for this variation or ``null``
+├ price                                 money (string)             The price used for this variation. This is either the
+                                                                   same as ``default_price`` if that value is set or equal
+                                                                   to the item's ``default_price``.
+├ original_price                        money (string)             An original price, shown for comparison, not used
+                                                                   for price calculations (or ``null``).
+├ active                                boolean                    If ``false``, this variation will not be sold or shown.
+├ description                           multi-lingual string       A public description of the variation. May contain
+├ checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
+                                                                   that this ticket requires special attention if such
+                                                                   a variation is being scanned.
+├ require_approval                      boolean                    If ``true``, orders with this variation will need to be
+                                                                   approved by the event organizer before they can be
+                                                                   paid.
+├ require_membership                    boolean                    If ``true``, booking this variation requires an active membership.
+├ require_membership_hidden             boolean                    If ``true`` and ``require_membership`` is set, this variation will
+                                                                   be hidden from users without a valid membership.
+├ require_membership_types              list of integers           Internal IDs of membership types valid if ``require_membership`` is ``true``
+                                                                   Markdown syntax or can be ``null``.
+├ sales_channels                        list of strings            Sales channels this variation is available on, such as
+                                                                   ``"web"`` or ``"resellers"``. Defaults to all existing sales channels.
+                                                                   The item-level list takes precedence, i.e. a sales
+                                                                   channel needs to be on both lists for the item to be
+                                                                   available.
+├ available_from                        datetime                   The first date time at which this variation can be bought
+                                                                   (or ``null``).
+├ available_until                       datetime                   The last date time at which this variation can be bought
+                                                                   (or ``null``).
+├ hide_without_voucher                  boolean                    If ``true``, this variation is only shown during the voucher
+                                                                   redemption process, but not in the normal shop
+                                                                   frontend.
+├ meta_data                             object                     Values set for event-specific meta data parameters.
+└ position                              integer                    An integer, used for sorting
+addons                                  list of objects            Definition of add-ons that can be chosen for this item.
+                                                                   Only writable during creation,
+                                                                   use separate endpoint to modify this later.
+├ addon_category                        integer                    Internal ID of the item category the add-on can be
+                                                                   chosen from.
+├ min_count                             integer                    The minimal number of add-ons that need to be chosen.
+├ max_count                             integer                    The maximal number of add-ons that can be chosen.
+├ position                              integer                    An integer, used for sorting
+├ multi_allowed                         boolean                    Adding the same item multiple times is allowed
+└ price_included                        boolean                    Adding this add-on to the item is free
+bundles                                 list of objects            Definition of bundles that are included in this item.
+                                                                   Only writable during creation,
+                                                                   use separate endpoint to modify this later.
+├ bundled_item                          integer                    Internal ID of the item that is included.
+├ bundled_variation                     integer                    Internal ID of the variation of the item (or ``null``).
+├ count                                 integer                    Number of items included
+└ designated_price                      money (string)             Designated price of the bundled product. This will be
+                                                                   used to split the price of the base item e.g. for mixed
+                                                                   taxation. This is not added to the price.
+meta_data                               object                     Values set for event-specific meta data parameters.
+======================================= ========================== =======================================================

 .. versionchanged:: 4.0

@@ -163,6 +180,15 @@ meta_data                             object                     Values set for

   The attributes ``require_membership_hidden`` attribute has been added.

+.. versionchanged:: 4.16
+
+   The ``variations[x].meta_data`` and ``variations[x].checkin_attention`` attributes have been added.
+   The ``personalized`` attribute has been added.
+
+.. versionchanged:: 4.17
+
+   The ``validity_*`` attributes have been added.
+
 Notes
 -----

@@ -216,6 +242,7 @@ Endpoints
            "tax_rate": "0.00",
            "tax_rule": 1,
            "admission": false,
+            "personalized": false,
            "issue_giftcard": false,
            "meta_data": {},
            "position": 0,
@@ -241,6 +268,14 @@ Endpoints
            "grant_membership_duration_like_event": true,
            "grant_membership_duration_days": 0,
            "grant_membership_duration_months": 0,
+            "validity_fixed_from": null,
+            "validity_fixed_until": null,
+            "validity_dynamic_duration_minutes": null,
+            "validity_dynamic_duration_hours": null,
+            "validity_dynamic_duration_days": null,
+            "validity_dynamic_duration_months": null,
+            "validity_dynamic_start_choice": false,
+            "validity_dynamic_start_choice_day_limit": null,
            "variations": [
              {
                 "value": {"en": "Student"},
@@ -248,6 +283,8 @@ Endpoints
                 "price": "10.00",
                 "original_price": null,
                 "active": true,
+                 "checkin_attention": false,
+                 "require_approval": false,
                 "require_membership": false,
                 "require_membership_types": [],
                 "sales_channels": ["web"],
@@ -255,6 +292,7 @@ Endpoints
                 "available_until": null,
                 "hide_without_voucher": false,
                 "description": null,
+                 "meta_data": {},
                 "position": 0
              },
              {
@@ -263,6 +301,8 @@ Endpoints
                 "price": "23.00",
                 "original_price": null,
                 "active": true,
+                 "checkin_attention": false,
+                 "require_approval": false,
                 "require_membership": false,
                 "require_membership_types": [],
                 "sales_channels": ["web"],
@@ -270,6 +310,7 @@ Endpoints
                 "available_until": null,
                 "hide_without_voucher": false,
                 "description": null,
+                 "meta_data": {},
                 "position": 1
              }
            ],
@@ -330,6 +371,7 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
+        "personalized": false,
        "issue_giftcard": false,
        "meta_data": {},
        "position": 0,
@@ -355,6 +397,14 @@ Endpoints
        "grant_membership_duration_like_event": true,
        "grant_membership_duration_days": 0,
        "grant_membership_duration_months": 0,
+        "validity_fixed_from": null,
+        "validity_fixed_until": null,
+        "validity_dynamic_duration_minutes": null,
+        "validity_dynamic_duration_hours": null,
+        "validity_dynamic_duration_days": null,
+        "validity_dynamic_duration_months": null,
+        "validity_dynamic_start_choice": false,
+        "validity_dynamic_start_choice_day_limit": null,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -362,6 +412,8 @@ Endpoints
             "price": "10.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "description": null,
@@ -369,6 +421,7 @@ Endpoints
             "available_from": null,
             "available_until": null,
             "hide_without_voucher": false,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -377,6 +430,8 @@ Endpoints
             "price": "23.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -384,6 +439,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -425,6 +481,7 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
+        "personalized": false,
        "issue_giftcard": false,
        "meta_data": {},
        "position": 0,
@@ -449,6 +506,14 @@ Endpoints
        "grant_membership_duration_like_event": true,
        "grant_membership_duration_days": 0,
        "grant_membership_duration_months": 0,
+        "validity_fixed_from": null,
+        "validity_fixed_until": null,
+        "validity_dynamic_duration_minutes": null,
+        "validity_dynamic_duration_hours": null,
+        "validity_dynamic_duration_days": null,
+        "validity_dynamic_duration_months": null,
+        "validity_dynamic_start_choice": false,
+        "validity_dynamic_start_choice_day_limit": null,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -456,6 +521,8 @@ Endpoints
             "price": "10.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -463,6 +530,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -471,6 +539,8 @@ Endpoints
             "price": "23.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -478,6 +548,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -507,6 +578,7 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
+        "personalized": false,
        "issue_giftcard": false,
        "meta_data": {},
        "position": 0,
@@ -532,6 +604,14 @@ Endpoints
        "grant_membership_duration_like_event": true,
        "grant_membership_duration_days": 0,
        "grant_membership_duration_months": 0,
+        "validity_fixed_from": null,
+        "validity_fixed_until": null,
+        "validity_dynamic_duration_minutes": null,
+        "validity_dynamic_duration_hours": null,
+        "validity_dynamic_duration_days": null,
+        "validity_dynamic_duration_months": null,
+        "validity_dynamic_start_choice": false,
+        "validity_dynamic_start_choice_day_limit": null,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -539,6 +619,8 @@ Endpoints
             "price": "10.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -546,6 +628,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -554,6 +637,8 @@ Endpoints
             "price": "23.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -561,6 +646,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -621,6 +707,7 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
+        "personalized": false,
        "issue_giftcard": false,
        "meta_data": {},
        "position": 0,
@@ -646,6 +733,14 @@ Endpoints
        "grant_membership_duration_like_event": true,
        "grant_membership_duration_days": 0,
        "grant_membership_duration_months": 0,
+        "validity_fixed_from": null,
+        "validity_fixed_until": null,
+        "validity_dynamic_duration_minutes": null,
+        "validity_dynamic_duration_hours": null,
+        "validity_dynamic_duration_days": null,
+        "validity_dynamic_duration_months": null,
+        "validity_dynamic_start_choice": false,
+        "validity_dynamic_start_choice_day_limit": null,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -653,6 +748,8 @@ Endpoints
             "price": "10.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -660,6 +757,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -668,6 +766,8 @@ Endpoints
             "price": "23.00",
             "original_price": null,
             "active": true,
+             "checkin_attention": false,
+             "require_approval": false,
             "require_membership": false,
             "require_membership_types": [],
             "sales_channels": ["web"],
@@ -675,6 +775,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   checkins
   pdf
@@ -91,6 +91,10 @@ require_approval                      boolean                    If ``true`` and
                                                                 needs approval by an organizer before it can
                                                                 continue. If ``true`` and the order is canceled,
                                                                 this order has been denied by the event organizer.
+valid_if_pending                      boolean                    If ``true`` and the order is pending, this order
+                                                                 is still treated like a paid order for most purposes,
+                                                                 such as check-in. This may be used e.g. for trusted
+                                                                 customers who only need to pay after the event.
 url                                   string                     The full URL to the order confirmation page
 payments                              list of objects            List of payment processes (see below)
 refunds                               list of objects            List of refund processes (see below)
@@ -98,30 +102,6 @@ last_modified                         datetime                   Last modificati
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.5
-
-   The ``order.fees.canceled`` attribute has been added.
-
-.. versionchanged:: 3.8
-
-   The ``reactivate`` operation has been added.
-
-.. versionchanged:: 3.10
-
-   The ``search`` query parameter has been added.
-
-.. versionchanged:: 3.11
-
-   The ``exclude`` and ``subevent_after`` query parameter has been added.
-
-.. versionchanged:: 3.13
-
-   The ``subevent_before`` query parameter has been added.
-
-.. versionchanged:: 3.14
-
-   The ``phone`` attribute has been added.
-
 .. versionchanged:: 4.0

   The ``customer`` attribute has been added.
@@ -142,6 +122,14 @@ last_modified                         datetime                   Last modificati

   The ``order.fees.id`` attribute has been added.

+.. versionchanged:: 4.15
+
+   The ``include`` query parameter has been added.
+
+.. versionchanged:: 4.16
+
+   The ``valid_if_pending`` attribute has been added.
+

 .. _order-position-resource:

@@ -178,6 +166,10 @@ tax_rule                              integer                    The ID of the u
 secret                                string                     Secret code printed on the tickets for validation
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
 subevent                              integer                    ID of the date inside an event series this position belongs to (or ``null``).
+discount                              integer                    ID of a discount that has been used during the creation of this position in some way (or ``null``).
+blocked                               list of strings            A list of strings, or ``null``. Whenever not ``null``, the ticket may not be used (e.g. for check-in).
+valid_from                            datetime                   The ticket will not be valid before this time. Can be ``null``.
+valid_until                           datetime                   The ticket will not be valid after this time. Can be ``null``.
 pseudonymization_id                   string                     A random ID, e.g. for use in lead scanning apps
 checkins                              list of objects            List of **successful** check-ins with this ticket
 ├ id                                  integer                    Internal ID of the check-in event
@@ -205,26 +197,9 @@ pdf_data                              object                     Data object req
                                                                 ``pdf_data=true`` query parameter to your request.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.3
+.. versionchanged:: 4.16

-  The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
-  :ref:`order-position-ticket-download` for details.
-
-.. versionchanged:: 3.5
-
-  The attribute ``canceled`` has been added.
-
-.. versionchanged:: 3.8
-
-  The attributes ``company``, ``street``, ``zipcode``, ``city``, ``country``, and ``state`` have been added.
-
-.. versionchanged:: 3.9
-
-  The ``checkin.type`` attribute has been added.
-
-.. versionchanged:: 3.16
-
-   Answers to file questions are now returned as an URL.
+   The attributes ``blocked``, ``valid_from`` and ``valid_until`` have been added.

 .. _order-payment-resource:

@@ -272,15 +247,20 @@ created                               datetime                   Date and time o
 comment                               string                     Reason for refund (shown to the customer in some cases, can be ``null``).
 execution_date                        datetime                   Date and time of completion of this refund (or ``null``)
 provider                              string                     Identification string of the payment provider
+details                               object                     Refund-specific information. This is a dictionary
+                                                                 with various fields that can be different between
+                                                                 payment providers, versions, payment states, etc. If
+                                                                 you read this field, you always need to be able to
+                                                                 deal with situations where values that you expect are
+                                                                 missing. Mostly, the field contains various IDs that
+                                                                 can be used for matching with other systems. If a
+                                                                 payment provider does not implement this feature,
+                                                                 the object is empty.
 ===================================== ========================== =======================================================

 List of all orders
 ------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/

   Returns a list of all orders within a given event.
@@ -329,6 +309,7 @@ List of all orders
            "custom_followup_at": null,
            "checkin_attention": false,
            "require_approval": false,
+            "valid_if_pending": false,
            "invoice_address": {
                "last_modified": "2017-12-01T10:00:00Z",
                "is_business": true,
@@ -371,6 +352,10 @@ List of all orders
                "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
                "addon_to": null,
                "subevent": null,
+                "valid_from": null,
+                "valid_until": null,
+                "blocked": null,
+                "discount": null,
                "pseudonymization_id": "MQLJvANO3B",
                "seat": null,
                "checkins": [
@@ -447,6 +432,7 @@ List of all orders
   :query datetime subevent_after: Only return orders that contain a ticket for a subevent taking place after the given date. This is an exclusive after, and it considers the **end** of the subevent (or its start, if the end is not set).
   :query datetime subevent_before: Only return orders that contain a ticket for a subevent taking place after the given date. This is an exclusive before, and it considers the **start** of the subevent.
   :query string exclude: Exclude a field from the output, e.g. ``fees`` or ``positions.downloads``. Can be used as a performance optimization. Can be passed multiple times.
+   :query string include: Include only the given field in the output, e.g. ``fees`` or ``positions.downloads``. Can be used as a performance optimization. Can be passed multiple times. ``include`` is applied before ``exclude``, so ``exclude`` takes precedence.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
@@ -458,10 +444,6 @@ List of all orders
 Fetching individual orders
 --------------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/

   Returns information on one order, identified by its order code.
@@ -504,6 +486,7 @@ Fetching individual orders
        "custom_followup_at": null,
        "checkin_attention": false,
        "require_approval": false,
+        "valid_if_pending": false,
        "invoice_address": {
            "last_modified": "2017-12-01T10:00:00Z",
            "company": "Sample company",
@@ -546,6 +529,10 @@ Fetching individual orders
            "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
            "addon_to": null,
            "subevent": null,
+            "valid_from": null,
+            "valid_until": null,
+            "blocked": null,
+            "discount": null,
            "pseudonymization_id": "MQLJvANO3B",
            "seat": null,
            "checkins": [
@@ -676,6 +663,8 @@ Updating order fields

   * ``invoice_address`` (you always need to supply the full object, or ``null`` to delete the current address)

+   * ``valid_if_pending``
+
   **Example request**:

   .. sourcecode:: http
@@ -851,6 +840,7 @@ Creating orders

       * does not support or validate memberships

+
   You can supply the following fields of the resource:

   * ``code`` (optional) – Only ``A-Z`` and ``0-9``, but without ``O`` and ``1``.
@@ -881,6 +871,7 @@ Creating orders
   * ``custom_followup_at`` (optional)
   * ``checkin_attention`` (optional)
   * ``require_approval`` (optional)
+   * ``valid_if_pending`` (optional)
   * ``invoice_address`` (optional)

      * ``company``
@@ -916,6 +907,9 @@ Creating orders
      * ``secret`` (optional)
      * ``addon_to`` (optional, see below)
      * ``subevent`` (optional)
+      * ``valid_from`` (optional, if both ``valid_from`` and ``valid_until`` are **missing** (not ``null``) the availability will be computed from the given product)
+      * ``valid_until`` (optional, if both ``valid_from`` and ``valid_until`` are **missing** (not ``null``) the availability will be computed from the given product)
+      * ``requested_valid_from`` (optional, can be set **instead** of ``valid_from`` and ``valid_until`` to signal a user choice for the start time that may or may not be respected)
      * ``answers``

        * ``question``
@@ -986,7 +980,7 @@ Creating orders
          "street": "Sesam Street 12",
          "zipcode": "12345",
          "city": "Sample City",
-          "country": "UK",
+          "country": "GB",
          "state": "",
          "internal_reference": "",
          "vat_id": ""
@@ -1035,10 +1029,6 @@ Creating orders
 Order state operations
 ----------------------

-.. versionchanged:: 3.12
-
-   The ``mark_paid`` operation now takes a ``send_email`` parameter.
-
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_paid/

   Marks a pending or expired order as successfully paid.
@@ -1440,10 +1430,6 @@ Sending e-mails
 List of all order positions
 ---------------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/

   Returns a list of all order positions within a given event.
@@ -1487,10 +1473,14 @@ List of all order positions
            "tax_rule": null,
            "tax_value": "0.00",
            "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
+            "discount": null,
            "pseudonymization_id": "MQLJvANO3B",
            "seat": null,
            "addon_to": null,
            "subevent": null,
+            "valid_from": null,
+            "valid_until": null,
+            "blocked": null,
            "checkins": [
              {
                "list": 44,
@@ -1597,6 +1587,10 @@ Fetching individual positions
        "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
        "addon_to": null,
        "subevent": null,
+        "valid_from": null,
+        "valid_until": null,
+        "blocked": null,
+        "discount": null,
        "pseudonymization_id": "MQLJvANO3B",
        "seat": null,
        "checkins": [
@@ -1696,15 +1690,15 @@ Order position ticket download
 Manipulating individual positions
 ---------------------------------

-.. versionchanged:: 3.15
-
-   The ``PATCH`` method has been added for individual positions.
-
 .. versionchanged:: 4.8

   The ``PATCH`` method now supports changing items, variations, subevents, seats, prices, and tax rules.
   The ``POST`` endpoint to add individual positions has been added.

+.. versionadded:: 4.16
+
+   The endpoints to manage blocks have been added.
+
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/

   Updates specific fields on an order position. Currently, only the following fields are supported:
@@ -1743,6 +1737,10 @@ Manipulating individual positions

   * ``tax_rule``

+   * ``valid_from``
+
+   * ``valid_until``
+
   Changing parameters such as ``item`` or ``price`` will **not** automatically trigger creation of a new invoice,
   you need to take care of that yourself.

@@ -1817,6 +1815,10 @@ Manipulating individual positions
     and ``option_identifiers`` will be ignored. As a special case, you can submit the magic value
     ``"file:keep"`` as the answer to a file question to keep the current value without re-uploading it.

+   * ``valid_from``
+
+   * ``valid_until``
+
   This will **not** automatically trigger creation of a new invoice, you need to take care of that yourself.

   **Example request**:
@@ -1880,6 +1882,82 @@ Manipulating individual positions
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
   :statuscode 404: The requested order position does not exist.

+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/add_block/
+
+   Blocks an order position from being used. The block name either needs to be ``"admin"`` or start with ``"api:"``. It
+   may only contain letters, numbers, dots and underscores. ``"admin"`` represents the regular block that can be set
+   in the backend user interface.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orderpositions/23/add_block/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+     {
+       "name": "api:block1"
+     }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order position resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``id`` field of the order position to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order position could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order position.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/remove_block/
+
+   Unblocks an order position from being used. The block name either needs to be ``"admin"`` or start with ``"api:"``. It
+   may only contain letters, numbers, dots and underscores. ``"admin"`` represents the regular block that can be set
+   in the backend user interface. Blocks set by plugins cannot be lifted through this API.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orderpositions/23/remove_block/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+     {
+       "name": "api:block1"
+     }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order position resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``id`` field of the order position to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order position could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order position.
+
 Changing order contents
 -----------------------

@@ -1898,7 +1976,7 @@ otherwise, such as splitting an order or changing fees.

   * ``patch_positions``: A list of objects with the two keys ``position`` specifying an order position ID and
     ``body`` specifying the desired changed values of the position (``item``, ``variation``, ``subevent``, ``seat``,
-     ``price``, ``tax_rule``).
+     ``price``, ``tax_rule``, ``valid_from``, ``valid_until``).

   * ``cancel_positions``: A list of objects with the single key ``position`` specifying an order position ID.

@@ -1925,7 +2003,7 @@ otherwise, such as splitting an order or changing fees.

   .. sourcecode:: http

-      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/ HTTP/1.1
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/change/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
@@ -2006,14 +2084,6 @@ otherwise, such as splitting an order or changing fees.
 Order payment endpoints
 -----------------------

-.. versionchanged:: 3.6
-
-   Payments can now be created through the API.
-
-.. versionchanged:: 3.12
-
-   The ``confirm`` operation now takes a ``send_email`` parameter.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/

   Returns a list of all payments for an order.
@@ -2319,6 +2389,7 @@ Order refund endpoints
            "created": "2017-12-01T10:00:00Z",
            "execution_date": "2017-12-04T12:13:12Z",
            "comment": "Cancellation",
+            "details": {},
            "provider": "banktransfer"
          }
        ]
@@ -2362,6 +2433,7 @@ Order refund endpoints
        "created": "2017-12-01T10:00:00Z",
        "execution_date": "2017-12-04T12:13:12Z",
        "comment": "Cancellation",
+        "details": {},
        "provider": "banktransfer"
      }

@@ -2419,6 +2491,7 @@ Order refund endpoints
        "created": "2017-12-01T10:00:00Z",
        "execution_date": null,
        "comment": "Cancellation",
+        "details": {},
        "provider": "manual"
      }

@@ -2548,10 +2621,6 @@ Revoked ticket secrets

 With some non-default ticket secret generation methods, a list of revoked ticket secrets is required for proper validation.

-.. versionchanged:: 3.12
-
-   Added revocation lists.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/revokedsecrets/

   Returns a list of all revoked secrets within a given event.
@@ -2596,3 +2665,57 @@ With some non-default ticket secret generation methods, a list of revoked ticket
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+Blocked ticket secrets
+----------------------
+
+With some non-default ticket secret generation methods, a list of blocked ticket secrets is required for proper validation.
+This endpoint returns all secrets that are currently blocked **or have been blocked before and are now unblocked**, so
+be sure to check the ``blocked`` attribute for its actual value. The list is currently always ordered with the most
+recently updated ones first.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/blockedsecrets/
+
+   Returns a list of all blocked or historically blocked secrets within a given event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/blockedsecrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+      X-Page-Generated: 2017-12-01T10:00:00Z
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1234,
+            "secret": "k24fiuwvu8kxz3y1",
+            "blocked": true,
+            "updated": "2017-12-01T10:00:00Z",
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query datetime updated_since: Only return records that have been updated since the given date.
+   :query boolean blocked: Only return blocked / non-blocked records.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
+                                differences, this is the value you want to use as ``updated_since`` in your next call.
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
--- a/doc/api/resources/organizers.rst
+++ b/doc/api/resources/organizers.rst
@@ -17,12 +17,18 @@ Field                                 Type                       Description
 name                                  string                     The organizer's full name, i.e. the name of an
                                                                 organization or company.
 slug                                  string                     A short form of the name, used e.g. in URLs.
+public_url                            string                     The public, customer-facing URL of the organizer, where
+                                                                 the list of all events can be found (read-only).
 ===================================== ========================== =======================================================


 Endpoints
 ---------

+.. versionchanged:: 4.17
+
+    The ``public_url`` field has been added.
+
 .. http:get:: /api/v1/organizers/

   Returns a list of all organizers the authenticated user/token has access to.
@@ -51,6 +57,7 @@ Endpoints
          {
            "name": "Big Events LLC",
            "slug": "Big Events",
+            "public_url": "https://pretix.eu/bigevents/"
          }
        ]
      }
@@ -84,6 +91,7 @@ Endpoints
      {
        "name": "Big Events LLC",
        "slug": "Big Events",
+        "public_url": "https://pretix.eu/bigevents/"
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -109,10 +117,6 @@ information about the properties.
 .. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
             able to break your shops using this API by creating situations of conflicting settings. Please take care.

