Bump dnspython to 2.2.*

GitHub Actions: Set FORCE_COLOR = 1
PPv2: Fix CSP issue in 3D secure verification
2026-06-17 02:21:05 +00:00 · 2022-12-20 11:55:52 +01:00 · 2022-12-19 15:31:08 +01:00 · 2022-12-19 14:53:46 +01:00 · 2022-12-19 14:53:32 +01:00 · 2022-12-19 14:52:58 +01:00
249 changed files with 125239 additions and 84138 deletions
@@ -9,6 +9,7 @@ updates:
    directory: "/src"
    schedule:
      interval: "daily"
+    versioning-strategy: increase
  - package-ecosystem: "npm"
    directory: "/src/pretix/static/npm_dir"
    schedule:
@@ -14,16 +14,22 @@ on:
      - 'src/pretix/static/**'
      - 'src/tests/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  spelling:
    name: Spellcheck
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -31,7 +37,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install enchant hunspell aspell-en
+        run: sudo apt update && sudo apt install enchant-2 hunspell aspell-en
      - name: Install Dependencies
        run: pip3 install -Ur requirements.txt
        working-directory: ./doc
@@ -12,16 +12,22 @@ on:
      - 'doc/**'
      - 'src/pretix/locale/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  compile:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Check gettext syntax
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -40,14 +46,14 @@ jobs:
        run: python manage.py compilejsi18n
        working-directory: ./src
  spelling:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Spellcheck
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -55,7 +61,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system packages
-        run: sudo apt update && sudo apt install enchant hunspell hunspell-de-de aspell-en aspell-de
+        run: sudo apt update && sudo apt install enchant-2 hunspell hunspell-de-de aspell-en aspell-de
      - name: Install Dependencies
        run: pip3 install -e ".[dev]"
        working-directory: ./src
@@ -12,16 +12,22 @@ on:
      - 'src/pretix/locale/**'
      - 'src/pretix/static/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  isort:
    name: isort
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -36,13 +42,13 @@ jobs:
        working-directory: ./src
  flake:
    name: flake8
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - uses: actions/cache@v1
        with:
          path: ~/.cache/pip
@@ -57,13 +63,13 @@ jobs:
        working-directory: ./src
  licenseheader:
    name: licenseheaders
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v2
-      - name: Set up Python 3.8
+      - name: Set up Python 3.9
        uses: actions/setup-python@v1
        with:
-          python-version: 3.8
+          python-version: 3.9
      - name: Install Dependencies
        run: pip3 install licenseheaders
      - name: Run licenseheaders
@@ -12,23 +12,29 @@ on:
      - 'doc/**'
      - 'src/pretix/locale/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
+env:
+  FORCE_COLOR: 1
+
 jobs:
  test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    name: Tests
    strategy:
      matrix:
-        python-version: ["3.7", "3.8", "3.9"]
+        python-version: ["3.7", "3.9", "3.10"]
        database: [sqlite, postgres, mysql]
        exclude:
          - database: mysql
-            python-version: "3.8"
+            python-version: "3.10"
          - database: mysql
            python-version: "3.9"
          - database: sqlite
            python-version: "3.7"
          - database: sqlite
-            python-version: "3.8"
+            python-version: "3.10"
    steps:
      - uses: actions/checkout@v2
      - uses: getong/mariadb-action@v1.1
@@ -55,9 +61,9 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install system dependencies
-        run: sudo apt update && sudo apt install gettext mariadb-client-10.3
+        run: sudo apt update && sudo apt install gettext mariadb-client
      - name: Install Python dependencies
-        run: pip3 install -e ".[dev]" mysqlclient psycopg2-binary
+        run: pip3 install --ignore-requires-python -e ".[dev]" mysqlclient psycopg2-binary  # We ignore that flake8 needs newer python as we don't run flake8 during tests
        working-directory: ./src
      - name: Run checks
        run: python manage.py check
@@ -76,4 +82,4 @@ jobs:
        with:
          file: src/coverage.xml
          fail_ci_if_error: true
-        if: matrix.database == 'postgres' && matrix.python-version == '3.8'
+        if: matrix.database == 'postgres' && matrix.python-version == '3.10'
@@ -399,9 +399,9 @@ The two ``transport_options`` entries can be omitted in most cases.
 If they are present they need to be a valid JSON dictionary.
 For possible entries in that dictionary see the `Celery documentation`_.

-To use redis with sentinels set the broker or backend to ``sentinel://sentinel_host_1:26379;sentinal_host_2:26379/0``
+To use redis with sentinels set the broker or backend to ``sentinel://sentinel_host_1:26379;sentinel_host_2:26379/0``
 and the respective transport_options to ``{"master_name":"mymaster"}``.
-If your redis instances behind the sentinel have a password use ``sentinel://:my_password@sentinel_host_1:26379;sentinal_host_2:26379/0``.
+If your redis instances behind the sentinel have a password use ``sentinel://:my_password@sentinel_host_1:26379;sentinel_host_2:26379/0``.
 If your redis sentinels themselves have a password set the transport_options to ``{"master_name":"mymaster","sentinel_kwargs":{"password":"my_password"}}``.

 Sentry
@@ -318,6 +318,27 @@ example::
    (venv)$ python -m pretix rebuild
    # systemctl restart pretix-web pretix-worker

+System updates
+--------------
+
+After system updates, such as updates to a new Ubuntu or Debian release, you might be using a new Python version.
+That's great, but requires some adjustments. First, adjust any old version paths in your nginx configuration file.
+Then, re-create your Python environment::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 freeze > /tmp/pip-backup.txt
+    $ rm -rf /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U pip wheel setuptools
+    (venv)$ pip3 install -r /tmp/pip-backup.txt
+
+Then, proceed like after any plugin installation::
+
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    (venv)$ python -m pretix updatestyles
+    # systemctl restart pretix-web pretix-worker

 .. _Postfix: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04
 .. _nginx: https://botleg.com/stories/https-with-lets-encrypt-and-nginx/
@@ -48,10 +48,11 @@ Possible permissions are:
 Compatibility
 -------------

-We currently see pretix' API as a beta-stage feature. We therefore do not give any guarantees
-for compatibility between feature releases of pretix (such as 1.5 and 1.6). However, as always,
-we try not to break things when we don't need to. Any backwards-incompatible changes will be
-prominently noted in the release notes.
+We try to avoid any breaking changes to our API to avoid hassle on your end. If possible, we'll
+build new features in a way that keeps all pre-existing API usage unchanged. In some cases,
+this might not be possible or only possible with restrictions. In these case, any
+backwards-incompatible changes will be prominently noted in the "Changes to the REST API"
+section of our release notes. If possible, we will announce them multiple releases in advance.

 We treat the following types of changes as *backwards-compatible* so we ask you to make sure
 that your clients can deal with them properly:
@@ -60,6 +61,7 @@ that your clients can deal with them properly:
 * Support of new HTTP methods for a given API endpoint
 * Support of new query parameters for a given API endpoint
 * New fields contained in API responses
+* New possible values of enumeration-like fields
 * Response body structure or message texts on failed requests (``4xx``, ``5xx`` response codes)

 We treat the following types of changes as *backwards-incompatible*:
@@ -43,10 +43,6 @@ seat                                  objects                    The assigned se
 └ seat_guid                           string                     Identifier of the seat within the seating plan
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.0
-
-   This ``seat`` attribute has been added.
-
 .. versionchanged:: 4.14

   This ``is_bundled`` attribute has been added and the cart creation endpoints have been updated.
@@ -39,23 +39,6 @@ exit_all_at                           datetime                   Automatically c
 addon_match                           boolean                    If ``true``, tickets on this list can be redeemed by scanning their parent ticket if this still leads to an unambiguous match.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.9
-
-    The ``subevent`` attribute may now be ``null`` inside event series. The ``allow_multiple_entries``,
-    ``allow_entry_after_exit``, and ``rules`` attributes have been added.
-
-.. versionchanged:: 3.11
-
-    The ``subevent_match`` and ``exclude`` query parameters have been added.
-
-.. versionchanged:: 3.12
-
-    The ``exit_all_at`` attribute has been added.
-
-.. versionchanged:: 3.17
-
-    The ``ends_after`` and ``expand`` query parameters have been added.
-
 .. versionchanged:: 4.12

    The ``addon_match`` attribute has been added.
@@ -52,34 +52,9 @@ sales_channels                        list                       A list of sales
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.3
-
-   The attributes ``geo_lat`` and ``geo_lon`` have been added.
-
-.. versionchanged:: 3.4
-
-   The attribute ``timezone`` has been added.
-
-.. versionchanged:: 3.7
-
-   The attribute ``item_meta_properties`` has been added.
-
-.. versionchanged:: 3.12
-
-   The attribute ``valid_keys`` has been added.
-
-.. versionchanged:: 3.14
-
-    The attribute ``sales_channels`` has been added.
-
-
 Endpoints
 ---------

-.. versionchanged:: 3.3
-
-    The events resource can now be filtered by meta data attributes.
-
 .. versionchanged:: 4.0

    The ``clone_from`` parameter has been added to the event creation endpoint.
@@ -567,10 +542,6 @@ information about the properties.
 .. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
             able to break your event using this API by creating situations of conflicting settings. Please take care.

-.. versionchanged:: 3.6
-
-   Initial support for settings has been added to the API.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/settings/

   Get current values of event settings.
@@ -6,10 +6,6 @@ Data exporters
 pretix and it's plugins include a number of data exporters that allow you to bulk download various data from pretix in
 different formats. This page shows you how to use these exporters through the API.

-.. versionchanged:: 3.13
-
-   This feature has been added to the API.
-
 .. warning::

   While we consider the methods listed on this page to be a stable API, the availability and specific input field
@@ -40,10 +40,6 @@ text                                  string                     Custom text of
 Endpoints
 ---------

-.. versionadded:: 3.14
-
-   The transaction list endpoint was added.
-
 .. http:get:: /api/v1/organizers/(organizer)/giftcards/

   Returns a list of all gift cards issued by a given organizer.
@@ -257,10 +253,6 @@ Endpoints
        "value": "15.37"
      }

-   .. versionchanged:: 3.5
-
-      This endpoint now returns status code ``409`` if the transaction would lead to a negative gift card value.
-
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the gift card to modify
   :query boolean include_accepted: Also show gift cards issued by other organizers that are accepted by this organizer.
@@ -108,16 +108,6 @@ internal_reference                    string                     Customer's refe
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.4
-
-   The attribute ``lines.number`` has been added.
-
-.. versionchanged:: 3.17
-
-   The attribute ``invoice_to_*``, ``invoice_from_*``, ``custom_field``, ``lines.item``, ``lines.variation``, ``lines.event_date_from``,
-   ``lines.event_date_to``, and ``lines.attendee_name`` have been added.
-   ``refers`` now returns an invoice number including the prefix.
-
 .. versionchanged:: 4.1

   The attributes ``fee_type`` and ``fee_internal_type`` have been added.
@@ -43,8 +43,13 @@ available_until                       datetime                   The last date t
 hide_without_voucher                  boolean                    If ``true``, this variation is only shown during the voucher
                                                                 redemption process, but not in the normal shop
                                                                 frontend.
+meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================

+.. versionchanged:: 4.16
+
+   The ``meta_data`` attribute has been added.
+
 Endpoints
 ---------

@@ -94,6 +99,7 @@ Endpoints
            "default_price": "223.00",
            "price": 223.0,
            "original_price": null,
+            "meta_data": {}
          },
          {
            "id": 3,
@@ -108,7 +114,8 @@ Endpoints
            "description": {},
            "position": 1,
            "default_price": null,
-            "price": 15.0
+            "price": 15.0,
+            "meta_data": {}
          }
        ]
      }
@@ -161,7 +168,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -198,7 +206,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   **Example response**:
@@ -225,7 +234,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 0
+        "position": 0,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer of the event/item to create a variation for
@@ -283,7 +293,8 @@ Endpoints
        "available_until": null,
        "hide_without_voucher": false,
        "description": null,
-        "position": 1
+        "position": 1,
+        "meta_data": {}
      }

   :param organizer: The ``slug`` field of the organizer to modify
@@ -123,6 +123,7 @@ variations                            list of objects            A list with one
 ├ hide_without_voucher                boolean                    If ``true``, this variation is only shown during the voucher
                                                                 redemption process, but not in the normal shop
                                                                 frontend.
+├ meta_data                           object                     Values set for event-specific meta data parameters.
 └ position                            integer                    An integer, used for sorting
 addons                                list of objects            Definition of add-ons that can be chosen for this item.
                                                                 Only writable during creation,
@@ -146,14 +147,6 @@ bundles                               list of objects            Definition of b
 meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.7
-
-   The attribute ``meta_data`` has been added.
-
-.. versionchanged:: 3.10
-
-   The attribute ``multi_allowed`` has been added to ``addons``.
-
 .. versionchanged:: 4.0

   The attributes ``require_membership``, ``require_membership_types``, ``grant_membership_type``, ``grant_membership_duration_like_event``,
@@ -163,6 +156,10 @@ meta_data                             object                     Values set for

   The attributes ``require_membership_hidden`` attribute has been added.

+.. versionchanged:: 4.16
+
+   The ``variations[x].meta_data`` attribute has been added.
+
 Notes
 -----

@@ -255,6 +252,7 @@ Endpoints
                 "available_until": null,
                 "hide_without_voucher": false,
                 "description": null,
+                 "meta_data": {},
                 "position": 0
              },
              {
@@ -270,6 +268,7 @@ Endpoints
                 "available_until": null,
                 "hide_without_voucher": false,
                 "description": null,
+                 "meta_data": {},
                 "position": 1
              }
            ],
@@ -369,6 +368,7 @@ Endpoints
             "available_from": null,
             "available_until": null,
             "hide_without_voucher": false,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -384,6 +384,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -463,6 +464,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -478,6 +480,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -546,6 +549,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -561,6 +565,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -660,6 +665,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 0
          },
          {
@@ -675,6 +681,7 @@ Endpoints
             "available_until": null,
             "hide_without_voucher": false,
             "description": null,
+             "meta_data": {},
             "position": 1
          }
        ],
@@ -98,30 +98,6 @@ last_modified                         datetime                   Last modificati
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.5
-
-   The ``order.fees.canceled`` attribute has been added.
-
-.. versionchanged:: 3.8
-
-   The ``reactivate`` operation has been added.
-
-.. versionchanged:: 3.10
-
-   The ``search`` query parameter has been added.
-
-.. versionchanged:: 3.11
-
-   The ``exclude`` and ``subevent_after`` query parameter has been added.
-
-.. versionchanged:: 3.13
-
-   The ``subevent_before`` query parameter has been added.
-
-.. versionchanged:: 3.14
-
-   The ``phone`` attribute has been added.
-
 .. versionchanged:: 4.0

   The ``customer`` attribute has been added.
@@ -142,6 +118,10 @@ last_modified                         datetime                   Last modificati

   The ``order.fees.id`` attribute has been added.

+.. versionchanged:: 4.15
+
+   The ``include`` query parameter has been added.
+

 .. _order-position-resource:

@@ -206,27 +186,6 @@ pdf_data                              object                     Data object req
                                                                 ``pdf_data=true`` query parameter to your request.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.3
-
-  The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
-  :ref:`order-position-ticket-download` for details.
-
-.. versionchanged:: 3.5
-
-  The attribute ``canceled`` has been added.
-
-.. versionchanged:: 3.8
-
-  The attributes ``company``, ``street``, ``zipcode``, ``city``, ``country``, and ``state`` have been added.
-
-.. versionchanged:: 3.9
-
-  The ``checkin.type`` attribute has been added.
-
-.. versionchanged:: 3.16
-
-   Answers to file questions are now returned as an URL.
-
 .. _order-payment-resource:

 Order payment resource
@@ -273,15 +232,20 @@ created                               datetime                   Date and time o
 comment                               string                     Reason for refund (shown to the customer in some cases, can be ``null``).
 execution_date                        datetime                   Date and time of completion of this refund (or ``null``)
 provider                              string                     Identification string of the payment provider
+details                               object                     Refund-specific information. This is a dictionary
+                                                                 with various fields that can be different between
+                                                                 payment providers, versions, payment states, etc. If
+                                                                 you read this field, you always need to be able to
+                                                                 deal with situations where values that you expect are
+                                                                 missing. Mostly, the field contains various IDs that
+                                                                 can be used for matching with other systems. If a
+                                                                 payment provider does not implement this feature,
+                                                                 the object is empty.
 ===================================== ========================== =======================================================

 List of all orders
 ------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/

   Returns a list of all orders within a given event.
@@ -449,6 +413,7 @@ List of all orders
   :query datetime subevent_after: Only return orders that contain a ticket for a subevent taking place after the given date. This is an exclusive after, and it considers the **end** of the subevent (or its start, if the end is not set).
   :query datetime subevent_before: Only return orders that contain a ticket for a subevent taking place after the given date. This is an exclusive before, and it considers the **start** of the subevent.
   :query string exclude: Exclude a field from the output, e.g. ``fees`` or ``positions.downloads``. Can be used as a performance optimization. Can be passed multiple times.
+   :query string include: Include only the given field in the output, e.g. ``fees`` or ``positions.downloads``. Can be used as a performance optimization. Can be passed multiple times. ``include`` is applied before ``exclude``, so ``exclude`` takes precedence.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
@@ -460,10 +425,6 @@ List of all orders
 Fetching individual orders
 --------------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/

   Returns information on one order, identified by its order code.
@@ -1038,10 +999,6 @@ Creating orders
 Order state operations
 ----------------------

-.. versionchanged:: 3.12
-
-   The ``mark_paid`` operation now takes a ``send_email`` parameter.
-
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_paid/

   Marks a pending or expired order as successfully paid.
@@ -1443,10 +1400,6 @@ Sending e-mails
 List of all order positions
 ---------------------------

-.. versionchanged:: 3.5
-
-   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/

   Returns a list of all order positions within a given event.
@@ -1701,10 +1654,6 @@ Order position ticket download
 Manipulating individual positions
 ---------------------------------

-.. versionchanged:: 3.15
-
-   The ``PATCH`` method has been added for individual positions.
-
 .. versionchanged:: 4.8

   The ``PATCH`` method now supports changing items, variations, subevents, seats, prices, and tax rules.
@@ -2011,14 +1960,6 @@ otherwise, such as splitting an order or changing fees.
 Order payment endpoints
 -----------------------

-.. versionchanged:: 3.6
-
-   Payments can now be created through the API.
-
-.. versionchanged:: 3.12
-
-   The ``confirm`` operation now takes a ``send_email`` parameter.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/payments/

   Returns a list of all payments for an order.
@@ -2324,6 +2265,7 @@ Order refund endpoints
            "created": "2017-12-01T10:00:00Z",
            "execution_date": "2017-12-04T12:13:12Z",
            "comment": "Cancellation",
+            "details": {},
            "provider": "banktransfer"
          }
        ]
@@ -2367,6 +2309,7 @@ Order refund endpoints
        "created": "2017-12-01T10:00:00Z",
        "execution_date": "2017-12-04T12:13:12Z",
        "comment": "Cancellation",
+        "details": {},
        "provider": "banktransfer"
      }

@@ -2424,6 +2367,7 @@ Order refund endpoints
        "created": "2017-12-01T10:00:00Z",
        "execution_date": null,
        "comment": "Cancellation",
+        "details": {},
        "provider": "manual"
      }

@@ -2553,10 +2497,6 @@ Revoked ticket secrets

 With some non-default ticket secret generation methods, a list of revoked ticket secrets is required for proper validation.

