* Do not create useless cart session accessing invoice address
* Skip useless code paths in CartMixin
* Do not create cart session on view with active session
* Create regression tests
* Data model draft
* Refactor query and assignment usages of old permissions
* Backend UI
* API serializer
* Big string replace
* Docs, tests and fixes for teams api
* Update docs for device auth
* Eliminate old names
* Make tests pass
* Use new permissions, remove inconsistencies
* Add test for translations
* Show plugin permissions
* Add permission for seating plans
* Fix plugin activation
* Fix failing test
* Refactor to permission groups
* Update doc/api/resources/devices.rst
Co-authored-by: luelista <weller@rami.io>
* Update doc/api/resources/events.rst
Co-authored-by: luelista <weller@rami.io>
* Update src/pretix/api/serializers/organizer.py
Co-authored-by: luelista <weller@rami.io>
* Fix typo
* Fix python version compat
* Replacement after rebase
* Add proper permission handling for exports
* Docs for exporters
* Runtime linting of permission names
* Fix typos
* Show export page even without orders permission
* More legacy compat
* Do not strongly validate before plugins are loaded
* Rebase migration
* Add permission for outgoing mails
* Review notes
* Update doc/api/resources/teams.rst
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Clean up logic around exporters
* Review and failures
* Fix migration leading to forbidden combination
* Handle permissions on event copying
* Remove print-statements
* Make test clearer
* Review feedback
* Add AnyPermissionOf
* migration safety
---------
Co-authored-by: luelista <weller@rami.io>
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* adds safeguard to prevent empty giftcard transactions on giftcards of value 0.00
* implement giftcard payment via order create
* styling
* let create_transactions() handle all the mailing
* docs
* provide more context for failed transactions
* documentation lectoring
* reject duplicate gift card secrets
* make payment_provider and use_gift_cards exclusive
* handle unknown gift cards
* Apply suggestion from @pajowu
Co-authored-by: pajowu <engelhardt@pretix.eu>
* Update src/pretix/control/templates/pretixcontrol/giftcards/payment.html
Co-authored-by: pajowu <engelhardt@pretix.eu>
---------
Co-authored-by: pajowu <engelhardt@pretix.eu>
* initial implementation
* handle permissions
* split out organizer list endpoint
* remove left over empty lines
* revert import changes
* tidying up
* revert no longer needed test changes
* revert no longer needed test changes
* Apply suggestions from code review
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* add event to api response
* prefetch
* handle auth
* document event
* bump querycounts for prefetches
* Use existing Permission Denied Error Message
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* add edit view for waitinglist entry
* add test and fix behaviour when name isn't asked for
* fix linting
* add testcases for new edit view
* fix test
* fix linting
* add search to the waitinglist view
* repair settings check
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* make name and phone field optional by removing them
* remove item and variation fields from form
rather set those values during clean
* change label from "Item and Variation" to "Product"
* include only products with an enabled waitinglist in the product field
* combine edit.html and transfer.html
* change transfer to edit
* add tests
* code style
* Update src/pretix/control/forms/waitinglist.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/forms/waitinglist.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/urls.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/templates/pretixcontrol/waitinglist/edit.html
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/templates/pretixcontrol/waitinglist/index.html
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/views/waitinglist.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/views/waitinglist.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/control/views/waitinglist.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* remove validations
* remove validations
* replace widget
* implement small review items
* add better assertions
* add test for the different edit form variations
* add queryset to prefetch only active ItemVariations
* add queryset to prefetch only active ItemVariations
* propper use of WrappedPhoneNumberPrefixWidget
* cleanup
* add validation tests
* small review changes
* handle products with only inactive variations
* styling
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* reduce default RecentAuthenticationRequiredMixin timeout to 15 min
* never cache pages with RecentAuthenticationRequiredMixin
* show emergency codes only once after generating
The field Voucher.price_mode is sometimes called "Price mode" and
sometimes "Price effect" in the UI, which is inconsistent. I think
"price effect" is a little clearer, but I don't really care as long as
it is consistent.
* Tax rounding: Allow to apply only for B2B (Z#23220106)
Most effective in combination with #5807
* Update src/pretix/base/settings.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Order changes: Do not allow to double-book add-ons
* tests
* Update src/pretix/presale/templates/pretixpresale/event/fragment_addon_choice.html
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Send security notification when recovery code is used or created by admin
"Where to store recovery codes" is one of these problems there is no
right answer to, so many people store them in a less-than-optimal place.
If that's the reality we live in, this PR adds at least a little
security so one notices when they get used :)
* Add sentence
* Invoices: Allow issuing invoices only to businesses
In situations where every invoice has a significant accounting cost and
consumers usually do not need invoices, this can save a lot of money or
effort.
* Improve backend UI if not qualified for invoice
* Allow to combine language variant with region (fixes#3947, Z#23220951)
This only affects babel-based formatting (currently: currencies and phone numbers),
**not** Django-based formatting (currently: date and time formats).
* Remove tests where I don'T actually know whats right
* Fix lookup order
* Add option to restrict anonymous access to order URLs
By default, users who place orders while logged in can still access
their order URLs without authentication. This raises potential
security risks, particularly if order confirmation emails are
forwarded.
This commit introduces an organiser-level setting to disable anonymous
access for such orders. When enabled, unauthenticated attempts to access
URLs starting with `/order/`, which are intended for the customer, are
redirected to the login page. Upon successful authentication, the user
is redirected back to the original order URL.
It is important to note that this change does not impact routes intended
for attendees (e.g., `/ticket/*`), which remain accessible without
authentication.
* Change name of setting for future clarity
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Update message wording
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Eliminate database query
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Rename feature flag to fix breaking tests
* Refactor order access verification code into `OrderDetailsMixin`
* Add test for logged-in customer accessing another customer's order
* Refactor order access conditions to remove nesting
* Handle case where customer is not yet verified
* Add additional information to help message
* Fix multidomain issue
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
* Merge order/position variants into single tests
* Add docstring explaining return type of `order` property
* Apply suggestion from @raphaelm
* Fix indentation
---------
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>
Co-authored-by: Raphael Michel <michel@rami.io>
* OrderChangeManager: Add support for custom operations
* OrderChangeManager: Add callback to AddPosition operation
This is also meant as a way to fix#5548
* Refs #5557: Checkstyle fix
* Refs #5557: Added tests
* Refs #5557: Changes requested in the PR review
* Refs #5557: Fix error in previous merge conflict
* Refs #5557: PR review
* Bank transfer: Allow dashes in event slug to be missing (Z#23216859)
* Update src/pretix/plugins/banktransfer/tasks.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Update src/pretix/plugins/banktransfer/tasks.py
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
* Apply suggestions from code review
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
---------
Co-authored-by: Richard Schreiber <schreiber@pretix.eu>
Move generation of QR code contents out of the HTML template and into Python code, so it can
be reused in plugins and tested with unit tests. Add the SPAYD QR code format which is used in
Czech Republic and Slovakia [1]. Display BezahlCode QR codes only for German IBANs.
[1] https://en.wikipedia.org/wiki/Short_Payment_Descriptor