-.. versionchanged:: 3.14
-
-   Initial support for settings has been added to the API.
-
 .. http:get:: /api/v1/organizers/(organizer)/settings/

   Get current values of organizer settings.
--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   checkin
   datetime
@@ -76,26 +76,9 @@ dependency_value                      string                     An old version
                                                                 for one value. **Deprecated.**
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.5
-
-  The attribute ``help_text`` has been added.
-
-.. versionchanged:: 3.14
-
-  The attributes ``valid_*`` have been added.
-
-.. versionchanged:: 3.18
-
-  The attribute ``valid_file_portrait`` have been added.
-
 Endpoints
 ---------

-.. versionchanged:: 1.15
-
-   The questions endpoint has been extended by the filter queries ``ask_during_checkin``, ``requred``, and
-   ``identifier``.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/

   Returns a list of all questions within a given event.
--- a/doc/api/resources/quotas.rst
+++ b/doc/api/resources/quotas.rst
@@ -36,10 +36,6 @@ available_number                      integer                    Number of avail
                                                                 slightly out of date. ``null`` means unlimited.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.10
-
-   The attribute ``release_after_exit`` has been added.
-
 .. versionchanged:: 4.1

    The ``with_availability`` query parameter has been added.
--- a/doc/api/resources/shredders.rst
+++ b/doc/api/resources/shredders.rst
@@ -1,4 +1,4 @@
-.. spelling:: checkin
+.. spelling:word-list:: checkin

 Data shredders
 ==============
--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   geo
   lat
@@ -59,29 +59,13 @@ seat_category_mapping                 object                     An object mappi
 last_modified                         datetime                   Last modification of this object
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.3
+.. versionchanged:: 4.15

-   The attributes ``geo_lat`` and ``geo_lon`` have been added.
-
-.. versionchanged:: 3.10
-
-   The ``disabled`` attribute has been added to ``item_price_overrides`` and ``variation_price_overrides``.
-
-.. versionchanged:: 3.12
-
-   The ``last_modified`` attribute has been added.
-
-.. versionchanged:: 3.18
-
-   The ``available_from``/``available_until`` attributes have been added to ``item_price_overrides`` and ``variation_price_overrides``.
+    The ``search`` query parameter has been added to filter sub-events by their name or location in any language.

 Endpoints
 ---------

-.. versionchanged:: 3.3
-
-    The sub-events resource can now be filtered by meta data attributes.
-
 .. versionchanged:: 4.1

    The ``with_availability_for`` parameter has been added.
@@ -147,6 +131,7 @@ Endpoints
   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
+   :query search: Only return events matching a given search query.
   :param organizer: The ``slug`` field of a valid organizer
   :param event: The ``slug`` field of the main event
   :query datetime modified_since: Only return objects that have changed since the given date. Be careful: This does not
--- a/doc/api/resources/teams.rst
+++ b/doc/api/resources/teams.rst
@@ -1,4 +1,4 @@
-.. spelling:: fullname checkin
+.. spelling:word-list:: fullname checkin

 .. _`rest-teams`:

--- a/doc/api/resources/vouchers.rst
+++ b/doc/api/resources/vouchers.rst
@@ -19,6 +19,8 @@ max_usages                            integer                    The maximum num
                                                                 redeemed (default: 1).
 redeemed                              integer                    The number of times this voucher already has been
                                                                 redeemed.
+min_usages                            integer                    The minimum number of times this voucher must be
+                                                                 redeemed on first usage (default: 1).
 valid_until                           datetime                   The voucher expiration date (or ``null``).
 block_quota                           boolean                    If ``true``, quota is blocked for this voucher.
 allow_ignore_quota                    boolean                    If ``true``, this voucher can be redeemed even if a
@@ -48,10 +50,6 @@ show_hidden_items                     boolean                    Only if set to
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.4
-
-   The attribute ``seat`` has been added.
-
 Endpoints
 ---------

--- a/doc/api/resources/waitinglist.rst
+++ b/doc/api/resources/waitinglist.rst
@@ -30,12 +30,6 @@ subevent                              integer                    ID of the date
 ===================================== ========================== =======================================================


-.. versionchanged:: 1.15
-
-   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added as well as a method to send out
-   vouchers.
-
-
 Endpoints
 ---------

--- a/doc/api/resources/webhooks.rst
+++ b/doc/api/resources/webhooks.rst
@@ -26,6 +26,7 @@ limit_events                          list of strings            If ``all_events
 action_types                          list of strings            A list of action type filters that limit the
                                                                 notifications sent to this webhook. See below for
                                                                 valid values
+comment                               string                     Internal comment on this webhook, default ``null``
 ===================================== ========================== =======================================================

 The following values for ``action_types`` are valid with pretix core:
@@ -56,6 +57,7 @@ The following values for ``action_types`` are valid with pretix core:
    * ``pretix.subevent.added``
    * ``pretix.subevent.changed``
    * ``pretix.subevent.deleted``
+    * ``pretix.event.item.*``
    * ``pretix.event.live.activated``
    * ``pretix.event.live.deactivated``
    * ``pretix.event.testmode.activated``
@@ -98,7 +100,8 @@ Endpoints
            "target_url": "https://httpstat.us/200",
            "all_events": false,
            "limit_events": ["democon"],
-            "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+            "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"],
+            "comment": null
          }
        ]
      }
@@ -135,7 +138,8 @@ Endpoints
        "target_url": "https://httpstat.us/200",
        "all_events": false,
        "limit_events": ["democon"],
-        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"],
+        "comment": null
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -162,7 +166,8 @@ Endpoints
        "target_url": "https://httpstat.us/200",
        "all_events": false,
        "limit_events": ["democon"],
-        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"],
+        "comment": "Called for changes"
      }

   **Example response**:
@@ -179,7 +184,8 @@ Endpoints
        "target_url": "https://httpstat.us/200",
        "all_events": false,
        "limit_events": ["democon"],
-        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"],
+        "comment": "Called for changes"
      }

   :param organizer: The ``slug`` field of the organizer to create a webhook for
@@ -224,7 +230,8 @@ Endpoints
        "target_url": "https://httpstat.us/200",
        "all_events": false,
        "limit_events": ["democon"],
-        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"],
+        "comment": null
      }

   :param organizer: The ``slug`` field of the organizer to modify
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -13,10 +13,6 @@
 # All configuration values have a default; values that are commented out
 # serve to show the default.

-from docutils.parsers.rst.directives.admonitions import BaseAdmonition
-from sphinx.util import compat
-compat.make_admonition = BaseAdmonition  # See https://github.com/spinus/sphinxcontrib-images/issues/41
-
 import sys
 import os

@@ -28,12 +24,13 @@ from datetime import date
 sys.path.insert(0, os.path.abspath('../src'))

 import django
+
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pretix.testutils.settings")
 django.setup()

-
 try:
-    import enchant
+    import enchant  # noqa
+
    HAS_PYENCHANT = True
 except:
    HAS_PYENCHANT = False
@@ -41,7 +38,7 @@ except:
 # -- General configuration ------------------------------------------------

 # If your documentation needs a minimal Sphinx version, state it here.
-#needs_sphinx = '1.0'
+# needs_sphinx = '1.0'

 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
@@ -52,6 +49,7 @@ extensions = [
    'sphinx.ext.coverage',
    'sphinxcontrib.httpdomain',
    'sphinxcontrib.images',
+    'sphinxcontrib.jquery',
    'sphinxemoji.sphinxemoji',
 ]
 if HAS_PYENCHANT:
@@ -64,7 +62,7 @@ templates_path = ['_templates']
 source_suffix = '.rst'

 # The encoding of source files.
-#source_encoding = 'utf-8-sig'
+# source_encoding = 'utf-8-sig'

 # The master toctree document.
 master_doc = 'index'
@@ -79,19 +77,20 @@ copyright = '2014-{}, Raphael Michel'.format(date.today().year)
 #
 # The short X.Y version.
 from pretix import __version__
+
 version = '.'.join(__version__.split('.')[:2])
 # The full version, including alpha/beta/rc tags.
 release = __version__

 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
-#language = None
+# language = None

 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
-#today = ''
+# today = ''
 # Else, today_fmt is used as the format for a strftime call.
-#today_fmt = '%B %d, %Y'
+# today_fmt = '%B %d, %Y'

 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
@@ -99,34 +98,34 @@ exclude_patterns = ['_build']

 # The reST default role (used for this markup: `text`) to use for all
 # documents.
-#default_role = None
+# default_role = None

 # If true, '()' will be appended to :func: etc. cross-reference text.
-#add_function_parentheses = True
+# add_function_parentheses = True

 # If true, the current module name will be prepended to all description
 # unit titles (such as .. function::).
-#add_module_names = True
+# add_module_names = True

 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
-#show_authors = False
+# show_authors = False

 # The name of the Pygments (syntax highlighting) style to use.
 pygments_style = 'sphinx'

 # A list of ignored prefixes for module index sorting.
-#modindex_common_prefix = []
+# modindex_common_prefix = []

 # If true, keep warnings as "system message" paragraphs in the built documents.
-#keep_warnings = False
+# keep_warnings = False


 # -- Options for HTML output ----------------------------------------------

 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-#html_theme = ""
+# html_theme = ""

 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
@@ -136,14 +135,14 @@ html_theme_options = {
 }

 # Add any paths that contain custom themes here, relative to this directory.
-#html_theme_path = []
+# html_theme_path = []

 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
-#html_title = None
+# html_title = None

 # A shorter title for the navigation bar.  Default is the same as html_title.
-#html_short_title = None
+# html_short_title = None

 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
@@ -152,7 +151,7 @@ html_logo = 'images/logo-white.svg'
 # The name of an image file (within the static path) to use as favicon of the
 # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
 # pixels large.
-#html_favicon = None
+# html_favicon = None

 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
@@ -166,18 +165,18 @@ html_static_path = [
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
 # directly to the root of the documentation.
-#html_extra_path = []
+# html_extra_path = []

 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-#html_last_updated_fmt = '%b %d, %Y'
+# html_last_updated_fmt = '%b %d, %Y'

 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
-#html_use_smartypants = True
+# html_use_smartypants = True

 # Custom sidebar templates, maps document names to template names.
-#html_sidebars = {}
+# html_sidebars = {}

 # Additional templates that should be rendered to pages, maps page names to
 # template names.
@@ -192,24 +191,24 @@ html_domain_indices = False
 html_use_index = False

 # If true, the index is split into individual pages for each letter.
-#html_split_index = False
+# html_split_index = False

 # If true, links to the reST sources are added to the pages.
 html_show_sourcelink = True

 # If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-#html_show_sphinx = True
+# html_show_sphinx = True

 # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-#html_show_copyright = True
+# html_show_copyright = True

 # If true, an OpenSearch description file will be output, and all pages will
 # contain a <link> tag referring to it.  The value of this option must be the
 # base URL from which the finished HTML is served.
-#html_use_opensearch = ''
+# html_use_opensearch = ''

 # This is the file name suffix for HTML files (e.g. ".xhtml").
-#html_file_suffix = None
+# html_file_suffix = None

 # Output file base name for HTML help builder.
 htmlhelp_basename = 'pretixdoc'
@@ -217,47 +216,46 @@ htmlhelp_basename = 'pretixdoc'
 html_theme = 'pretix_theme'
 html_theme_path = [os.path.abspath('_themes')]

-
 # -- Options for LaTeX output ---------------------------------------------

 latex_elements = {
-# The paper size ('letterpaper' or 'a4paper').
+    # The paper size ('letterpaper' or 'a4paper').
    'papersize': 'a4paper',

-# The font size ('10pt', '11pt' or '12pt').
+    # The font size ('10pt', '11pt' or '12pt').
    'pointsize': '10pt',

-# Additional stuff for the LaTeX preamble.
-#'preamble': '',
+    # Additional stuff for the LaTeX preamble.
+    # 'preamble': '',
 }

 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-  ('index', 'pretix.tex', 'pretix Documentation',
-   'Raphael Michel', 'manual'),
+    ('index', 'pretix.tex', 'pretix Documentation',
+     'Raphael Michel', 'manual'),
 ]

 # The name of an image file (relative to this directory) to place at the top of
 # the title page.
-#latex_logo = None
+# latex_logo = None

 # For "manual" documents, if this is true, then toplevel headings are parts,
 # not chapters.
-#latex_use_parts = False
+# latex_use_parts = False

 # If true, show page references after internal links.
-#latex_show_pagerefs = False
+# latex_show_pagerefs = False

 # If true, show URL addresses after external links.
-#latex_show_urls = False
+# latex_show_urls = False

 # Documents to append as an appendix to all manuals.
-#latex_appendices = []
+# latex_appendices = []

 # If false, no module index is generated.
-#latex_domain_indices = True
+# latex_domain_indices = True


 # -- Options for manual page output ---------------------------------------
@@ -270,7 +268,7 @@ man_pages = [
 ]

 # If true, show URL addresses after external links.
-#man_show_urls = False
+# man_show_urls = False


 # -- Options for Texinfo output -------------------------------------------
@@ -279,22 +277,22 @@ man_pages = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-  ('index', 'pretix', 'pretix Documentation',
-   'Raphael Michel', 'pretix', 'One line description of project.',
-   'Miscellaneous'),
+    ('index', 'pretix', 'pretix Documentation',
+     'Raphael Michel', 'pretix', 'One line description of project.',
+     'Miscellaneous'),
 ]

 # Documents to append as an appendix to all manuals.
-#texinfo_appendices = []
+# texinfo_appendices = []

 # If false, no module index is generated.
-#texinfo_domain_indices = True
+# texinfo_domain_indices = True

 # How to display URL addresses: 'footnote', 'no', or 'inline'.
-#texinfo_show_urls = 'footnote'
+# texinfo_show_urls = 'footnote'

 # If true, do not generate a @detailmenu in the "Top" node's menu.
-#texinfo_no_detailmenu = False
+# texinfo_no_detailmenu = False


 images_config = {
@@ -314,12 +312,13 @@ if HAS_PYENCHANT:
    # String specifying a file containing a list of words known to be spelled
    # correctly but that do not appear in the language dictionary selected by
    # spelling_lang. The file should contain one word per line.
-    spelling_word_list_filename='spelling_wordlist.txt'
+    spelling_word_list_filename = 'spelling_wordlist.txt'

    # Boolean controlling whether suggestions for misspelled words are printed.
    # Defaults to False.
-    spelling_show_suggestions=True
+    spelling_show_suggestions = True

    # List of filter classes to be added to the tokenizer that produces words to be checked.
    from checkin_filter import CheckinFilter
-    spelling_filters=[CheckinFilter]
+
+    spelling_filters = [CheckinFilter]
--- a/doc/development/api/exporter.rst
+++ b/doc/development/api/exporter.rst
@@ -60,7 +60,13 @@ The exporter class
   .. py:attribute:: BaseExporter.event

      The default constructor sets this property to the event we are currently
-      working for.
+      working for. This will be ``None`` if the exporter is run for multiple
+      events.
+
+   .. py:attribute:: BaseExporter.events
+
+      The default constructor sets this property to the list of events to work
+      on, regardless of whether the exporter is called for one or multiple events.

   .. autoattribute:: identifier

@@ -70,6 +76,10 @@ The exporter class

      This is an abstract attribute, you **must** override this!

+   .. autoattribute:: description
+
+   .. autoattribute:: category
+
   .. autoattribute:: export_form_fields

   .. automethod:: render
--- a/doc/development/api/general.rst
+++ b/doc/development/api/general.rst
@@ -61,7 +61,7 @@ Backend
             item_formsets, order_search_filter_q, order_search_forms

 .. automodule:: pretix.base.signals
-   :members: logentry_display, logentry_object_link, requiredaction_display, timeline_events
+   :members: logentry_display, logentry_object_link, requiredaction_display, timeline_events, orderposition_blocked_display

 Vouchers
 """"""""
--- a/doc/development/api/payment.rst
+++ b/doc/development/api/payment.rst
@@ -102,6 +102,8 @@ The provider class

   .. automethod:: render_invoice_text

+   .. automethod:: render_invoice_stamp
+
   .. automethod:: order_change_allowed

   .. automethod:: payment_prepare
@@ -120,14 +122,20 @@ The provider class

   .. automethod:: refund_control_render

+   .. automethod:: refund_control_render_short
+
   .. automethod:: new_refund_control_form_render

   .. automethod:: new_refund_control_form_process

   .. automethod:: api_payment_details

+   .. automethod:: api_refund_details
+
   .. automethod:: matching_id

+   .. automethod:: refund_matching_id
+
   .. automethod:: shred_payment_info

   .. automethod:: cancel_payment
@@ -136,6 +144,10 @@ The provider class

   .. autoattribute:: is_meta

+   .. autoattribute:: execute_payment_needs_user
+
+   .. autoattribute:: multi_use_supported
+
   .. autoattribute:: test_mode_message

   .. autoattribute:: requires_invoice_immediately
--- a/doc/development/api/plugins.rst
+++ b/doc/development/api/plugins.rst
@@ -55,7 +55,6 @@ visible            boolean (optional)   ``True`` by default, can hide a plugin s
 restricted         boolean (optional)   ``False`` by default, restricts a plugin such that it can only be enabled
                                        for an event by system administrators / superusers.
 experimental       boolean (optional)   ``False`` by default, marks a plugin as an experimental feature in the plugins list.
-picture            string (optional)    Path to a picture resolvable through the static file system.
 compatibility      string               Specifier for compatible pretix versions.
 ================== ==================== ===========================================================

--- a/doc/development/contribution/style.rst
+++ b/doc/development/contribution/style.rst
@@ -1,4 +1,4 @@
-.. spelling:: Rebase rebasing
+.. spelling:word-list:: Rebase rebasing

 Coding style and quality
 ========================
--- a/doc/development/implementation/models.rst
+++ b/doc/development/implementation/models.rst
@@ -1,7 +1,7 @@
 .. highlight:: python
   :linenothreshold: 5

-.. spelling:: answ contrib
+.. spelling:word-list:: answ contrib

 Data model
 ==========
--- a/doc/development/implementation/permissions.rst
+++ b/doc/development/implementation/permissions.rst
@@ -184,11 +184,6 @@ Most of these methods work identically on :class:`pretix.base.models.TeamAPIToke
 Staff sessions
 --------------