-.. versionchanged:: 3.12
-
-   Added revocation lists.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/revokedsecrets/

   Returns a list of all revoked secrets within a given event.
@@ -109,10 +109,6 @@ information about the properties.
 .. warning:: This API is intended for advanced users. Even though we take care to validate your input, you will be
             able to break your shops using this API by creating situations of conflicting settings. Please take care.

-.. versionchanged:: 3.14
-
-   Initial support for settings has been added to the API.
-
 .. http:get:: /api/v1/organizers/(organizer)/settings/

   Get current values of organizer settings.
@@ -76,26 +76,9 @@ dependency_value                      string                     An old version
                                                                 for one value. **Deprecated.**
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.5
-
-  The attribute ``help_text`` has been added.
-
-.. versionchanged:: 3.14
-
-  The attributes ``valid_*`` have been added.
-
-.. versionchanged:: 3.18
-
-  The attribute ``valid_file_portrait`` have been added.
-
 Endpoints
 ---------

-.. versionchanged:: 1.15
-
-   The questions endpoint has been extended by the filter queries ``ask_during_checkin``, ``requred``, and
-   ``identifier``.
-
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/questions/

   Returns a list of all questions within a given event.
@@ -36,10 +36,6 @@ available_number                      integer                    Number of avail
                                                                 slightly out of date. ``null`` means unlimited.
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.10
-
-   The attribute ``release_after_exit`` has been added.
-
 .. versionchanged:: 4.1

    The ``with_availability`` query parameter has been added.
@@ -59,29 +59,13 @@ seat_category_mapping                 object                     An object mappi
 last_modified                         datetime                   Last modification of this object
 ===================================== ========================== =======================================================

-.. versionchanged:: 3.3
+.. versionchanged:: 4.15

-   The attributes ``geo_lat`` and ``geo_lon`` have been added.
-
-.. versionchanged:: 3.10
-
-   The ``disabled`` attribute has been added to ``item_price_overrides`` and ``variation_price_overrides``.
-
-.. versionchanged:: 3.12
-
-   The ``last_modified`` attribute has been added.
-
-.. versionchanged:: 3.18
-
-   The ``available_from``/``available_until`` attributes have been added to ``item_price_overrides`` and ``variation_price_overrides``.
+    The ``search`` query parameter has been added to filter sub-events by their name or location in any language.

 Endpoints
 ---------

-.. versionchanged:: 3.3
-
-    The sub-events resource can now be filtered by meta data attributes.
-
 .. versionchanged:: 4.1

    The ``with_availability_for`` parameter has been added.
@@ -147,6 +131,7 @@ Endpoints
   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
+   :query search: Only return events matching a given search query.
   :param organizer: The ``slug`` field of a valid organizer
   :param event: The ``slug`` field of the main event
   :query datetime modified_since: Only return objects that have changed since the given date. Be careful: This does not
@@ -50,10 +50,6 @@ show_hidden_items                     boolean                    Only if set to
 ===================================== ========================== =======================================================


-.. versionchanged:: 3.4
-
-   The attribute ``seat`` has been added.
-
 Endpoints
 ---------

@@ -30,12 +30,6 @@ subevent                              integer                    ID of the date
 ===================================== ========================== =======================================================


-.. versionchanged:: 1.15
-
-   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added as well as a method to send out
-   vouchers.
-
-
 Endpoints
 ---------

@@ -126,6 +126,8 @@ The provider class

   .. automethod:: api_payment_details

+   .. automethod:: api_refund_details
+
   .. automethod:: matching_id

   .. automethod:: shred_payment_info
@@ -136,6 +138,10 @@ The provider class

   .. autoattribute:: is_meta

+   .. autoattribute:: execute_payment_needs_user
+
+   .. autoattribute:: multi_use_supported
+
   .. autoattribute:: test_mode_message

   .. autoattribute:: requires_invoice_immediately
@@ -184,11 +184,6 @@ Most of these methods work identically on :class:`pretix.base.models.TeamAPIToke
 Staff sessions
 --------------

-.. versionchanged:: 1.14
-
-   In 1.14, the ``User.is_superuser`` attribute has been deprecated and statically set to return ``False``. Staff
-   sessions have been newly introduced.
-
 System administrators of a pretix instance are identified by the ``is_staff`` attribute on the user model. By default,
 the regular permission rules apply for users with ``is_staff = True``. The only difference is that such users can
 temporarily turn on "staff mode" via a button in the user interface that grants them **all permissions** as long as
@@ -91,6 +91,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal content ID
 title                                 multi-lingual string       The content title (required)
+internal_name                         string                     An optional name that is only used in the backend
 content_type                          string                     The type of content, valid values are ``webinar``, ``video``, ``livestream``, ``link``, ``file``
 url                                   string                     The location of the digital content
 file                                  file                       A downloadable file. Either ``url`` or ``file`` must be ``null``.
@@ -447,8 +447,4 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
    </script>


-.. versionchanged:: 3.6
-
-   Dynamically opening the widget has been added in pretix 3.6.
-
 .. _Let's Encrypt: https://letsencrypt.org/
@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "4.15.0.dev0"
+__version__ = "4.16.0.dev0"
@@ -0,0 +1,77 @@
+# Generated by Django 3.2.16 on 2022-12-17 18:47
+
+import uuid
+
+import django.db.models.deletion
+import oauth2_provider.generators
+import oauth2_provider.models
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0226_itemvariationmetavalue'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixapi', '0008_webhookcallretry'),
+    ]
+    run_before = [
+        ('oauth2_provider', '0002_auto_20190406_1805'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='oauthapplication',
+            name='algorithm',
+            field=models.CharField(default='', max_length=5),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='claims',
+            field=models.TextField(default=''),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge',
+            field=models.CharField(default='', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge_method',
+            field=models.CharField(default='', max_length=10),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='nonce',
+            field=models.CharField(default='', max_length=255),
+        ),
+        migrations.AlterField(
+            model_name='oauthapplication',
+            name='client_secret',
+            field=oauth2_provider.models.ClientSecretField(db_index=True, default=oauth2_provider.generators.generate_client_secret, max_length=255),
+        ),
+        migrations.CreateModel(
+            name='OAuthIDToken',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('jti', models.UUIDField(default=uuid.uuid4, unique=True)),
+                ('expires', models.DateTimeField()),
+                ('scope', models.TextField()),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
+                ('organizers', models.ManyToManyField(to='pretixbase.Organizer')),
+                ('user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='pretixapi_oauthidtoken', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='oauthaccesstoken',
+            name='id_token',
+            field=models.OneToOneField(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='access_token', to='pretixapi.oauthidtoken'),
+        ),
+    ]
@@ -29,8 +29,8 @@ from oauth2_provider.generators import (
    generate_client_id, generate_client_secret,
 )
 from oauth2_provider.models import (
-    AbstractAccessToken, AbstractApplication, AbstractGrant,
-    AbstractRefreshToken,
+    AbstractAccessToken, AbstractApplication, AbstractGrant, AbstractIDToken,
+    AbstractRefreshToken, ClientSecretField,
 )
 from oauth2_provider.validators import URIValidator

@@ -46,7 +46,7 @@ class OAuthApplication(AbstractApplication):
        verbose_name=_("Client ID"),
        max_length=100, unique=True, default=generate_client_id, db_index=True
    )
-    client_secret = models.CharField(
+    client_secret = ClientSecretField(
        verbose_name=_("Client secret"),
        max_length=255, blank=False, default=generate_client_secret, db_index=True
    )
@@ -67,12 +67,26 @@ class OAuthGrant(AbstractGrant):
    redirect_uri = models.CharField(max_length=2500)  # Only 255 in AbstractGrant, which caused problems


+class OAuthIDToken(AbstractIDToken):
+    application = models.ForeignKey(
+        OAuthApplication, on_delete=models.CASCADE,
+    )
+    organizers = models.ManyToManyField('pretixbase.Organizer')
+
+
 class OAuthAccessToken(AbstractAccessToken):
    source_refresh_token = models.OneToOneField(
        # unique=True implied by the OneToOneField
        'OAuthRefreshToken', on_delete=models.SET_NULL, blank=True, null=True,
        related_name="refreshed_access_token"
    )
+    id_token = models.OneToOneField(
+        OAuthIDToken,
+        on_delete=models.CASCADE,
+        blank=True,
+        null=True,
+        related_name="access_token",
+    )
    application = models.ForeignKey(
        OAuthApplication, on_delete=models.CASCADE, blank=True, null=True,
    )
@@ -47,13 +47,14 @@ from pretix.api.serializers.fields import UploadedFileField
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue, ItemVariation,
-    Question, QuestionOption, Quota,
+    ItemVariationMetaValue, Question, QuestionOption, Quota,
 )


 class InlineItemVariationSerializer(I18nAwareModelSerializer):
    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
                                     coerce_to_string=True)
+    meta_data = MetaDataField(required=False, source='*')

    class Meta:
        model = ItemVariation
@@ -61,16 +62,23 @@ class InlineItemVariationSerializer(I18nAwareModelSerializer):
                  'position', 'default_price', 'price', 'original_price', 'require_approval',
                  'require_membership', 'require_membership_types',
                  'require_membership_hidden', 'available_from', 'available_until',
-                  'sales_channels', 'hide_without_voucher',)
+                  'sales_channels', 'hide_without_voucher', 'meta_data')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['require_membership_types'].queryset = lazy(lambda: self.context['event'].organizer.membership_types.all(), QuerySet)

+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.parent.parent.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+

 class ItemVariationSerializer(I18nAwareModelSerializer):
    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
                                     coerce_to_string=True)
+    meta_data = MetaDataField(required=False, source='*')

    class Meta:
        model = ItemVariation
@@ -78,12 +86,63 @@ class ItemVariationSerializer(I18nAwareModelSerializer):
                  'position', 'default_price', 'price', 'original_price', 'require_approval',
                  'require_membership', 'require_membership_types',
                  'require_membership_hidden', 'available_from', 'available_until',
-                  'sales_channels', 'hide_without_voucher',)
+                  'sales_channels', 'hide_without_voucher', 'meta_data')

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['require_membership_types'].queryset = self.context['event'].organizer.membership_types.all()

+    @transaction.atomic
+    def create(self, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        variation = ItemVariation.objects.create(**validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                ItemVariationMetaValue.objects.create(
+                    property=self.item_meta_properties.get(key),
+                    value=value,
+                    variation=variation
+                )
+        return variation
+
+    @cached_property
+    def item_meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].event.item_meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.item_meta_properties:
+                raise ValidationError(_('Item meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    def update(self, instance, validated_data):
+        meta_data = validated_data.pop('meta_data', None)
+        variation = super().update(instance, validated_data)
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in variation.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.item_meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    variation.meta_values.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        return variation
+

 class InlineItemBundleSerializer(serializers.ModelSerializer):
    class Meta:
@@ -263,9 +322,19 @@ class ItemSerializer(I18nAwareModelSerializer):

        for variation_data in variations_data:
            require_membership_types = variation_data.pop('require_membership_types', [])
+            var_meta_data = variation_data.pop('meta_data', {})
            v = ItemVariation.objects.create(item=item, **variation_data)
            if require_membership_types:
                v.require_membership_types.add(*require_membership_types)
+
+            if var_meta_data is not None:
+                for key, value in var_meta_data.items():
+                    ItemVariationMetaValue.objects.create(
+                        property=self.item_meta_properties.get(key),
+                        value=value,
+                        variation=v
+                    )
+
        for addon_data in addons_data:
            ItemAddOn.objects.create(base_item=item, **addon_data)
        for bundle_data in bundles_data:
@@ -29,6 +29,7 @@ import pycountry
 from django.conf import settings
 from django.core.files import File
 from django.db.models import F, Q
+from django.utils.encoding import force_str
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy
 from django_countries.fields import Country
@@ -61,14 +62,25 @@ from pretix.base.services.pricing import (
 )
 from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
 from pretix.base.signals import register_ticket_outputs
+from pretix.helpers.countries import CachedCountries
 from pretix.multidomain.urlreverse import build_absolute_uri

 logger = logging.getLogger(__name__)


 class CompatibleCountryField(serializers.Field):
+    countries = CachedCountries()
+    default_error_messages = {
+        'invalid_choice': gettext_lazy('"{input}" is not a valid choice.')
+    }
+
    def to_internal_value(self, data):
-        return {self.field_name: Country(data)}
+        country = self.countries.alpha2(data)
+        if data and not country:
+            country = self.countries.by_name(force_str(data))
+            if not country:
+                self.fail("invalid_choice", input=data)
+        return {self.field_name: Country(country)}

    def to_representation(self, instance: InvoiceAddress):
        if instance.country:
@@ -359,10 +371,19 @@ class PdfDataSerializer(serializers.Field):
            for k, v in ev._cached_meta_data.items():
                res['meta:' + k] = v

-            if not hasattr(instance.item, '_cached_meta_data'):
-                instance.item._cached_meta_data = instance.item.meta_data
-            for k, v in instance.item._cached_meta_data.items():
-                res['itemmeta:' + k] = v
+            if instance.variation_id:
+                print(instance, instance.variation, instance.variation_id, instance.item)
+                if not hasattr(instance.variation, '_cached_meta_data'):
+                    instance.variation.item = instance.item  # saves some database lookups
+                    instance.variation._cached_meta_data = instance.variation.meta_data
+                print(instance.variation._cached_meta_data.items())
+                for k, v in instance.variation._cached_meta_data.items():
+                    res['itemmeta:' + k] = v
+            else:
+                if not hasattr(instance.item, '_cached_meta_data'):
+                    instance.item._cached_meta_data = instance.item.meta_data
+                for k, v in instance.item._cached_meta_data.items():
+                    res['itemmeta:' + k] = v

            res['images'] = {}

@@ -553,12 +574,22 @@ class OrderPaymentSerializer(I18nAwareModelSerializer):
                  'details')


+class RefundDetailsField(serializers.Field):
+    def to_representation(self, value: OrderRefund):
+        pp = value.payment_provider
+        if not pp:
+            return {}
+        return pp.api_refund_details(value)
+
+
 class OrderRefundSerializer(I18nAwareModelSerializer):
    payment = SlugRelatedField(slug_field='local_id', read_only=True)
+    details = RefundDetailsField(source='*', allow_null=True, read_only=True)

    class Meta:
        model = OrderRefund
-        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'comment', 'provider')
+        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'comment', 'provider',
+                  'details')


 class OrderURLField(serializers.URLField):
@@ -600,6 +631,32 @@ class OrderSerializer(I18nAwareModelSerializer):
        if not self.context['pdf_data']:
            self.fields['positions'].child.fields.pop('pdf_data', None)

+        includes = set(self.context['include'])
+        if includes:
+            for fname, field in list(self.fields.items()):
+                if fname in includes:
+                    continue
+                elif hasattr(field, 'child'):  # Nested list serializers
+                    found_any = False
+                    for childfname, childfield in list(field.child.fields.items()):
+                        if f'{fname}.{childfname}' not in includes:
+                            field.child.fields.pop(childfname)
+                        else:
+                            found_any = True
+                    if not found_any:
+                        self.fields.pop(fname)
+                elif isinstance(field, serializers.Serializer):  # Nested serializers
+                    found_any = False
+                    for childfname, childfield in list(field.fields.items()):
+                        if f'{fname}.{childfname}' not in includes:
+                            field.fields.pop(childfname)
+                        else:
+                            found_any = True
+                    if not found_any:
+                        self.fields.pop(fname)
+                else:
+                    self.fields.pop(fname)
+
        for exclude_field in self.context['exclude']:
            p = exclude_field.split('.')
            if p[0] in self.fields:
@@ -35,7 +35,8 @@
 import importlib

 from django.apps import apps
-from django.conf.urls import include, re_path
+from django.conf.urls import re_path
+from django.urls import include
 from rest_framework import routers

 from pretix.api.views import cart
@@ -332,6 +332,7 @@ with scopes_disabled():
        ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
        modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
        sales_channel = django_filters.rest_framework.CharFilter(method='sales_channel_qs')
+        search = django_filters.rest_framework.CharFilter(method='search_qs')

        class Meta:
            model = SubEvent
@@ -367,6 +368,12 @@ with scopes_disabled():
        def sales_channel_qs(self, queryset, name, value):
            return queryset.filter(event__sales_channels__contains=value)

+        def search_qs(self, queryset, name, value):
+            return queryset.filter(
+                Q(name__icontains=i18ncomp(value))
+                | Q(location__icontains=i18ncomp(value))
+            )
+

 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = SubEventSerializer
@@ -84,7 +84,9 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):

    def get_queryset(self):
        return self.request.event.items.select_related('tax_rule').prefetch_related(
-            'variations', 'addons', 'bundles', 'meta_values'
+            'variations', 'addons', 'bundles', 'meta_values', 'meta_values__property',
+            'variations__meta_values', 'variations__meta_values__property',
+            'require_membership_types', 'variations__require_membership_types',
        ).all()

    def perform_create(self, serializer):
@@ -147,7 +149,11 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)

    def get_queryset(self):
-        return self.item.variations.all()
+        return self.item.variations.all().prefetch_related(
+            'meta_values',
+            'meta_values__property',
+            'require_membership_types'
+        )

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
@@ -65,9 +65,10 @@ from pretix.api.views import RichOrderingFilter
 from pretix.base.i18n import language
 from pretix.base.models import (
    CachedCombinedTicket, CachedTicket, Checkin, Device, EventMetaValue,
-    Invoice, InvoiceAddress, ItemMetaValue, Order, OrderFee, OrderPayment,
-    OrderPosition, OrderRefund, Quota, SubEvent, SubEventMetaValue, TaxRule,
-    TeamAPIToken, generate_secret,
+    Invoice, InvoiceAddress, ItemMetaValue, ItemVariation,
+    ItemVariationMetaValue, Order, OrderFee, OrderPayment, OrderPosition,
+    OrderRefund, Quota, SubEvent, SubEventMetaValue, TaxRule, TeamAPIToken,
+    generate_secret,
 )
 from pretix.base.models.orders import QuestionAnswer, RevokedTicketSecret
 from pretix.base.payment import PaymentException
@@ -191,6 +192,7 @@ class OrderViewSet(viewsets.ModelViewSet):
        ctx['event'] = self.request.event
        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false') == 'true'
        ctx['exclude'] = self.request.query_params.getlist('exclude')
+        ctx['include'] = self.request.query_params.getlist('include')
        return ctx

    def get_queryset(self):
@@ -231,7 +233,9 @@ class OrderViewSet(viewsets.ModelViewSet):
                    Prefetch('item', queryset=self.request.event.items.prefetch_related(
                        Prefetch('meta_values', ItemMetaValue.objects.select_related('property'), to_attr='meta_values_cached')
                    )),
-                    'variation',
+                    Prefetch('variation', queryset=ItemVariation.objects.prefetch_related(
+                        Prefetch('meta_values', ItemVariationMetaValue.objects.select_related('property'), to_attr='meta_values_cached')
+                    )),
                    'answers', 'answers__options', 'answers__question',
                    'item__category',
                    'addon_to__answers', 'addon_to__answers__options', 'addon_to__answers__question',
@@ -699,8 +703,8 @@ class OrderViewSet(viewsets.ModelViewSet):
                    subject_attendees_template = request.event.settings.mail_subject_order_placed_attendee