-.. versionchanged:: 1.14
-
-   In 1.14, the ``User.is_superuser`` attribute has been deprecated and statically set to return ``False``. Staff
-   sessions have been newly introduced.
-
 System administrators of a pretix instance are identified by the ``is_staff`` attribute on the user model. By default,
 the regular permission rules apply for users with ``is_staff = True``. The only difference is that such users can
 temporarily turn on "staff mode" via a button in the user interface that grants them **all permissions** as long as
--- a/doc/images/checkin_offline.png
+++ b/doc/images/checkin_offline.png
--- a/doc/images/checkin_offline.puml
+++ b/doc/images/checkin_offline.puml
@@ -23,30 +23,50 @@ partition "data-based check" {
    "Is the order in status PAID or PENDING\nand is the position not canceled?" --> if "" then
        -right->[no] "Return error CANCELED"
    else
-        -down->[yes] "Is the product part of the check-in list?"
+        -down->[yes] "Is one or more block set on the ticket?"
        --> if "" then
-            -right->[no] "Return error PRODUCT"
+            -right->[no] "Return error BLOCKED"
        else
-            -down->[yes] "Is the subevent part of the check-in list?"
+            -down->[yes] "If this is not an exit, is the valid_from/valid_until\nconstraint on the ticket fulfilled?"
            --> if "" then
-                -right->[no] "Return error INVALID"
-                note bottom: TODO\ninconsistent\nwith online\ncheck
+                -right->[no] "Return error INVALID_TIME"
            else
-                -down->[yes] "Is the order in status PAID?"
+                -down->[yes] "Is the product part of the check-in list?"
                --> if "" then
-                    -right->[no] "Does the check-in list include pending orders?"
+                    -right->[no] "Return error PRODUCT"
+                else
+                    -down->[yes] "Is the subevent part of the check-in list?"
                    --> if "" then
-                        -right->[no] "Return error UNPAID "
+                        -right->[no] "Return error INVALID"
+                        note bottom: TODO\ninconsistent\nwith online\ncheck
                    else
-                        -down->[yes] "Is ignore_unpaid set?\n(Has the operator confirmed\nthe checkin?)"
+                        -down->[yes] "Is the order in status PAID?"
                        --> if "" then
-                            -right->[no] "Return error UNPAID "
+                            -right->[no] "Is Order.require_approval set?"
+                            --> if "" then
+                                -->[yes] "Return error UNPAID "
+                            else
+                                -right->[no] "Is Order.valid_if_pending set?"
+                                --> if "" then
+                                    -->[yes] "Is this an entry or exit?"
+                                else
+                                    -->[no] "Does the check-in list include pending orders?"
+                                    --> if "" then
+                                        -->[no] "Return error UNPAID "
+                                    else
+                                        -->[yes] "Is ignore_unpaid set on the request?\n(Has the operator confirmed\nthe checkin?)"
+                                        --> if "" then
+                                            -->[no] "Return error UNPAID "
+                                        else
+                                            -->[yes] "Is this an entry or exit?"
+                                        endif
+                                    endif
+                                endif
+                            endif
                        else
                            -down->[yes] "Is this an entry or exit?"
                        endif
                    endif
-                else
-                    -down->[yes] "Is this an entry or exit?"
                endif
            endif
        endif
@@ -98,16 +118,26 @@ partition "dataless check" {
        --> if "" then
            -right->[yes] "Return error REVOKED"
        else
-            -down->[no] "Is the product part of the check-in list? "
+            -down->[yes] "Is the ticket secret on the block list?"
            --> if "" then
-                -right->[no] "Return error PRODUCT "
+                -right->[yes] "Return error BLOCKED "
            else
-                -down->[yes] "Is the subevent part of the check-in list? "
+                -down->[yes] "If this is not an exit, is the valid_from/valid_until\nconstraint on the ticket fulfilled? "
                --> if "" then
-                    -right->[no] "Return error INVALID  "
-                    note bottom: TODO\ninconsistent\nwith online\ncheck
+                    -right->[no] "Return error INVALID_TIME "
                else
-                  --> "Is this an entry or exit? "
+                    -down->[no] "Is the product part of the check-in list? "
+                    --> if "" then
+                        -right->[no] "Return error PRODUCT "
+                    else
+                        -down->[yes] "Is the subevent part of the check-in list? "
+                        --> if "" then
+                            -right->[no] "Return error INVALID  "
+                            note bottom: TODO\ninconsistent\nwith online\ncheck
+                        else
+                          --> "Is this an entry or exit? "
+                        endif
+                    endif
                endif
            endif
        endif
--- a/doc/images/checkin_online.png
+++ b/doc/images/checkin_online.png
--- a/doc/images/checkin_online.puml
+++ b/doc/images/checkin_online.puml
@@ -40,29 +40,49 @@ endif
 "Is the order in status PAID or PENDING\nand is the position not canceled?" --> if "" then
    -right->[no] "Return error CANCELED"
 else
-    -down->[yes] "Is the product part of the check-in list?"
+    -down->[yes] "Is one or more block set on the ticket?"
    --> if "" then
-        -right->[no] "Return error PRODUCT"
+        -right->[no] "Return error BLOCKED"
    else
-        -down->[yes] "Is the subevent part of the check-in list?"
+        -down->[yes] "If this is not an exit, is the valid_from/valid_until\nconstraint on the ticket fulfilled?"
        --> if "" then
-            -right->[no] "Return error PRODUCT "
+            -right->[no] "Return error INVALID_TIME"
        else
-            -down->[yes] "Is the order in status PAID\nor is this a forced upload?"
+            -down->[yes] "Is the product part of the check-in list?"
            --> if "" then
-                -right->[no] "Does the check-in list include pending orders?"
+                -right->[no] "Return error PRODUCT"
+            else
+                -down->[yes] "Is the subevent part of the check-in list?"
                --> if "" then
-                    -right->[no] "Return error UNPAID "
+                    -right->[no] "Return error PRODUCT "
                else
-                    -down->[yes] "Is ignore_unpaid set?\n(Has the operator confirmed\nthe checkin?)"
+                    -down->[yes] "Is the order in status PAID\nor is this a forced upload?"
                    --> if "" then
-                        -right->[no] "Return error UNPAID "
+                        -right->[no] "Is Order.require_approval set?"
+                        --> if "" then
+                            -->[no] "Is Order.valid_if_pending set?"
+                            --> if "" then
+                                -down->[yes] "Is this an entry or exit?\nIs the upload forced?"
+                            else
+                                -right->[no] "Does the check-in list include pending orders?"
+                                --> if "" then
+                                    -right->[no] "Return error UNPAID "
+                                else
+                                    -down->[yes] "Is ignore_unpaid set on the request?\n(Has the operator confirmed\nthe checkin?)"
+                                    --> if "" then
+                                        -right->[no] "Return error UNPAID "
+                                    else
+                                        -down->[yes] "Is this an entry or exit?\nIs the upload forced?"
+                                    endif
+                                endif
+                            endif
+                        else
+                            -->[yes] "Return error UNPAID "
+                        endif
                    else
                        -down->[yes] "Is this an entry or exit?\nIs the upload forced?"
                    endif
                endif
-            else
-                -down->[yes] "Is this an entry or exit?\nIs the upload forced?"
            endif
        endif
    endif
--- a/doc/images/logo-white.svg
+++ b/doc/images/logo-white.svg
@@ -1,69 +1 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="254.15625"
-   height="109.59375"
-   viewBox="0 0 254.15625 109.59375"
-   version="1.1"
-   id="svg5"
-   sodipodi:docname="logo-white.svg"
-   inkscape:version="0.92.1 r"><metadata
-   id="metadata9">
-  <rdf:RDF>
-    <cc:Work
-       rdf:about="">
-      <dc:format>image/svg+xml</dc:format>
-      <dc:type
-         rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-      <dc:title></dc:title>
-    </cc:Work>
-  </rdf:RDF>
-</metadata>
-<sodipodi:namedview
-   pagecolor="#ffffff"
-   bordercolor="#666666"
-   borderopacity="1"
-   objecttolerance="10"
-   gridtolerance="10"
-   guidetolerance="10"
-   inkscape:pageopacity="0"
-   inkscape:pageshadow="2"
-   inkscape:window-width="1364"
-   inkscape:window-height="676"
-   id="namedview7"
-   showgrid="false"
-   fit-margin-top="0"
-   fit-margin-left="0"
-   fit-margin-right="0"
-   fit-margin-bottom="0"
-   inkscape:zoom="1"
-   inkscape:cx="56.462442"
-   inkscape:cy="54.796875"
-   inkscape:window-x="0"
-   inkscape:window-y="72"
-   inkscape:window-maximized="0"
-   inkscape:current-layer="svg5" />
-
-   id=&quot;svg2&quot;
-   version=&quot;1.1&quot;&gt;
-  <defs
-   id="defs4" />
-<g
-   id="layer1"
-   transform="translate(-277.78125,-568.75)">
-  <path
-     style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none;marker:none;enable-background:accumulate"
-     d="m 20,20 v 34.09375 c 11.43679,0 20.71875,9.28196 20.71875,20.71875 C 40.71875,86.24928 31.43679,95.5 20,95.5 v 34.09375 h 146.6875 v -9.5 h 3 v 9.5 H 274.15625 V 95.5 c -0.0105,2e-5 -0.0208,0 -0.0312,0 -11.43678,0 -20.71875,-9.25072 -20.71875,-20.6875 0,-11.43679 9.28197,-20.71875 20.71875,-20.71875 0.0105,0 0.0208,-2e-5 0.0312,0 V 20 H 169.6875 v 9.09375 h -3 V 20 Z m 146.6875,16.09375 h 3 v 14 h -3 z m 41.44141,12.833984 c 2.79067,0 5.02343,1.92774 5.02343,4.3125 0,2.38476 -2.23276,4.363282 -5.02343,4.363282 -2.73994,0 -4.97266,-1.978522 -4.97266,-4.363282 0,-2.38476 2.23272,-4.3125 4.97266,-4.3125 z m -13.22852,4.210938 v 8.017578 h 3.95899 v 6.291016 h -3.95899 v 12.279296 c 0,2.02959 0.71015,2.791016 2.13086,2.791016 0.71035,0 1.06703,-0.10181 1.82813,-0.40625 v 5.935547 c -0.71036,0.40591 -2.38661,0.964844 -4.61915,0.964844 -6.13949,0 -8.98046,-3.753876 -8.98046,-8.472657 V 67.447266 h -2.8418 V 61.15625 h 2.8418 V 55.574219 Z M 166.6875,57.09375 h 3 v 14 h -3 z m -74.568359,3.554688 c 8.473509,0 14.207029,4.515688 14.207029,14.105468 0,8.62573 -5.02336,14.105469 -12.07617,14.105469 -1.72514,0 -3.147072,-0.20329 -3.857422,-0.40625 V 99.414062 H 80.751953 V 62.728516 c 2.58772,-1.21775 6.090268,-2.080081 11.367188,-2.080078 z m 49.863279,0 c 8.57499,0 12.63436,5.935363 12.12696,15.220703 l -15.93165,2.234375 c 0.60888,2.94289 2.18061,4.414062 5.68165,4.414062 3.24732,0 5.78445,-0.711556 7.30664,-1.472656 l 2.13086,5.886719 c -2.38476,1.16701 -5.58034,2.080078 -10.6543,2.080078 -8.93017,0 -13.64844,-6.037993 -13.64844,-14.257813 0,-8.21981 4.41329,-14.105468 12.98828,-14.105468 z m -17.92187,0.0059 c 0.8928,0.01358 1.82795,0.04496 2.80468,0.0957 l -1.67578,6.697266 c -1.77589,-0.86257 -3.50104,-0.913692 -4.76953,-0.457032 v 21.513672 h -9.64062 v -25.77539 c 2.79702,-1.376314 7.03166,-2.16926 13.28125,-2.074219 z m 79.24804,0.501953 h 9.64063 v 27.347656 h -9.64063 z m 13.23438,0 h 10.04687 l 3.29883,6.849609 h 0.10156 l 3.60157,-6.849609 h 8.98047 l -7.96485,12.632812 8.72656,14.714844 H 232.67969 L 229.17773,80.9434 h -0.10156 l -3.65234,7.560547 h -9.74219 l 8.57422,-14.105468 z m -74.9668,5.023438 c -2.84142,0 -4.41381,2.585948 -4.10937,7.355468 l 7.76367,-1.166015 c 0,-4.16064 -1.2188,-6.189454 -3.6543,-6.189453 z m -49.507811,0.09961 c -0.71035,0 -1.219131,0.101686 -1.675781,0.253906 v 16.439453 c 0.35517,0.15221 0.863828,0.253906 1.523438,0.253906 3.4503,0 4.871093,-2.840514 4.871093,-8.421874 0,-5.733571 -1.21772,-8.525391 -4.71875,-8.525391 z M 166.6875,78.09375 h 3 v 14 h -3 z m 0,21 h 3 v 14 h -3 z"
-     transform="translate(257.78125,548.75)"
-     id="rect3888"
-     inkscape:connector-curvature="0" />
-</g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="254.156" height="109.594" version="1.1"><g transform="scale(1.9856)"><path d="M36.29 23.21c-.35 0-.61.06-.83.13v8.29c.19.06.45.13.77.13 1.73 0 2.46-1.44 2.46-4.26s-.64-4.29-2.4-4.29z" fill="#f8f8f8"/><path d="M61.22 23.15c-1.44 0-2.21 1.31-2.08 3.71l3.9-.58c.03-2.11-.58-3.14-1.82-3.14z" fill="#f8f8f8"/><path d="M127.39 17.1c.35-.03.61-.29.61-.64V.64c0-.35-.29-.64-.64-.64H75.94v2.48c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12V0H.64C.29 0 0 .29 0 .64v15.82c0 .35.26.61.61.64 5.47.32 9.82 4.86 9.82 10.43 0 5.57-4.35 10.08-9.82 10.37-.35.03-.61.29-.61.64v15.82c0 .35.29.64.64.64h73.22-.16v-2.48c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12V55h-.16 51.58c.35 0 .64-.29.64-.64V38.54c0-.35-.26-.61-.61-.64-5.47-.32-9.82-4.83-9.82-10.4s4.35-10.11 9.82-10.4zM37.41 34.57c-.86 0-1.6-.1-1.95-.19v5.54H30.6v-18.5c1.31-.61 3.07-1.06 5.73-1.06 4.26 0 7.17 2.27 7.17 7.1 0 4.35-2.53 7.1-6.08 7.1zm15.58-10.78c-.9-.45-1.76-.45-2.4-.22v10.85h-4.86V21.43c1.41-.7 3.55-1.09 6.69-1.06.45 0 .93.03 1.41.06L53 23.79Zm14.56 4.26-8.03 1.12c.32 1.47 1.09 2.21 2.85 2.21 1.63 0 2.91-.35 3.68-.74l1.09 2.98c-1.22.58-2.82 1.06-5.38 1.06-4.51 0-6.88-3.04-6.88-7.17s2.21-7.1 6.53-7.1c4.35-.03 6.4 2.98 6.14 7.65zm8.38 18.56c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12v-5.12c0-.62.5-1.12 1.12-1.12.62 0 1.12.52 1.12 1.12zm0-11.07c0 .6-.52 1.12-1.12 1.12-.6 0-1.12-.52-1.12-1.12v-5.12c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12zm0-11.01c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12v-5.12c0-.62.5-1.12 1.12-1.12.62 0 1.12.52 1.12 1.12zm0-11.07c0 .6-.52 1.12-1.12 1.12-.6 0-1.12-.52-1.12-1.12V8.34c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12zM90.11 23.8h-2.02v6.18c0 1.02.35 1.41 1.09 1.41.35 0 .54-.06.93-.19v2.98c-.35.19-1.22.48-2.34.48-3.1 0-4.51-1.89-4.51-4.26v-6.59h-1.44v-3.17h1.44v-2.82l4.86-1.22v4.03h1.98v3.17zm7.07 10.62h-4.86V20.66h4.86zm-2.43-15.58c-1.38 0-2.5-.99-2.5-2.21s1.12-2.18 2.5-2.18 2.53.96 2.53 2.18c0 1.22-1.12 2.21-2.53 2.21zm12.35 15.58-1.76-3.81h-.06l-1.82 3.81h-4.9l4.32-7.1-3.87-6.66h5.06l1.66 3.46h.06l1.82-3.46h4.51l-4 6.37 4.38 7.42-5.41-.03z" fill="#f8f8f8"/></g></svg>
--- a/doc/license/faq.rst
+++ b/doc/license/faq.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   AGPL
   AGPLv3
--- a/doc/plugins/digital.rst
+++ b/doc/plugins/digital.rst
@@ -91,8 +91,10 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal content ID
 title                                 multi-lingual string       The content title (required)
+internal_name                         string                     An optional name that is only used in the backend
 content_type                          string                     The type of content, valid values are ``webinar``, ``video``, ``livestream``, ``link``, ``file``
 url                                   string                     The location of the digital content
+file                                  file                       A downloadable file. Either ``url`` or ``file`` must be ``null``.
 description                           multi-lingual string       A public description of the item. May contain Markdown
                                                                 syntax and is not required.
 available_from                        datetime                   The first date time at which this content will be shown
@@ -144,6 +146,7 @@ API Endpoints
            },
            "content_type": "link",
            "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+            "file": null,
            "description": {
                "en": "Watch our event live here on YouTube!"
            },
@@ -191,6 +194,7 @@ API Endpoints
        },
        "content_type": "link",
        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "file": null,
        "description": {
            "en": "Watch our event live here on YouTube!"
        },
@@ -229,6 +233,7 @@ API Endpoints
        },
        "content_type": "link",
        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "file": null,
        "description": {
            "en": "Watch our event live here on YouTube!"
        },
@@ -255,6 +260,7 @@ API Endpoints
        },
        "content_type": "link",
        "url": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+        "file": null,
        "description": {
            "en": "Watch our event live here on YouTube!"
        },
@@ -309,6 +315,7 @@ API Endpoints
        },
        "content_type": "link",
        "url": "https://mywebsite.com",
+        "file": null,
        "description": {
            "en": "Watch our event live here on YouTube!"
        },
--- a/doc/plugins/list.rst
+++ b/doc/plugins/list.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::
   Analytics

 List of plugins
--- a/doc/plugins/presale-saml.rst
+++ b/doc/plugins/presale-saml.rst
@@ -1,5 +1,5 @@
 .. highlight:: ini
-.. spelling::
+.. spelling:word-list::

   IdP
   skIDentity
--- a/doc/plugins/ticketoutputpdf.rst
+++ b/doc/plugins/ticketoutputpdf.rst
@@ -17,9 +17,13 @@ Field                                 Type                       Description
 id                                    integer                    Internal layout ID
 name                                  string                     Internal layout description
 default                               boolean                    ``true`` if this is the default layout
-layout                                object                     Layout specification for libpretixprint
+layout                                list                       Dynamic layout specification. Each list element
+                                                                 corresponds to one dynamic element of the layout.
+                                                                 The current version of the schema in use can be found
+                                                                 `here`_.
+                                                                 Submitting invalid content can lead to application errors.
 background                            URL                        Background PDF file
-item_assignments                      list of objects            Products this layout is assigned to
+item_assignments                      list of objects            Products this layout is assigned to (currently read-only)
 ├ sales_channel                       string                     Sales channel (defaults to ``web``).
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================
@@ -58,7 +62,7 @@ Endpoints
            "name": "Default layout",
            "default": true,
            "layout": {…},
-            "background": {},
+            "background": null,
            "item_assignments": []
          }
        ]
@@ -96,7 +100,7 @@ Endpoints
        "name": "Default layout",
        "default": true,
        "layout": {…},
-        "background": {},
+        "background": null,
        "item_assignments": []
      }

@@ -147,3 +151,122 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/ticketlayouts/
+
+   Creates a new ticket layout
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/ticketlayouts/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "name": "Default layout",
+        "default": true,
+        "layout": […],
+        "background": null,
+        "item_assignments": []
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Default layout",
+        "default": true,
+        "layout": […],
+        "background": null,
+        "item_assignments": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event to create a layout for
+   :param event: The ``slug`` field of the event to create a layout for
+   :statuscode 201: no error
+   :statuscode 400: The layout could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/ticketlayouts/(id)/
+
+   Update a layout. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/ticketlayouts/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "name": "Default layout"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": "Default layout",
+        "default": true,
+        "layout": […],
+        "background": null,
+        "item_assignments": []
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the layout to modify
+   :statuscode 200: no error
+   :statuscode 400: The layout could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/ticketlayouts/(id)/
+
+   Delete a layout.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/ticketlayouts/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the layout to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
+
+
+.. _here: https://github.com/pretix/pretix/blob/master/src/pretix/static/schema/pdf-layout.schema.json
--- a/doc/requirements.rtd.txt
+++ b/doc/requirements.rtd.txt
@@ -0,0 +1,10 @@
+sphinx==6.1.*
+jinja2==3.1.*
+sphinx-rtd-theme
+sphinxcontrib-httpdomain
+sphinxcontrib-images
+sphinxcontrib-jquery
+sphinxcontrib-spelling==7.*
+sphinxemoji
+pygments-markdown-lexer
+pyenchant==3.2.*
--- a/doc/requirements.txt
+++ b/doc/requirements.txt
@@ -1,11 +1,11 @@
 -e ../src/
-sphinx==2.3.*
-jinja2==3.0.*
+sphinx==6.1.*
+jinja2==3.1.*
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
-sphinxcontrib-spelling==4.*
+sphinxcontrib-jquery
+sphinxcontrib-spelling==7.*
 sphinxemoji
 pygments-markdown-lexer
-# See https://github.com/rfk/pyenchant/pull/130
-git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant
+pyenchant==3.2.*
--- a/doc/spelling_wordlist.txt
+++ b/doc/spelling_wordlist.txt
@@ -97,6 +97,7 @@ overpayment
 param
 passphrase
 percental
+personalization
 pluggable
 positionid
 pre
--- a/doc/user/events/giftcards.rst
+++ b/doc/user/events/giftcards.rst
@@ -1,4 +1,4 @@
-.. spelling::
+.. spelling:word-list::

   Warengutschein
   Wertgutschein
--- a/doc/user/events/invoicing.rst
+++ b/doc/user/events/invoicing.rst
@@ -1,7 +1,7 @@
 Invoice settings
 ================

-.. spelling:: Inv
+.. spelling:word-list:: Inv

 The settings at "Settings" → "Invoice" allow you to specify if and how pretix should generate invoices for your orders.

--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -153,9 +153,9 @@ If you want to include all your public events, you can just reference your organ
 There is an optional ``style`` parameter that let's you choose between a monthly calendar view, a week view and a list
 view. If you do not set it, the choice will be taken from your organizer settings::

-   <pretix-widget event="https://pretix.eu/demo/series/" style="list"></pretix-widget>
-   <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
-   <pretix-widget event="https://pretix.eu/demo/series/" style="week"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" list-type="list"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" list-type="calendar"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" list-type="week"></pretix-widget>

 If you have more than 100 events, the system might refuse to show a list view and always show a calendar for performance
 reasons instead.
@@ -164,7 +164,7 @@ You can see an example here:

 .. raw:: html

-    <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+    <pretix-widget event="https://pretix.eu/demo/series/" list-type="calendar"></pretix-widget>
    <noscript>
       <div class="pretix-widget">
            <div class="pretix-widget-info-message">
@@ -176,7 +176,7 @@ You can see an example here:
 You can filter events by meta data attributes. You can create those attributes in your order profile and set their values in both event and series date
 settings. For example, if you set up a meta data property called "Promoted" that you set to "Yes" on some events, you can pass a filter like this::

-   <pretix-widget event="https://pretix.eu/demo/series/" style="list" filter="attr[Promoted]=Yes"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" list-type="list" filter="attr[Promoted]=Yes"></pretix-widget>

 pretix Button
 -------------
@@ -447,8 +447,4 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
    </script>


-.. versionchanged:: 3.6
-
-   Dynamically opening the widget has been added in pretix 3.6.
-
 .. _Let's Encrypt: https://letsencrypt.org/
--- a/readthedocs.yml
+++ b/readthedocs.yml
@@ -1,6 +0,0 @@
-
-build:
-  image: latest
-
-python:
-  version: 3.6
--- a/res/icon.png
+++ b/res/icon.png
--- a/res/icon.svg
+++ b/res/icon.svg
@@ -1,36 +1 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   viewBox="0 0 149.59399 149.59399"
-   version="1.1"
-   id="svg2"
-   height="159.56693"
-   width="159.56693">
-  <defs
-     id="defs4" />
-  <metadata
-     id="metadata7">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     transform="translate(-257.78125,-548.74975)"
-     id="layer1">
-    <path
-       id="rect3888"
-       transform="matrix(0.93749999,0,0,0.93749999,257.78125,548.74975)"
-       d="M 21.333984 21.333984 L 21.333984 57.699219 C 33.470966 57.699219 43.320312 67.601506 43.320312 79.800781 C 43.320312 92.000035 33.470966 101.86719 21.333984 101.86719 L 21.333984 138.23438 L 94.226562 138.23438 L 94.226562 128.09961 L 97.410156 128.09961 L 97.410156 138.23438 L 138.23438 138.23438 L 138.23438 101.86719 C 138.22328 101.86721 138.21216 101.86719 138.20117 101.86719 C 126.0642 101.86719 116.21289 92.000035 116.21289 79.800781 C 116.21289 67.601506 126.0642 57.699219 138.20117 57.699219 C 138.21237 57.699219 138.22339 57.699197 138.23438 57.699219 L 138.23438 21.333984 L 97.410156 21.333984 L 97.410156 31.033203 L 94.226562 31.033203 L 94.226562 21.333984 L 21.333984 21.333984 z M 94.226562 38.5 L 97.410156 38.5 L 97.410156 53.433594 L 94.226562 53.433594 L 94.226562 38.5 z M 94.226562 60.900391 L 97.410156 60.900391 L 97.410156 75.833984 L 94.226562 75.833984 L 94.226562 60.900391 z M 67.044922 64.027344 C 76.359333 64.027344 82.662109 68.991742 82.662109 79.533203 C 82.662109 89.014942 77.139434 95.039062 69.386719 95.039062 C 67.490377 95.039062 65.927327 94.814901 65.146484 94.591797 L 65.146484 106.64062 L 54.550781 106.64062 L 54.550781 66.314453 C 57.395304 64.97585 61.244324 64.027344 67.044922 64.027344 z M 66.990234 70.216797 C 66.209392 70.216797 65.648458 70.328766 65.146484 70.496094 L 65.146484 88.568359 C 65.536906 88.735677 66.097199 88.845703 66.822266 88.845703 C 70.61497 88.845703 72.175781 85.725087 72.175781 79.589844 C 72.175781 73.287273 70.838704 70.216797 66.990234 70.216797 z M 94.226562 83.300781 L 97.410156 83.300781 L 97.410156 98.234375 L 94.226562 98.234375 L 94.226562 83.300781 z M 94.226562 105.69922 L 97.410156 105.69922 L 97.410156 120.63281 L 94.226562 120.63281 L 94.226562 105.69922 z "
-       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1.06666672;marker:none;enable-background:accumulate" />
-  </g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="159.567" height="159.567" version="1.1" viewBox="0 0 149.594 149.594"><g transform="matrix(.9375 0 0 .9375 20.413 20.413)"><path d="M45.52 48.98c-.74 0-1.28.13-1.75.27v17.43c.4.13.94.27 1.61.27 3.63 0 5.18-3.03 5.18-8.95s-1.35-9.02-5.05-9.02z" fill="#3b1c4a"/><path d="M114.72 36.13c.74-.07 1.28-.61 1.28-1.35V1.35c0-.74-.61-1.35-1.35-1.35H75.99v5.38c0 1.15-.94 2.09-2.09 2.09s-2.09-.94-2.09-2.09V0H1.35C.61 0 0 .61 0 1.35v33.44c0 .74.54 1.28 1.28 1.35 11.51.67 20.66 10.23 20.66 21.94s-9.15 21.2-20.66 21.8c-.74.07-1.28.61-1.28 1.35v33.44c0 .74.61 1.35 1.35 1.35h70.48v-5.38c0-1.19.9-2.09 2.09-2.09s2.09.94 2.09 2.09v5.38h38.66c.74 0 1.35-.61 1.35-1.35V81.23c0-.74-.54-1.28-1.28-1.35-11.51-.67-20.66-10.16-20.66-21.87s9.15-21.26 20.66-21.87zM47.87 72.87c-1.82 0-3.36-.2-4.1-.4v11.64H33.54V45.22C36.3 43.94 40 43 45.58 43c8.95 0 15.07 4.78 15.07 14.94 0 9.15-5.32 14.94-12.78 14.94zm28.12 25.3c0 1.15-.94 2.09-2.09 2.09s-2.09-.94-2.09-2.09V87.4c0-1.15.94-2.09 2.09-2.09s2.09.97 2.09 2.09zm0-23.28c0 1.11-.97 2.09-2.09 2.09-1.12 0-2.09-.97-2.09-2.09V64.12c0-1.19.9-2.09 2.09-2.09s2.09.94 2.09 2.09zm0-23.15c0 1.15-.94 2.09-2.09 2.09s-2.09-.94-2.09-2.09V40.97c0-1.15.94-2.09 2.09-2.09s2.09.97 2.09 2.09zm0-23.28c0 1.11-.97 2.09-2.09 2.09-1.12 0-2.09-.97-2.09-2.09V17.69c0-1.19.9-2.09 2.09-2.09s2.09.94 2.09 2.09z" fill="#3b1c4a"/></g></svg>
--- a/res/logo.png
+++ b/res/logo.png
--- a/res/logo.svg
+++ b/res/logo.svg
@@ -1,72 +1 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="600"
-   height="400"
-   id="svg2"
-   version="1.1"
-   inkscape:version="0.92.1 r"
-   sodipodi:docname="logo.svg"
-   inkscape:export-filename="/tmp/LOGO.png"
-   inkscape:export-xdpi="96"
-   inkscape:export-ydpi="96"
-   viewBox="0 0 562.50001 375.00002">
-  <defs
-     id="defs4" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="0.9899495"
-     inkscape:cx="133.36756"
-     inkscape:cy="276.10571"
-     inkscape:document-units="px"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="1916"
-     inkscape:window-height="1041"
-     inkscape:window-x="1920"
-     inkscape:window-y="18"
-     inkscape:window-maximized="0"
-     fit-margin-top="20"
-     fit-margin-left="20"
-     fit-margin-right="20"
-     fit-margin-bottom="20" />
-  <metadata
-     id="metadata7">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Ebene 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-259.03125,-322.09374)">
-    <path
-       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1.91138947;marker:none;enable-background:accumulate"
-       d="m 297.38548,404.85558 v 65.16643 c 21.86016,0 39.6016,17.74144 39.6016,39.60159 0,21.86015 -17.74144,39.54187 -39.6016,39.54187 v 65.16644 h 280.37693 v -18.1582 h 5.73417 v 18.1582 h 199.68046 v -65.16644 c -0.02,4e-5 -0.0397,0 -0.0596,0 -21.86015,0 -39.6016,-17.68172 -39.6016,-39.54187 0,-21.86015 17.74145,-39.60159 39.6016,-39.60159 0.02,0 0.0397,-4e-5 0.0596,0 V 404.85558 H 583.49658 v 17.38169 h -5.73417 V 404.85558 Z M 577.76241,435.617 h 5.73417 v 26.75945 h -5.73417 z m 79.21068,24.53074 c 5.33405,0 9.60172,3.68466 9.60172,8.24287 0,4.5582 -4.26767,8.33993 -9.60172,8.33993 -5.2371,0 -9.50469,-3.78173 -9.50469,-8.33993 0,-4.55821 4.26759,-8.24287 9.50469,-8.24287 z m -25.28486,8.04874 v 15.32472 h 7.56717 v 12.02458 h -7.56717 v 23.47051 c 0,3.87934 1.35737,5.33473 4.0729,5.33473 1.35775,0 2.03951,-0.19461 3.49427,-0.77651 v 11.34514 c -1.35777,0.77585 -4.56174,1.84419 -8.829,1.84419 -11.73495,0 -17.16515,-7.17511 -17.16515,-16.19455 v -25.02351 h -5.43179 V 483.5212 h 5.43179 v -10.66944 z m -53.92582,7.5597 h 5.73417 v 26.75945 h -5.73417 z m -142.52917,6.79439 c 16.19618,0 27.15517,8.63124 27.15517,26.96104 0,16.48713 -9.6016,26.96105 -23.08227,26.96105 -3.29741,0 -6.01528,-0.38857 -7.37304,-0.77651 v 20.95062 H 413.50612 V 486.5264 c 4.94614,-2.32759 11.64087,-3.97583 21.72712,-3.97583 z m 95.30815,0 c 16.39014,0 24.14917,11.34479 23.17933,29.09269 l -30.45158,4.27076 c 1.1638,5.62501 4.16799,8.437 10.85985,8.437 6.20689,0 11.05633,-1.36007 13.96583,-2.81482 l 4.0729,11.2518 c -4.5582,2.23062 -10.6662,3.97584 -20.36451,3.97584 -17.06903,0 -26.08749,-11.54096 -26.08749,-27.25223 0,-15.71126 8.43552,-26.96104 24.82567,-26.96104 z m -34.25568,0.0113 c 1.70649,0.026 3.49392,0.0859 5.36084,0.18292 l -3.20307,12.80108 c -3.39442,-1.6487 -6.69185,-1.74642 -9.11643,-0.87356 v 41.121 h -18.42698 v -49.2668 c 5.3462,-2.63068 13.44024,-4.1463 25.38564,-3.96465 z m 151.47387,0.95943 h 18.42699 v 52.27202 h -18.42699 z m 25.29605,0 h 19.20348 l 6.30535,13.09227 h 0.19412 l 6.884,-13.09227 h 17.16517 l -15.22393,24.14622 16.67986,28.1258 h -20.3645 l -6.69361,-14.45115 h -0.19412 l -6.98104,14.45115 h -18.62112 l 16.38867,-26.96104 z m -143.29075,9.60175 c -5.43106,0 -8.43651,4.94275 -7.85461,14.05916 l 14.8394,-2.22871 c 0,-7.9526 -2.3296,-11.83045 -6.98479,-11.83045 z m -94.6287,0.19038 c -1.35776,0 -2.33024,0.19437 -3.20308,0.48532 v 31.4222 c 0.67888,0.29093 1.65112,0.48531 2.91189,0.48531 6.59487,0 9.31055,-5.42933 9.31055,-16.09748 0,-10.95908 -2.32753,-16.29535 -9.01936,-16.29535 z m 142.62623,22.58194 h 5.73417 v 26.75946 h -5.73417 z m 0,40.13918 h 5.73417 v 26.75946 h -5.73417 z"
-       id="rect3888"
-       inkscape:connector-curvature="0"
-       inkscape:export-filename="/tmp/LOGO.png"
-       inkscape:export-xdpi="88"
-       inkscape:export-ydpi="88" />
-  </g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="600" height="400" version="1.1" viewBox="0 0 562.5 375"><g transform="translate(-259.031 -322.094)"><g transform="matrix(3.79525 0 0 3.79525 297.317 405.22)"><path d="M36.29 23.21c-.35 0-.61.06-.83.13v8.29c.19.06.45.13.77.13 1.73 0 2.46-1.44 2.46-4.26s-.64-4.29-2.4-4.29z" fill="#3b1c4a"/><path d="M61.22 23.15c-1.44 0-2.21 1.31-2.08 3.71l3.9-.58c.03-2.11-.58-3.14-1.82-3.14z" fill="#3b1c4a"/><path d="M127.39 17.1c.35-.03.61-.29.61-.64V.64c0-.35-.29-.64-.64-.64H75.81v2.48c0 .55-.45.99-.99.99s-.99-.45-.99-.99V0H.64C.29 0 0 .29 0 .64v15.82c0 .35.26.61.61.64 5.47.32 9.82 4.86 9.82 10.43 0 5.57-4.35 10.08-9.82 10.37-.35.03-.61.29-.61.64v15.82c0 .35.29.64.64.64h73.22-.03v-2.48c0-.57.43-.99.99-.99s.99.45.99.99V55h-.03 51.58c.35 0 .64-.29.64-.64V38.54c0-.35-.26-.61-.61-.64-5.47-.32-9.82-4.83-9.82-10.4s4.35-10.11 9.82-10.4zM37.41 34.57c-.86 0-1.6-.1-1.95-.19v5.54H30.6v-18.5c1.31-.61 3.07-1.06 5.73-1.06 4.26 0 7.17 2.27 7.17 7.1 0 4.35-2.53 7.1-6.08 7.1zm15.58-10.78c-.9-.45-1.76-.45-2.4-.22v10.85h-4.86V21.43c1.41-.7 3.55-1.09 6.69-1.06.45 0 .93.03 1.41.06L53 23.79Zm14.56 4.26-8.03 1.12c.32 1.47 1.09 2.21 2.85 2.21 1.63 0 2.91-.35 3.68-.74l1.09 2.98c-1.22.58-2.82 1.06-5.38 1.06-4.51 0-6.88-3.04-6.88-7.17s2.21-7.1 6.53-7.1c4.35-.03 6.4 2.98 6.14 7.65zm8.26 18.56c0 .55-.45.99-.99.99s-.99-.45-.99-.99v-5.12c0-.55.45-.99.99-.99s.99.46.99.99zm0-11.07c0 .53-.46.99-.99.99s-.99-.46-.99-.99v-5.12c0-.57.43-.99.99-.99s.99.45.99.99zm0-11.01c0 .55-.45.99-.99.99s-.99-.45-.99-.99v-5.12c0-.55.45-.99.99-.99s.99.46.99.99zm0-11.07c0 .53-.46.99-.99.99s-.99-.46-.99-.99V8.34c0-.57.43-.99.99-.99s.99.45.99.99zm14.3 10.34h-2.02v6.18c0 1.02.35 1.41 1.09 1.41.35 0 .54-.06.93-.19v2.98c-.35.19-1.22.48-2.34.48-3.1 0-4.51-1.89-4.51-4.26v-6.59h-1.44v-3.17h1.44v-2.82l4.86-1.22v4.03h1.98v3.17zm7.07 10.62h-4.86V20.66h4.86zm-2.43-15.58c-1.38 0-2.5-.99-2.5-2.21s1.12-2.18 2.5-2.18 2.53.96 2.53 2.18c0 1.22-1.12 2.21-2.53 2.21zm12.35 15.58-1.76-3.81h-.06l-1.82 3.81h-4.9l4.32-7.1-3.87-6.66h5.06l1.66 3.46h.06l1.82-3.46h4.51l-4 6.37 4.38 7.42-5.41-.03z" fill="#3b1c4a"/></g></g></svg>
--- a/res/logo_white.svg
+++ b/res/logo_white.svg
@@ -1,68 +1 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="294.15625"
-   height="149.59375"
-   id="svg2"
-   version="1.1"
-   inkscape:version="0.91 r13725"
-   sodipodi:docname="logo_draft_white.svg"
-   inkscape:export-filename="/home/raphael/proj/pretix/pretix/logo_draft.png"
-   inkscape:export-xdpi="88.529999"
-   inkscape:export-ydpi="88.529999">
-  <defs
-     id="defs4" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="0.9899495"
-     inkscape:cx="121.06383"
-     inkscape:cy="277.43904"
-     inkscape:document-units="px"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="956"
-     inkscape:window-height="1041"
-     inkscape:window-x="2880"
-     inkscape:window-y="18"
-     inkscape:window-maximized="0"
-     fit-margin-top="20"
-     fit-margin-left="20"
-     fit-margin-right="20"
-     fit-margin-bottom="20" />
-  <metadata
-     id="metadata7">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Ebene 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-257.78125,-548.75)">
-    <path
-       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none;marker:none;enable-background:accumulate"
-       d="M 20 20 L 20 54.09375 C 31.43679 54.09375 40.71875 63.37571 40.71875 74.8125 C 40.71875 86.24928 31.43679 95.5 20 95.5 L 20 129.59375 L 166.6875 129.59375 L 166.6875 120.09375 L 169.6875 120.09375 L 169.6875 129.59375 L 274.15625 129.59375 L 274.15625 95.5 C 274.14575 95.50002 274.1354 95.5 274.125 95.5 C 262.68822 95.5 253.40625 86.24928 253.40625 74.8125 C 253.40625 63.37571 262.68822 54.09375 274.125 54.09375 C 274.1355 54.09375 274.14585 54.09373 274.15625 54.09375 L 274.15625 20 L 169.6875 20 L 169.6875 29.09375 L 166.6875 29.09375 L 166.6875 20 L 20 20 z M 166.6875 36.09375 L 169.6875 36.09375 L 169.6875 50.09375 L 166.6875 50.09375 L 166.6875 36.09375 z M 208.12891 48.927734 C 210.91958 48.927734 213.15234 50.855474 213.15234 53.240234 C 213.15234 55.624994 210.91958 57.603516 208.12891 57.603516 C 205.38897 57.603516 203.15625 55.624994 203.15625 53.240234 C 203.15625 50.855474 205.38897 48.927734 208.12891 48.927734 z M 194.90039 53.138672 L 194.90039 61.15625 L 198.85938 61.15625 L 198.85938 67.447266 L 194.90039 67.447266 L 194.90039 79.726562 C 194.90039 81.756152 195.61054 82.517578 197.03125 82.517578 C 197.7416 82.517578 198.09828 82.415768 198.85938 82.111328 L 198.85938 88.046875 C 198.14902 88.452785 196.47277 89.011719 194.24023 89.011719 C 188.10074 89.011719 185.25977 85.257843 185.25977 80.539062 L 185.25977 67.447266 L 182.41797 67.447266 L 182.41797 61.15625 L 185.25977 61.15625 L 185.25977 55.574219 L 194.90039 53.138672 z M 166.6875 57.09375 L 169.6875 57.09375 L 169.6875 71.09375 L 166.6875 71.09375 L 166.6875 57.09375 z M 92.119141 60.648438 C 100.59265 60.648438 106.32617 65.164126 106.32617 74.753906 C 106.32617 83.379636 101.30281 88.859375 94.25 88.859375 C 92.52486 88.859375 91.102928 88.656085 90.392578 88.453125 L 90.392578 99.414062 L 80.751953 99.414062 L 80.751953 62.728516 C 83.339673 61.510766 86.842221 60.648435 92.119141 60.648438 z M 141.98242 60.648438 C 150.55741 60.648438 154.61678 66.583801 154.10938 75.869141 L 138.17773 78.103516 C 138.78661 81.046406 140.35834 82.517578 143.85938 82.517578 C 147.1067 82.517578 149.64383 81.806022 151.16602 81.044922 L 153.29688 86.931641 C 150.91212 88.098651 147.71654 89.011719 142.64258 89.011719 C 133.71241 89.011719 128.99414 82.973726 128.99414 74.753906 C 128.99414 66.534096 133.40743 60.648438 141.98242 60.648438 z M 124.06055 60.654297 C 124.95335 60.667874 125.8885 60.69926 126.86523 60.75 L 125.18945 67.447266 C 123.41356 66.584696 121.68841 66.533574 120.41992 66.990234 L 120.41992 88.503906 L 110.7793 88.503906 L 110.7793 62.728516 C 113.57632 61.352202 117.81096 60.559256 124.06055 60.654297 z M 203.30859 61.15625 L 212.94922 61.15625 L 212.94922 88.503906 L 203.30859 88.503906 L 203.30859 61.15625 z M 216.54297 61.15625 L 226.58984 61.15625 L 229.88867 68.005859 L 229.99023 68.005859 L 233.5918 61.15625 L 242.57227 61.15625 L 234.60742 73.789062 L 243.33398 88.503906 L 232.67969 88.503906 L 229.17773 80.943359 L 229.07617 80.943359 L 225.42383 88.503906 L 215.68164 88.503906 L 224.25586 74.398438 L 216.54297 61.15625 z M 141.57617 66.179688 C 138.73475 66.179688 137.16236 68.765636 137.4668 73.535156 L 145.23047 72.369141 C 145.23047 68.208501 144.01167 66.179687 141.57617 66.179688 z M 92.068359 66.279297 C 91.358009 66.279297 90.849228 66.380983 90.392578 66.533203 L 90.392578 82.972656 C 90.747748 83.124866 91.256406 83.226562 91.916016 83.226562 C 95.366316 83.226562 96.787109 80.386048 96.787109 74.804688 C 96.787109 69.071117 95.569389 66.279297 92.068359 66.279297 z M 166.6875 78.09375 L 169.6875 78.09375 L 169.6875 92.09375 L 166.6875 92.09375 L 166.6875 78.09375 z M 166.6875 99.09375 L 169.6875 99.09375 L 169.6875 113.09375 L 166.6875 113.09375 L 166.6875 99.09375 z "
-       transform="translate(257.78125,548.75)"
-       id="rect3888" />
-  </g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="294.156" height="149.594" version="1.1"><g transform="translate(-257.781 -548.75)"><g transform="matrix(1.9856 0 0 1.9856 277.781 568.75)"><path d="M36.29 23.21c-.35 0-.61.06-.83.13v8.29c.19.06.45.13.77.13 1.73 0 2.46-1.44 2.46-4.26s-.64-4.29-2.4-4.29z" fill="#f8f8f8"/><path d="M61.22 23.15c-1.44 0-2.21 1.31-2.08 3.71l3.9-.58c.03-2.11-.58-3.14-1.82-3.14z" fill="#f8f8f8"/><path d="M127.39 17.1c.35-.03.61-.29.61-.64V.64c0-.35-.29-.64-.64-.64H75.94v2.48c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12V0H.64C.29 0 0 .29 0 .64v15.82c0 .35.26.61.61.64 5.47.32 9.82 4.86 9.82 10.43 0 5.57-4.35 10.08-9.82 10.37-.35.03-.61.29-.61.64v15.82c0 .35.29.64.64.64h73.22-.16v-2.48c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12V55h-.16 51.58c.35 0 .64-.29.64-.64V38.54c0-.35-.26-.61-.61-.64-5.47-.32-9.82-4.83-9.82-10.4s4.35-10.11 9.82-10.4zM37.41 34.57c-.86 0-1.6-.1-1.95-.19v5.54H30.6v-18.5c1.31-.61 3.07-1.06 5.73-1.06 4.26 0 7.17 2.27 7.17 7.1 0 4.35-2.53 7.1-6.08 7.1zm15.58-10.78c-.9-.45-1.76-.45-2.4-.22v10.85h-4.86V21.43c1.41-.7 3.55-1.09 6.69-1.06.45 0 .93.03 1.41.06L53 23.79Zm14.56 4.26-8.03 1.12c.32 1.47 1.09 2.21 2.85 2.21 1.63 0 2.91-.35 3.68-.74l1.09 2.98c-1.22.58-2.82 1.06-5.38 1.06-4.51 0-6.88-3.04-6.88-7.17s2.21-7.1 6.53-7.1c4.35-.03 6.4 2.98 6.14 7.65zm8.38 18.56c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12v-5.12c0-.62.5-1.12 1.12-1.12.62 0 1.12.52 1.12 1.12zm0-11.07c0 .6-.52 1.12-1.12 1.12-.6 0-1.12-.52-1.12-1.12v-5.12c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12zm0-11.01c0 .62-.5 1.12-1.12 1.12-.62 0-1.12-.5-1.12-1.12v-5.12c0-.62.5-1.12 1.12-1.12.62 0 1.12.52 1.12 1.12zm0-11.07c0 .6-.52 1.12-1.12 1.12-.6 0-1.12-.52-1.12-1.12V8.34c0-.63.49-1.12 1.12-1.12.63 0 1.12.5 1.12 1.12zM90.11 23.8h-2.02v6.18c0 1.02.35 1.41 1.09 1.41.35 0 .54-.06.93-.19v2.98c-.35.19-1.22.48-2.34.48-3.1 0-4.51-1.89-4.51-4.26v-6.59h-1.44v-3.17h1.44v-2.82l4.86-1.22v4.03h1.98v3.17zm7.07 10.62h-4.86V20.66h4.86zm-2.43-15.58c-1.38 0-2.5-.99-2.5-2.21s1.12-2.18 2.5-2.18 2.53.96 2.53 2.18c0 1.22-1.12 2.21-2.53 2.21zm12.35 15.58-1.76-3.81h-.06l-1.82 3.81h-4.9l4.32-7.1-3.87-6.66h5.06l1.66 3.46h.06l1.82-3.46h4.51l-4 6.37 4.38 7.42-5.41-.03z" fill="#f8f8f8"/></g></g></svg>
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "4.13.1"
+__version__ = "4.18.0.dev0"
--- a/src/pretix/api/auth/devicesecurity.py
+++ b/src/pretix/api/auth/devicesecurity.py
@@ -19,9 +19,12 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import logging

 from django.utils.translation import gettext_lazy as _

+logger = logging.getLogger(__name__)
+

 class FullAccessSecurityProfile:
    identifier = 'full'
@@ -36,7 +39,13 @@ class AllowListSecurityProfile:

    def is_allowed(self, request):
        key = (request.method, f"{request.resolver_match.namespace}:{request.resolver_match.url_name}")
-        return key in self.allowlist
+        if key in self.allowlist:
+            return True
+        else:
+            logger.info(
+                f'Request {key} not allowed in profile {self.identifier}'
+            )
+            return False


 class PretixScanSecurityProfile(AllowListSecurityProfile):
@@ -46,6 +55,7 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:version'),
        ('GET', 'api-v1:device.eventselection'),
        ('GET', 'api-v1:idempotency.query'),
+        ('GET', 'api-v1:device.info'),
        ('POST', 'api-v1:device.update'),
        ('POST', 'api-v1:device.revoke'),
        ('POST', 'api-v1:device.roll'),
@@ -64,6 +74,7 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:checkinlistpos-list'),
        ('POST', 'api-v1:checkinlistpos-redeem'),
        ('GET', 'api-v1:revokedsecrets-list'),
+        ('GET', 'api-v1:blockedsecrets-list'),
        ('GET', 'api-v1:order-list'),
        ('GET', 'api-v1:orderposition-pdf_image'),
        ('GET', 'api-v1:event.settings'),
@@ -80,6 +91,7 @@ class PretixScanNoSyncNoSearchSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:version'),
        ('GET', 'api-v1:device.eventselection'),
        ('GET', 'api-v1:idempotency.query'),
+        ('GET', 'api-v1:device.info'),
        ('POST', 'api-v1:device.update'),
        ('POST', 'api-v1:device.revoke'),
        ('POST', 'api-v1:device.roll'),
@@ -97,6 +109,7 @@ class PretixScanNoSyncNoSearchSecurityProfile(AllowListSecurityProfile):
        ('POST', 'api-v1:checkinlist-failed_checkins'),
        ('POST', 'api-v1:checkinlistpos-redeem'),
        ('GET', 'api-v1:revokedsecrets-list'),
+        ('GET', 'api-v1:blockedsecrets-list'),
        ('GET', 'api-v1:orderposition-pdf_image'),
        ('GET', 'api-v1:event.settings'),
        ('POST', 'api-v1:upload'),
@@ -112,6 +125,7 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:version'),
        ('GET', 'api-v1:device.eventselection'),
        ('GET', 'api-v1:idempotency.query'),
+        ('GET', 'api-v1:device.info'),
        ('POST', 'api-v1:device.update'),
        ('POST', 'api-v1:device.revoke'),
        ('POST', 'api-v1:device.roll'),
@@ -130,6 +144,7 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:checkinlistpos-list'),
        ('POST', 'api-v1:checkinlistpos-redeem'),
        ('GET', 'api-v1:revokedsecrets-list'),
+        ('GET', 'api-v1:blockedsecrets-list'),
        ('GET', 'api-v1:orderposition-pdf_image'),
        ('GET', 'api-v1:event.settings'),
        ('POST', 'api-v1:upload'),
@@ -145,6 +160,7 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:version'),
        ('GET', 'api-v1:device.eventselection'),
        ('GET', 'api-v1:idempotency.query'),
+        ('GET', 'api-v1:device.info'),
        ('POST', 'api-v1:device.update'),
        ('POST', 'api-v1:device.revoke'),
        ('POST', 'api-v1:device.roll'),
@@ -192,8 +208,10 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
        ('POST', 'plugins:pretix_posbackend:posdebuglogentry-bulk-create'),
        ('GET', 'plugins:pretix_posbackend:poscashier-list'),
        ('POST', 'plugins:pretix_posbackend:stripeterminal.token'),
+        ('POST', 'plugins:pretix_posbackend:stripeterminal.paymentintent'),
        ('PUT', 'plugins:pretix_posbackend:file.upload'),
        ('GET', 'api-v1:revokedsecrets-list'),
+        ('GET', 'api-v1:blockedsecrets-list'),
        ('GET', 'api-v1:event.settings'),
        ('GET', 'plugins:pretix_seating:event.event'),
        ('GET', 'plugins:pretix_seating:event.event.subevent'),
--- a/src/pretix/api/exception.py
+++ b/src/pretix/api/exception.py
@@ -19,11 +19,17 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import logging
+
+import ujson
+from rest_framework import exceptions
 from rest_framework.response import Response
 from rest_framework.views import exception_handler, status

 from pretix.base.services.locking import LockTimeoutException

+logger = logging.getLogger(__name__)
+

 def custom_exception_handler(exc, context):
    response = exception_handler(exc, context)
@@ -37,4 +43,7 @@ def custom_exception_handler(exc, context):
            }
        )