                _order_placed_email(
-                    request.event, order, payment.payment_provider if payment else None, email_template, subject_template,
-                    log_entry, invoice, payment, is_free=free_flow
+                    request.event, order, email_template, subject_template,
+                    log_entry, invoice, [payment] if payment else [], is_free=free_flow
                )
                if email_attendees:
                    for p in order.positions.all():
@@ -998,7 +1002,11 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                                Prefetch('meta_values', ItemMetaValue.objects.select_related('property'),
                                         to_attr='meta_values_cached')
                            )),
-                            'variation', 'answers', 'answers__options', 'answers__question',
+                            Prefetch('variation', queryset=self.request.event.items.prefetch_related(
+                                Prefetch('meta_values', ItemVariationMetaValue.objects.select_related('property'),
+                                         to_attr='meta_values_cached')
+                            )),
+                            'answers', 'answers__options', 'answers__question',
                            'item__category',
                            Prefetch('subevent', queryset=self.request.event.subevents.prefetch_related(
                                Prefetch('meta_values', to_attr='meta_values_cached',
@@ -0,0 +1,227 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from collections import defaultdict
+
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext_lazy as _
+from localflavor.ar.forms import ARPostalCodeField
+from localflavor.at.forms import ATZipCodeField
+from localflavor.au.forms import AUPostCodeField
+from localflavor.be.forms import BEPostalCodeField
+from localflavor.br.forms import BRZipCodeField
+from localflavor.ca.forms import CAPostalCodeField
+from localflavor.ch.forms import CHZipCodeField
+from localflavor.cn.forms import CNPostCodeField
+from localflavor.cu.forms import CUPostalCodeField
+from localflavor.cz.forms import CZPostalCodeField
+from localflavor.de.forms import DEZipCodeField
+from localflavor.dk.forms import DKPostalCodeField
+from localflavor.ee.forms import EEZipCodeField
+from localflavor.es.forms import ESPostalCodeField
+from localflavor.fi.forms import FIZipCodeField
+from localflavor.fr.forms import FRZipCodeField
+from localflavor.gb.forms import GBPostcodeField
+from localflavor.gr.forms import GRPostalCodeField
+from localflavor.hr.forms import HRPostalCodeField
+from localflavor.id_.forms import IDPostCodeField
+from localflavor.ie.forms import EircodeField
+from localflavor.il.forms import ILPostalCodeField
+from localflavor.in_.forms import INZipCodeField
+from localflavor.ir.forms import IRPostalCodeField
+from localflavor.is_.is_postalcodes import IS_POSTALCODES
+from localflavor.it.forms import ITZipCodeField
+from localflavor.jp.forms import JPPostalCodeField
+from localflavor.lt.forms import LTPostalCodeField
+from localflavor.lv.forms import LVPostalCodeField
+from localflavor.ma.forms import MAPostalCodeField
+from localflavor.mt.forms import MTPostalCodeField
+from localflavor.mx.forms import MXZipCodeField
+from localflavor.nl.forms import NLZipCodeField
+from localflavor.no.forms import NOZipCodeField
+from localflavor.nz.forms import NZPostCodeField
+from localflavor.pk.forms import PKPostCodeField
+from localflavor.pl.forms import PLPostalCodeField
+from localflavor.pt.forms import PTZipCodeField
+from localflavor.ro.forms import ROPostalCodeField
+from localflavor.ru.forms import RUPostalCodeField
+from localflavor.se.forms import SEPostalCodeField
+from localflavor.sg.forms import SGPostCodeField
+from localflavor.si.si_postalcodes import SI_POSTALCODES
+from localflavor.sk.forms import SKPostalCodeField
+from localflavor.tr.forms import TRPostalCodeField
+from localflavor.ua.forms import UAPostalCodeField
+from localflavor.us.forms import USZipCodeField
+from localflavor.za.forms import ZAPostCodeField
+
+from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
+
+_validator_classes = defaultdict(list)
+
+COUNTRIES_WITH_STREET_ZIPCODE_AND_CITY_REQUIRED = {
+    # We don't presume this for countries we don't have knowledge about, there are countries in the
+    # world e.g. without zipcodes
+    'AR', 'AT', 'AU', 'BE', 'BR', 'CA', 'CH', 'CN', 'CU', 'CZ', 'DE', 'DK', 'EE', 'ES', 'FI', 'FR',
+    'GB', 'GR', 'HR', 'ID', 'IE', 'IL', 'IN', 'IR', 'IS', 'IT', 'JP', 'LT', 'LV', 'MA', 'MT', 'MX',
+    'NL', 'NO', 'NZ', 'PK', 'PL', 'PT', 'RO', 'RU', 'SE', 'SG', 'SI', 'SK', 'TR', 'UA', 'US', 'ZA',
+}
+
+
+def validate_address(address: dict, all_optional=False):
+    """
+    :param address: A dictionary with at least the entries ``street``, ``zipcode``, ``city``, ``country``,
+                    ``state``
+    :return: The dictionary, possibly with changes
+    """
+    if not address.get('street') and not address.get('zipcode') and not address.get('city'):
+        # Consider the actual address part to be empty, no further validation necessary, if the
+        # address should be required, it's the callers job to validate that at least one of these
+        # fields is filled
+        return address
+
+    if not address.get('country'):
+        raise ValidationError({'country': [_('This field is required.')]})
+
+    if str(address['country']) in COUNTRIES_WITH_STATE_IN_ADDRESS and not address.get('state') and not all_optional:
+        raise ValidationError({'state': [_('This field is required.')]})
+
+    if str(address['country']) in COUNTRIES_WITH_STREET_ZIPCODE_AND_CITY_REQUIRED and not all_optional:
+        for f in ('street', 'zipcode', 'city'):
+            if not address.get(f):
+                raise ValidationError({f: [_('This field is required.')]})
+
+    for klass in _validator_classes[str(address['country'])]:
+        validator = klass()
+        try:
+            if address.get('zipcode'):
+                address['zipcode'] = validator.validate_zipcode(address['zipcode'])
+        except ValidationError as e:
+            raise ValidationError({'zipcode': list(e)})
+
+    return address
+
+
+def register_validator_for(country):
+    def inner(klass):
+        _validator_classes[country].append(klass)
+        return klass
+
+    return inner
+
+
+class BaseValidator:
+    required_fields = []
+
+    def validate_zipcode(self, value):
+        return value
+
+
+"""
+Currently, mostly have validators that are auto-generated from django-localflavor
+but custom ones can be added like this:
+
+@register_validator_for('DE')
+class DEValidator(BaseValidator):
+    def validate_zipcode(value):
+        return value
+
+In the future, we can also add additional methods to validate that e.g. a city
+is plausible for a given zip code.
+"""
+
+_zip_code_fields = {
+    'AR': ARPostalCodeField,
+    'AT': ATZipCodeField,
+    'AU': AUPostCodeField,
+    'BE': BEPostalCodeField,
+    'BR': BRZipCodeField,
+    'CA': CAPostalCodeField,
+    'CH': CHZipCodeField,
+    'CN': CNPostCodeField,
+    'CU': CUPostalCodeField,
+    'CZ': CZPostalCodeField,
+    'DE': DEZipCodeField,
+    'DK': DKPostalCodeField,
+    'EE': EEZipCodeField,
+    'ES': ESPostalCodeField,
+    'FI': FIZipCodeField,
+    'FR': FRZipCodeField,
+    'GB': GBPostcodeField,
+    'GR': GRPostalCodeField,
+    'HR': HRPostalCodeField,
+    'ID': IDPostCodeField,
+    'IE': EircodeField,
+    'IL': ILPostalCodeField,
+    'IN': INZipCodeField,
+    'IR': IRPostalCodeField,
+    'IT': ITZipCodeField,
+    'JP': JPPostalCodeField,
+    'LT': LTPostalCodeField,
+    'LV': LVPostalCodeField,
+    'MA': MAPostalCodeField,
+    'MT': MTPostalCodeField,
+    'MX': MXZipCodeField,
+    'NL': NLZipCodeField,
+    'NO': NOZipCodeField,
+    'NZ': NZPostCodeField,
+    'PK': PKPostCodeField,
+    'PL': PLPostalCodeField,
+    'PT': PTZipCodeField,
+    'RO': ROPostalCodeField,
+    'RU': RUPostalCodeField,
+    'SE': SEPostalCodeField,
+    'SG': SGPostCodeField,
+    'SK': SKPostalCodeField,
+    'TR': TRPostalCodeField,
+    'UA': UAPostalCodeField,
+    'US': USZipCodeField,
+    'ZA': ZAPostCodeField,
+}
+
+
+def _generate_class_from_zipcode_field(field_class):
+    class _GeneratedValidator(BaseValidator):
+        def validate_zipcode(self, value):
+            return field_class().clean(value)
+    return _GeneratedValidator
+
+
+for cc, field_class in _zip_code_fields.items():
+    register_validator_for(cc)(_generate_class_from_zipcode_field(field_class))
+
+
+@register_validator_for('IS')
+class ISValidator(BaseValidator):
+    def validate_zipcode(self, value):
+        if value not in [entry[0] for entry in IS_POSTALCODES]:
+            raise ValidationError(_('Enter a postal code in the format XXX.'), code='invalid')
+        return value
+
+
+@register_validator_for('SI')
+class SIValidator(BaseValidator):
+    def validate_zipcode(self, value):
+        try:
+            if int(value) not in [entry[0] for entry in SI_POSTALCODES]:
+                raise ValidationError(_('Enter a postal code in the format XXXX.'), code='invalid')
+        except ValueError:
+            raise ValidationError(_('Enter a postal code in the format XXXX.'), code='invalid')
+        return value
@@ -320,13 +320,18 @@ def get_email_context(**kwargs):
    return ctx


-def _placeholder_payment(order, payment):
-    if not payment:
-        return None
-    if 'payment' in inspect.signature(payment.payment_provider.order_pending_mail_render).parameters:
-        return str(payment.payment_provider.order_pending_mail_render(order, payment))
+def _placeholder_payments(order, payments):
+    d = []
+    for payment in payments:
+        if 'payment' in inspect.signature(payment.payment_provider.order_pending_mail_render).parameters:
+            d.append(str(payment.payment_provider.order_pending_mail_render(order, payment)))
+        else:
+            d.append(str(payment.payment_provider.order_pending_mail_render(order)))
+    d = [line for line in d if line.strip()]
+    if d:
+        return '\n\n'.join(d)
    else:
-        return str(payment.payment_provider.order_pending_mail_render(order))
+        return ''


 def get_best_name(position_or_address, parts=False):
@@ -376,6 +381,14 @@ def base_placeholders(sender, **kwargs):
        SimpleFunctionalMailTextPlaceholder(
            'currency', ['event'], lambda event: event.currency, lambda event: event.currency
        ),
+        SimpleFunctionalMailTextPlaceholder(
+            'order_email', ['order'], lambda order: order.email, 'john@example.org'
+        ),
+        SimpleFunctionalMailTextPlaceholder(
+            'invoice_number', ['invoice'],
+            lambda invoice: invoice.full_invoice_no,
+            f'{sender.settings.invoice_numbers_prefix or (sender.slug.upper() + "-")}00000'
+        ),
        SimpleFunctionalMailTextPlaceholder(
            'refund_amount', ['event_or_subevent', 'refund_amount'],
            lambda event_or_subevent, refund_amount: LazyCurrencyNumber(refund_amount, event_or_subevent.currency),
@@ -617,7 +630,7 @@ def base_placeholders(sender, **kwargs):
            _('An individual text with a reason can be inserted here.'),
        ),
        SimpleFunctionalMailTextPlaceholder(
-            'payment_info', ['order', 'payment'], _placeholder_payment,
+            'payment_info', ['order', 'payments'], _placeholder_payments,
            _('The amount has been charged to your card.'),
        ),
        SimpleFunctionalMailTextPlaceholder(
@@ -29,7 +29,7 @@ from openpyxl.utils import get_column_letter
 from ...helpers.safe_openpyxl import SafeCell
 from ..channels import get_all_sales_channels
 from ..exporter import ListExporter
-from ..models import ItemMetaValue
+from ..models import ItemMetaValue, ItemVariation, ItemVariationMetaValue
 from ..signals import register_data_exporters


@@ -106,18 +106,27 @@ class ItemDataExporter(ListExporter):
        yield row

        for i in self.event.items.prefetch_related(
-            'variations',
            Prefetch(
                'meta_values',
                ItemMetaValue.objects.select_related('property'),
                to_attr='meta_values_cached'
-            )
+            ),
+            Prefetch(
+                'variations',
+                queryset=ItemVariation.objects.prefetch_related(
+                    Prefetch(
+                        'meta_values',
+                        ItemVariationMetaValue.objects.select_related('property'),
+                        to_attr='meta_values_cached'
+                    ),
+                ),
+            ),
        ).select_related('category', 'tax_rule'):
-            m = i.meta_data
            vars = list(i.variations.all())

            if vars:
                for v in vars:
+                    m = v.meta_data
                    row = [
                        i.pk,
                        v.pk,
@@ -160,6 +169,7 @@ class ItemDataExporter(ListExporter):
                    yield row

            else:
+                m = i.meta_data
                row = [
                    i.pk,
                    "",
@@ -36,9 +36,11 @@ import json
 from decimal import Decimal

 from django.core.serializers.json import DjangoJSONEncoder
+from django.db.models import Prefetch
 from django.dispatch import receiver

 from ..exporter import BaseExporter
+from ..models import ItemMetaValue, ItemVariation, ItemVariationMetaValue
 from ..signals import register_data_exporters


@@ -106,9 +108,26 @@ class JSONExporter(BaseExporter):
                                'available_from': variation.available_from,
                                'available_until': variation.available_until,
                                'hide_without_voucher': variation.hide_without_voucher,
+                                'meta_data': variation.meta_data,
                            } for variation in item.variations.all()
                        ]
-                    } for item in self.event.items.select_related('tax_rule').prefetch_related('variations')
+                    } for item in self.event.items.select_related('tax_rule').prefetch_related(
+                        Prefetch(
+                            'meta_values',
+                            ItemMetaValue.objects.select_related('property'),
+                            to_attr='meta_values_cached'
+                        ),
+                        Prefetch(
+                            'variations',
+                            queryset=ItemVariation.objects.prefetch_related(
+                                Prefetch(
+                                    'meta_values',
+                                    ItemVariationMetaValue.objects.select_related('property'),
+                                    to_attr='meta_values_cached'
+                                ),
+                            ),
+                        ),
+                    )
                ],
                'questions': [
                    {
@@ -303,6 +303,8 @@ class OrderListExporter(MultiSheetListExporter):
            for id, vn in payment_methods:
                headers.append(_('Paid by {method}').format(method=vn))

+        # get meta_data labels from first cached event
+        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
        yield headers

        full_fee_sum_cache = {
@@ -416,6 +418,7 @@ class OrderListExporter(MultiSheetListExporter):
                        payment_sum_cache.get((order.id, id), Decimal('0.00')) -
                        refund_sum_cache.get((order.id, id), Decimal('0.00'))
                    )
+            row += self.event_object_cache[order.event_id].meta_data.values()
            yield row

    def iterate_fees(self, form_data: dict):
@@ -465,6 +468,9 @@ class OrderListExporter(MultiSheetListExporter):

        headers.append(_('External customer ID'))
        headers.append(_('Payment providers'))
+
+        # get meta_data labels from first cached event
+        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
        yield headers

        yield self.ProgressSetTotal(total=qs.count())
@@ -512,6 +518,7 @@ class OrderListExporter(MultiSheetListExporter):
                str(self.providers.get(p, p)) for p in sorted(set((op.payment_providers or '').split(',')))
                if p and p != 'free'
            ]))
+            row += self.event_object_cache[order.event_id].meta_data.values()
            yield row

    def iterate_positions(self, form_data: dict):
@@ -533,6 +540,7 @@ class OrderListExporter(MultiSheetListExporter):
            'order', 'order__invoice_address', 'order__customer', 'item', 'variation',
            'voucher', 'tax_rule'
        ).prefetch_related(
+            'subevent', 'subevent__meta_values',
            'answers', 'answers__question', 'answers__options'
        )
        if form_data['paid_only']:
@@ -624,6 +632,10 @@ class OrderListExporter(MultiSheetListExporter):
            _('Payment providers'),
        ]

+        # get meta_data labels from first cached event
+        meta_data_labels = next(iter(self.event_object_cache.values())).meta_data.keys()
+        if has_subevents:
+            headers += meta_data_labels
        yield headers

        all_ids = list(base_qs.order_by('order__datetime', 'positionid').values_list('pk', flat=True))
@@ -747,6 +759,12 @@ class OrderListExporter(MultiSheetListExporter):
                    str(self.providers.get(p, p)) for p in sorted(set((op.payment_providers or '').split(',')))
                    if p and p != 'free'
                ]))
+
+                if has_subevents:
+                    if op.subevent:
+                        row += op.subevent.meta_data.values()
+                    else:
+                        row += [''] * len(meta_data_labels)
                yield row

    def get_filename(self):
@@ -135,6 +135,10 @@ class NamePartsWidget(forms.MultiWidget):
            data.append(value.get(fname, ""))
        if '_legacy' in value and not data[-1]:
            data[-1] = value.get('_legacy', '')
+        elif not any(d for d in data) and '_scheme' in value:
+            scheme = PERSON_NAME_SCHEMES[value['_scheme']]
+            data[-1] = scheme['concatenation'](value).strip()
+
        return data

    def render(self, name: str, value, attrs=None, renderer=None) -> str:
@@ -915,6 +919,7 @@ class BaseQuestionsForm(forms.Form):

 class BaseInvoiceAddressForm(forms.ModelForm):
    vat_warning = False
+    address_validation = False

    class Meta:
        model = InvoiceAddress
@@ -1050,6 +1055,9 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                v.widget.attrs['autocomplete'] = 'section-invoice billing ' + v.widget.attrs.get('autocomplete', '')

    def clean(self):
+        from pretix.base.addressvalidation import \
+            validate_address  # local import to prevent impact on startup time
+
        data = self.cleaned_data
        if not data.get('is_business'):
            data['company'] = ''
@@ -1065,9 +1073,8 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        if 'vat_id' in self.changed_data or not data.get('vat_id'):
            self.instance.vat_id_validated = False