+    if isinstance(exc, exceptions.APIException):
+        logger.info(f'API Exception [{exc.status_code}]: {ujson.dumps(exc.detail)}')
+
    return response
--- a/src/pretix/api/middleware.py
+++ b/src/pretix/api/middleware.py
@@ -20,6 +20,7 @@
 # <https://www.gnu.org/licenses/>.
 #
 import json
+import logging
 from hashlib import sha1

 from django.conf import settings
@@ -32,6 +33,9 @@ from rest_framework import status

 from pretix.api.models import ApiCall
 from pretix.base.models import Organizer
+from pretix.helpers import OF_SELF
+
+logger = logging.getLogger(__name__)


 class IdempotencyMiddleware:
@@ -56,7 +60,7 @@ class IdempotencyMiddleware:
        idempotency_key = request.headers.get('X-Idempotency-Key', '')

        with transaction.atomic():
-            call, created = ApiCall.objects.select_for_update().get_or_create(
+            call, created = ApiCall.objects.select_for_update(of=OF_SELF).get_or_create(
                auth_hash=auth_hash,
                idempotency_key=idempotency_key,
                defaults={
@@ -96,6 +100,9 @@ class IdempotencyMiddleware:
            return resp
        else:
            if call.locked:
+                logger.info(
+                    f'Concurrent request with idempotency key {idempotency_key} blocked.'
+                )
                r = JsonResponse(
                    {'detail': 'Concurrent request with idempotency key.'},
                    status=status.HTTP_409_CONFLICT,
@@ -110,6 +117,7 @@ class IdempotencyMiddleware:
                content=content,
                status=call.response_code,
            )
+            logger.info(f'API response replayed from idempotency store for key {idempotency_key} [{call.response_code}]')
            for k, v in json.loads(call.response_headers).values():
                r[k] = v
            return r
--- a/src/pretix/api/migrations/0009_auto_20221217_1847.py
+++ b/src/pretix/api/migrations/0009_auto_20221217_1847.py
@@ -0,0 +1,77 @@
+# Generated by Django 3.2.16 on 2022-12-17 18:47
+
+import uuid
+
+import django.db.models.deletion
+import oauth2_provider.generators
+import oauth2_provider.models
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0226_itemvariationmetavalue'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixapi', '0008_webhookcallretry'),
+    ]
+    run_before = [
+        ('oauth2_provider', '0002_auto_20190406_1805'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='oauthapplication',
+            name='algorithm',
+            field=models.CharField(default='', max_length=5),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='claims',
+            field=models.TextField(default=''),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge',
+            field=models.CharField(default='', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge_method',
+            field=models.CharField(default='', max_length=10),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='nonce',
+            field=models.CharField(default='', max_length=255),
+        ),
+        migrations.AlterField(
+            model_name='oauthapplication',
+            name='client_secret',
+            field=oauth2_provider.models.ClientSecretField(db_index=True, default=oauth2_provider.generators.generate_client_secret, max_length=255),
+        ),
+        migrations.CreateModel(
+            name='OAuthIDToken',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('jti', models.UUIDField(default=uuid.uuid4, unique=True)),
+                ('expires', models.DateTimeField()),
+                ('scope', models.TextField()),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
+                ('organizers', models.ManyToManyField(to='pretixbase.Organizer')),
+                ('user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='pretixapi_oauthidtoken', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='oauthaccesstoken',
+            name='id_token',
+            field=models.OneToOneField(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='access_token', to='pretixapi.oauthidtoken'),
+        ),
+    ]
--- a/src/pretix/api/migrations/0010_webhook_comment.py
+++ b/src/pretix/api/migrations/0010_webhook_comment.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.17 on 2023-02-07 12:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixapi', '0009_auto_20221217_1847'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='webhook',
+            name='comment',
+            field=models.CharField(max_length=255, null=True),
+        ),
+    ]
--- a/src/pretix/api/models.py
+++ b/src/pretix/api/models.py
@@ -29,8 +29,8 @@ from oauth2_provider.generators import (
    generate_client_id, generate_client_secret,
 )
 from oauth2_provider.models import (
-    AbstractAccessToken, AbstractApplication, AbstractGrant,
-    AbstractRefreshToken,
+    AbstractAccessToken, AbstractApplication, AbstractGrant, AbstractIDToken,
+    AbstractRefreshToken, ClientSecretField,
 )
 from oauth2_provider.validators import URIValidator

@@ -46,7 +46,7 @@ class OAuthApplication(AbstractApplication):
        verbose_name=_("Client ID"),
        max_length=100, unique=True, default=generate_client_id, db_index=True
    )
-    client_secret = models.CharField(
+    client_secret = ClientSecretField(
        verbose_name=_("Client secret"),
        max_length=255, blank=False, default=generate_client_secret, db_index=True
    )
@@ -67,12 +67,26 @@ class OAuthGrant(AbstractGrant):
    redirect_uri = models.CharField(max_length=2500)  # Only 255 in AbstractGrant, which caused problems


+class OAuthIDToken(AbstractIDToken):
+    application = models.ForeignKey(
+        OAuthApplication, on_delete=models.CASCADE,
+    )
+    organizers = models.ManyToManyField('pretixbase.Organizer')
+
+
 class OAuthAccessToken(AbstractAccessToken):
    source_refresh_token = models.OneToOneField(
        # unique=True implied by the OneToOneField
        'OAuthRefreshToken', on_delete=models.SET_NULL, blank=True, null=True,
        related_name="refreshed_access_token"
    )
+    id_token = models.OneToOneField(
+        OAuthIDToken,
+        on_delete=models.CASCADE,
+        blank=True,
+        null=True,
+        related_name="access_token",
+    )
    application = models.ForeignKey(
        OAuthApplication, on_delete=models.CASCADE, blank=True, null=True,
    )
@@ -98,6 +112,7 @@ class WebHook(models.Model):
    target_url = models.URLField(verbose_name=_("Target URL"), max_length=255)
    all_events = models.BooleanField(default=True, verbose_name=_("All events (including newly created ones)"))
    limit_events = models.ManyToManyField('pretixbase.Event', verbose_name=_("Limit to events"), blank=True)
+    comment = models.CharField(verbose_name=_("Comment"), max_length=255, null=True, blank=True)

    class Meta:
        ordering = ('id',)
--- a/src/pretix/api/pagination.py
+++ b/src/pretix/api/pagination.py
@@ -19,9 +19,19 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+from rest_framework.filters import OrderingFilter
 from rest_framework.pagination import PageNumberPagination

+from pretix.helpers import get_deterministic_ordering
+

 class Pagination(PageNumberPagination):
    page_size_query_param = 'page_size'
    max_page_size = 50
+
+
+class TotalOrderingFilter(OrderingFilter):
+    def get_ordering(self, request, queryset, view):
+        o = super().get_ordering(request, queryset, view)
+        o = get_deterministic_ordering(queryset.model, o)
+        return o
--- a/src/pretix/api/serializers/cart.py
+++ b/src/pretix/api/serializers/cart.py
@@ -23,8 +23,7 @@ import os
 from datetime import timedelta

 from django.core.files import File
-from django.db.models import Q
-from django.utils.crypto import get_random_string
+from django.db.models import prefetch_related_objects
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy
 from rest_framework import serializers
@@ -34,7 +33,7 @@ from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import (
    AnswerCreateSerializer, AnswerSerializer, InlineSeatSerializer,
 )
-from pretix.base.models import Quota, Seat, Voucher
+from pretix.base.models import Seat, Voucher
 from pretix.base.models.orders import CartPosition


@@ -52,148 +51,18 @@ class CartPositionSerializer(I18nAwareModelSerializer):
        model = CartPosition
        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
                  'attendee_email', 'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
-                  'answers', 'seat')
+                  'answers', 'seat', 'is_bundled')


-class CartPositionCreateSerializer(I18nAwareModelSerializer):
+class BaseCartPositionCreateSerializer(I18nAwareModelSerializer):
    answers = AnswerCreateSerializer(many=True, required=False)
-    expires = serializers.DateTimeField(required=False)
    attendee_name = serializers.CharField(required=False, allow_null=True)
-    seat = serializers.CharField(required=False, allow_null=True)
-    sales_channel = serializers.CharField(required=False, default='sales_channel')
    includes_tax = serializers.BooleanField(required=False, allow_null=True)
-    voucher = serializers.CharField(required=False, allow_null=True)

    class Meta:
        model = CartPosition
-        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'subevent', 'expires', 'includes_tax', 'answers', 'seat', 'sales_channel', 'voucher')
-
-    def create(self, validated_data):
-        answers_data = validated_data.pop('answers')
-        if not validated_data.get('cart_id'):
-            cid = "{}@api".format(get_random_string(48))
-            while CartPosition.objects.filter(cart_id=cid).exists():
-                cid = "{}@api".format(get_random_string(48))
-            validated_data['cart_id'] = cid
-
-        if not validated_data.get('expires'):
-            validated_data['expires'] = now() + timedelta(
-                minutes=self.context['event'].settings.get('reservation_time', as_type=int)
-            )
-
-        new_quotas = (validated_data.get('variation').quotas.filter(subevent=validated_data.get('subevent'))
-                      if validated_data.get('variation')
-                      else validated_data.get('item').quotas.filter(subevent=validated_data.get('subevent')))
-        if len(new_quotas) == 0:
-            raise ValidationError(
-                gettext_lazy('The product "{}" is not assigned to a quota.').format(
-                    str(validated_data.get('item'))
-                )
-            )
-        for quota in new_quotas:
-            avail = quota.availability(_cache=self.context['quota_cache'])
-            if avail[0] != Quota.AVAILABILITY_OK or (avail[1] is not None and avail[1] < 1):
-                raise ValidationError(
-                    gettext_lazy('There is not enough quota available on quota "{}" to perform '
-                                 'the operation.').format(
-                        quota.name
-                    )
-                )
-
-        for quota in new_quotas:
-            oldsize = self.context['quota_cache'][quota.pk][1]
-            newsize = oldsize - 1 if oldsize is not None else None
-            self.context['quota_cache'][quota.pk] = (
-                Quota.AVAILABILITY_OK if newsize is None or newsize > 0 else Quota.AVAILABILITY_GONE,
-                newsize
-            )
-
-        attendee_name = validated_data.pop('attendee_name', '')
-        if attendee_name and not validated_data.get('attendee_name_parts'):
-            validated_data['attendee_name_parts'] = {
-                '_legacy': attendee_name
-            }
-
-        seated = validated_data.get('item').seat_category_mappings.filter(subevent=validated_data.get('subevent')).exists()
-        if validated_data.get('seat'):
-            if not seated:
-                raise ValidationError('The specified product does not allow to choose a seat.')
-            try:
-                seat = self.context['event'].seats.get(seat_guid=validated_data['seat'], subevent=validated_data.get('subevent'))
-            except Seat.DoesNotExist:
-                raise ValidationError('The specified seat does not exist.')
-            except Seat.MultipleObjectsReturned:
-                raise ValidationError('The specified seat ID is not unique.')
-            else:
-                validated_data['seat'] = seat
-        elif seated:
-            raise ValidationError('The specified product requires to choose a seat.')
-
-        if validated_data.get('voucher'):
-            try:
-                voucher = self.context['event'].vouchers.get(code__iexact=validated_data.get('voucher'))
-            except Voucher.DoesNotExist:
-                raise ValidationError('The specified voucher does not exist.')
-
-            if voucher and not voucher.applies_to(validated_data.get('item'), validated_data.get('variation')):
-                raise ValidationError('The specified voucher is not valid for the given item and variation.')
-
-            if voucher and voucher.seat and voucher.seat != validated_data.get('seat'):
-                raise ValidationError('The specified voucher is not valid for this seat.')
-
-            if voucher and voucher.subevent_id and (not validated_data.get('subevent') or voucher.subevent_id != validated_data['subevent'].pk):
-                raise ValidationError('The specified voucher is not valid for this subevent.')
-
-            if voucher.valid_until is not None and voucher.valid_until < now():
-                raise ValidationError('The specified voucher is expired.')
-
-            redeemed_in_carts = CartPosition.objects.filter(
-                Q(voucher=voucher) & Q(event=self.context['event']) & Q(expires__gte=now())
-            )
-            cart_count = redeemed_in_carts.count()
-            v_avail = voucher.max_usages - voucher.redeemed - cart_count
-            if v_avail < 1:
-                raise ValidationError('The specified voucher has already been used the maximum number of times.')
-
-            validated_data['voucher'] = voucher
-
-        if validated_data.get('seat'):
-            if not validated_data['seat'].is_available(
-                sales_channel=validated_data.get('sales_channel', 'web'),
-                distance_ignore_cart_id=validated_data['cart_id'],
-                ignore_voucher_id=validated_data['voucher'].pk if validated_data.get('voucher') else None,
-            ):
-                raise ValidationError(
-                    gettext_lazy('The selected seat "{seat}" is not available.').format(seat=validated_data['seat'].name))
-
-        validated_data.pop('sales_channel')
-        # todo: does this make sense?
-        validated_data['custom_price_input'] = validated_data['price']
-        # todo: listed price, etc?
-        # currently does not matter because there is no way to transform an API cart position into an order that keeps
-        # prices, cart positions are just quota/voucher placeholders
-        validated_data['custom_price_input_is_net'] = not validated_data.pop('includes_tax', True)
-        cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
-
-        for answ_data in answers_data:
-            options = answ_data.pop('options')
-            if isinstance(answ_data['answer'], File):
-                an = answ_data.pop('answer')
-                answ = cp.answers.create(**answ_data, answer='')
-                answ.file.save(os.path.basename(an.name), an, save=False)
-                answ.answer = 'file://' + answ.file.name
-                answ.save()
-                an.close()
-            else:
-                answ = cp.answers.create(**answ_data)
-                answ.options.add(*options)
-        return cp
-
-    def validate_cart_id(self, cid):
-        if cid and not cid.endswith('@api'):
-            raise ValidationError('Cart ID should end in @api or be empty.')
-        return cid
+        fields = ('item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
+                  'subevent', 'includes_tax', 'answers')

    def validate_item(self, item):
        if item.event != self.context['event']:
@@ -240,4 +109,180 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
            )
+
+        if not data.get('expires'):
+            data['expires'] = now() + timedelta(
+                minutes=self.context['event'].settings.get('reservation_time', as_type=int)
+            )
+
+        quotas_for_item_cache = self.context.get('quotas_for_item_cache', {})
+        quotas_for_variation_cache = self.context.get('quotas_for_variation_cache', {})
+
+        seated = data.get('item').seat_category_mappings.filter(subevent=data.get('subevent')).exists()
+        if data.get('seat'):
+            if not seated:
+                raise ValidationError({'seat': ['The specified product does not allow to choose a seat.']})
+            try:
+                seat = self.context['event'].seats.get(seat_guid=data['seat'], subevent=data.get('subevent'))
+            except Seat.DoesNotExist:
+                raise ValidationError({'seat': ['The specified seat does not exist.']})
+            except Seat.MultipleObjectsReturned:
+                raise ValidationError({'seat': ['The specified seat ID is not unique.']})
+            else:
+                data['seat'] = seat
+        elif seated:
+            raise ValidationError({'seat': ['The specified product requires to choose a seat.']})
+
+        if data.get('voucher'):
+            try:
+                voucher = self.context['event'].vouchers.get(code__iexact=data['voucher'])
+            except Voucher.DoesNotExist:
+                raise ValidationError({'voucher': ['The specified voucher does not exist.']})
+
+            if voucher and not voucher.applies_to(data['item'], data.get('variation')):
+                raise ValidationError({'voucher': ['The specified voucher is not valid for the given item and variation.']})
+
+            if voucher and voucher.seat and voucher.seat != data.get('seat'):
+                raise ValidationError({'voucher': ['The specified voucher is not valid for this seat.']})
+
+            if voucher and voucher.subevent_id and (not data.get('subevent') or voucher.subevent_id != data['subevent'].pk):
+                raise ValidationError({'voucher': ['The specified voucher is not valid for this subevent.']})
+
+            if voucher.valid_until is not None and voucher.valid_until < now():
+                raise ValidationError({'voucher': ['The specified voucher is expired.']})
+
+            data['voucher'] = voucher
+
+        if not data.get('voucher') or (not data['voucher'].allow_ignore_quota and not data['voucher'].block_quota):
+            if data.get('variation'):
+                if data['variation'].pk not in quotas_for_variation_cache:
+                    quotas_for_variation_cache[data['variation'].pk] = data['variation'].quotas.filter(subevent=data.get('subevent'))
+                data['_quotas'] = quotas_for_variation_cache[data['variation'].pk]
+            else:
+                if data['item'].pk not in quotas_for_item_cache:
+                    quotas_for_item_cache[data['item'].pk] = data['item'].quotas.filter(subevent=data.get('subevent'))
+                data['_quotas'] = quotas_for_item_cache[data['item'].pk]
+
+            if len(data['_quotas']) == 0:
+                raise ValidationError(
+                    gettext_lazy('The product "{}" is not assigned to a quota.').format(
+                        str(data.get('item'))
+                    )
+                )
+        else:
+            data['_quotas'] = []
+
+        return data
+
+    def create(self, validated_data):
+        validated_data.pop('_quotas')
+        answers_data = validated_data.pop('answers')
+
+        attendee_name = validated_data.pop('attendee_name', '')
+        if attendee_name and not validated_data.get('attendee_name_parts'):
+            validated_data['attendee_name_parts'] = {
+                '_legacy': attendee_name
+            }
+
+        # todo: does this make sense?
+        validated_data['custom_price_input'] = validated_data['price']
+        # todo: listed price, etc?
+        # currently does not matter because there is no way to transform an API cart position into an order that keeps
+        # prices, cart positions are just quota/voucher placeholders
+        validated_data['custom_price_input_is_net'] = not validated_data.pop('includes_tax', True)
+        cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
+
+        for answ_data in answers_data:
+            options = answ_data.pop('options')
+            if isinstance(answ_data['answer'], File):
+                an = answ_data.pop('answer')
+                answ = cp.answers.create(**answ_data, answer='')
+                answ.file.save(os.path.basename(an.name), an, save=False)
+                answ.answer = 'file://' + answ.file.name
+                answ.save()
+                an.close()
+            else:
+                answ = cp.answers.create(**answ_data)
+                answ.options.add(*options)
+        return cp
+
+
+class CartPositionCreateSerializer(BaseCartPositionCreateSerializer):
+    expires = serializers.DateTimeField(required=False)
+    addons = BaseCartPositionCreateSerializer(many=True, required=False)
+    bundled = BaseCartPositionCreateSerializer(many=True, required=False)
+    seat = serializers.CharField(required=False, allow_null=True)
+    sales_channel = serializers.CharField(required=False, default='sales_channel')
+    voucher = serializers.CharField(required=False, allow_null=True)
+
+    class Meta:
+        model = CartPosition
+        fields = BaseCartPositionCreateSerializer.Meta.fields + (
+            'cart_id', 'expires', 'addons', 'bundled', 'seat', 'sales_channel', 'voucher'
+        )
+
+    def validate_cart_id(self, cid):
+        if cid and not cid.endswith('@api'):
+            raise ValidationError('Cart ID should end in @api or be empty.')
+        return cid
+
+    def create(self, validated_data):
+        validated_data.pop('sales_channel')
+        addons_data = validated_data.pop('addons', None)
+        bundled_data = validated_data.pop('bundled', None)
+
+        cp = super().create(validated_data)
+
+        if addons_data:
+            for addon_data in addons_data:
+                addon_data['addon_to'] = cp
+                addon_data['is_bundled'] = False
+                addon_data['cart_id'] = cp.cart_id
+                super().create(addon_data)
+
+        if bundled_data:
+            for bundle_data in bundled_data:
+                bundle_data['addon_to'] = cp
+                bundle_data['is_bundled'] = True
+                bundle_data['cart_id'] = cp.cart_id
+                super().create(bundle_data)
+
+        return cp
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        # This is currently only a very basic validation of add-ons and bundled products, we don't validate their number
+        # or price. We can always go stricter, as the endpoint is documented as experimental.
+        # However, this serializer should always be *at least* as strict as the order creation serializer.
+
+        if data.get('item') and data.get('addons'):
+            prefetch_related_objects([data['item']], 'addons')
+            for sub_data in data['addons']:
+                if not any(a.addon_category_id == sub_data['item'].category_id for a in data['item'].addons.all()):
+                    raise ValidationError({
+                        'addons': [
+                            'The product "{prod}" can not be used as an add-on product for "{main}".'.format(
+                                prod=str(sub_data['item']),
+                                main=str(data['item']),
+                            )
+                        ]
+                    })
+
+        if data.get('item') and data.get('bundled'):
+            prefetch_related_objects([data['item']], 'bundles')
+            for sub_data in data['bundled']:
+                if not any(
+                    a.bundled_item_id == sub_data['item'].pk and
+                    a.bundled_variation_id == (sub_data['variation'].pk if sub_data.get('variation') else None)
+                    for a in data['item'].bundles.all()
+                ):
+                    raise ValidationError({
+                        'bundled': [
+                            'The product "{prod}" can not be used as an bundled product for "{main}".'.format(
+                                prod=str(sub_data['item']),
+                                main=str(data['item']),
+                            )
+                        ]
+                    })
        return data
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -59,6 +59,7 @@ from pretix.base.settings import (
    LazyI18nStringList, validate_event_settings,
 )
 from pretix.base.signals import api_event_settings_fields
+from pretix.multidomain.urlreverse import build_absolute_uri

 logger = logging.getLogger(__name__)

@@ -164,6 +165,10 @@ class EventSerializer(I18nAwareModelSerializer):
    timezone = TimeZoneField(required=False, choices=[(a, a) for a in common_timezones])
    valid_keys = ValidKeysField(source='*', read_only=True)
    best_availability_state = serializers.IntegerField(allow_null=True, read_only=True)
+    public_url = serializers.SerializerMethodField('get_event_url', read_only=True)
+
+    def get_event_url(self, event):
+        return build_absolute_uri(event, 'presale:event.index')

    class Meta:
        model = Event
@@ -171,7 +176,7 @@ class EventSerializer(I18nAwareModelSerializer):
                  'date_to', 'date_admission', 'is_public', 'presale_start',
                  'presale_end', 'location', 'geo_lat', 'geo_lon', 'has_subevents', 'meta_data', 'seating_plan',
                  'plugins', 'seat_category_mapping', 'timezone', 'item_meta_properties', 'valid_keys',
-                  'sales_channels', 'best_availability_state')
+                  'sales_channels', 'best_availability_state', 'public_url')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -411,7 +416,8 @@ class CloneEventSerializer(EventSerializer):
        has_subevents = validated_data.pop('has_subevents', None)
        tz = validated_data.pop('timezone', None)
        sales_channels = validated_data.pop('sales_channels', None)
-        new_event = super().create(validated_data)
+        date_admission = validated_data.pop('date_admission', None)
+        new_event = super().create({**validated_data, 'plugins': None})

        event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
        new_event.copy_data_from(event)
@@ -426,6 +432,10 @@ class CloneEventSerializer(EventSerializer):
            new_event.sales_channels = sales_channels
        if has_subevents is not None:
            new_event.has_subevents = has_subevents
+        if has_subevents is not None:
+            new_event.has_subevents = has_subevents
+        if date_admission is not None:
+            new_event.date_admission = date_admission
        new_event.save()
        if tz:
            new_event.settings.timezone = tz
@@ -657,6 +667,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'show_times',
        'show_items_outside_presale_period',
        'display_net_prices',
+        'hide_prices_from_attendees',
        'presale_start_show_date',
        'locales',
        'locale',
@@ -682,6 +693,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'frontpage_subevent_ordering',
        'event_list_type',
        'event_list_available_only',
+        'event_calendar_future_only',
        'frontpage_text',
        'event_info_text',
        'attendee_names_asked',
@@ -755,6 +767,9 @@ class EventSettingsSerializer(SettingsSerializer):
        'invoice_logo_image',
        'cancel_allow_user',
        'cancel_allow_user_until',
+        'cancel_allow_user_unpaid_keep',
+        'cancel_allow_user_unpaid_keep_fees',
+        'cancel_allow_user_unpaid_keep_percentage',
        'cancel_allow_user_paid',
        'cancel_allow_user_paid_until',
        'cancel_allow_user_paid_keep',
@@ -770,6 +785,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'change_allow_user_addons',
        'change_allow_user_until',
        'change_allow_user_price',
+        'change_allow_attendee',
        'primary_color',
        'theme_color_success',
        'theme_color_danger',
--- a/src/pretix/api/serializers/exporters.py
+++ b/src/pretix/api/serializers/exporters.py
@@ -22,6 +22,10 @@
 from django import forms
 from django.http import QueryDict
 from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
+from pretix.base.exporter import OrganizerLevelExportMixin
+from pretix.base.timeframes import DateFrameField, SerializerDateFrameField


 class FormFieldWrapperField(serializers.Field):
@@ -49,7 +53,6 @@ simple_mappings = (
    (forms.EmailField, serializers.EmailField, ()),
    (forms.UUIDField, serializers.UUIDField, ()),
    (forms.URLField, serializers.URLField, ()),
-    (forms.NullBooleanField, serializers.NullBooleanField, ()),
    (forms.BooleanField, serializers.BooleanField, ()),
 )

@@ -87,7 +90,7 @@ class JobRunSerializer(serializers.Serializer):
        ex = kwargs.pop('exporter')
        events = kwargs.pop('events', None)
        super().__init__(*args, **kwargs)
-        if events is not None:
+        if events is not None and not isinstance(ex, OrganizerLevelExportMixin):
            self.fields["events"] = serializers.SlugRelatedField(
                queryset=events,
                required=True,
@@ -106,6 +109,12 @@ class JobRunSerializer(serializers.Serializer):
                    )
                    break

+            if isinstance(v, forms.NullBooleanField):
+                self.fields[k] = serializers.BooleanField(
+                    required=v.required,
+                    allow_null=True,
+                    validators=v.validators,
+                )
            if isinstance(v, forms.ModelMultipleChoiceField):
                self.fields[k] = PrimaryKeyRelatedField(
                    queryset=v.queryset,
@@ -135,6 +144,12 @@ class JobRunSerializer(serializers.Serializer):
                    allow_null=not v.required,
                    validators=v.validators,
                )
+            elif isinstance(v, DateFrameField):
+                self.fields[k] = SerializerDateFrameField(
+                    required=v.required,
+                    allow_null=not v.required,
+                    validators=v.validators,
+                )
            else:
                self.fields[k] = FormFieldWrapperField(form_field=v, required=v.required, allow_null=not v.required)

@@ -144,5 +159,40 @@ class JobRunSerializer(serializers.Serializer):
        for k, v in self.fields.items():
            if isinstance(v, serializers.ManyRelatedField) and k not in data:
                data[k] = []
+
+        for fk in self.fields.keys():
+            # Backwards compatibility for exports that used to take e.g. (date_from, date_to) or (event_date_from, event_date_to)
+            # and now only take date_range.
+            if fk.endswith("_range") and isinstance(self.fields[fk], SerializerDateFrameField) and fk not in data:
+                if fk.replace("_range", "_from") in data:
+                    d_from = data.pop(fk.replace("_range", "_from"))
+                    if d_from:
+                        d_from = serializers.DateField().to_internal_value(d_from)
+                else:
+                    d_from = None
+                if fk.replace("_range", "_to") in data:
+                    d_to = data.pop(fk.replace("_range", "_to"))
+                    if d_to:
+                        d_to = serializers.DateField().to_internal_value(d_to)
+                else:
+                    d_to = None
+                data[fk] = f'{d_from.isoformat() if d_from else ""}/{d_to.isoformat() if d_to else ""}'
+
        data = super().to_internal_value(data)
        return data
+
+    def is_valid(self, raise_exception=False):
+        super().is_valid(raise_exception=raise_exception)
+
+        fields_keys = set(self.fields.keys())
+        input_keys = set(self.initial_data.keys())
+
+        additional_fields = input_keys - fields_keys
+
+        if bool(additional_fields):
+            self._errors['fields'] = ['Additional fields not allowed: {}.'.format(list(additional_fields))]
+
+        if self._errors and raise_exception:
+            raise ValidationError(self.errors)
+
+        return not bool(self._errors)
--- a/src/pretix/api/serializers/i18n.py
+++ b/src/pretix/api/serializers/i18n.py
@@ -20,6 +20,7 @@
 # <https://www.gnu.org/licenses/>.
 #
 from django.conf import settings
+from django.core.validators import URLValidator
 from i18nfield.fields import I18nCharField, I18nTextField
 from i18nfield.strings import LazyI18nString
 from rest_framework.exceptions import ValidationError
@@ -69,3 +70,17 @@ class I18nAwareModelSerializer(ModelSerializer):

 I18nAwareModelSerializer.serializer_field_mapping[I18nCharField] = I18nField
 I18nAwareModelSerializer.serializer_field_mapping[I18nTextField] = I18nField
+
+
+class I18nURLField(I18nField):
+    def to_internal_value(self, value):
+        value = super().to_internal_value(value)
+        if not value:
+            return value
+        if isinstance(value.data, dict):
+            for v in value.data.values():
+                if v:
+                    URLValidator()(v)
+        else:
+            URLValidator()(value.data)
+        return value
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -47,43 +47,106 @@ from pretix.api.serializers.fields import UploadedFileField
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue, ItemVariation,
-    Question, QuestionOption, Quota,
+    ItemVariationMetaValue, Question, QuestionOption, Quota,
 )


 class InlineItemVariationSerializer(I18nAwareModelSerializer):
-    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=13,
                                     coerce_to_string=True)
+    meta_data = MetaDataField(required=False, source='*')

    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
                  'position', 'default_price', 'price', 'original_price', 'require_approval',
-                  'require_membership', 'require_membership_types',
-                  'require_membership_hidden', 'available_from', 'available_until',
-                  'sales_channels', 'hide_without_voucher',)
+                  'require_membership', 'require_membership_types', 'require_membership_hidden',
+                  'checkin_attention', 'available_from', 'available_until',
+                  'sales_channels', 'hide_without_voucher', 'meta_data')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['require_membership_types'].queryset = lazy(lambda: self.context['event'].organizer.membership_types.all(), QuerySet)

+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.parent.parent.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+

 class ItemVariationSerializer(I18nAwareModelSerializer):
-    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=13,
                                     coerce_to_string=True)
+    meta_data = MetaDataField(required=False, source='*')

    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
                  'position', 'default_price', 'price', 'original_price', 'require_approval',
-                  'require_membership', 'require_membership_types',
-                  'require_membership_hidden', 'available_from', 'available_until',
-                  'sales_channels', 'hide_without_voucher',)
+                  'require_membership', 'require_membership_types', 'require_membership_hidden',
+                  'checkin_attention', 'available_from', 'available_until',
+                  'sales_channels', 'hide_without_voucher', 'meta_data')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['require_membership_types'].queryset = self.context['event'].organizer.membership_types.all()

+    @transaction.atomic
+    def create(self, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        require_membership_types = validated_data.pop('require_membership_types', [])
+        variation = ItemVariation.objects.create(**validated_data)
+
+        if require_membership_types:
+            variation.require_membership_types.add(*require_membership_types)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                ItemVariationMetaValue.objects.create(
+                    property=self.item_meta_properties.get(key),
+                    value=value,
+                    variation=variation
+                )
+        return variation
+
+    @cached_property
+    def item_meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    def update(self, instance, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        variation = super().update(instance, validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in variation.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.item_meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    variation.meta_values.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        return variation
+

 class InlineItemBundleSerializer(serializers.ModelSerializer):
    class Meta:
@@ -171,7 +234,7 @@ class ItemSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Item
        fields = ('id', 'category', 'name', 'internal_name', 'active', 'sales_channels', 'description',
-                  'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
+                  'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission', 'personalized',
                  'position', 'picture', 'available_from', 'available_until',
                  'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
@@ -179,11 +242,15 @@ class ItemSerializer(I18nAwareModelSerializer):
                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard', 'meta_data',
                  'require_membership', 'require_membership_types', 'require_membership_hidden', 'grant_membership_type',
                  'grant_membership_duration_like_event', 'grant_membership_duration_days',
-                  'grant_membership_duration_months')
+                  'grant_membership_duration_months', 'validity_mode', 'validity_fixed_from', 'validity_fixed_until',
+                  'validity_dynamic_duration_minutes', 'validity_dynamic_duration_hours', 'validity_dynamic_duration_days',
+                  'validity_dynamic_duration_months', 'validity_dynamic_start_choice', 'validity_dynamic_start_choice_day_limit')
        read_only_fields = ('has_variations',)

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
+        self.fields['default_price'].allow_null = False
+        self.fields['default_price'].required = True
        if not self.read_only:
            self.fields['require_membership_types'].queryset = self.context['event'].organizer.membership_types.all()
            self.fields['grant_membership_type'].queryset = self.context['event'].organizer.membership_types.all()
@@ -197,6 +264,15 @@ class ItemSerializer(I18nAwareModelSerializer):
        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
        Item.clean_available(data.get('available_from'), data.get('available_until'))

+        if data.get('personalized') and not data.get('admission'):
+            raise ValidationError(_('Only admission products can currently be personalized.'))
+
+        if data.get('admission') and 'personalized' not in data and not self.instance:
+            # Backwards compatibility
+            data['personalized'] = True
+        elif 'admission' in data and not data['admission']:
+            data['personalized'] = False
+
        if data.get('issue_giftcard'):
            if data.get('tax_rule') and data.get('tax_rule').rate > 0:
                raise ValidationError(
@@ -228,9 +304,9 @@ class ItemSerializer(I18nAwareModelSerializer):
        if not self.instance:
            for addon_data in value:
                ItemAddOn.clean_categories(self.context['event'], None, self.instance, addon_data['addon_category'])
-                ItemAddOn.clean_min_count(addon_data['min_count'])
-                ItemAddOn.clean_max_count(addon_data['max_count'])
-                ItemAddOn.clean_max_min_count(addon_data['max_count'], addon_data['min_count'])
+                ItemAddOn.clean_min_count(addon_data.get('min_count', 0))
+                ItemAddOn.clean_max_count(addon_data.get('max_count', 0))
+                ItemAddOn.clean_max_min_count(addon_data.get('max_count', 0), addon_data.get('min_count', 0))
        return value

    @cached_property
@@ -261,9 +337,19 @@ class ItemSerializer(I18nAwareModelSerializer):

        for variation_data in variations_data:
            require_membership_types = variation_data.pop('require_membership_types', [])
+            var_meta_data = variation_data.pop('meta_data', {})
            v = ItemVariation.objects.create(item=item, **variation_data)
            if require_membership_types:
                v.require_membership_types.add(*require_membership_types)
+
+            if var_meta_data is not None:
+                for key, value in var_meta_data.items():
+                    ItemVariationMetaValue.objects.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value,
+                        variation=v
+                    )
+
        for addon_data in addons_data:
            ItemAddOn.objects.create(base_item=item, **addon_data)
        for bundle_data in bundles_data:
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -29,6 +29,7 @@ import pycountry
 from django.conf import settings
 from django.core.files import File
 from django.db.models import F, Q
+from django.utils.encoding import force_str
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy
 from django_countries.fields import Country
@@ -51,7 +52,8 @@ from pretix.base.models import (
    SubEvent, TaxRule, Voucher,
 )
 from pretix.base.models.orders import (
-    CartPosition, OrderFee, OrderPayment, OrderRefund, RevokedTicketSecret,
+    BlockedTicketSecret, CartPosition, OrderFee, OrderPayment, OrderRefund,
+    RevokedTicketSecret,
 )
 from pretix.base.pdf import get_images, get_variables
 from pretix.base.services.cart import error_messages
@@ -61,14 +63,25 @@ from pretix.base.services.pricing import (
 )
 from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
 from pretix.base.signals import register_ticket_outputs
+from pretix.helpers.countries import CachedCountries
 from pretix.multidomain.urlreverse import build_absolute_uri

 logger = logging.getLogger(__name__)


 class CompatibleCountryField(serializers.Field):
+    countries = CachedCountries()
+    default_error_messages = {
+        'invalid_choice': gettext_lazy('"{input}" is not a valid choice.')
+    }
+
    def to_internal_value(self, data):
-        return {self.field_name: Country(data)}
+        country = self.countries.alpha2(data)
+        if data and not country:
+            country = self.countries.by_name(force_str(data))
+            if not country:
+                self.fail("invalid_choice", input=data)
+        return {self.field_name: Country(country)}

    def to_representation(self, instance: InvoiceAddress):
        if instance.country:
@@ -106,6 +119,10 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'name': ['Do not specify name if you specified name_parts.']}
            )
+
+        if data.get('name_parts') and not isinstance(data.get('name_parts'), dict):
+            raise ValidationError({'name_parts': ['Invalid data type']})
+
        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
            data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme

@@ -284,7 +301,9 @@ class FailedCheckinSerializer(I18nAwareModelSerializer):
 class OrderDownloadsField(serializers.Field):
    def to_representation(self, instance: Order):
        if instance.status != Order.STATUS_PAID:
-            if instance.status != Order.STATUS_PENDING or instance.require_approval or not instance.event.settings.ticket_download_pending:
+            if instance.status != Order.STATUS_PENDING or instance.require_approval or (
+                not instance.valid_if_pending and not instance.event.settings.ticket_download_pending
+            ):
                return []

        request = self.context['request']
@@ -308,7 +327,9 @@ class OrderDownloadsField(serializers.Field):
 class PositionDownloadsField(serializers.Field):
    def to_representation(self, instance: OrderPosition):
        if instance.order.status != Order.STATUS_PAID:
-            if instance.order.status != Order.STATUS_PENDING or instance.order.require_approval or not instance.order.event.settings.ticket_download_pending:
+            if instance.order.status != Order.STATUS_PENDING or instance.order.require_approval or (
+                not instance.order.valid_if_pending and not instance.order.event.settings.ticket_download_pending
+            ):
                return []
        if not instance.generate_ticket:
            return []
@@ -359,10 +380,17 @@ class PdfDataSerializer(serializers.Field):
            for k, v in ev._cached_meta_data.items():
                res['meta:' + k] = v

-            if not hasattr(instance.item, '_cached_meta_data'):
-                instance.item._cached_meta_data = instance.item.meta_data
-            for k, v in instance.item._cached_meta_data.items():
-                res['itemmeta:' + k] = v
+            if instance.variation_id:
+                if not hasattr(instance.variation, '_cached_meta_data'):
+                    instance.variation.item = instance.item  # saves some database lookups
+                    instance.variation._cached_meta_data = instance.variation.meta_data
+                for k, v in instance.variation._cached_meta_data.items():
+                    res['itemmeta:' + k] = v
+            else:
+                if not hasattr(instance.item, '_cached_meta_data'):
+                    instance.item._cached_meta_data = instance.item.meta_data
+                for k, v in instance.item._cached_meta_data.items():
+                    res['itemmeta:' + k] = v

            res['images'] = {}

@@ -410,13 +438,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
    class Meta:
        model = OrderPosition
        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
-                  'company', 'street', 'zipcode', 'city', 'country', 'state',
+                  'company', 'street', 'zipcode', 'city', 'country', 'state', 'discount',
                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
-                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'canceled')
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'canceled',
+                  'valid_from', 'valid_until', 'blocked')
        read_only_fields = (
            'id', 'order', 'positionid', 'item', 'variation', 'price', 'voucher', 'tax_rate', 'tax_value', 'secret',
            'addon_to', 'subevent', 'checkins', 'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data',
-            'seat', 'canceled'
+            'seat', 'canceled', 'discount', 'valid_from', 'valid_until', 'blocked'
        )

    def __init__(self, *args, **kwargs):
@@ -438,7 +467,7 @@ class OrderPositionSerializer(I18nAwareModelSerializer):

 class RequireAttentionField(serializers.Field):
    def to_representation(self, instance: OrderPosition):
-        return instance.order.checkin_attention or instance.item.checkin_attention
+        return instance.require_checkin_attention


 class AttendeeNameField(serializers.Field):
@@ -483,7 +512,7 @@ class CheckinListOrderPositionSerializer(OrderPositionSerializer):
                  'company', 'street', 'zipcode', 'city', 'country', 'state',
                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'require_attention',
-                  'order__status')
+                  'order__status', 'valid_from', 'valid_until', 'blocked')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -553,12 +582,22 @@ class OrderPaymentSerializer(I18nAwareModelSerializer):
                  'details')


+class RefundDetailsField(serializers.Field):
+    def to_representation(self, value: OrderRefund):
+        pp = value.payment_provider
+        if not pp:
+            return {}
+        return pp.api_refund_details(value)
+
+
 class OrderRefundSerializer(I18nAwareModelSerializer):
    payment = SlugRelatedField(slug_field='local_id', read_only=True)
+    details = RefundDetailsField(source='*', allow_null=True, read_only=True)

    class Meta:
        model = OrderRefund
-        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'comment', 'provider')
+        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'comment', 'provider',
+                  'details')


 class OrderURLField(serializers.URLField):
@@ -587,7 +626,7 @@ class OrderSerializer(I18nAwareModelSerializer):
            'code', 'status', 'testmode', 'secret', 'email', 'phone', 'locale', 'datetime', 'expires', 'payment_date',
            'payment_provider', 'fees', 'total', 'comment', 'custom_followup_at', 'invoice_address', 'positions', 'downloads',
            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel',
-            'url', 'customer'
+            'url', 'customer', 'valid_if_pending'
        )
        read_only_fields = (
            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
@@ -600,6 +639,32 @@ class OrderSerializer(I18nAwareModelSerializer):
        if not self.context['pdf_data']:
            self.fields['positions'].child.fields.pop('pdf_data', None)

+        includes = set(self.context['include'])
+        if includes:
+            for fname, field in list(self.fields.items()):
+                if fname in includes:
+                    continue
+                elif hasattr(field, 'child'):  # Nested list serializers
+                    found_any = False
+                    for childfname, childfield in list(field.child.fields.items()):
+                        if f'{fname}.{childfname}' not in includes:
+                            field.child.fields.pop(childfname)
+                        else:
+                            found_any = True
+                    if not found_any:
+                        self.fields.pop(fname)
+                elif isinstance(field, serializers.Serializer):  # Nested serializers
+                    found_any = False
+                    for childfname, childfield in list(field.fields.items()):
+                        if f'{fname}.{childfname}' not in includes:
+                            field.fields.pop(childfname)
+                        else:
+                            found_any = True
+                    if not found_any:
+                        self.fields.pop(fname)
+                else:
+                    self.fields.pop(fname)
+
        for exclude_field in self.context['exclude']:
            p = exclude_field.split('.')
            if p[0] in self.fields:
@@ -616,7 +681,8 @@ class OrderSerializer(I18nAwareModelSerializer):
    def update(self, instance, validated_data):
        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
-        update_fields = ['comment', 'custom_followup_at', 'checkin_attention', 'email', 'locale', 'phone']
+        update_fields = ['comment', 'custom_followup_at', 'checkin_attention', 'email', 'locale', 'phone',
+                         'valid_if_pending']

        if 'invoice_address' in validated_data:
            iadata = validated_data.pop('invoice_address')
@@ -713,16 +779,18 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
    attendee_name = serializers.CharField(required=False, allow_null=True)
    seat = serializers.CharField(required=False, allow_null=True)
    price = serializers.DecimalField(required=False, allow_null=True, decimal_places=2,
-                                     max_digits=10)
+                                     max_digits=13)
    voucher = serializers.SlugRelatedField(slug_field='code', queryset=Voucher.objects.none(),
                                           required=False, allow_null=True)
    country = CompatibleCountryField(source='*')
+    requested_valid_from = serializers.DateTimeField(required=False, allow_null=True)

    class Meta:
        model = OrderPosition
        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'company', 'street', 'zipcode', 'city', 'country', 'state',
-                  'secret', 'addon_to', 'subevent', 'answers', 'seat', 'voucher')
+                  'company', 'street', 'zipcode', 'city', 'country', 'state', 'is_bundled',
+                  'secret', 'addon_to', 'subevent', 'answers', 'seat', 'voucher', 'valid_from', 'valid_until',
+                  'requested_valid_from')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -784,6 +852,10 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
            )
+
+        if data.get('attendee_name_parts') and not isinstance(data.get('attendee_name_parts'), dict):
+            raise ValidationError({'attendee_name_parts': ['Invalid data type']})
+
        if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
            data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme

@@ -876,7 +948,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
        model = Order
        fields = ('code', 'status', 'testmode', 'email', 'phone', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts',
-                  'force', 'send_email', 'simulate', 'customer', 'custom_followup_at', 'require_approval')
+                  'force', 'send_email', 'simulate', 'customer', 'custom_followup_at', 'require_approval',
+                  'valid_if_pending')

    def validate_payment_provider(self, pp):
        if pp is None:
@@ -1086,6 +1159,10 @@ class OrderCreateSerializer(I18nAwareModelSerializer):

                seated = pos_data.get('item').seat_category_mappings.filter(subevent=pos_data.get('subevent')).exists()
                if pos_data.get('seat'):
+                    if pos_data.get('addon_to'):
+                        errs[i]['seat'] = ['Seats are currently not supported for add-on products.']
+                        continue
+
                    if not seated:
                        errs[i]['seat'] = ['The specified product does not allow to choose a seat.']
                    try:
@@ -1100,6 +1177,20 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                elif seated:
                    errs[i]['seat'] = ['The specified product requires to choose a seat.']