-        if data.get('city') and data.get('country') and str(data['country']) in COUNTRIES_WITH_STATE_IN_ADDRESS:
-            if not data.get('state'):
-                self.add_error('state', _('This field is required.'))
+        if self.address_validation:
+            self.cleaned_data = data = validate_address(data, self.all_optional)

        self.instance.name_parts = data.get('name_parts')

@@ -23,6 +23,7 @@ import logging
 from collections import defaultdict
 from decimal import Decimal
 from io import BytesIO
+from itertools import groupby
 from typing import Tuple

 import bleach
@@ -241,6 +242,12 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        buffer.seek(0)
        return 'invoice.pdf', 'application/pdf', buffer.read()

+    def _clean_text(self, text, tags=None):
+        return bleach.clean(
+            text,
+            tags=tags or []
+        ).strip().replace('<br>', '<br />').replace('\n', '<br />\n')
+

 class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    identifier = 'classic'
@@ -265,7 +272,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    invoice_to_top = 52 * mm

    def _draw_invoice_to(self, canvas):
-        p = Paragraph(bleach.clean(self.invoice.address_invoice_to, tags=[]).strip().replace('\n', '<br />\n'),
+        p = Paragraph(self._clean_text(self.invoice.address_invoice_to),
                      style=self.stylesheet['Normal'])
        p.wrapOn(canvas, self.invoice_to_width, self.invoice_to_height)
        p_size = p.wrap(self.invoice_to_width, self.invoice_to_height)
@@ -278,7 +285,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

    def _draw_invoice_from(self, canvas):
        p = Paragraph(
-            bleach.clean(self.invoice.full_invoice_from, tags=[]).strip().replace('\n', '<br />\n'),
+            self._clean_text(self.invoice.full_invoice_from),
            style=self.stylesheet['InvoiceFrom']
        )
        p.wrapOn(canvas, self.invoice_from_width, self.invoice_from_height)
@@ -473,8 +480,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        if self.invoice.custom_field:
            story.append(Paragraph(
                '{}: {}'.format(
-                    bleach.clean(str(self.invoice.event.settings.invoice_address_custom_field), tags=[]).strip().replace('\n', '<br />\n'),
-                    bleach.clean(self.invoice.custom_field, tags=[]).strip().replace('\n', '<br />\n'),
+                    self._clean_text(str(self.invoice.event.settings.invoice_address_custom_field)),
+                    self._clean_text(self.invoice.custom_field),
                ),
                self.stylesheet['Normal']
            ))
@@ -482,7 +489,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        if self.invoice.internal_reference:
            story.append(Paragraph(
                pgettext('invoice', 'Customer reference: {reference}').format(
-                    reference=bleach.clean(self.invoice.internal_reference, tags=[]).strip().replace('\n', '<br />\n'),
+                    reference=self._clean_text(self.invoice.internal_reference),
                ),
                self.stylesheet['Normal']
            ))
@@ -490,20 +497,20 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        if self.invoice.invoice_to_vat_id:
            story.append(Paragraph(
                pgettext('invoice', 'Customer VAT ID') + ': ' +
-                bleach.clean(self.invoice.invoice_to_vat_id, tags=[]).replace("\n", "<br />\n"),
+                self._clean_text(self.invoice.invoice_to_vat_id),
                self.stylesheet['Normal']
            ))

        if self.invoice.invoice_to_beneficiary:
            story.append(Paragraph(
                pgettext('invoice', 'Beneficiary') + ':<br />' +
-                bleach.clean(self.invoice.invoice_to_beneficiary, tags=[]).replace("\n", "<br />\n"),
+                self._clean_text(self.invoice.invoice_to_beneficiary),
                self.stylesheet['Normal']
            ))

        if self.invoice.introductory_text:
            story.append(Paragraph(
-                self.invoice.introductory_text,
+                self._clean_text(self.invoice.introductory_text, tags=['br']),
                self.stylesheet['Normal']
            ))
            story.append(Spacer(1, 10 * mm))
@@ -554,31 +561,47 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                pgettext('invoice', 'Amount'),
            )]

+        def _group_key(line):
+            return (line.description, line.tax_rate, line.tax_name, line.net_value, line.gross_value, line.subevent_id,
+                    line.event_date_from, line.event_date_to)
+
        total = Decimal('0.00')
-        for line in self.invoice.lines.all():
+        for (description, tax_rate, tax_name, net_value, gross_value, *ignored), lines in groupby(self.invoice.lines.all(), key=_group_key):
+            lines = list(lines)
            if has_taxes:
+                if len(lines) > 1:
+                    single_price_line = pgettext('invoice', 'Single price: {net_price} net / {gross_price} gross').format(
+                        net_price=money_filter(net_value, self.invoice.event.currency),
+                        gross_price=money_filter(gross_value, self.invoice.event.currency),
+                    )
+                    description = description + "\n" + single_price_line
                tdata.append((
                    Paragraph(
-                        bleach.clean(line.description, tags=['br']).strip().replace('<br>', '<br/>').replace('\n', '<br />\n'),
+                        self._clean_text(description, tags=['br']),
                        self.stylesheet['Normal']
                    ),
-                    "1",
-                    localize(line.tax_rate) + " %",
-                    money_filter(line.net_value, self.invoice.event.currency),
-                    money_filter(line.gross_value, self.invoice.event.currency),
+                    str(len(lines)),
+                    localize(tax_rate) + " %",
+                    money_filter(net_value * len(lines), self.invoice.event.currency),
+                    money_filter(gross_value * len(lines), self.invoice.event.currency),
                ))
            else:
+                if len(lines) > 1:
+                    single_price_line = pgettext('invoice', 'Single price: {price}').format(
+                        price=money_filter(gross_value, self.invoice.event.currency),
+                    )
+                    description = description + "\n" + single_price_line
                tdata.append((
                    Paragraph(
-                        bleach.clean(line.description, tags=['br']).strip().replace('<br>', '<br/>').replace('\n', '<br />\n'),
+                        self._clean_text(description, tags=['br']),
                        self.stylesheet['Normal']
                    ),
-                    "1",
-                    money_filter(line.gross_value, self.invoice.event.currency),
+                    str(len(lines)),
+                    money_filter(gross_value * len(lines), self.invoice.event.currency),
                ))
-            taxvalue_map[line.tax_rate, line.tax_name] += line.tax_value
-            grossvalue_map[line.tax_rate, line.tax_name] += line.gross_value
-            total += line.gross_value
+            taxvalue_map[tax_rate, tax_name] += (gross_value - net_value) * len(lines)
+            grossvalue_map[tax_rate, tax_name] += gross_value * len(lines)
+            total += gross_value * len(lines)

        if has_taxes:
            tdata.append([
@@ -640,7 +663,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

        if self.invoice.additional_text:
            story.append(Paragraph(
-                self.invoice.additional_text,
+                self._clean_text(self.invoice.additional_text, tags=['br']),
                self.stylesheet['Normal']
            ))
            story.append(Spacer(1, 5 * mm))
@@ -777,7 +800,7 @@ class Modern1Renderer(ClassicInvoiceRenderer):
        if not self.invoice.invoice_from:
            return
        c = [
-            bleach.clean(l, tags=[]).strip().replace('\n', '<br />\n')
+            self._clean_text(l)
            for l in self.invoice.address_invoice_from.strip().split('\n')
        ]
        p = Paragraph(' · '.join(c), style=self.stylesheet['Sender'])
@@ -224,6 +224,11 @@ def _merge_csp(a, b):
        if k not in a:
            a[k] = b[k]

+    for k, v in a.items():
+        if "'unsafe-inline'" in v:
+            # If we need unsafe-inline, drop any hashes or nonce as they will be ignored otherwise
+            a[k] = [i for i in v if not i.startswith("'nonce-") and not i.startswith("'sha-")]
+

 class SecurityMiddleware(MiddlewareMixin):
    CSP_EXEMPT = (
@@ -301,7 +306,7 @@ class SecurityMiddleware(MiddlewareMixin):
            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
                                                                    media=mediadomain)
            for k, v in h.items():
-                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain).split(' ')
+                h[k] = sorted(set(' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain).split(' ')))
            resp['Content-Security-Policy'] = _render_csp(h)
        elif 'Content-Security-Policy' in resp:
            del resp['Content-Security-Policy']
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.16 on 2022-11-14 11:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0223_voucher_min_usages'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='eventmetaproperty',
+            name='filter_allowed',
+            field=models.BooleanField(default=True),
+        ),
+    ]
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.16 on 2022-11-17 15:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0224_eventmetaproperty_filter_allowed'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='orderpayment',
+            name='process_initiated',
+            field=models.BooleanField(null=True),
+        ),
+    ]
@@ -0,0 +1,29 @@
+# Generated by Django 3.2.16 on 2022-12-09 10:06
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import pretix.base.models.base
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0225_orderpayment_process_initiated'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ItemVariationMetaValue',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+                ('value', models.TextField()),
+                ('property', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='variation_values', to='pretixbase.itemmetaproperty')),
+                ('variation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='meta_values', to='pretixbase.itemvariation')),
+            ],
+            options={
+                'unique_together': {('variation', 'property')},
+            },
+            bases=(models.Model, pretix.base.models.base.LoggingMixin),
+        ),
+    ]
@@ -34,8 +34,8 @@ from .giftcards import GiftCard, GiftCardAcceptance, GiftCardTransaction
 from .invoices import Invoice, InvoiceLine, invoice_filename
 from .items import (
    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaProperty, ItemMetaValue,
-    ItemVariation, Question, QuestionOption, Quota, SubEventItem,
-    SubEventItemVariation, itempicture_upload_to,
+    ItemVariation, ItemVariationMetaValue, Question, QuestionOption, Quota,
+    SubEventItem, SubEventItemVariation, itempicture_upload_to,
 )
 from .log import LogEntry
 from .memberships import Membership, MembershipType
@@ -28,6 +28,7 @@ from typing import Dict, Optional, Tuple
 from django.core.exceptions import ValidationError
 from django.core.validators import MinValueValidator
 from django.db import models
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _, pgettext_lazy
 from django_scopes import ScopedManager

@@ -198,6 +199,14 @@ class Discount(LoggedModel):
            'subevent_mode': self.subevent_mode,
        })

+    def is_available_by_time(self, now_dt=None) -> bool:
+        now_dt = now_dt or now()
+        if self.available_from and self.available_from > now_dt:
+            return False
+        if self.available_until and self.available_until < now_dt:
+            return False
+        return True
+
    def _apply_min_value(self, positions, idx_group, result):
        if self.condition_min_value and sum(positions[idx][2] for idx in idx_group) < self.condition_min_value:
            return
@@ -728,7 +728,7 @@ class Event(EventMixin, LoggedModel):
        from ..signals import event_copy_data
        from . import (
            Discount, Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue,
-            Question, Quota,
+            ItemVariationMetaValue, Question, Quota,
        )

        #  Note: avoid self.set_active_plugins(), it causes trouble e.g. for the badges plugin.
@@ -804,12 +804,18 @@ class Event(EventMixin, LoggedModel):
                v.item = i
                v.save(force_insert=True)

-        for imv in ItemMetaValue.objects.filter(item__event=other).prefetch_related('item', 'property'):
+        for imv in ItemMetaValue.objects.filter(item__event=other):
            imv.pk = None
-            imv.property = item_meta_properties_map[imv.property.pk]
+            imv.property = item_meta_properties_map[imv.property_id]
            imv.item = item_map[imv.item.pk]
            imv.save(force_insert=True)

+        for imv in ItemVariationMetaValue.objects.filter(variation__item__event=other):
+            imv.pk = None
+            imv.property = item_meta_properties_map[imv.property_id]
+            imv.variation = variation_map[imv.variation_id]
+            imv.save(force_insert=True)
+
        for ia in ItemAddOn.objects.filter(base_item__event=other).prefetch_related('base_item', 'addon_category'):
            ia.pk = None
            ia.base_item = item_map[ia.base_item.pk]
@@ -1580,6 +1586,11 @@ class EventMetaProperty(LoggedModel):
        verbose_name=_("Valid values"),
        help_text=_("If you keep this empty, any value is allowed. Otherwise, enter one possible value per line.")
    )
+    filter_allowed = models.BooleanField(
+        default=True, verbose_name=_("Can be used for filtering"),
+        help_text=_("This field will be shown to filter events or reports in the backend, and it can also be used "
+                    "for hidden filter parameters in the frontend (e.g. using the widget).")
+    )

    def full_clean(self, exclude=None, validate_unique=True):
        super().full_clean(exclude, validate_unique)
@@ -581,18 +581,15 @@ class Item(LoggedModel):
    def tax(self, price=None, base_price_is='auto', currency=None, invoice_address=None, override_tax_rate=None, include_bundled=False):
        price = price if price is not None else self.default_price

-        if not self.tax_rule:
-            t = TaxedPrice(gross=price, net=price, tax=Decimal('0.00'),
-                           rate=Decimal('0.00'), name='')
-        else:
-            t = self.tax_rule.tax(price, base_price_is=base_price_is, invoice_address=invoice_address,
-                                  override_tax_rate=override_tax_rate, currency=currency or self.event.currency)
-
+        bundled_sum = Decimal('0.00')
+        bundled_sum_net = Decimal('0.00')
+        bundled_sum_tax = Decimal('0.00')
        if include_bundled:
            for b in self.bundles.all():
                if b.designated_price and b.bundled_item.tax_rule_id != self.tax_rule_id:
                    if b.bundled_variation:
-                        bprice = b.bundled_variation.tax(b.designated_price * b.count, base_price_is='gross',
+                        bprice = b.bundled_variation.tax(b.designated_price * b.count,
+                                                         base_price_is='gross',
                                                         invoice_address=invoice_address,
                                                         currency=currency)
                    else:
@@ -600,17 +597,23 @@ class Item(LoggedModel):
                                                    invoice_address=invoice_address,
                                                    base_price_is='gross',
                                                    currency=currency)
-                    if not self.tax_rule:
-                        compare_price = TaxedPrice(gross=b.designated_price * b.count, net=b.designated_price * b.count,
-                                                   tax=Decimal('0.00'), rate=Decimal('0.00'), name='')
-                    else:
-                        compare_price = self.tax_rule.tax(b.designated_price * b.count,
-                                                          override_tax_rate=override_tax_rate,
-                                                          invoice_address=invoice_address,
-                                                          currency=currency)
-                    t.net += bprice.net - compare_price.net
-                    t.tax += bprice.tax - compare_price.tax
-                    t.name = "MIXED!"
+                    bundled_sum += bprice.gross
+                    bundled_sum_net += bprice.net
+                    bundled_sum_tax += bprice.tax
+
+        if not self.tax_rule:
+            t = TaxedPrice(gross=price - bundled_sum, net=price - bundled_sum, tax=Decimal('0.00'),
+                           rate=Decimal('0.00'), name='')
+        else:
+            t = self.tax_rule.tax(price, base_price_is=base_price_is, invoice_address=invoice_address,
+                                  override_tax_rate=override_tax_rate, currency=currency or self.event.currency,
+                                  subtract_from_gross=bundled_sum)
+
+        if bundled_sum:
+            t.name = "MIXED!"
+            t.gross += bundled_sum
+            t.net += bundled_sum_net
+            t.tax += bundled_sum_tax

        return t

@@ -1005,6 +1008,16 @@ class ItemVariation(models.Model):
            return False
        return True

+    @property
+    def meta_data(self):
+        data = self.item.meta_data
+        if hasattr(self, 'meta_values_cached'):
+            data.update({v.property.name: v.value for v in self.meta_values_cached})
+        else:
+            data.update({v.property.name: v.value for v in self.meta_values.select_related('property').all()})
+
+        return OrderedDict((k, v) for k, v in sorted(data.items(), key=lambda k: k[0]))
+

 class ItemAddOn(models.Model):
    """
@@ -1381,8 +1394,10 @@ class Question(LoggedModel):
        if self.type == Question.TYPE_CHOICE:
            if isinstance(answer, QuestionOption):
                return answer
+            if not isinstance(answer, (int, str)):
+                raise ValidationError(_('Invalid input type.'))
            q = Q(identifier=answer)
-            if isinstance(answer, int) or answer.isdigit():
+            if isinstance(answer, int) or (isinstance(answer, str) and answer.isdigit()):
                q |= Q(pk=answer)
            o = self.options.filter(q).first()
            if not o:
@@ -1782,8 +1797,21 @@ class ItemMetaValue(LoggedModel):
    class Meta:
        unique_together = ('item', 'property')

-    def delete(self, *args, **kwargs):
-        super().delete(*args, **kwargs)

-    def save(self, *args, **kwargs):
-        super().save(*args, **kwargs)
+class ItemVariationMetaValue(LoggedModel):
+    """
+    A meta-data value assigned to an item variation, overriding the value on the item.
+
+    :param variation: The variation this metadata is valid for
+    :type variation: ItemVariation
+    :param property: The property this value belongs to
+    :type property: ItemMetaProperty
+    :param value: The actual value
+    :type value: str
+    """
+    variation = models.ForeignKey('ItemVariation', on_delete=models.CASCADE, related_name='meta_values')
+    property = models.ForeignKey('ItemMetaProperty', on_delete=models.CASCADE, related_name='variation_values')
+    value = models.TextField()
+
+    class Meta:
+        unique_together = ('variation', 'property')
@@ -80,6 +80,7 @@ from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.signals import order_gracefully_delete

 from ...helpers.countries import CachedCountries, FastCountryField
+from ...helpers.format import format_map
 from ._transactions import (
    _fail, _transactions_mark_order_clean, _transactions_mark_order_dirty,
 )
@@ -996,7 +997,7 @@ class Order(LockModel, LoggedModel):
                         position and the attendee email will be used if available.
        """
        from pretix.base.services.mail import (
-            SendMailException, TolerantDict, mail, render_mail,
+            SendMailException, mail, render_mail,
        )

        if not self.email and not (position and position.attendee_email):
@@ -1012,7 +1013,7 @@ class Order(LockModel, LoggedModel):

            try:
                email_content = render_mail(template, context)
-                subject = str(subject).format_map(TolerantDict(context))
+                subject = format_map(subject, context)
                mail(
                    recipient, subject, template, context,
                    self.event, self.locale, self, headers=headers, sender=sender,
@@ -1509,6 +1510,9 @@ class OrderPayment(models.Model):
    :type info: str
    :param fee: The ``OrderFee`` object used to track the fee for this order.
    :type fee: pretix.base.models.OrderFee
+    :param process_initiated: Only for internal use inside pretix.presale to check which payments have started
+                              the execution process.
+    :type process_initiated: bool
    """
    PAYMENT_STATE_CREATED = 'created'
    PAYMENT_STATE_PENDING = 'pending'
@@ -1559,6 +1563,9 @@ class OrderPayment(models.Model):
        null=True, blank=True, related_name='payments', on_delete=models.SET_NULL
    )
    migrated = models.BooleanField(default=False)
+    process_initiated = models.BooleanField(
+        null=True  # null = created before this field was introduced
+    )

    objects = ScopedManager(organizer='order__event__organizer')