+                requested_valid_from = pos_data.pop('requested_valid_from', None)
+                if 'valid_from' not in pos_data and 'valid_until' not in pos_data:
+                    valid_from, valid_until = pos_data['item'].compute_validity(
+                        requested_start=(
+                            max(requested_valid_from, now())
+                            if requested_valid_from and pos_data['item'].validity_dynamic_start_choice
+                            else now()
+                        ),
+                        enforce_start_limit=True,
+                        override_tz=self.context['event'].timezone,
+                    )
+                    pos_data['valid_from'] = valid_from
+                    pos_data['valid_until'] = valid_until
+
            if not force:
                for i, pos_data in enumerate(positions_data):
                    if pos_data.get('voucher'):
@@ -1281,6 +1372,9 @@ class OrderCreateSerializer(I18nAwareModelSerializer):

            if not simulate:
                for cp in delete_cps:
+                    if cp.addon_to_id:
+                        continue
+                    cp.addons.all().delete()
                    cp.delete()

        order.total = sum([p.price for p in pos_map.values()])
@@ -1412,9 +1506,9 @@ class InvoiceSerializer(I18nAwareModelSerializer):
                  'invoice_to', 'invoice_to_company', 'invoice_to_name', 'invoice_to_street', 'invoice_to_zipcode',
                  'invoice_to_city', 'invoice_to_state', 'invoice_to_country', 'invoice_to_vat_id', 'invoice_to_beneficiary',
                  'custom_field', 'date', 'refers', 'locale',
-                  'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines',
-                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date',
-                  'internal_reference')
+                  'introductory_text', 'additional_text', 'payment_provider_text', 'payment_provider_stamp',
+                  'footer_text', 'lines', 'foreign_currency_display', 'foreign_currency_rate',
+                  'foreign_currency_rate_date', 'internal_reference')


 class OrderPaymentCreateSerializer(I18nAwareModelSerializer):
@@ -1460,3 +1554,10 @@ class RevokedTicketSecretSerializer(I18nAwareModelSerializer):
    class Meta:
        model = RevokedTicketSecret
        fields = ('id', 'secret', 'created')
+
+
+class BlockedTicketSecretSerializer(I18nAwareModelSerializer):
+
+    class Meta:
+        model = BlockedTicketSecret
+        fields = ('id', 'secret', 'updated', 'blocked')
--- a/src/pretix/api/serializers/orderchange.py
+++ b/src/pretix/api/serializers/orderchange.py
@@ -24,6 +24,7 @@ import os

 import pycountry
 from django.core.files import File
+from django.core.validators import RegexValidator
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError

@@ -46,14 +47,14 @@ class OrderPositionCreateForExistingOrderSerializer(OrderPositionCreateSerialize
    attendee_name = serializers.CharField(required=False, allow_null=True)
    seat = serializers.CharField(required=False, allow_null=True)
    price = serializers.DecimalField(required=False, allow_null=True, decimal_places=2,
-                                     max_digits=10)
+                                     max_digits=13)
    country = CompatibleCountryField(source='*')

    class Meta:
        model = OrderPosition
        fields = ('order', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
                  'company', 'street', 'zipcode', 'city', 'country', 'state',
-                  'secret', 'addon_to', 'subevent', 'answers', 'seat')
+                  'secret', 'addon_to', 'subevent', 'answers', 'seat', 'valid_from', 'valid_until')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -89,6 +90,8 @@ class OrderPositionCreateForExistingOrderSerializer(OrderPositionCreateSerialize
                addon_to=validated_data.get('addon_to'),
                subevent=validated_data.get('subevent'),
                seat=validated_data.get('seat'),
+                valid_from=validated_data.get('valid_from'),
+                valid_until=validated_data.get('valid_until'),
            )
            if self.context.get('commit', True):
                ocm.commit()
@@ -158,12 +161,14 @@ class OrderPositionInfoPatchSerializer(serializers.ModelSerializer):
                a.question_id: a for a in instance.answers.all()
            }
            for answ_data in answers_data:
+                if not answ_data.get('answer'):
+                    continue
                options = answ_data.pop('options', [])
                if answ_data['question'].pk in qs_seen:
                    raise ValidationError(f'Question {answ_data["question"]} was sent twice.')
                if answ_data['question'].pk in answercache:
                    a = answercache[answ_data['question'].pk]
-                    if isinstance(answ_data['answer'], File):
+                    if isinstance(answ_data.get('answer'), File):
                        a.file.save(answ_data['answer'].name, answ_data['answer'], save=False)
                        a.answer = 'file://' + a.file.name
                    elif a.answer.startswith('file://') and answ_data['answer'] == "file:keep":
@@ -173,7 +178,7 @@ class OrderPositionInfoPatchSerializer(serializers.ModelSerializer):
                            setattr(a, attr, value)
                    a.save()
                else:
-                    if isinstance(answ_data['answer'], File):
+                    if isinstance(answ_data.get('answer'), File):
                        an = answ_data.pop('answer')
                        a = instance.answers.create(**answ_data, answer='')
                        a.file.save(os.path.basename(an.name), an, save=False)
@@ -196,7 +201,7 @@ class OrderPositionChangeSerializer(serializers.ModelSerializer):
    class Meta:
        model = OrderPosition
        fields = (
-            'item', 'variation', 'subevent', 'seat', 'price', 'tax_rule',
+            'item', 'variation', 'subevent', 'seat', 'price', 'tax_rule', 'valid_from', 'valid_until'
        )

    def __init__(self, *args, **kwargs):
@@ -262,6 +267,8 @@ class OrderPositionChangeSerializer(serializers.ModelSerializer):
        price = validated_data.get('price', instance.price)
        seat = validated_data.get('seat', current_seat)
        tax_rule = validated_data.get('tax_rule', instance.tax_rule)
+        valid_from = validated_data.get('valid_from', instance.valid_from)
+        valid_until = validated_data.get('valid_until', instance.valid_until)

        change_item = None
        if item != instance.item or variation != instance.variation:
@@ -288,6 +295,12 @@ class OrderPositionChangeSerializer(serializers.ModelSerializer):
            if tax_rule != instance.tax_rule:
                ocm.change_tax_rule(instance, tax_rule)

+            if valid_from != instance.valid_from:
+                ocm.change_valid_from(instance, valid_from)
+
+            if valid_until != instance.valid_until:
+                ocm.change_valid_until(instance, valid_until)
+
            if self.context.get('commit', True):
                ocm.commit()
                instance.refresh_from_db()
@@ -421,3 +434,7 @@ class OrderChangeOperationSerializer(serializers.Serializer):
            seen_positions.add(d['fee'])

        return data
+
+
+class BlockNameSerializer(serializers.Serializer):
+    name = serializers.CharField(validators=[RegexValidator('^(admin|api:[a-zA-Z0-9._]+)$')])
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -41,15 +41,21 @@ from pretix.base.models import (
 from pretix.base.models.seating import SeatingPlanLayoutValidator
 from pretix.base.services.mail import SendMailException, mail
 from pretix.base.settings import validate_organizer_settings
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import build_absolute_uri as build_global_uri
+from pretix.multidomain.urlreverse import build_absolute_uri

 logger = logging.getLogger(__name__)


 class OrganizerSerializer(I18nAwareModelSerializer):
+    public_url = serializers.SerializerMethodField('get_organizer_url', read_only=True)
+
+    def get_organizer_url(self, organizer):
+        return build_absolute_uri(organizer, 'presale:organizer.index')
+
    class Meta:
        model = Organizer
-        fields = ('name', 'slug')
+        fields = ('name', 'slug', 'public_url')


 class SeatingPlanSerializer(I18nAwareModelSerializer):
@@ -79,6 +85,13 @@ class CustomerSerializer(I18nAwareModelSerializer):
            validated_data['external_identifier'] = instance.external_identifier
        return super().update(instance, validated_data)

+    def validate(self, data):
+        if data.get('name_parts') and not isinstance(data.get('name_parts'), dict):
+            raise ValidationError({'name_parts': ['Invalid data type']})
+        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
+            data['name_parts']['_scheme'] = self.context['request'].organizer.settings.name_scheme
+        return data
+

 class CustomerCreateSerializer(CustomerSerializer):
    send_email = serializers.BooleanField(default=False, required=False, allow_null=True)
@@ -115,7 +128,7 @@ class MembershipSerializer(I18nAwareModelSerializer):


 class GiftCardSerializer(I18nAwareModelSerializer):
-    value = serializers.DecimalField(max_digits=10, decimal_places=2, min_value=Decimal('0.00'))
+    value = serializers.DecimalField(max_digits=13, decimal_places=2, min_value=Decimal('0.00'))

    def validate(self, data):
        data = super().validate(data)
@@ -220,7 +233,7 @@ class TeamInviteSerializer(serializers.ModelSerializer):
                    'user': self,
                    'organizer': self.context['organizer'].name,
                    'team': instance.team.name,
-                    'url': build_absolute_uri('control:auth.invite', kwargs={
+                    'url': build_global_uri('control:auth.invite', kwargs={
                        'token': instance.token
                    })
                },
--- a/src/pretix/api/serializers/voucher.py
+++ b/src/pretix/api/serializers/voucher.py
@@ -61,7 +61,7 @@ class VoucherSerializer(I18nAwareModelSerializer):

    class Meta:
        model = Voucher
-        fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
+        fields = ('id', 'code', 'max_usages', 'redeemed', 'min_usages', 'valid_until', 'block_quota',
                  'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
                  'tag', 'comment', 'subevent', 'show_hidden_items', 'seat')
        read_only_fields = ('id', 'redeemed')
--- a/src/pretix/api/serializers/webhooks.py
+++ b/src/pretix/api/serializers/webhooks.py
@@ -55,7 +55,7 @@ class WebHookSerializer(I18nAwareModelSerializer):

    class Meta:
        model = WebHook
-        fields = ('id', 'enabled', 'target_url', 'all_events', 'limit_events', 'action_types')
+        fields = ('id', 'enabled', 'target_url', 'all_events', 'limit_events', 'action_types', 'comment')

    def validate(self, data):
        data = super().validate(data)
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -35,7 +35,8 @@
 import importlib

 from django.apps import apps
-from django.conf.urls import include, re_path
+from django.conf.urls import re_path
+from django.urls import include
 from rest_framework import routers

 from pretix.api.views import cart
@@ -80,6 +81,7 @@ event_router.register(r'orders', order.OrderViewSet)
 event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')
+event_router.register(r'blockedsecrets', order.BlockedSecretViewSet, basename='blockedsecrets')
 event_router.register(r'taxrules', event.TaxRuleViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
 event_router.register(r'checkinlists', checkin.CheckinListViewSet)
--- a/src/pretix/api/views/init.py
+++ b/src/pretix/api/views/init.py
@@ -24,10 +24,11 @@ from calendar import timegm
 from django.db.models import Max
 from django.http import HttpResponse
 from django.utils.http import http_date, parse_http_date_safe
-from rest_framework.filters import OrderingFilter
+
+from pretix.api.pagination import TotalOrderingFilter


-class RichOrderingFilter(OrderingFilter):
+class RichOrderingFilter(TotalOrderingFilter):

    def filter_queryset(self, request, queryset, view):
        ordering = self.get_ordering(request, queryset, view)
--- a/src/pretix/api/views/cart.py
+++ b/src/pretix/api/views/cart.py
@@ -19,26 +19,35 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+from collections import Counter
+from typing import List
+
 from django.db import transaction
+from django.utils.crypto import get_random_string
+from django.utils.functional import cached_property
+from django.utils.translation import gettext as _
 from rest_framework import status, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.filters import OrderingFilter
 from rest_framework.mixins import CreateModelMixin, DestroyModelMixin
 from rest_framework.response import Response
-from rest_framework.settings import api_settings
+from rest_framework.serializers import as_serializer_error

+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.cart import (
    CartPositionCreateSerializer, CartPositionSerializer,
 )
 from pretix.base.models import CartPosition
+from pretix.base.services.cart import (
+    _get_quota_availability, _get_voucher_availability, error_messages,
+)
 from pretix.base.services.locking import NoLockManager


 class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
    serializer_class = CartPositionSerializer
    queryset = CartPosition.objects.none()
-    filter_backends = (OrderingFilter,)
+    filter_backends = (TotalOrderingFilter,)
    ordering = ('datetime',)
    ordering_fields = ('datetime', 'cart_id')
    lookup_field = 'id'
@@ -54,18 +63,17 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
-        ctx['quota_cache'] = {}
+        ctx['quotas_for_item_cache'] = {}
+        ctx['quotas_for_variation_cache'] = {}
        return ctx

    def create(self, request, *args, **kwargs):
-        serializer = CartPositionCreateSerializer(data=request.data, context=self.get_serializer_context())
+        ctx = self.get_serializer_context()
+        serializer = CartPositionCreateSerializer(data=request.data, context=ctx)
        serializer.is_valid(raise_exception=True)
-        with transaction.atomic(), self.request.event.lock():
-            self.perform_create(serializer)
-        cp = serializer.instance
-        serializer = CartPositionSerializer(cp, context=serializer.context)
+        results = self._create(serializers=[serializer], raise_exception=True, ctx=ctx)
        headers = self.get_success_headers(serializer.data)
-        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
+        return Response(results[0]['data'], status=status.HTTP_201_CREATED, headers=headers)

    @action(detail=False, methods=['POST'])
    def bulk_create(self, request, *args, **kwargs):
@@ -73,42 +81,163 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
            return Response({"error": "Please supply a list"}, status=status.HTTP_400_BAD_REQUEST)

        ctx = self.get_serializer_context()
-        with transaction.atomic():
-            serializers = [
-                CartPositionCreateSerializer(data=d, context=ctx)
-                for d in request.data
-            ]
-
-            lockfn = self.request.event.lock
-            if not any(s.is_valid(raise_exception=False) for s in serializers):
-                lockfn = NoLockManager
-
-            results = []
-            with lockfn():
-                for s in serializers:
-                    if s.is_valid(raise_exception=False):
-                        try:
-                            cp = s.save()
-                        except ValidationError as e:
-                            results.append({
-                                'success': False,
-                                'data': None,
-                                'errors': {api_settings.NON_FIELD_ERRORS_KEY: e.detail},
-                            })
-                        else:
-                            results.append({
-                                'success': True,
-                                'data': CartPositionSerializer(cp, context=ctx).data,
-                                'errors': None,
-                            })
-                    else:
-                        results.append({
-                            'success': False,
-                            'data': None,
-                            'errors': s.errors,
-                        })
+        serializers = [
+            CartPositionCreateSerializer(data=d, context=ctx)
+            for d in request.data
+        ]

+        results = self._create(serializers=serializers, raise_exception=False, ctx=ctx)
        return Response({'results': results}, status=status.HTTP_200_OK)

    def perform_create(self, serializer):
-        serializer.save()
+        raise NotImplementedError()
+
+    @transaction.atomic()
+    def perform_destroy(self, instance):
+        instance.addons.all().delete()
+        instance.delete()
+
+    def _require_locking(self, quota_diff, voucher_use_diff, seat_diff):
+        if voucher_use_diff or seat_diff:
+            # If any vouchers or seats are used, we lock to make sure we don't redeem them to often
+            return True
+
+        if quota_diff and any(q.size is not None for q in quota_diff):
+            # If any quotas are affected that are not unlimited, we lock
+            return True
+
+        return False
+
+    @cached_property
+    def _create_default_cart_id(self):
+        cid = "{}@api".format(get_random_string(48))
+        while CartPosition.objects.filter(cart_id=cid).exists():
+            cid = "{}@api".format(get_random_string(48))
+        return cid
+
+    def _create(self, serializers: List[CartPositionCreateSerializer], ctx, raise_exception=False):
+        voucher_use_diff = Counter()
+        quota_diff = Counter()
+        seat_diff = Counter()
+        results = [{} for pserializer in serializers]
+
+        for i, pserializer in enumerate(serializers):
+            if not pserializer.is_valid(raise_exception=raise_exception):
+                results[i] = {
+                    'success': False,
+                    'data': None,
+                    'errors': pserializer.errors,
+                }
+
+        for pserializer in serializers:
+            if pserializer.errors:
+                continue
+
+            validated_data = pserializer.validated_data
+            if not validated_data.get('cart_id'):
+                validated_data['cart_id'] = self._create_default_cart_id
+
+            if validated_data.get('voucher'):
+                voucher_use_diff[validated_data['voucher']] += 1
+
+            if validated_data.get('seat'):
+                seat_diff[validated_data['seat']] += 1
+
+            for q in validated_data['_quotas']:
+                quota_diff[q] += 1
+            for sub_data in validated_data.get('addons', []) + validated_data.get('bundled', []):
+                for q in sub_data['_quotas']:
+                    quota_diff[q] += 1
+
+        seats_seen = set()
+
+        lockfn = NoLockManager
+        if self._require_locking(quota_diff, voucher_use_diff, seat_diff):
+            lockfn = self.request.event.lock
+
+        with lockfn() as now_dt, transaction.atomic():
+            vouchers_ok, vouchers_depend_on_cart = _get_voucher_availability(
+                self.request.event,
+                voucher_use_diff,
+                now_dt,
+                exclude_position_ids=[],
+            )
+            quotas_ok = _get_quota_availability(quota_diff, now_dt)
+
+            for i, pserializer in enumerate(serializers):
+                if results[i]:
+                    continue
+
+                try:
+                    validated_data = pserializer.validated_data
+
+                    if validated_data.get('seat'):
+                        # Assumption: Add-ons currently can't have seats
+                        if validated_data['seat'] in seats_seen:
+                            raise ValidationError(error_messages['seat_multiple'])
+                        seats_seen.add(validated_data['seat'])
+
+                    quotas_needed = Counter()
+                    for q in validated_data['_quotas']:
+                        quotas_needed[q] += 1
+                    for sub_data in validated_data.get('addons', []) + validated_data.get('bundled', []):
+                        for q in sub_data['_quotas']:
+                            quotas_needed[q] += 1
+
+                    for q, needed in quotas_needed.items():
+                        if quotas_ok[q] < needed:
+                            raise ValidationError(
+                                _('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                    q.name
+                                )
+                            )
+
+                    if validated_data.get('voucher'):
+                        # Assumption: Add-ons currently can't have vouchers, thus we only need to check the main voucher
+                        if vouchers_ok[validated_data['voucher']] < 1:
+                            raise ValidationError(
+                                {'voucher': [_('The specified voucher has already been used the maximum number of times.')]}
+                            )
+
+                    if validated_data.get('seat'):
+                        # Assumption: Add-ons currently can't have seats, thus we only need to check the main product
+                        if not validated_data['seat'].is_available(
+                            sales_channel=validated_data.get('sales_channel', 'web'),
+                            distance_ignore_cart_id=validated_data['cart_id'],
+                            ignore_voucher_id=validated_data['voucher'].pk if validated_data.get('voucher') else None,
+                        ):
+                            raise ValidationError(
+                                {'seat': [_('The selected seat "{seat}" is not available.').format(seat=validated_data['seat'].name)]}
+                            )
+
+                    for q, needed in quotas_needed.items():
+                        quotas_ok[q] -= needed
+                    if validated_data.get('voucher'):
+                        vouchers_ok[validated_data['voucher']] -= 1
+
+                    if any(qa < 0 for qa in quotas_ok.values()):
+                        # Safeguard, should never happen because of conditions above
+                        raise ValidationError(error_messages['unavailable'])
+
+                    cp = pserializer.create(validated_data)
+
+                    d = CartPositionSerializer(cp, context=ctx).data
+                    addons = sorted(cp.addons.all(), key=lambda a: a.pk)  # order of creation, safe since they are created in the same transaction
+                    d['addons'] = CartPositionSerializer([a for a in addons if not a.is_bundled], many=True, context=ctx).data
+                    d['bundled'] = CartPositionSerializer([a for a in addons if a.is_bundled], many=True, context=ctx).data
+
+                    results[i] = {
+                        'success': True,
+                        'data': d,
+                        'errors': None,
+                    }
+                except ValidationError as e:
+                    if raise_exception:
+                        raise
+                    results[i] = {
+                        'success': False,
+                        'data': None,
+                        'errors': as_serializer_error(e),
+                    }
+
+        return results
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -93,8 +93,10 @@ with scopes_disabled():
 class CheckinListViewSet(viewsets.ModelViewSet):
    serializer_class = CheckinListSerializer
    queryset = CheckinList.objects.none()
-    filter_backends = (DjangoFilterBackend,)
+    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
    filterset_class = CheckinListFilter
+    ordering = ('subevent__date_from', 'name', 'id')
+    ordering_fields = ('subevent__date_from', 'id', 'name',)

    def _get_permission_name(self, request):
        if request.path.endswith('/failed_checkins/'):
@@ -271,7 +273,13 @@ with scopes_disabled():
        def check_rules_qs(self, queryset, name, value):
            if not self.checkinlist.rules:
                return queryset
-            return queryset.filter(SQLLogic(self.checkinlist).apply(self.checkinlist.rules))
+            return queryset.filter(
+                SQLLogic(self.checkinlist).apply(self.checkinlist.rules)
+            ).filter(
+                Q(valid_from__isnull=True) | Q(valid_from__lte=now()),
+                Q(valid_until__isnull=True) | Q(valid_until__gte=now()),
+                blocked__isnull=True,
+            )


 def _handle_file_upload(data, user, auth):
@@ -323,7 +331,13 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr
        if checkinlist.subevent:
            list_q &= Q(subevent=checkinlist.subevent)
        if not ignore_status:
-            list_q &= Q(order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING] if checkinlist.include_pending else [Order.STATUS_PAID])
+            if checkinlist.include_pending:
+                list_q &= Q(order__status__in=[Order.STATUS_PAID, Order.STATUS_PENDING])
+            else:
+                list_q &= Q(
+                    Q(order__status=Order.STATUS_PAID) |
+                    Q(order__status=Order.STATUS_PENDING, order__valid_if_pending=True)
+                )
        if not checkinlist.all_products and not ignore_products:
            list_q &= Q(item__in=checkinlist.limit_products.values_list('id', flat=True))
        lists_qs.append(list_q)
@@ -580,7 +594,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                'status': 'error',
                'reason': Checkin.REASON_AMBIGUOUS,
                'reason_explanation': None,
-                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'require_attention': op.require_checkin_attention,
                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
            }, status=400)
@@ -625,7 +639,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
        except RequiredQuestionsError as e:
            return Response({
                'status': 'incomplete',
-                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'require_attention': op.require_checkin_attention,
                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
                'questions': [
                    QuestionSerializer(q).data for q in e.questions
@@ -654,14 +668,14 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                'status': 'error',
                'reason': e.code,
                'reason_explanation': e.reason,
-                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'require_attention': op.require_checkin_attention,
                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
            }, status=400)
        else:
            return Response({
                'status': 'ok',
-                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'require_attention': op.require_checkin_attention,
                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
            }, status=201)
@@ -682,7 +696,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
    serializer_class = CheckinListOrderPositionSerializer
    queryset = OrderPosition.all.none()
    filter_backends = (ExtendedBackend, RichOrderingFilter)
-    ordering = (F('attendee_name_cached').asc(nulls_last=True), 'positionid')
+    ordering = (F('attendee_name_cached').asc(nulls_last=True), 'pk')
    ordering_fields = (
        'order__code', 'order__datetime', 'positionid', 'attendee_name',
        'last_checked_in', 'order__email',
--- a/src/pretix/api/views/discount.py
+++ b/src/pretix/api/views/discount.py
@@ -36,8 +36,8 @@ from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import viewsets
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.filters import OrderingFilter

+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.discount import DiscountSerializer
 from pretix.api.views import ConditionalListView
 from pretix.base.models import CartPosition, Discount
@@ -52,7 +52,7 @@ with scopes_disabled():
 class DiscountViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = DiscountSerializer
    queryset = Discount.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    filterset_class = DiscountFilter
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -33,16 +33,18 @@
 # License for the specific language governing permissions and limitations under the License.

 import django_filters
+from django.conf import settings
 from django.db import transaction
 from django.db.models import Prefetch, ProtectedError, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
-from rest_framework import filters, serializers, views, viewsets
+from rest_framework import serializers, views, viewsets
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.response import Response

 from pretix.api.auth.permission import EventCRUDPermission
+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.event import (
    CloneEventSerializer, DeviceEventSettingsSerializer, EventSerializer,
    EventSettingsSerializer, SubEventSerializer, TaxRuleSerializer,
@@ -70,7 +72,7 @@ with scopes_disabled():

        class Meta:
            model = Event
-            fields = ['is_public', 'live', 'has_subevents']
+            fields = ['is_public', 'live', 'has_subevents', 'testmode']

        def ends_after_qs(self, queryset, name, value):
            expr = (
@@ -126,7 +128,7 @@ class EventViewSet(viewsets.ModelViewSet):
    lookup_url_kwarg = 'event'
    lookup_value_regex = '[^/]+'
    permission_classes = (EventCRUDPermission,)
-    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    ordering = ('slug',)
    ordering_fields = ('date_from', 'slug')
    filterset_class = EventFilter
@@ -241,13 +243,17 @@ class EventViewSet(viewsets.ModelViewSet):
            except Event.DoesNotExist:
                raise ValidationError('Event to copy from was not found')

+        # Ensure that .installed() is only called when we NOT clone
+        plugins = serializer.validated_data.pop('plugins', None)
+        serializer.validated_data['plugins'] = None
+
        new_event = serializer.save(organizer=self.request.organizer)

        if copy_from:
            new_event.copy_data_from(copy_from)

-            if 'plugins' in serializer.validated_data:
-                new_event.set_active_plugins(serializer.validated_data['plugins'])
+            if plugins is not None:
+                new_event.set_active_plugins(plugins)
            if 'is_public' in serializer.validated_data:
                new_event.is_public = serializer.validated_data['is_public']
            if 'testmode' in serializer.validated_data:
@@ -256,12 +262,17 @@ class EventViewSet(viewsets.ModelViewSet):
                new_event.sales_channels = serializer.validated_data['sales_channels']
            if 'has_subevents' in serializer.validated_data:
                new_event.has_subevents = serializer.validated_data['has_subevents']
+            if 'date_admission' in serializer.validated_data:
+                new_event.date_admission = serializer.validated_data['date_admission']
            new_event.save()
            if 'timezone' in serializer.validated_data:
                new_event.settings.timezone = serializer.validated_data['timezone']
        else:
            serializer.instance.set_defaults()

+            new_event.set_active_plugins(plugins if plugins is not None else settings.PRETIX_PLUGINS_DEFAULT.split(','))
+            new_event.save(update_fields=['plugins'])
+
        serializer.instance.log_action(
            'pretix.event.added',
            user=self.request.user,
@@ -322,6 +333,7 @@ with scopes_disabled():
        ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
        modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
        sales_channel = django_filters.rest_framework.CharFilter(method='sales_channel_qs')
+        search = django_filters.rest_framework.CharFilter(method='search_qs')

        class Meta:
            model = SubEvent
@@ -357,12 +369,18 @@ with scopes_disabled():
        def sales_channel_qs(self, queryset, name, value):
            return queryset.filter(event__sales_channels__contains=value)

+        def search_qs(self, queryset, name, value):
+            return queryset.filter(
+                Q(name__icontains=i18ncomp(value))
+                | Q(location__icontains=i18ncomp(value))
+            )
+

 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = SubEventSerializer
    queryset = SubEvent.objects.none()
    write_permission = 'can_change_event_settings'
-    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    filterset_class = SubEventFilter
    ordering = ('date_from',)
    ordering_fields = ('id', 'date_from', 'last_modified')
--- a/src/pretix/api/views/exporters.py
+++ b/src/pretix/api/views/exporters.py
@@ -35,7 +35,8 @@ from rest_framework.reverse import reverse
 from pretix.api.serializers.exporters import (
    ExporterSerializer, JobRunSerializer,
 )
-from pretix.base.models import CachedFile, Device, TeamAPIToken
+from pretix.base.exporter import OrganizerLevelExportMixin
+from pretix.base.models import CachedFile, Device, Event, TeamAPIToken
 from pretix.base.services.export import export, multiexport
 from pretix.base.signals import (
    register_data_exporters, register_multievent_data_exporters,
@@ -155,7 +156,19 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
            organizer=self.request.organizer
        )
        responses = register_multievent_data_exporters.send(self.request.organizer)
-        for ex in sorted([response(events, self.request.organizer) for r, response in responses if response], key=lambda ex: str(ex.verbose_name)):
+        raw_exporters = [
+            response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else events, self.request.organizer)
+            for r, response in responses
+            if response
+        ]
+        raw_exporters = [
+            ex for ex in raw_exporters
+            if (
+                not isinstance(ex, OrganizerLevelExportMixin) or
+                perm_holder.has_organizer_permission(self.request.organizer, ex.organizer_required_permission, self.request)
+            )
+        ]
+        for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)):
            ex._serializer = JobRunSerializer(exporter=ex, events=events)
            exporters.append(ex)
        return exporters
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -41,9 +41,9 @@ from django_scopes import scopes_disabled
 from rest_framework import viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response

+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.item import (
    ItemAddOnSerializer, ItemBundleSerializer, ItemCategorySerializer,
    ItemSerializer, ItemVariationSerializer, QuestionOptionSerializer,
@@ -75,7 +75,7 @@ with scopes_disabled():
 class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = ItemSerializer
    queryset = Item.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
    filterset_class = ItemFilter
@@ -84,7 +84,9 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):

    def get_queryset(self):
        return self.request.event.items.select_related('tax_rule').prefetch_related(
-            'variations', 'addons', 'bundles', 'meta_values'
+            'variations', 'addons', 'bundles', 'meta_values', 'meta_values__property',
+            'variations__meta_values', 'variations__meta_values__property',
+            'require_membership_types', 'variations__require_membership_types',
        ).all()

    def perform_create(self, serializer):
@@ -136,7 +138,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
 class ItemVariationViewSet(viewsets.ModelViewSet):
    serializer_class = ItemVariationSerializer
    queryset = ItemVariation.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('id',)
    permission = None
@@ -147,7 +149,11 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)

    def get_queryset(self):
-        return self.item.variations.all()
+        return self.item.variations.all().prefetch_related(
+            'meta_values',
+            'meta_values__property',
+            'require_membership_types'
+        )

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
@@ -202,7 +208,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
 class ItemBundleViewSet(viewsets.ModelViewSet):
    serializer_class = ItemBundleSerializer
    queryset = ItemBundle.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter,)
    ordering_fields = ('id',)
    ordering = ('id',)
    permission = None
@@ -254,7 +260,7 @@ class ItemBundleViewSet(viewsets.ModelViewSet):
 class ItemAddOnViewSet(viewsets.ModelViewSet):
    serializer_class = ItemAddOnSerializer
    queryset = ItemAddOn.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('id',)
    permission = None
@@ -312,7 +318,7 @@ class ItemCategoryFilter(FilterSet):
 class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = ItemCategorySerializer
    queryset = ItemCategory.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    filterset_class = ItemCategoryFilter
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
@@ -367,7 +373,7 @@ with scopes_disabled():
 class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = QuestionSerializer
    queryset = Question.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    filterset_class = QuestionFilter
    ordering_fields = ('id', 'position')
    ordering = ('position', 'id')
@@ -412,7 +418,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
 class QuestionOptionViewSet(viewsets.ModelViewSet):
    serializer_class = QuestionOptionSerializer
    queryset = QuestionOption.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter,)
    ordering_fields = ('id', 'position')
    ordering = ('position',)
    permission = None
@@ -469,7 +475,7 @@ with scopes_disabled():
 class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = QuotaSerializer
    queryset = Quota.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter,)
    filterset_class = QuotaFilter
    ordering_fields = ('id', 'size')
    ordering = ('id',)
--- a/src/pretix/api/views/oauth.py
+++ b/src/pretix/api/views/oauth.py
@@ -34,6 +34,7 @@ from oauth2_provider.views import (

 from pretix.api.models import OAuthApplication
 from pretix.base.models import Organizer
+from pretix.control.views.user import RecentAuthenticationRequiredMixin

 logger = logging.getLogger(__name__)

@@ -54,7 +55,7 @@ class OAuthAllowForm(AllowForm):
            del self.fields['organizers']


-class AuthorizationView(BaseAuthorizationView):
+class AuthorizationView(RecentAuthenticationRequiredMixin, BaseAuthorizationView):
    template_name = "pretixcontrol/auth/oauth_authorization.html"
    form_class = OAuthAllowForm

@@ -111,6 +112,7 @@ class AuthorizationView(BaseAuthorizationView):
        self.request.user.log_action('pretix.user.oauth.authorized', user=self.request.user, data={
            'application_id': application.pk,
            'application_name': application.name,
+            'organizers': [o.pk for o in form.cleaned_data.get("organizers")] if form.cleaned_data.get("organizers") else []
        })

        return self.redirect(self.success_url, application)
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -43,32 +43,36 @@ from rest_framework.decorators import action
 from rest_framework.exceptions import (
    APIException, NotFound, PermissionDenied, ValidationError,
 )
-from rest_framework.filters import OrderingFilter
 from rest_framework.mixins import CreateModelMixin
 from rest_framework.response import Response

 from pretix.api.models import OAuthAccessToken
+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.order import (
-    InvoiceSerializer, OrderCreateSerializer, OrderPaymentCreateSerializer,
-    OrderPaymentSerializer, OrderPositionSerializer,
-    OrderRefundCreateSerializer, OrderRefundSerializer, OrderSerializer,
-    PriceCalcSerializer, RevokedTicketSecretSerializer,
-    SimulatedOrderSerializer,
+    BlockedTicketSecretSerializer, InvoiceSerializer, OrderCreateSerializer,
+    OrderPaymentCreateSerializer, OrderPaymentSerializer,
+    OrderPositionSerializer, OrderRefundCreateSerializer,
+    OrderRefundSerializer, OrderSerializer, PriceCalcSerializer,
+    RevokedTicketSecretSerializer, SimulatedOrderSerializer,
 )
 from pretix.api.serializers.orderchange import (
-    OrderChangeOperationSerializer, OrderFeeChangeSerializer,
-    OrderPositionChangeSerializer,
+    BlockNameSerializer, OrderChangeOperationSerializer,
+    OrderFeeChangeSerializer, OrderPositionChangeSerializer,
    OrderPositionCreateForExistingOrderSerializer,
    OrderPositionInfoPatchSerializer,
 )
+from pretix.api.views import RichOrderingFilter
 from pretix.base.i18n import language
 from pretix.base.models import (
    CachedCombinedTicket, CachedTicket, Checkin, Device, EventMetaValue,
-    Invoice, InvoiceAddress, ItemMetaValue, Order, OrderFee, OrderPayment,
-    OrderPosition, OrderRefund, Quota, SubEvent, SubEventMetaValue, TaxRule,
-    TeamAPIToken, generate_secret,
+    Invoice, InvoiceAddress, ItemMetaValue, ItemVariation,
+    ItemVariationMetaValue, Order, OrderFee, OrderPayment, OrderPosition,
+    OrderRefund, Quota, SubEvent, SubEventMetaValue, TaxRule, TeamAPIToken,
+    generate_secret,
+)
+from pretix.base.models.orders import (
+    BlockedTicketSecret, QuestionAnswer, RevokedTicketSecret,
 )
-from pretix.base.models.orders import QuestionAnswer, RevokedTicketSecret
 from pretix.base.payment import PaymentException
 from pretix.base.pdf import get_images
 from pretix.base.secrets import assign_ticket_secret
@@ -101,9 +105,9 @@ with scopes_disabled():
        subevent_after = django_filters.IsoDateTimeFilter(method='subevent_after_qs')
        subevent_before = django_filters.IsoDateTimeFilter(method='subevent_before_qs')
        search = django_filters.CharFilter(method='search_qs')
-        item = django_filters.CharFilter(field_name='all_positions', lookup_expr='item_id')
-        variation = django_filters.CharFilter(field_name='all_positions', lookup_expr='variation_id')
-        subevent = django_filters.CharFilter(field_name='all_positions', lookup_expr='subevent_id')
+        item = django_filters.CharFilter(field_name='all_positions', lookup_expr='item_id', distinct=True)
+        variation = django_filters.CharFilter(field_name='all_positions', lookup_expr='variation_id', distinct=True)
+        subevent = django_filters.CharFilter(field_name='all_positions', lookup_expr='subevent_id', distinct=True)

        class Meta:
            model = Order
@@ -177,7 +181,7 @@ with scopes_disabled():
 class OrderViewSet(viewsets.ModelViewSet):
    serializer_class = OrderSerializer
    queryset = Order.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    ordering = ('datetime',)
    ordering_fields = ('datetime', 'code', 'status', 'last_modified')
    filterset_class = OrderFilter
@@ -190,6 +194,7 @@ class OrderViewSet(viewsets.ModelViewSet):
        ctx['event'] = self.request.event
        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false') == 'true'
        ctx['exclude'] = self.request.query_params.getlist('exclude')
+        ctx['include'] = self.request.query_params.getlist('include')
        return ctx

    def get_queryset(self):
@@ -230,7 +235,9 @@ class OrderViewSet(viewsets.ModelViewSet):
                    Prefetch('item', queryset=self.request.event.items.prefetch_related(
                        Prefetch('meta_values', ItemMetaValue.objects.select_related('property'), to_attr='meta_values_cached')
                    )),
-                    'variation',
+                    Prefetch('variation', queryset=ItemVariation.objects.prefetch_related(
+                        Prefetch('meta_values', ItemVariationMetaValue.objects.select_related('property'), to_attr='meta_values_cached')
+                    )),
                    'answers', 'answers__options', 'answers__question',
                    'item__category',
                    'addon_to__answers', 'addon_to__answers__options', 'addon_to__answers__question',
@@ -282,7 +289,7 @@ class OrderViewSet(viewsets.ModelViewSet):
        if order.status in (Order.STATUS_CANCELED, Order.STATUS_EXPIRED):
            raise PermissionDenied("Downloads are not available for canceled or expired orders.")

-        if order.status == Order.STATUS_PENDING and not request.event.settings.ticket_download_pending:
+        if order.status == Order.STATUS_PENDING and not (order.valid_if_pending or request.event.settings.ticket_download_pending):
            raise PermissionDenied("Downloads are not available for pending orders.")

        ct = CachedCombinedTicket.objects.filter(
@@ -679,28 +686,33 @@ class OrderViewSet(viewsets.ModelViewSet):
                )
                if order.require_approval:
                    email_template = request.event.settings.mail_text_order_placed_require_approval
+                    subject_template = request.event.settings.mail_subject_order_placed_require_approval
                    log_entry = 'pretix.event.order.email.order_placed_require_approval'
                    email_attendees = False
                elif free_flow:
                    email_template = request.event.settings.mail_text_order_free
+                    subject_template = request.event.settings.mail_subject_order_free
                    log_entry = 'pretix.event.order.email.order_free'
                    email_attendees = request.event.settings.mail_send_order_free_attendee
                    email_attendees_template = request.event.settings.mail_text_order_free_attendee
+                    subject_attendees_template = request.event.settings.mail_subject_order_free_attendee
                else:
                    email_template = request.event.settings.mail_text_order_placed
+                    subject_template = request.event.settings.mail_subject_order_placed
                    log_entry = 'pretix.event.order.email.order_placed'
                    email_attendees = request.event.settings.mail_send_order_placed_attendee
                    email_attendees_template = request.event.settings.mail_text_order_placed_attendee
+                    subject_attendees_template = request.event.settings.mail_subject_order_placed_attendee

                _order_placed_email(
-                    request.event, order, payment.payment_provider if payment else None, email_template,
-                    log_entry, invoice, payment, is_free=free_flow
+                    request.event, order, email_template, subject_template,
+                    log_entry, invoice, [payment] if payment else [], is_free=free_flow
                )
                if email_attendees:
                    for p in order.positions.all():
                        if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
-                            _order_placed_email_attendee(request.event, order, p, email_attendees_template, log_entry,
-                                                         is_free=free_flow)
+                            _order_placed_email_attendee(request.event, order, p, email_attendees_template, subject_attendees_template,
+                                                         log_entry, is_free=free_flow)

                if not free_flow and order.status == Order.STATUS_PAID and payment:
                    payment._send_paid_mail(invoice, None, '')
@@ -753,6 +765,16 @@ class OrderViewSet(viewsets.ModelViewSet):
                    }
                )

+            if 'valid_if_pending' in self.request.data and serializer.instance.valid_if_pending != self.request.data.get('valid_if_pending'):
+                serializer.instance.log_action(
+                    'pretix.event.order.valid_if_pending',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'new_value': self.request.data.get('valid_if_pending')
+                    }
+                )
+
            if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
                serializer.instance.email_known_to_work = False
                serializer.instance.log_action(
@@ -930,7 +952,7 @@ with scopes_disabled():
 class OrderPositionViewSet(viewsets.ModelViewSet):
    serializer_class = OrderPositionSerializer
    queryset = OrderPosition.all.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
    ordering = ('order__datetime', 'positionid')
    ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
    filterset_class = OrderPositionFilter
@@ -992,7 +1014,11 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                                Prefetch('meta_values', ItemMetaValue.objects.select_related('property'),
                                         to_attr='meta_values_cached')
                            )),
-                            'variation', 'answers', 'answers__options', 'answers__question',
+                            Prefetch('variation', queryset=self.request.event.items.prefetch_related(
+                                Prefetch('meta_values', ItemVariationMetaValue.objects.select_related('property'),
+                                         to_attr='meta_values_cached')
+                            )),
+                            'answers', 'answers__options', 'answers__question',
                            'item__category',
                            Prefetch('subevent', queryset=self.request.event.subevents.prefetch_related(
                                Prefetch('meta_values', to_attr='meta_values_cached',
@@ -1169,7 +1195,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
        if pos.order.status in (Order.STATUS_CANCELED, Order.STATUS_EXPIRED):
            raise PermissionDenied("Downloads are not available for canceled or expired orders.")

-        if pos.order.status == Order.STATUS_PENDING and not request.event.settings.ticket_download_pending:
+        if pos.order.status == Order.STATUS_PENDING and not (pos.order.valid_if_pending or request.event.settings.ticket_download_pending):
            raise PermissionDenied("Downloads are not available for pending orders.")
        if not pos.generate_ticket:
            raise PermissionDenied("Downloads are not enabled for this product.")
@@ -1211,6 +1237,54 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
            raise ValidationError(str(e))
        return self.retrieve(request, [], **kwargs)

+    @action(detail=True, methods=['POST'])
+    def add_block(self, request, **kwargs):
+        serializer = BlockNameSerializer(
+            data=request.data,
+            context=self.get_serializer_context(),
+        )
+        serializer.is_valid(raise_exception=True)
+        instance = self.get_object()
+        try:
+            ocm = OrderChangeManager(
+                instance.order,
+                user=self.request.user if self.request.user.is_authenticated else None,
+                auth=self.request.auth,
+                notify=False,
+                reissue_invoice=False,
+            )
+            ocm.add_block(instance, serializer.validated_data['name'])
+            ocm.commit()
+        except OrderError as e:
+            raise ValidationError(str(e))
+        except Quota.QuotaExceededException as e:
+            raise ValidationError(str(e))
+        return self.retrieve(request, [], **kwargs)
+
+    @action(detail=True, methods=['POST'])
+    def remove_block(self, request, **kwargs):
+        serializer = BlockNameSerializer(
+            data=request.data,
+            context=self.get_serializer_context(),
+        )
+        serializer.is_valid(raise_exception=True)
+        instance = self.get_object()
+        try:
+            ocm = OrderChangeManager(
+                instance.order,
+                user=self.request.user if self.request.user.is_authenticated else None,
+                auth=self.request.auth,
+                notify=False,
+                reissue_invoice=False,
+            )
+            ocm.remove_block(instance, serializer.validated_data['name'])
+            ocm.commit()
+        except OrderError as e:
+            raise ValidationError(str(e))
+        except Quota.QuotaExceededException as e:
+            raise ValidationError(str(e))
+        return self.retrieve(request, [], **kwargs)
+
    def perform_destroy(self, instance):
        try:
            ocm = OrderChangeManager(
@@ -1433,7 +1507,7 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
    @action(detail=True, methods=['POST'])
    def refund(self, request, **kwargs):
        payment = self.get_object()
-        amount = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
+        amount = serializers.DecimalField(max_digits=13, decimal_places=2).to_internal_value(
            request.data.get('amount', str(payment.amount))
        )
        if 'mark_refunded' in request.data:
@@ -1465,21 +1539,27 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            source=OrderRefund.REFUND_SOURCE_ADMIN,
            state=OrderRefund.REFUND_STATE_CREATED,
            amount=amount,
-            provider=payment.provider
+            provider=payment.provider,
+            info='{}',
        )
+        payment.order.log_action('pretix.event.order.refund.created', {
+            'local_id': r.local_id,
+            'provider': r.provider,
+        }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)

        try:
            r.payment_provider.execute_refund(r)
        except PaymentException as e:
            r.state = OrderRefund.REFUND_STATE_FAILED
            r.save()
+            payment.order.log_action('pretix.event.order.refund.failed', {
+                'local_id': r.local_id,
+                'provider': r.provider,
+                'error': str(e)
+            })
            return Response({'detail': 'External error: {}'.format(str(e))},
                            status=status.HTTP_400_BAD_REQUEST)
        else:
-            payment.order.log_action('pretix.event.order.refund.created', {
-                'local_id': r.local_id,
-                'provider': r.provider,
-            }, user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
            if payment.order.pending_sum > 0:
                if mark_refunded:
                    mark_order_refunded(payment.order,
@@ -1604,6 +1684,17 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                user=request.user if request.user.is_authenticated else None,
                auth=request.auth
            )
+
+            if r.state in (OrderRefund.REFUND_STATE_DONE, OrderRefund.REFUND_STATE_CANCELED, OrderRefund.REFUND_STATE_FAILED):
+                r.order.log_action(
+                    f'pretix.event.order.refund.{r.state}', {
+                        'local_id': r.local_id,
+                        'provider': r.provider,
+                    },
+                    user=request.user if request.user.is_authenticated else None,
+                    auth=request.auth
+                )
+
            if mark_refunded:
                try:
                    mark_order_refunded(
@@ -1658,7 +1749,7 @@ class RetryException(APIException):
 class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
    serializer_class = InvoiceSerializer
    queryset = Invoice.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    ordering = ('nr',)
    ordering_fields = ('nr', 'date')
    filterset_class = InvoiceFilter
@@ -1751,7 +1842,7 @@ with scopes_disabled():
 class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
    serializer_class = RevokedTicketSecretSerializer
    queryset = RevokedTicketSecret.objects.none()
-    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
    ordering = ('-created',)
    ordering_fields = ('created', 'secret')
    filterset_class = RevokedSecretFilter
@@ -1760,3 +1851,25 @@ class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):

    def get_queryset(self):
        return RevokedTicketSecret.objects.filter(event=self.request.event)
+
+
+with scopes_disabled():
+    class BlockedSecretFilter(FilterSet):
+        updated_since = django_filters.IsoDateTimeFilter(field_name='updated', lookup_expr='gte')
+
+        class Meta:
+            model = BlockedTicketSecret
+            fields = ['blocked']
+
+
+class BlockedSecretViewSet(viewsets.ReadOnlyModelViewSet):
+    serializer_class = BlockedTicketSecretSerializer
+    queryset = BlockedTicketSecret.objects.none()
+    filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
+    ordering = ('-updated', '-pk')
+    filterset_class = BlockedSecretFilter
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+
+    def get_queryset(self):
+        return BlockedTicketSecret.objects.filter(event=self.request.event)
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -28,9 +28,7 @@ from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
-from rest_framework import (
-    filters, mixins, serializers, status, views, viewsets,
-)
+from rest_framework import mixins, serializers, status, views, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import MethodNotAllowed, PermissionDenied
 from rest_framework.mixins import CreateModelMixin, DestroyModelMixin
@@ -38,6 +36,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet

 from pretix.api.models import OAuthAccessToken
+from pretix.api.pagination import TotalOrderingFilter
 from pretix.api.serializers.organizer import (
    CustomerCreateSerializer, CustomerSerializer, DeviceSerializer,
    GiftCardSerializer, GiftCardTransactionSerializer, MembershipSerializer,
@@ -51,6 +50,7 @@ from pretix.base.models import (
    User,
 )
 from pretix.base.settings import SETTINGS_AFFECTING_CSS
+from pretix.helpers import OF_SELF
 from pretix.helpers.dicts import merge_dicts
 from pretix.presale.style import regenerate_organizer_css

@@ -61,7 +61,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
    lookup_field = 'slug'
    lookup_url_kwarg = 'organizer'
    lookup_value_regex = '[^/]+'
-    filter_backends = (filters.OrderingFilter,)
+    filter_backends = (TotalOrderingFilter,)
    ordering = ('slug',)
    ordering_fields = ('name', 'slug')

@@ -178,7 +178,7 @@ class GiftCardViewSet(viewsets.ModelViewSet):
    def perform_update(self, serializer):
        if 'include_accepted' in self.request.GET:
            raise PermissionDenied("Accepted gift cards cannot be updated, use transact instead.")
-        GiftCard.objects.select_for_update().get(pk=self.get_object().pk)
+        GiftCard.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
        old_value = serializer.instance.value
        value = serializer.validated_data.pop('value')
        inst = serializer.save(secret=serializer.instance.secret, currency=serializer.instance.currency,
@@ -196,8 +196,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
    @action(detail=True, methods=["POST"])
    @transaction.atomic()
    def transact(self, request, **kwargs):
-        gc = GiftCard.objects.select_for_update().get(pk=self.get_object().pk)
-        value = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
+        gc = GiftCard.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
+        value = serializers.DecimalField(max_digits=13, decimal_places=2).to_internal_value(
            request.data.get('value')
        )
        text = serializers.CharField(allow_blank=True, allow_null=True).to_internal_value(
--- a/Show More
+++ b/Show More