@@ -1645,7 +1652,7 @@ class OrderPayment(models.Model):
        }, user=user, auth=auth)

    def confirm(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text='',
-                ignore_date=False, lock=True, payment_date=None):
+                ignore_date=False, lock=True, payment_date=None, generate_invoice=True):
        """
        Marks the payment as complete. If possible, this also marks the order as paid if no further
        payment is required
@@ -1708,10 +1715,11 @@ class OrderPayment(models.Model):
            ))
            return

-        self._mark_order_paid(count_waitinglist, send_mail, force, user, auth, mail_text, ignore_date, lock, payment_sum - refund_sum)
+        self._mark_order_paid(count_waitinglist, send_mail, force, user, auth, mail_text, ignore_date, lock, payment_sum - refund_sum,
+                              generate_invoice)

    def _mark_order_paid(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text='',
-                         ignore_date=False, lock=True, payment_refund_sum=0):
+                         ignore_date=False, lock=True, payment_refund_sum=0, allow_generate_invoice=True):
        from pretix.base.services.invoices import (
            generate_invoice, invoice_qualified,
        )
@@ -1728,7 +1736,7 @@ class OrderPayment(models.Model):
                                  ignore_date=ignore_date)

        invoice = None
-        if invoice_qualified(self.order):
+        if invoice_qualified(self.order) and allow_generate_invoice:
            invoices = self.order.invoices.filter(is_cancellation=False).count()
            cancellations = self.order.invoices.filter(is_cancellation=True).count()
            gen_invoice = (
@@ -2407,7 +2415,7 @@ class OrderPosition(AbstractPosition):
        :param attach_ical: Attach relevant ICS files
        """
        from pretix.base.services.mail import (
-            SendMailException, TolerantDict, mail, render_mail,
+            SendMailException, mail, render_mail,
        )

        if not self.attendee_email:
@@ -2420,7 +2428,7 @@ class OrderPosition(AbstractPosition):
            recipient = self.attendee_email
            try:
                email_content = render_mail(template, context)
-                subject = str(subject).format_map(TolerantDict(context))
+                subject = format_map(subject, context)
                mail(
                    recipient, subject, template, context,
                    self.event, self.order.locale, order=self.order, headers=headers, sender=sender,
@@ -2737,6 +2745,7 @@ class CartPosition(AbstractPosition):
            tax_rule=self.item.tax_rule,
            invoice_address=invoice_address,
            bundled_sum=sum([b.price_after_voucher for b in bundled_positions]),
+            is_bundled=self.is_bundled,
        )
        if line_price.gross != self.line_price_gross or line_price.rate != self.tax_rate:
            self.line_price_gross = line_price.gross
@@ -63,14 +63,14 @@ from pretix.base.models import (
    OrderRefund, Quota,
 )
 from pretix.base.reldate import RelativeDateField, RelativeDateWrapper
-from pretix.base.services.cart import get_fees
 from pretix.base.settings import SettingsSandbox
 from pretix.base.signals import register_payment_providers
 from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.rich_text import rich_text
 from pretix.helpers.countries import CachedCountries
+from pretix.helpers.format import format_map
 from pretix.helpers.money import DecimalTextInput
-from pretix.multidomain.urlreverse import build_absolute_uri, eventreverse
+from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.views import get_cart, get_cart_total
 from pretix.presale.views.cart import cart_session, get_or_create_cart_id

@@ -138,6 +138,50 @@ class BasePaymentProvider:
        """
        return self.settings.get('_enabled', as_type=bool)

+    @property
+    def multi_use_supported(self) -> bool:
+        """
+        Returns whether or whether not this payment provider supports being used multiple times in the same
+        checkout, or in addition to a different payment provider. This is usually only useful for payment providers
+        that represent gift cards, i.e. payment methods with an upper limit per payment instrument that can usually
+        be combined with other instruments.
+
+        If you set this property to ``True``, the behavior of how pretix interacts with your payment provider changes
+        and you will need to respect the following rules:
+
+        - ``payment_form_render`` must not depend on session state, it must always allow a user to add a new payment.
+           Editing a payment is not possible, but pretix will give users an option to delete it.
+
+        - Returning ``True`` from ``checkout_prepare`` is no longer enough. Instead, you must *also* call
+          ``pretix.base.services.cart.add_payment_to_cart(request, provider, min_value, max_value, info_data)``
+          to add the payment to the session. You are still allowed to do a redirect from ``checkout_prepare`` and then
+          call this function upon return.
+
+        - Unlike in the general case, when ``checkout_prepare`` is called, the ``cart['total']`` parameter will _not yet_
+          include payment fees charged by your provider as we don't yet know the amount of the charge, so you need to
+          take care of that yourself when setting your maximum amount.
+
+        - ``payment_is_valid_session`` will not be called during checkout, don't rely on it. If you called
+          ``add_payment_to_cart``, we'll trust the payment is okay and your next chance to change that will be
+          ``execute_payment``.
+
+        The changed behavior currently only affects the behavior during initial checkout (i.e. ``checkout_prepare``),
+        for ``payment_prepare`` the regular behavior applies and you are expected to just modify the amount of the
+        ``OrderPayment`` object if you need to.
+        """
+        return False
+
+    @property
+    def execute_payment_needs_user(self) -> bool:
+        """
+        Set this to ``True`` if your ``execute_payment`` function needs to be triggered by a user request, i.e. either
+        needs the ``request`` object or might require a browser redirect. If this is ``False``, you will not receive
+        a ``request`` and may not redirect since execute_payment might be called server-side. You should ensure that
+        your ``execute_payment`` method has a limited execution time (i.e. by using ``timeout`` for all external calls)
+        and handles all error cases appropriately.
+        """
+        return True
+
    @property
    def test_mode_message(self) -> str:
        """
@@ -281,16 +325,6 @@ class BasePaymentProvider:
                 help_text=_('Users will not be able to choose this payment provider after the given date.'),
                 required=False,
             )),
-            ('_invoice_text',
-             I18nFormField(
-                 label=_('Text on invoices'),
-                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
-                             'This will only be used if the invoice is generated before the order is paid. If the '
-                             'invoice is generated later, it will show a text stating that it has already been paid.'),
-                 required=False,
-                 widget=I18nTextarea,
-                 widget_kwargs={'attrs': {'rows': '2'}}
-             )),
            ('_total_min',
             forms.DecimalField(
                 label=_('Minimum order total'),
@@ -338,6 +372,16 @@ class BasePaymentProvider:
                             'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
                 required=False
             )),
+            ('_invoice_text',
+             I18nFormField(
+                 label=_('Text on invoices'),
+                 help_text=_('Will be printed just below the payment figures and above the closing text on invoices. '
+                             'This will only be used if the invoice is generated before the order is paid. If the '
+                             'invoice is generated later, it will show a text stating that it has already been paid.'),
+                 required=False,
+                 widget=I18nTextarea,
+                 widget_kwargs={'attrs': {'rows': '2'}}
+             )),
            ('_restricted_countries',
             forms.MultipleChoiceField(
                 label=_('Restrict to countries'),
@@ -574,7 +618,7 @@ class BasePaymentProvider:
        ctx = {'request': request, 'form': form}
        return template.render(ctx)

-    def checkout_confirm_render(self, request, order: Order=None) -> str:
+    def checkout_confirm_render(self, request, order: Order=None, info_data: dict=None) -> str:
        """
        If the user has successfully filled in their payment data, they will be redirected
        to a confirmation page which lists all details of their order for a final review.
@@ -584,7 +628,9 @@ class BasePaymentProvider:
        In most cases, this should include a short summary of the user's input and
        a short explanation on how the payment process will continue.

+        :param request: The current HTTP request.
        :param order: Only set when this is a change to a new payment method for an existing order.
+        :param info_data: The ``info_data`` dictionary you set during ``add_payment_to_cart`` (only filled if ``multi_use_supported`` is set)
        """
        raise NotImplementedError()  # NOQA

@@ -618,6 +664,10 @@ class BasePaymentProvider:
        .. IMPORTANT:: If this is called, the user has not yet confirmed their order.
           You may NOT do anything which actually moves money.

+        Note: The behavior of this method changes significantly when you set
+              ``multi_use_supported``. Please refer to the ``multi_use_supported`` documentation
+              for more information.
+
        :param cart: This dictionary contains at least the following keys:

            positions:
@@ -657,9 +707,9 @@ class BasePaymentProvider:
        You will be passed an :py:class:`pretix.base.models.OrderPayment` object that contains
        the amount of money that should be paid.

-        If you need any special behavior, you can return a string
-        containing the URL the user will be redirected to. If you are done with your process
-        you should return the user to the order's detail page.
+        If you need any special behavior, you can return a string containing the URL the user will be redirected to.
+        If you are done with your process you should return the user to the order's detail page. Redirection is not
+        allowed if you set ``execute_payment_needs_user`` to ``True``.

        If the payment is completed, you should call ``payment.confirm()``. Please note that this might
        raise a ``Quota.QuotaExceededException`` if (and only if) the payment term of this order is over and
@@ -671,7 +721,7 @@ class BasePaymentProvider:

        On errors, you should raise a ``PaymentException``.

-        :param order: The order object
+        :param request: A HTTP request, except if ``execute_payment_needs_user`` is ``False``
        :param payment: An ``OrderPayment`` instance
        """
        return None
@@ -877,6 +927,15 @@ class BasePaymentProvider:
        """
        return {}

+    def api_refund_details(self, refund: OrderRefund):
+        """
+        Will be called to populate the ``details`` parameter of the refund in the REST API.
+
+        :param refund: The refund in question.
+        :return: A serializable dictionary
+        """
+        return {}
+
    def matching_id(self, payment: OrderPayment):
        """
        Will be called to get an ID for matching this payment when comparing pretix records with records of an external
@@ -896,6 +955,7 @@ class FreeOrderProvider(BasePaymentProvider):
    is_implicit = True
    is_enabled = True
    identifier = "free"
+    execute_payment_needs_user = False

    def checkout_confirm_render(self, request: HttpRequest) -> str:
        return _("No payment is required as this order only includes products which are free of charge.")
@@ -959,6 +1019,9 @@ class BoxOfficeProvider(BasePaymentProvider):
            "payment_data": payment.info_data.get('payment_data', {}),
        }

+    def api_refund_details(self, refund: OrderRefund):
+        return self.api_payment_details(refund)
+
    def payment_control_render(self, request, payment) -> str:
        if not payment.info:
            return
@@ -979,6 +1042,7 @@ class BoxOfficeProvider(BasePaymentProvider):
 class ManualPayment(BasePaymentProvider):
    identifier = 'manual'
    verbose_name = _('Manual payment')
+    execute_payment_needs_user = False

    @property
    def test_mode_message(self):
@@ -1059,12 +1123,12 @@ class ManualPayment(BasePaymentProvider):
        }

    def order_pending_mail_render(self, order, payment) -> str:
-        msg = str(self.settings.get('email_instructions', as_type=LazyI18nString)).format_map(self.format_map(order, payment))
+        msg = format_map(self.settings.get('email_instructions', as_type=LazyI18nString), self.format_map(order, payment))
        return msg

    def payment_pending_render(self, request, payment) -> str:
        return rich_text(
-            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(payment.order, payment))
+            format_map(self.settings.get('pending_description', as_type=LazyI18nString), self.format_map(payment.order, payment))
        )


@@ -1119,18 +1183,42 @@ class OffsettingProvider(BasePaymentProvider):

 class GiftCardPayment(BasePaymentProvider):
    identifier = "giftcard"
-    verbose_name = _("Gift card")
    priority = 10
+    multi_use_supported = True
+    execute_payment_needs_user = False
+    verbose_name = _("Gift card")
+
+    @property
+    def public_name(self) -> str:
+        return str(self.settings.get("public_name", as_type=LazyI18nString)) or _(
+            "Gift card"
+        )

    @property
    def settings_form_fields(self):
-        f = super().settings_form_fields
+        fields = [
+            (
+                "public_name",
+                I18nFormField(
+                    label=_("Payment method name"), widget=I18nTextInput, required=False
+                ),
+            ),
+            (
+                "public_description",
+                I18nFormField(
+                    label=_("Payment method description"), widget=I18nTextarea, required=False
+                ),
+            ),
+        ]
+
+        f = OrderedDict(fields + list(super().settings_form_fields.items()))
        del f['_fee_abs']
        del f['_fee_percent']
        del f['_fee_reverse_calc']
        del f['_total_min']
        del f['_total_max']
        del f['_invoice_text']
+        f.move_to_end("_enabled", last=False)
        return f

    @property
@@ -1144,10 +1232,14 @@ class GiftCardPayment(BasePaymentProvider):
        return super().order_change_allowed(order) and self.event.organizer.has_gift_cards

    def payment_form_render(self, request: HttpRequest, total: Decimal) -> str:
-        return get_template('pretixcontrol/giftcards/checkout.html').render({})
+        return get_template('pretixcontrol/giftcards/checkout.html').render({
+            'request': request,
+        })

-    def checkout_confirm_render(self, request) -> str:
-        return get_template('pretixcontrol/giftcards/checkout_confirm.html').render({})
+    def checkout_confirm_render(self, request, order=None, info_data=None) -> str:
+        return get_template('pretixcontrol/giftcards/checkout_confirm.html').render({
+            'info_data': info_data,
+        })

    def refund_control_render(self, request, refund) -> str:
        from .models import GiftCard
@@ -1191,6 +1283,9 @@ class GiftCardPayment(BasePaymentProvider):
            }
        }

+    def api_refund_details(self, refund: OrderRefund):
+        return self.api_payment_details(refund)
+
    def payment_partial_refund_supported(self, payment: OrderPayment) -> bool:
        return True

@@ -1198,6 +1293,8 @@ class GiftCardPayment(BasePaymentProvider):
        return True

    def checkout_prepare(self, request: HttpRequest, cart: Dict[str, Any]) -> Union[bool, str, None]:
+        from pretix.base.services.cart import add_payment_to_cart
+
        for p in get_cart(request):
            if p.item.issue_giftcard:
                messages.error(request, _("You cannot pay with gift cards when buying a gift card."))
@@ -1206,7 +1303,7 @@ class GiftCardPayment(BasePaymentProvider):
        cs = cart_session(request)
        try:
            gc = self.event.organizer.accepted_gift_cards.get(
-                secret=request.POST.get("giftcard")
+                secret=request.POST.get("giftcard").strip()
            )
            if gc.currency != self.event.currency:
                messages.error(request, _("This gift card does not support this currency."))
@@ -1223,34 +1320,22 @@ class GiftCardPayment(BasePaymentProvider):
            if gc.value <= Decimal("0.00"):
                messages.error(request, _("All credit on this gift card has been used."))
                return
-            if 'gift_cards' not in cs:
-                cs['gift_cards'] = []
-            elif gc.pk in cs['gift_cards']:
-                messages.error(request, _("This gift card is already used for your payment."))
-                return
-            cs['gift_cards'] = cs['gift_cards'] + [gc.pk]

-            total = sum(p.total for p in cart['positions'])
-            # Recompute fees. Some plugins, e.g. pretix-servicefees, change their fee schedule if a gift card is
-            # applied.
-            fees = get_fees(
-                self.event, request, total, cart['invoice_address'], cs.get('payment'),
-                cart['raw']
+            for p in cs.get('payments', []):
+                if p['provider'] == self.identifier and p['info_data']['gift_card'] == gc.pk:
+                    messages.error(request, _("This gift card is already used for your payment."))
+                    return
+
+            add_payment_to_cart(
+                request,
+                self,
+                max_value=gc.value,
+                info_data={
+                    'gift_card': gc.pk,
+                    'gift_card_secret': gc.secret,
+                }
            )
-            total += sum([f.value for f in fees])
-            remainder = total
-            if remainder > Decimal('0.00'):
-                del cs['payment']
-                messages.success(request, _("Your gift card has been applied, but {} still need to be paid. Please select a payment method.").format(
-                    money_filter(remainder, self.event.currency)
-                ))
-            else:
-                messages.success(request, _("Your gift card has been applied."))
-
-            kwargs = {'step': 'payment'}
-            if request.resolver_match and 'cart_namespace' in request.resolver_match.kwargs:
-                kwargs['cart_namespace'] = request.resolver_match.kwargs['cart_namespace']
-            return eventreverse(self.event, 'presale:event.checkout', kwargs=kwargs)
+            return True
        except GiftCard.DoesNotExist:
            if self.event.vouchers.filter(code__iexact=request.POST.get("giftcard")).exists():
                messages.warning(request, _("You entered a voucher instead of a gift card. Vouchers can only be entered on the first page of the shop below "
@@ -1268,7 +1353,7 @@ class GiftCardPayment(BasePaymentProvider):

        try:
            gc = self.event.organizer.accepted_gift_cards.get(
-                secret=request.POST.get("giftcard")
+                secret=request.POST.get("giftcard").strip()
            )
            if gc.currency != self.event.currency:
                messages.error(request, _("This gift card does not support this currency."))
@@ -1287,6 +1372,7 @@ class GiftCardPayment(BasePaymentProvider):
                return
            payment.info_data = {
                'gift_card': gc.pk,
+                'gift_card_secret': gc.secret,
                'retry': True
            }
            payment.amount = min(payment.amount, gc.value)
@@ -1294,7 +1380,7 @@ class GiftCardPayment(BasePaymentProvider):

            return True
        except GiftCard.DoesNotExist:
-            if self.event.vouchers.filter(code__iexact=request.POST.get("giftcard")).exists():
+            if self.event.vouchers.filter(code__iexact=request.POST.get("giftcard").strip()).exists():
                messages.warning(request, _("You entered a voucher instead of a gift card. Vouchers can only be entered on the first page of the shop below "
                                            "the product selection."))
            else:
@@ -1302,37 +1388,46 @@ class GiftCardPayment(BasePaymentProvider):
        except GiftCard.MultipleObjectsReturned:
            messages.error(request, _("This gift card can not be redeemed since its code is not unique. Please contact the organizer of this event."))

-    def execute_payment(self, request: HttpRequest, payment: OrderPayment) -> str:
-        # This method will only be called when retrying payments, e.g. after a payment_prepare call. It is not called
-        # during the order creation phase because this payment provider is a special case.
-        for p in payment.order.positions.all():  # noqa - just a safeguard
+    def execute_payment(self, request: HttpRequest, payment: OrderPayment, is_early_special_case=False) -> str:
+        for p in payment.order.positions.all():
            if p.item.issue_giftcard:
                raise PaymentException(_("You cannot pay with gift cards when buying a gift card."))

        gcpk = payment.info_data.get('gift_card')
-        if not gcpk or not payment.info_data.get('retry'):
+        if not gcpk:
            raise PaymentException("Invalid state, should never occur.")
-        with transaction.atomic():
-            gc = GiftCard.objects.select_for_update().get(pk=gcpk)
-            if gc.currency != self.event.currency:  # noqa - just a safeguard
-                raise PaymentException(_("This gift card does not support this currency."))
-            if not gc.accepted_by(self.event.organizer):  # noqa - just a safeguard
-                raise PaymentException(_("This gift card is not accepted by this event organizer."))
-            if payment.amount > gc.value:  # noqa - just a safeguard
-                raise PaymentException(_("This gift card was used in the meantime. Please try again."))
-            if gc.expires and gc.expires < now():  # noqa - just a safeguard
-                messages.error(request, _("This gift card is no longer valid."))
-                return
-            trans = gc.transactions.create(
-                value=-1 * payment.amount,
-                order=payment.order,
-                payment=payment
-            )
-            payment.info_data = {
-                'gift_card': gc.pk,
-                'transaction_id': trans.pk,
-            }
-            payment.confirm()
+        try:
+            with transaction.atomic():
+                try:
+                    gc = GiftCard.objects.select_for_update().get(pk=gcpk)
+                except GiftCard.DoesNotExist:
+                    raise PaymentException(_("This gift card does not support this currency."))
+                if gc.currency != self.event.currency:  # noqa - just a safeguard
+                    raise PaymentException(_("This gift card does not support this currency."))
+                if not gc.accepted_by(self.event.organizer):
+                    raise PaymentException(_("This gift card is not accepted by this event organizer."))
+                if payment.amount > gc.value:
+                    raise PaymentException(_("This gift card was used in the meantime. Please try again."))
+                if gc.testmode and not payment.order.testmode:
+                    raise PaymentException(_("This gift card can only be used in test mode."))
+                if not gc.testmode and payment.order.testmode:
+                    raise PaymentException(_("Only test gift cards can be used in test mode."))
+                if gc.expires and gc.expires < now():
+                    raise PaymentException(_("This gift card is no longer valid."))
+
+                trans = gc.transactions.create(
+                    value=-1 * payment.amount,
+                    order=payment.order,
+                    payment=payment
+                )
+                payment.info_data = {
+                    'gift_card': gc.pk,
+                    'transaction_id': trans.pk,
+                }
+                payment.confirm(send_mail=not is_early_special_case, generate_invoice=not is_early_special_case)
+        except PaymentException as e:
+            payment.fail(info={'error': str(e)})
+            raise e

    def payment_is_valid_session(self, request: HttpRequest) -> bool:
        return True
@@ -746,6 +746,8 @@ class Renderer:

            def replace(x):
                if x.group(1).startswith('itemmeta:'):
+                    if op.variation_id:
+                        return op.variation.meta_data.get(x.group(1)[9:]) or ''
                    return op.item.meta_data.get(x.group(1)[9:]) or ''
                elif x.group(1).startswith('meta:'):
                    return ev.meta_data.get(x.group(1)[5:]) or ''
@@ -766,6 +768,8 @@ class Renderer:
            return re.sub(r'\{([a-zA-Z0-9:_]+)\}', replace, text)

        elif o['content'].startswith('itemmeta:'):
+            if op.variation_id:
+                return op.variation.meta_data.get(o['content'][9:]) or ''
            return op.item.meta_data.get(o['content'][9:]) or ''

        elif o['content'].startswith('meta:'):
@@ -65,7 +65,14 @@ def get_all_plugins(event=None) -> List[type]:
    )


-class PluginConfig(AppConfig):
+class PluginConfigMeta(type):
+    def __getattribute__(cls, item):
+        if item == "default" and cls is PluginConfig:
+            return False
+        return super().__getattribute__(item)
+
+
+class PluginConfig(AppConfig, metaclass=PluginConfigMeta):
    IGNORE = False

    def __init__(self, *args, **kwargs):
@@ -35,12 +35,13 @@ from pretix.base.models import (
    SubEvent, User, WaitingListEntry,
 )
 from pretix.base.services.locking import LockTimeoutException
-from pretix.base.services.mail import SendMailException, TolerantDict, mail
+from pretix.base.services.mail import SendMailException, mail
 from pretix.base.services.orders import (
    OrderChangeManager, OrderError, _cancel_order, _try_auto_refund,
 )
 from pretix.base.services.tasks import ProfiledEventTask
 from pretix.celery_app import app
+from pretix.helpers.format import format_map

 logger = logging.getLogger(__name__)

@@ -51,7 +52,7 @@ def _send_wle_mail(wle: WaitingListEntry, subject: LazyI18nString, message: Lazy
        try:
            mail(
                wle.email,
-                str(subject).format_map(TolerantDict(email_context)),
+                format_map(subject, email_context),
                message,
                email_context,
                wle.event,
@@ -71,7 +72,7 @@ def _send_mail(order: Order, subject: LazyI18nString, message: LazyI18nString, s

        email_context = get_email_context(event_or_subevent=subevent or order.event, refund_amount=refund_amount,
                                          order=order, position_or_address=ia, event=order.event)
-        real_subject = str(subject).format_map(TolerantDict(email_context))
+        real_subject = format_map(subject, email_context)
        try:
            order.send_mail(
                real_subject, message, email_context,
@@ -86,7 +87,7 @@ def _send_mail(order: Order, subject: LazyI18nString, message: LazyI18nString, s
                continue

            if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
-                real_subject = str(subject).format_map(TolerantDict(email_context))
+                real_subject = format_map(subject, email_context)
                email_context = get_email_context(event_or_subevent=p.subevent or order.event,
                                                  event=order.event,
                                                  refund_amount=refund_amount,
@@ -31,7 +31,7 @@
 # Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.
-
+import uuid
 from collections import Counter, defaultdict, namedtuple
 from datetime import datetime, time, timedelta
 from decimal import Decimal
@@ -453,12 +453,15 @@ class CartManager:
            if cp.is_bundled:
                bundle = cp.addon_to.item.bundles.filter(bundled_item=cp.item, bundled_variation=cp.variation).first()
                if bundle:
-                    listed_price = bundle.designated_price or 0
+                    listed_price = bundle.designated_price or Decimal('0.00')
                else:
                    listed_price = cp.price
                price_after_voucher = listed_price
            else:
-                listed_price = get_listed_price(cp.item, cp.variation, cp.subevent)
+                if cp.addon_to_id and is_included_for_free(cp.item, cp.addon_to):
+                    listed_price = Decimal('0.00')
+                else:
+                    listed_price = get_listed_price(cp.item, cp.variation, cp.subevent)
                if cp.voucher:
                    price_after_voucher = cp.voucher.calculate_price(listed_price)
                else:
@@ -1262,44 +1265,71 @@ class CartManager:
                raise CartError(err)


-def get_fees(event, request, total, invoice_address, provider, positions):
+def add_payment_to_cart(request, provider, min_value: Decimal=None, max_value: Decimal=None, info_data: dict=None):
+    """
+    :param request: The current HTTP request context.
+    :param provider: The instance of your payment provider.
+    :param min_value: The minimum value this payment instrument supports, or ``None`` for unlimited.
+    :param max_value: The maximum value this payment instrument supports, or ``None`` for unlimited. Highly discouraged
+                      to use for payment providers which charge a payment fee, as this can be very user-unfriendly if
+                      users need a second payment method just for the payment fee of the first method.
+    :param info_data: A dictionary of information that will be passed through to the ``OrderPayment.info_data`` attribute.
+    :return:
+    """
    from pretix.presale.views.cart import cart_session

+    cs = cart_session(request)
+    cs.setdefault('payments', [])
+
+    cs['payments'].append({
+        'id': str(uuid.uuid4()),
+        'provider': provider.identifier,
+        'multi_use_supported': provider.multi_use_supported,
+        'min_value': str(min_value) if min_value is not None else None,
+        'max_value': str(max_value) if max_value is not None else None,
+        'info_data': info_data or {},
+    })
+
+
+def get_fees(event, request, total, invoice_address, payments, positions):
+    if payments and not isinstance(payments, list):
+        raise TypeError("payments must now be a list")
+
    fees = []
    for recv, resp in fee_calculation_for_cart.send(sender=event, request=request, invoice_address=invoice_address,
-                                                    total=total, positions=positions):
+                                                    total=total, positions=positions, payment_requests=payments):
        if resp:
            fees += resp

    total = total + sum(f.value for f in fees)

-    cs = cart_session(request)
-    if cs.get('gift_cards'):
-        gcs = cs['gift_cards']
-        gc_qs = event.organizer.accepted_gift_cards.filter(pk__in=cs.get('gift_cards'), currency=event.currency)
-        for gc in gc_qs:
-            if gc.testmode != event.testmode:
-                gcs.remove(gc.pk)
+    if total != 0 and payments:
+        total_remaining = total
+        for p in payments:
+            # This algorithm of treating min/max values and fees needs to stay in sync between the following
+            # places in the code base:
+            # - pretix.base.services.cart.get_fees
+            # - pretix.base.services.orders._get_fees
+            # - pretix.presale.views.CartMixin.current_selected_payments
+            if p.get('min_value') and total_remaining < Decimal(p['min_value']):
                continue
-            fval = Decimal(gc.value)  # TODO: don't require an extra query
-            fval = min(fval, total)
-            if fval > 0:
-                total -= fval
-                fees.append(OrderFee(
-                    fee_type=OrderFee.FEE_TYPE_GIFTCARD,
-                    internal_type='giftcard',
-                    description=gc.secret,
-                    value=-1 * fval,
-                    tax_rate=Decimal('0.00'),
-                    tax_value=Decimal('0.00'),
-                    tax_rule=TaxRule.zero()
-                ))
-        cs['gift_cards'] = gcs

-    if provider and total != 0:
-        provider = event.get_payment_providers().get(provider)
-        if provider:
-            payment_fee = provider.calculate_fee(total)
+            to_pay = total_remaining
+            if p.get('max_value') and to_pay > Decimal(p['max_value']):
+                to_pay = min(to_pay, Decimal(p['max_value']))
+
+            pprov = event.get_payment_providers(cached=True).get(p['provider'])
+            if not pprov:
+                continue
+
+            payment_fee = pprov.calculate_fee(to_pay)
+            total_remaining += payment_fee
+            to_pay += payment_fee
+
+            if p.get('max_value') and to_pay > Decimal(p['max_value']):
+                to_pay = min(to_pay, Decimal(p['max_value']))
+
+            total_remaining -= to_pay

            if payment_fee:
                payment_fee_tax_rule = event.settings.tax_rate_default or TaxRule.zero()
@@ -452,17 +452,19 @@ def build_preview_invoice_pdf(event):

        if event.tax_rules.exists():
            for i, tr in enumerate(event.tax_rules.all()):
-                tax = tr.tax(Decimal('100.00'), base_price_is='gross')
-                InvoiceLine.objects.create(
-                    invoice=invoice, description=_("Sample product {}").format(i + 1),
-                    gross_value=tax.gross, tax_value=tax.tax,
-                    tax_rate=tax.rate
-                )
+                for j in range(5):
+                    tax = tr.tax(Decimal('100.00'), base_price_is='gross')
+                    InvoiceLine.objects.create(
+                        invoice=invoice, description=_("Sample product {}").format(i + 1),
+                        gross_value=tax.gross, tax_value=tax.tax,
+                        tax_rate=tax.rate
+                    )
        else:
-            InvoiceLine.objects.create(
-                invoice=invoice, description=_("Sample product A"),
-                gross_value=100, tax_value=0, tax_rate=0
-            )
+            for i in range(5):
+                InvoiceLine.objects.create(
+                    invoice=invoice, description=_("Sample product A"),
+                    gross_value=100, tax_value=0, tax_rate=0
+                )

        return event.invoice_renderer.generate(invoice)

@@ -76,6 +76,7 @@ from pretix.base.services.tasks import TransactionAwareTask
 from pretix.base.services.tickets import get_tickets_for_order
 from pretix.base.signals import email_filter, global_email_filter
 from pretix.celery_app import app
+from pretix.helpers.format import format_map
 from pretix.helpers.hierarkey import clean_filename
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.ical import get_private_icals
@@ -98,7 +99,8 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
         context: Dict[str, Any] = None, event: Event = None, locale: str = None, order: Order = None,
         position: OrderPosition = None, *, headers: dict = None, sender: str = None, organizer: Organizer = None,
         customer: Customer = None, invoices: Sequence = None, attach_tickets=False, auto_email=True, user=None,
-         attach_ical=False, attach_cached_files: Sequence = None, attach_other_files: list=None):
+         attach_ical=False, attach_cached_files: Sequence = None, attach_other_files: list=None,
+         plain_text_only=False, no_order_links=False):
    """
    Sends out an email to a user. The mail will be sent synchronously or asynchronously depending on the installation.

@@ -109,7 +111,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La

    :param template: The filename of a template to be used. It will be rendered with the locale given in the locale
        argument and the context given in the next argument. Alternatively, you can pass a LazyI18nString and
-        ``context`` will be used as the argument to a  Python ``.format_map()`` call on the template.
+        ``context`` will be used as the argument to a ``pretix.helpers.format.format_map(template, context)`` call on the template.

    :param context: The context for rendering the template (see ``template`` parameter)

@@ -148,12 +150,21 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La

    :param attach_other_files: A list of file paths on our storage to attach.

+    :param plain_text_only: If set to ``True``, rendering a HTML version will be skipped.
+
+    :param no_order_links: If set to ``True``, no link to the order confirmation page will be auto-appended. Currently
+                           only allowed to use together with ``plain_text_only`` since HTML renderers add their own
+                           links.
+
    :raises MailOrderException: on obvious, immediate failures. Not raising an exception does not necessarily mean
        that the email has been sent, just that it has been queued by the email backend.
    """
    if email == INVALID_ADDRESS:
        return

+    if no_order_links and not plain_text_only:
+        raise ValueError('If you set no_order_links, you also need to set plain_text_only.')
+
    headers = headers or {}
    if auto_email:
        headers['X-Auto-Response-Suppress'] = 'OOF, NRN, AutoReply, RN'
@@ -242,7 +253,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
            if order and order.testmode:
                subject = "[TESTMODE] " + subject

-            if order and position:
+            if order and position and not no_order_links:
                body_plain += _(
                    "You are receiving this email because someone placed an order for {event} for you."
                ).format(event=event.name)
@@ -258,7 +269,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                        }
                    )
                )
-            elif order:
+            elif order and not no_order_links:
                body_plain += _(
                    "You are receiving this email because you placed an order for {event}."
                ).format(event=event.name)
@@ -278,7 +289,9 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La

        with override(timezone):
            try:
-                if 'position' in inspect.signature(renderer.render).parameters:
+                if plain_text_only:
+                    body_html = None
+                elif 'position' in inspect.signature(renderer.render).parameters:
                    body_html = renderer.render(content_plain, signature, raw_subject, order, position)
                else:
                    # Backwards compatibility
@@ -608,7 +621,7 @@ def render_mail(template, context):
    if isinstance(template, LazyI18nString):
        body = str(template)
        if context:
-            body = body.format_map(TolerantDict(context))
+            body = format_map(body, context)
    else:
        tpl = get_template(template)
        body = tpl.render(context)
@@ -74,7 +74,7 @@ from pretix.base.models.orders import (
 )
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.models.tax import TAXED_ZERO, TaxedPrice, TaxRule
-from pretix.base.payment import BasePaymentProvider, PaymentException
+from pretix.base.payment import GiftCardPayment, PaymentException
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
@@ -793,68 +793,75 @@ def _check_positions(event: Event, now_dt: datetime, positions: List[CartPositio
        raise OrderError(err, errargs)


-def _get_fees(positions: List[CartPosition], payment_provider: BasePaymentProvider, address: InvoiceAddress,
-              meta_info: dict, event: Event, gift_cards: List[GiftCard]):
+def _get_fees(positions: List[CartPosition], payment_requests: List[dict], address: InvoiceAddress,
+              meta_info: dict, event: Event, require_approval=False):
    fees = []
    total = sum([c.price for c in positions])

-    for recv, resp in order_fee_calculation.send(sender=event, invoice_address=address, total=total,
+    gift_cards = []  # for backwards compatibility
+    for p in payment_requests:
+        if p['provider'] == 'giftcard':
+            gift_cards.append(GiftCard.objects.get(pk=p['info_data']['gift_card']))
+
+    for recv, resp in order_fee_calculation.send(sender=event, invoice_address=address, total=total, payment_requests=payment_requests,
                                                 meta_info=meta_info, positions=positions, gift_cards=gift_cards):
        if resp:
            fees += resp
    total += sum(f.value for f in fees)

-    gift_card_values = {}
-    for gc in gift_cards:
-        fval = Decimal(gc.value)  # TODO: don't require an extra query
-        fval = min(fval, total)
-        if fval > 0:
-            total -= fval
-            gift_card_values[gc] = fval
+    total_remaining = total
+    for p in payment_requests:
+        # This algorithm of treating min/max values and fees needs to stay in sync between the following
+        # places in the code base:
+        # - pretix.base.services.cart.get_fees
+        # - pretix.base.services.orders._get_fees
+        # - pretix.presale.views.CartMixin.current_selected_payments
+        if p.get('min_value') and total_remaining < Decimal(p['min_value']):
+            p['payment_amount'] = Decimal('0.00')
+            continue

-    if payment_provider:
-        payment_fee = payment_provider.calculate_fee(total)
-    else:
-        payment_fee = 0
-    pf = None
-    if payment_fee:
-        pf = OrderFee(fee_type=OrderFee.FEE_TYPE_PAYMENT, value=payment_fee,
-                      internal_type=payment_provider.identifier)
-        fees.append(pf)
+        to_pay = total_remaining
+        if p.get('max_value') and to_pay > Decimal(p['max_value']):
+            to_pay = min(to_pay, Decimal(p['max_value']))

-    return fees, pf, gift_card_values
+        payment_fee = p['pprov'].calculate_fee(to_pay)
+        total_remaining += payment_fee
+        to_pay += payment_fee
+
+        if p.get('max_value') and to_pay > Decimal(p['max_value']):
+            to_pay = min(to_pay, Decimal(p['max_value']))
+
+        total_remaining -= to_pay
+
+        p['payment_amount'] = to_pay
+        if payment_fee:
+            pf = OrderFee(fee_type=OrderFee.FEE_TYPE_PAYMENT, value=payment_fee,
+                          internal_type=p['pprov'].identifier)
+            fees.append(pf)
+            p['fee'] = pf
+
+    if total_remaining != Decimal('0.00') and not require_approval:
+        raise OrderError(_("The selected payment methods do not cover the total balance."))
+
+    return fees


 def _create_order(event: Event, email: str, positions: List[CartPosition], now_dt: datetime,
-                  payment_provider: BasePaymentProvider, locale: str=None, address: InvoiceAddress=None,
-                  meta_info: dict=None, sales_channel: str='web', gift_cards: list=None, shown_total=None,
+                  payment_requests: List[dict], locale: str=None, address: InvoiceAddress=None,
+                  meta_info: dict=None, sales_channel: str='web', shown_total=None,
                  customer=None):
-    p = None
+    payments = []
    sales_channel = get_all_sales_channels()[sales_channel]

    with transaction.atomic():
-        checked_gift_cards = []
-        if gift_cards:
-            gc_qs = GiftCard.objects.select_for_update().filter(pk__in=gift_cards)
-            for gc in gc_qs:
-                if gc.currency != event.currency:
-                    raise OrderError(_("This gift card does not support this currency."))
-                if gc.testmode and not event.testmode:
-                    raise OrderError(_("This gift card can only be used in test mode."))
-                if not gc.testmode and event.testmode:
-                    raise OrderError(_("Only test gift cards can be used in test mode."))
-                if not gc.accepted_by(event.organizer):
-                    raise OrderError(_("This gift card is not accepted by this event organizer."))
-                checked_gift_cards.append(gc)
-        if checked_gift_cards and any(c.item.issue_giftcard for c in positions):
-            raise OrderError(_("You cannot pay with gift cards when buying a gift card."))

        try:
            validate_memberships_in_order(customer, positions, event, lock=True, testmode=event.testmode)
        except ValidationError as e:
            raise OrderError(e.message)

-        fees, pf, gift_card_values = _get_fees(positions, payment_provider, address, meta_info, event, checked_gift_cards)
+        require_approval = any(p.requires_approval(invoice_address=address) for p in positions)
+        fees = _get_fees(positions, payment_requests, address, meta_info, event, require_approval=require_approval)
        total = pending_sum = sum([c.price for c in positions]) + sum([c.value for c in fees])

        order = Order(
@@ -867,7 +874,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
            total=total,
            testmode=True if sales_channel.testmode_supported and event.testmode else False,
            meta_info=json.dumps(meta_info or {}),
-            require_approval=any(p.requires_approval(invoice_address=address) for p in positions),
+            require_approval=require_approval,
            sales_channel=sales_channel.identifier,
            customer=customer,
        )
@@ -891,28 +898,11 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
                fee.tax_rule = None  # TODO: deprecate
            fee.save()

-        for gc, val in gift_card_values.items():
-            p = order.payments.create(
-                state=OrderPayment.PAYMENT_STATE_CONFIRMED,
-                provider='giftcard',
-                amount=val,
-                fee=pf
-            )
-            trans = gc.transactions.create(
-                value=-1 * val,
-                order=order,
-                payment=p
-            )
-            p.info_data = {
-                'gift_card': gc.pk,
-                'transaction_id': trans.pk,
-            }
-            p.save()
-            pending_sum -= val
-
        # Safety check: Is the amount we're now going to charge the same amount the user has been shown when they
        # pressed "Confirm purchase"? If not, we should better warn the user and show the confirmation page again.
-        # The only *known* case where this happens is if a gift card is used in two concurrent sessions.
+        # We used to have a *known* case where this happened is if a gift card is used in two concurrent sessions,
+        # but this is now a payment error instead. So currently this code branch is usually only triggered by bugs
+        # in other places (e.g. tax calculation).
        if shown_total is not None:
            if Decimal(shown_total) != pending_sum:
                raise OrderError(
@@ -921,13 +911,17 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
                      'check the prices below and try again.')
                )

-        if payment_provider and not order.require_approval:
-            p = order.payments.create(
-                state=OrderPayment.PAYMENT_STATE_CREATED,
-                provider=payment_provider.identifier,
-                amount=pending_sum,
-                fee=pf
-            )
+        if payment_requests and not order.require_approval:
+            for p in payment_requests:
+                if not p.get('multi_use_supported') or p['payment_amount'] > Decimal('0.00'):
+                    payments.append(order.payments.create(
+                        state=OrderPayment.PAYMENT_STATE_CREATED,
+                        provider=p['provider'],
+                        amount=p['payment_amount'],
+                        fee=p.get('fee'),
+                        info=json.dumps(p['info_data']),
+                        process_initiated=False,
+                    ))

        orderpositions = OrderPosition.transform_cart_positions(positions, order)
        order.create_transactions(positions=orderpositions, fees=fees, is_new=True)
@@ -939,12 +933,12 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
                order.log_action('pretix.event.order.consent', data={'msg': msg})

    order_placed.send(event, order=order)
-    return order, p
+    return order, payments


-def _order_placed_email(event: Event, order: Order, pprov: BasePaymentProvider, email_template, subject_template,
-                        log_entry: str, invoice, payment: OrderPayment, is_free=False):
-    email_context = get_email_context(event=event, order=order, payment=payment if pprov else None)
+def _order_placed_email(event: Event, order: Order, email_template, subject_template,
+                        log_entry: str, invoice, payments: List[OrderPayment], is_free=False):
+    email_context = get_email_context(event=event, order=order, payments=payments)
    try:
        order.send_mail(
            subject_template, email_template, email_context,
@@ -979,15 +973,13 @@ def _order_placed_email_attendee(event: Event, order: Order, position: OrderPosi
        logger.exception('Order received email could not be sent to attendee')


-def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
+def _perform_order(event: Event, payment_requests: List[dict], position_ids: List[str],
                   email: str, locale: str, address: int, meta_info: dict=None, sales_channel: str='web',
-                   gift_cards: list=None, shown_total=None, customer=None):
-    if payment_provider:
-        pprov = event.get_payment_providers().get(payment_provider)
-        if not pprov:
+                   shown_total=None, customer=None):
+    for p in payment_requests:
+        p['pprov'] = event.get_payment_providers(cached=True)[p['provider']]
+        if not p['pprov']:
            raise OrderError(error_messages['internal'])
-    else:
-        pprov = None

    if customer:
        customer = event.organizer.customers.get(pk=customer)
@@ -1017,8 +1009,17 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
        id__in=position_ids, event=event
    )

-    validate_order.send(event, payment_provider=pprov, email=email, positions=positions, locale=locale,
-                        invoice_address=addr, meta_info=meta_info, customer=customer)
+    validate_order.send(
+        event,
+        payment_provider=payment_requests[0]['provider'] if payment_requests else None,  # only for backwards compatibility
+        payments=payment_requests,
+        email=email,
+        positions=positions,
+        locale=locale,
+        invoice_address=addr,
+        meta_info=meta_info,
+        customer=customer,
+    )

    lockfn = NoLockManager
    locked = False
@@ -1028,6 +1029,9 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
        locked = True
        lockfn = event.lock

+    warnings = []
+    any_payment_failed = False
+
    with lockfn() as now_dt:
        positions = list(
            positions.select_related('item', 'variation', 'subevent', 'seat', 'addon_to').prefetch_related('addons')
@@ -1038,21 +1042,55 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
        if len(position_ids) != len(positions):
            raise OrderError(error_messages['internal'])
        _check_positions(event, now_dt, positions, address=addr, sales_channel=sales_channel, customer=customer)
-        order, payment = _create_order(event, email, positions, now_dt, pprov,
-                                       locale=locale, address=addr, meta_info=meta_info, sales_channel=sales_channel,
-                                       gift_cards=gift_cards, shown_total=shown_total, customer=customer)
+        order, payment_objs = _create_order(event, email, positions, now_dt, payment_requests,
+                                            locale=locale, address=addr, meta_info=meta_info, sales_channel=sales_channel,
+                                            shown_total=shown_total, customer=customer)
+        try:
+            for p in payment_objs:
+                if p.provider == 'free':
+                    p.confirm(send_mail=False, lock=not locked, generate_invoice=False)
+        except Quota.QuotaExceededException:
+            pass

-        free_order_flow = payment and payment_provider == 'free' and order.pending_sum == Decimal('0.00') and not order.require_approval
-        if free_order_flow:
+    # We give special treatment to GiftCardPayment here because our invoice renderer expects gift cards to already be
+    # processed, and because we historically treat gift card orders like free orders with regards to email texts.
+    # It would be great to give external gift card plugins the same special treatment, but it feels to risky for now, as
+    # (a) there would be no email at all if the plugin fails in a weird way and (b) we'd be able to run into
+    # contradictions when a plugin set both execute_payment_needs_user=False as well as requires_invoice_immediately=True
+    for p in payment_objs:
+        if isinstance(p.payment_provider, GiftCardPayment):
            try:
-                payment.confirm(send_mail=False, lock=not locked)
-            except Quota.QuotaExceededException:
-                pass
+                p.process_initiated = True
+                p.save(update_fields=['process_initiated'])
+                p.payment_provider.execute_payment(None, p, is_early_special_case=True)
+            except PaymentException as e:
+                warnings.append(str(e))
+                any_payment_failed = True
+            except Exception:
+                logger.exception('Error during payment attempt')
+
+    pending_sum = order.pending_sum
+    free_order_flow = (
+        payment_objs and
+        (
+            any(p['provider'] == 'free' for p in payment_requests) or
+            all(p['provider'] == 'giftcard' for p in payment_requests)
+        ) and
+        pending_sum == Decimal('0.00') and
+        not order.require_approval
+    )

    invoice = order.invoices.last()  # Might be generated by plugin already
    if not invoice and invoice_qualified(order):
-        if event.settings.get('invoice_generate') == 'True' or (
-                event.settings.get('invoice_generate') == 'paid' and payment.payment_provider.requires_invoice_immediately):
+        invoice_required = (
+            event.settings.get('invoice_generate') == 'True' or (
+                event.settings.get('invoice_generate') == 'paid' and (
+                    any(p['pprov'].requires_invoice_immediately for p in payment_requests) or
+                    pending_sum <= Decimal('0.00')
+                )
+            )
+        )
+        if invoice_required:
            invoice = generate_invoice(
                order,
                trigger_pdf=not event.settings.invoice_email_attachment or not order.email
@@ -1084,7 +1122,7 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
            subject_attendees_template = event.settings.mail_subject_order_placed_attendee

        if sales_channel in event.settings.mail_sales_channel_placed_paid:
-            _order_placed_email(event, order, pprov, email_template, subject_template, log_entry, invoice, payment,
+            _order_placed_email(event, order, email_template, subject_template, log_entry, invoice, payment_objs,
                                is_free=free_order_flow)
            if email_attendees:
                for p in order.positions.all():
@@ -1092,7 +1130,32 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
                        _order_placed_email_attendee(event, order, p, email_attendees_template, subject_attendees_template, log_entry,
                                                     is_free=free_order_flow)

-    return order.id
+    if not any_payment_failed:
+        for p in payment_objs:
+            if not p.payment_provider.execute_payment_needs_user and not p.process_initiated:
+                try:
+                    p.process_initiated = True
+                    p.save(update_fields=['process_initiated'])
+                    resp = p.payment_provider.execute_payment(None, p)
+                    if isinstance(resp, str):
+                        logger.warning('Payment provider returned URL from execute_payment even though execute_payment_needs_user is not set')
+                except PaymentException as e:
+                    warnings.append(str(e))
+                    any_payment_failed = True
+                except Exception:
+                    logger.exception('Error during payment attempt')
+
+    if any_payment_failed:
+        # Cancel all other payments because their amount might be wrong now.
+        for p in payment_objs:
+            if p.state == OrderPayment.PAYMENT_STATE_CREATED:
+                p.state = OrderPayment.PAYMENT_STATE_CANCELED
+                p.save(update_fields=['state'])
+
+    return {
+        'order_id': order.id,
+        'warnings': warnings,
+    }


@receiver(signal=periodic_task)
@@ -2394,14 +2457,14 @@ class OrderChangeManager:


@app.task(base=ProfiledEventTask, bind=True, max_retries=5, default_retry_delay=1, throws=(OrderError,))
-def perform_order(self, event: Event, payment_provider: str, positions: List[str],
+def perform_order(self, event: Event, payments: List[dict], positions: List[str],
                  email: str=None, locale: str=None, address: int=None, meta_info: dict=None,
-                  sales_channel: str='web', gift_cards: list=None, shown_total=None, customer=None):
+                  sales_channel: str='web', shown_total=None, customer=None):
    with language(locale):
        try:
            try:
-                return _perform_order(event, payment_provider, positions, email, locale, address, meta_info,
-                                      sales_channel, gift_cards, shown_total, customer)
+                return _perform_order(event, payments, positions, email, locale, address, meta_info,
+                                      sales_channel, shown_total, customer)
            except LockTimeoutException:
                self.retry()
        except (MaxRetriesExceededError, LockTimeoutException):
@@ -117,7 +117,7 @@ def get_listed_price(item: Item, variation: ItemVariation = None, subevent: SubE


 def get_line_price(price_after_voucher: Decimal, custom_price_input: Decimal, custom_price_input_is_net: bool,
-                   tax_rule: TaxRule, invoice_address: InvoiceAddress, bundled_sum: Decimal) -> TaxedPrice:
+                   tax_rule: TaxRule, invoice_address: InvoiceAddress, bundled_sum: Decimal, is_bundled=False) -> TaxedPrice:
    if not tax_rule:
        tax_rule = TaxRule(
            name='',
@@ -135,7 +135,8 @@ def get_line_price(price_after_voucher: Decimal, custom_price_input: Decimal, cu
            price = tax_rule.tax(max(custom_price_input, price.gross), base_price_is='gross', override_tax_rate=price.rate,
                                 invoice_address=invoice_address, subtract_from_gross=bundled_sum)
    else:
-        price = tax_rule.tax(price_after_voucher, invoice_address=invoice_address, subtract_from_gross=bundled_sum)
+        price = tax_rule.tax(price_after_voucher, invoice_address=invoice_address, subtract_from_gross=bundled_sum,
+                             base_price_is='gross' if is_bundled else 'auto')

    return price

@@ -743,6 +743,18 @@ DEFAULTS = {
        'default': 'True',
        'type': bool
    },
+    'payment_giftcard_public_name': {
+        'default': LazyI18nString.from_gettext(gettext_noop('Gift card')),
+        'type': LazyI18nString
+    },
+    'payment_giftcard_public_description': {
+        'default': LazyI18nString.from_gettext(gettext_noop(
+            'If you have a gift card, please enter the gift card code here. If the gift card does not have '
+            'enough credit to pay for the full order, you will be shown this page again and you can either '
+            'redeem another gift card or select a different payment method for the difference.'
+        )),
+        'type': LazyI18nString
+    },
    'payment_resellers__restrict_to_sales_channels': {
        'default': ['resellers'],
        'type': list
@@ -307,7 +307,7 @@ The ``sender`` keyword argument will contain an organizer.
 validate_order = EventPluginSignal(
 )
 """
-Arguments: ``payment_provider``, ``positions``, ``email``, ``locale``, ``invoice_address``,
+Arguments: ``payments``, ``positions``, ``email``, ``locale``, ``invoice_address``,
 ``meta_info``, ``customer``

 This signal is sent out when the user tries to confirm the order, before we actually create
@@ -316,6 +316,9 @@ but you can raise an OrderError with an appropriate exception message if you lik
 the order. We strongly discourage making changes to the order here.

 As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+
+**DEPRECTATION:** Stop listening to the ``payment_provider`` attribute, it will be removed
+in the future, as the ``payments`` attribute gives more information.
 """

 validate_cart = EventPluginSignal()
@@ -564,7 +567,7 @@ an OrderedDict of (setting name, form field).

 order_fee_calculation = EventPluginSignal()
 """
-Arguments: ``positions``, ``invoice_address``, ``meta_info``, ``total``, ``gift_cards``
+Arguments: ``positions``, ``invoice_address``, ``meta_info``, ``total``, ``gift_cards``, ``payment_requests``

 This signals allows you to add fees to an order while it is being created. You are expected to
 return a list of ``OrderFee`` objects that are not yet saved to the database
@@ -574,8 +577,10 @@ As with all plugin signals, the ``sender`` keyword argument will contain the eve
 argument will contain the cart positions and ``invoice_address`` the invoice address (useful for
 tax calculation). The argument ``meta_info`` contains the order's meta dictionary. The ``total``
 keyword argument will contain the total cart sum without any fees. You should not rely on this
-``total`` value for fee calculations as other fees might interfere. The ``gift_cards`` argument lists
-the gift cards in use.
+``total`` value for fee calculations as other fees might interfere. The ``gift_cards`` argument
+lists the gift cards in use.
+
+**DEPRECTATION:** Stop listening to the ``gift_cards`` attribute, it will be removed in the future.
 """

 order_fee_type_name = EventPluginSignal()
@@ -28,7 +28,7 @@ from django.urls import reverse


 def _is_samesite_referer(request):
-    referer = request.META.get('HTTP_REFERER')
+    referer = request.headers.get('referer')
    if referer is None:
        return False

@@ -1171,8 +1171,8 @@ class MailSettingsForm(SettingsForm):
        widget=I18nTextarea,
    )
    base_context = {
-        'mail_text_order_placed': ['event', 'order', 'payment'],
-        'mail_subject_order_placed': ['event', 'order', 'payment'],
+        'mail_text_order_placed': ['event', 'order', 'payments'],
+        'mail_subject_order_placed': ['event', 'order', 'payments'],
        'mail_text_order_placed_attendee': ['event', 'order', 'position'],
        'mail_subject_order_placed_attendee': ['event', 'order', 'position'],
        'mail_text_order_placed_require_approval': ['event', 'order'],
@@ -77,6 +77,31 @@ def get_all_payment_providers():
    if PAYMENT_PROVIDERS:
        return PAYMENT_PROVIDERS

+    class FakeSettings:
+        def __init__(self, orig_settings):
+            self.orig_settings = orig_settings
+
+        def set(self, *args, **kwargs):
+            pass
+
+        def __getattr__(self, item):
+            return getattr(self.orig_settings, item)
+
+    class FakeEvent:
+        def __init__(self, orig_event):
+            self.orig_event = orig_event
+
+        @property
+        def settings(self):
+            return FakeSettings(self.orig_event.settings)
+
+        def __getattr__(self, item):
+            return getattr(self.orig_event, item)
+
+        @property
+        def __class__(self):  # hackhack
+            return Event
+
    with rolledback_transaction():
        event = Event.objects.create(
            plugins=",".join([app.name for app in apps.get_app_configs()]),
@@ -84,6 +109,7 @@ def get_all_payment_providers():
            date_from=now(),
            organizer=Organizer.objects.create(name="INTERNAL")
        )
+        event = FakeEvent(event)
        provs = register_payment_providers.send(
            sender=event
        )
@@ -766,6 +792,12 @@ class OrderSearchFilterForm(OrderFilterForm):
                )
            )

+    def use_query_hack(self):
+        return (
+            self.cleaned_data.get('query') or
+            self.cleaned_data.get('status') in ('overpaid', 'partially_paid', 'underpaid', 'pendingpaid')
+        )
+
    def filter_qs(self, qs):
        fdata = self.cleaned_data
        qs = super().filter_qs(qs)
@@ -806,7 +838,8 @@ class OrderSearchFilterForm(OrderFilterForm):
        # We ignore superuser permissions here. This is intentional – we do not want to show super
        # users a form with all meta properties ever assigned.
        return EventMetaProperty.objects.filter(
-            organizer_id__in=self.request.user.teams.values_list('organizer', flat=True)
+            organizer_id__in=self.request.user.teams.values_list('organizer', flat=True),
+            filter_allowed=True,
        )


@@ -1545,12 +1578,13 @@ class EventFilterForm(FilterForm):
    @cached_property
    def meta_properties(self):
        if self.organizer:
-            return self.organizer.meta_properties.all()
+            return self.organizer.meta_properties.filter(filter_allowed=True)
        else:
            # We ignore superuser permissions here. This is intentional – we do not want to show super
            # users a form with all meta properties ever assigned.
            return EventMetaProperty.objects.filter(
-                organizer_id__in=self.request.user.teams.values_list('organizer', flat=True)
+                organizer_id__in=self.request.user.teams.values_list('organizer', flat=True),
+                filter_allowed=True,
            )


@@ -38,10 +38,13 @@ from decimal import Decimal
 from urllib.parse import urlencode

 from django import forms
+from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.files.uploadedfile import UploadedFile
 from django.db.models import Max
 from django.forms.formsets import DELETION_FIELD_NAME
 from django.urls import reverse
+from django.utils.functional import cached_property
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.translation import (
@@ -61,7 +64,8 @@ from pretix.base.models import (
 from pretix.base.models.items import ItemAddOn, ItemBundle, ItemMetaValue
 from pretix.base.signals import item_copy_data
 from pretix.control.forms import (
-    ItemMultipleChoiceField, SplitDateTimeField, SplitDateTimePickerWidget,
+    ItemMultipleChoiceField, SizeValidationMixin, SplitDateTimeField,
+    SplitDateTimePickerWidget,
 )
 from pretix.control.forms.widgets import Select2
 from pretix.helpers.models import modelcopy
@@ -433,12 +437,21 @@ class ItemCreateForm(I18nModelForm):
                    v.pk = None
                    v.item = instance
                    v.save()
+                    for mv in variation.meta_values.all():
+                        mv.pk = None
+                        mv.variation = v
+                        mv.save(force_insert=True)
            else:
                ItemVariation.objects.create(
                    item=instance, value=__('Standard')
                )

        if self.cleaned_data.get('copy_from'):
+            for mv in self.cleaned_data['copy_from'].meta_values.all():
+                mv.pk = None
+                mv.item = instance
+                mv.save(force_insert=True)
+
            for question in self.cleaned_data['copy_from'].questions.all():
                question.items.add(instance)
                question.log_action('pretix.event.question.changed', user=self.user, data={
@@ -584,6 +597,14 @@ class ItemUpdateForm(I18nModelForm):
                )
        return d

+    def clean_picture(self):
+        value = self.cleaned_data.get('picture')
+        if isinstance(value, UploadedFile) and value.size > settings.FILE_UPLOAD_MAX_SIZE_IMAGE:
+            raise forms.ValidationError(_("Please do not upload files larger than {size}!").format(
+                size=SizeValidationMixin._sizeof_fmt(settings.FILE_UPLOAD_MAX_SIZE_IMAGE)
+            ))
+        return value
+
    class Meta:
        model = Item
        localized_fields = '__all__'
@@ -716,6 +737,31 @@ class ItemVariationForm(I18nModelForm):
            del self.fields['require_membership']
            del self.fields['require_membership_types']

+        self.meta_fields = []
+        meta_defaults = {}
+        if self.instance.pk:
+            for mv in self.instance.meta_values.all():
+                meta_defaults[mv.property_id] = mv.value
+        for p in self.meta_properties:
+            self.initial[f'meta_{p.name}'] = meta_defaults.get(p.pk)
+            self.fields[f'meta_{p.name}'] = forms.CharField(
+                label=p.name,
+                widget=forms.TextInput(
+                    attrs={
+                        'placeholder': _('Use value from product'),
+                        'data-typeahead-url': reverse('control:event.items.meta.typeahead', kwargs={
+                            'organizer': self.event.organizer.slug,
+                            'event': self.event.slug
+                        }) + '?' + urlencode({
+                            'property': p.name,
+                        }),
+                    },
+                ),
+                required=False,
+
+            )
+            self.meta_fields.append(f'meta_{p.name}')
+
    class Meta:
        model = ItemVariation
        localized_fields = '__all__'
@@ -746,6 +792,26 @@ class ItemVariationForm(I18nModelForm):
            }),
        }

+    def save(self, commit=True):
+        instance = super().save(commit)
+        self.meta_fields = []
+        current_values = {v.property_id: v for v in instance.meta_values.all()}
+        for p in self.meta_properties:
+            if self.cleaned_data[f'meta_{p.name}']:
+                if p.pk in current_values:
+                    current_values[p.pk].value = self.cleaned_data[f'meta_{p.name}']
+                    current_values[p.pk].save()
+                else:
+                    instance.meta_values.create(property=p, value=self.cleaned_data[f'meta_{p.name}'])
+            elif p.pk in current_values:
+                current_values[p.pk].delete()
+
+    @property
+    def meta_properties(self):
+        if not hasattr(self.event, '_cached_item_meta_properties'):
+            self.event._cached_item_meta_properties = self.event.item_meta_properties.all()
+        return self.event._cached_item_meta_properties
+

 class ItemAddOnsFormSet(I18nFormSet):
    title = _('Add-ons')
@@ -834,6 +900,7 @@ class ItemBundleFormSet(I18nFormSet):
    def _construct_form(self, i, **kwargs):
        kwargs['event'] = self.event
        kwargs['item'] = self.item
+        kwargs['item_qs'] = self.item_qs
        return super()._construct_form(i, **kwargs)

    @property
@@ -845,12 +912,17 @@ class ItemBundleFormSet(I18nFormSet):
            empty_permitted=True,
            use_required_attribute=False,
            locales=self.locales,
+            item_qs=self.item_qs,
            item=self.item,
            event=self.event
        )
        self.add_fields(form, None)
        return form

+    @cached_property
+    def item_qs(self):
+        return self.event.items.prefetch_related('variations').all()
+
    def clean(self):
        super().clean()
        ivs = set()
@@ -878,6 +950,7 @@ class ItemBundleForm(I18nModelForm):

    def __init__(self, *args, **kwargs):
        self.item = kwargs.pop('item')
+        self.item_qs = kwargs.pop('item_qs')
        super().__init__(*args, **kwargs)
        instance = kwargs.get('instance', None)
        initial = kwargs.get('initial', {})
@@ -895,7 +968,7 @@ class ItemBundleForm(I18nModelForm):
        super().__init__(*args, **kwargs)

        choices = []
-        for i in self.event.items.prefetch_related('variations').all():
+        for i in self.item_qs:
            pname = str(i)
            if not i.is_available():
                pname += ' ({})'.format(_('inactive'))
@@ -182,7 +182,7 @@ class OrganizerUpdateForm(OrganizerForm):
 class EventMetaPropertyForm(forms.ModelForm):
    class Meta:
        model = EventMetaProperty
-        fields = ['name', 'default', 'required', 'protected', 'allowed_values']
+        fields = ['name', 'default', 'required', 'protected', 'allowed_values', 'filter_allowed']
        widgets = {
            'default': forms.TextInput()
        }
@@ -0,0 +1,56 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django.urls import reverse
+from django_scopes.forms import SafeModelChoiceField
+
+from pretix.base.forms import I18nModelForm
+from pretix.base.models import WaitingListEntry
+from pretix.control.forms.widgets import Select2
+
+
+class WaitingListEntryTransferForm(I18nModelForm):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        if self.event.has_subevents:
+            self.fields['subevent'].required = True
+            self.fields['subevent'].queryset = self.event.subevents.all()
+            self.fields['subevent'].widget = Select2(
+                attrs={
+                    'data-model-select2': 'event',
+                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
+                        'event': self.event.slug,
+                        'organizer': self.event.organizer.slug,
+                    }),
+                }
+            )
+            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
+
+    class Meta:
+        model = WaitingListEntry
+        fields = [
+            'subevent',
+        ]
+        field_classes = {
+            'subevent': SafeModelChoiceField,
+        }
@@ -487,6 +487,7 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
        'pretix.event.permissions.deleted': _('A user has been removed from the event team.'),
        'pretix.waitinglist.voucher': _('A voucher has been sent to a person on the waiting list.'),
        'pretix.event.orders.waitinglist.deleted': _('An entry has been removed from the waiting list.'),
+        'pretix.event.orders.waitinglist.transferred': _('An entry has been transferred to another waiting list.'),
        'pretix.event.orders.waitinglist.changed': _('An entry has been changed on the waiting list.'),
        'pretix.event.orders.waitinglist.added': _('An entry has been added to the waiting list.'),
        'pretix.team.created': _('The team has been created.'),
@@ -1,10 +1,5 @@
 {% load i18n %}
+{% load rich_text %}

-<p>
-    {% blocktrans %}
-        If you have a gift card, please enter the gift card code here. If the gift card does not have
-        enough credit to pay for the full order, you will be shown this page again and you can either
-        redeem another gift card or select a different payment method for the difference.
-    {% endblocktrans %}
-</p>
+{{ request.event.settings.payment_giftcard_public_description|rich_text }}
 <input name="giftcard" class="form-control" placeholder="{% trans "Gift card code" %}">
@@ -1,8 +1,7 @@
 {% load i18n %}

 <p>
-    {% blocktrans %}
-        Your gift card will be used to pay for this order. If the credit on the gift card is lower than the order total, you will be able to pay the
-        difference with a different payment method. If the credit is higher than the order total, you will be able to re-use the gift card in the future.
+    {% blocktrans trimmed with card=info_data.gift_card_secret %}
+        Your gift card {{ card }} will be used to pay for this order.
    {% endblocktrans %}
 </p>
@@ -1,6 +1,7 @@
 {% load i18n %}
 {% load bootstrap3 %}
 {% load formset_tags %}
+{% load getitem %}
 <div class="formset" data-formset data-formset-prefix="{{ formset.prefix }}" id="item_variations">
    {{ formset.management_form }}
    {% bootstrap_formset_errors formset %}
@@ -29,16 +30,20 @@
                            {% endif %}
                        </div>
                        <div class="col-md-2 col-xs-6">
-                            <span class="fa fa-clock-o fa-fw text-muted variation-timeframe variation-icon-hidden" data-toggle="tooltip" title="{% trans "Only available in a limited timeframe" %}"></span>
-                            <span class="fa fa-tags fa-fw text-muted variation-voucher variation-icon-hidden" data-toggle="tooltip"
-                                    title="{% trans "Only visible with a voucher" %}"></span>
-                            <span class="fa fa-id-badge fa-fw text-muted variation-membership variation-icon-hidden" data-toggle="tooltip"
-                                    title="{% trans "Require a valid membership" %}"></span>
+                            <span class="fa fa-clock-o fa-fw text-muted variation-timeframe variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Only available in a limited timeframe" %}"></span>
+                            <span class="fa fa-tags fa-fw text-muted variation-voucher variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Only visible with a voucher" %}"></span>
+                            <span class="fa fa-id-badge fa-fw text-muted variation-membership variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Require a valid membership" %}"></span>
                        </div>
                        <div class="col-md-2 col-xs-6">
                            {% for k, c in sales_channels.items %}
                                <span class="fa fa-fw fa-{{ c.icon }} text-muted variation-channel-{{ k }} variation-icon-hidden"
-                                        data-toggle="tooltip" title="{% trans c.verbose_name %}"></span>
+                                      data-toggle="tooltip" title="{% trans c.verbose_name %}"></span>
                            {% endfor %}
                        </div>
                        <div class="col-md-1 col-xs-6 text-right flip variation-price">
@@ -69,6 +74,27 @@
                    {% bootstrap_field form.default_price addon_after=request.event.currency layout="control" %}
                    {% bootstrap_field form.original_price addon_after=request.event.currency layout="control" %}
                    {% bootstrap_field form.description layout="control" %}
+                    {% if form.meta_fields %}
+                        <div class="form-group metadata-group">
+                            <label class="col-md-3 control-label">{% trans "Meta data" %}</label>
+                            <div class="col-md-9">
+                                {% for fname in form.meta_fields %}
+                                    {% with form|getitem:fname as field %}
+                                        <div class="row">
+                                            <div class="col-md-4">
+                                                <label for="{{ field.id_for_label }}">
+                                                    {{ field.label }}
+                                                </label>
+                                            </div>
+                                            <div class="col-md-8">
+                                                {% bootstrap_field field layout="inline" %}
+                                            </div>
+                                        </div>
+                                    {% endwith %}
+                                {% endfor %}
+                            </div>
+                        </div>
+                    {% endif %}
                    {% bootstrap_field form.available_from layout="control" %}
                    {% bootstrap_field form.available_until layout="control" %}
                    {% bootstrap_field form.sales_channels layout="control" %}
@@ -110,16 +136,20 @@
                            {% endif %}
                        </div>
                        <div class="col-md-2 col-xs-6">
-                            <span class="fa fa-clock-o fa-fw text-muted variation-timeframe variation-icon-hidden" data-toggle="tooltip" title="{% trans "Only available in a limited timeframe" %}"></span>
-                            <span class="fa fa-tags fa-fw text-muted variation-voucher variation-icon-hidden" data-toggle="tooltip"
-                                    title="{% trans "Only visible with a voucher" %}"></span>
-                            <span class="fa fa-id-badge fa-fw text-muted variation-membership variation-icon-hidden" data-toggle="tooltip"
-                                    title="{% trans "Require a valid membership" %}"></span>
+                            <span class="fa fa-clock-o fa-fw text-muted variation-timeframe variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Only available in a limited timeframe" %}"></span>
+                            <span class="fa fa-tags fa-fw text-muted variation-voucher variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Only visible with a voucher" %}"></span>
+                            <span class="fa fa-id-badge fa-fw text-muted variation-membership variation-icon-hidden"
+                                  data-toggle="tooltip"
+                                  title="{% trans "Require a valid membership" %}"></span>
                        </div>
                        <div class="col-md-2 col-xs-6">
                            {% for k, c in sales_channels.items %}
                                <span class="fa fa-fw fa-{{ c.icon }} text-muted variation-channel-{{ k }} variation-icon-hidden"
-                                        data-toggle="tooltip" title="{% trans c.verbose_name %}"></span>
+                                      data-toggle="tooltip" title="{% trans c.verbose_name %}"></span>
                            {% endfor %}
                        </div>
                        <div class="col-md-1 col-xs-6 text-right flip variation-price">
@@ -141,6 +171,27 @@
                    {% bootstrap_field formset.empty_form.default_price addon_after=request.event.currency layout="control" %}
                    {% bootstrap_field formset.empty_form.original_price addon_after=request.event.currency layout="control" %}
                    {% bootstrap_field formset.empty_form.description layout="control" %}
+                    {% if formset.empty_form.meta_fields %}
+                        <div class="form-group metadata-group">
+                            <label class="col-md-3 control-label">{% trans "Meta data" %}</label>
+                            <div class="col-md-9">
+                                {% for fname in formset.empty_form.meta_fields %}
+                                    {% with formset.empty_form|getitem:fname as field %}
+                                        <div class="row">
+                                            <div class="col-md-4">
+                                                <label for="{{ field.id_for_label }}">
+                                                    {{ field.label }}
+                                                </label>
+                                            </div>
+                                            <div class="col-md-8">
+                                                {% bootstrap_field field layout="inline" %}
+                                            </div>
+                                        </div>
+                                    {% endwith %}
+                                {% endfor %}
+                            </div>
+                        </div>
+                    {% endif %}
                    {% bootstrap_field formset.empty_form.available_from layout="control" %}
                    {% bootstrap_field formset.empty_form.available_until layout="control" %}
                    {% bootstrap_field formset.empty_form.sales_channels layout="control" %}
@@ -22,54 +22,72 @@
                    </h3>
                </div>
                <div class="panel-body">
-                    <form action="" method="post">
+                    <form action="" method="post" class="row">
                        {% csrf_token %}
-                        <dl class="dl-horizontal">
-                            <dt>{% trans "Customer ID" %}</dt>
-                            <dd>#{{ customer.identifier }}</dd>
-                            {% if customer.provider %}
-                                <dt>{% trans "SSO provider" %}</dt>
-                                <dd>{{ customer.provider.name }}</dd>
-                            {% endif %}
-                            {% if customer.external_identifier %}
-                                <dt>{% trans "External identifier" %}</dt>
-                                <dd>{{ customer.external_identifier }}</dd>
-                            {% endif %}
-                            <dt>{% trans "Status" %}</dt>
-                            <dd>
-                                {% if not customer.is_active %}
-                                    {% trans "disabled" %}
-                                {% elif not customer.is_verified %}
-                                    {% trans "not yet activated" %}
-                                {% else %}
-                                    {% trans "active" %}
+                        <dl class="dl-horizontal col-lg-6 col-sm-12">
+                                <dt>{% trans "Customer ID" %}</dt>
+                                <dd>#{{ customer.identifier }}</dd>
+                                {% if customer.provider %}
+                                    <dt>{% trans "SSO provider" %}</dt>
+                                    <dd>{{ customer.provider.name }}</dd>
                                {% endif %}
-                            </dd>
-                            <dt>{% trans "E-mail" %}</dt>
-                            <dd>
-                                {{ customer.email|default_if_none:"" }}
-                                {% if customer.email and not customer.provider %}
-                                    <button type="submit" name="action" value="pwreset" class="btn btn-xs btn-default">
-                                    {% trans "Send password reset link" %}
-                                    </button>
+                                {% if customer.external_identifier %}
+                                    <dt>{% trans "External identifier" %}</dt>
+                                    <dd>{{ customer.external_identifier }}</dd>
                                {% endif %}
-                            </dd>
-                            <dt>{% trans "Name" %}</dt>
-                            <dd>{{ customer.name }}</dd>
-                        {% if customer.phone %}
-                            <dt>{% trans "Phone" %}</dt>
-                            <dd>{{ customer.phone }}</dd>
-                        {% endif %}
-                            <dt>{% trans "Locale" %}</dt>
-                            <dd>{{ display_locale }}</dd>
-                            <dt>{% trans "Registration date" %}</dt>
-                            <dd>{{ customer.date_joined|date:"SHORT_DATETIME_FORMAT" }}</dd>
-                            <dt>{% trans "Last login" %}</dt>
-                            <dd>{% if customer.last_login %}{{ customer.last_login|date:"SHORT_DATETIME_FORMAT" }}{% else %}
-                                –{% endif %}</dd>
-                        {% if customer.notes %}
-                            <dt>{% trans "Notes" %}</dt>
-                            <dd>{{ customer.notes|linebreaks }}</dd>
+                                <dt>{% trans "Status" %}</dt>
+                                <dd>
+                                    {% if not customer.is_active %}
+                                        {% trans "disabled" %}
+                                    {% elif not customer.is_verified %}
+                                        {% trans "not yet activated" %}
+                                    {% else %}
+                                        {% trans "active" %}
+                                    {% endif %}
+                                </dd>
+                                <dt>{% trans "E-mail" %}</dt>
+                                <dd>
+                                    {{ customer.email|default_if_none:"" }}
+                                    {% if customer.email and not customer.provider %}
+                                        <button type="submit" name="action" value="pwreset" class="btn btn-xs btn-default">
+                                        {% trans "Send password reset link" %}
+                                        </button>
+                                    {% endif %}
+                                </dd>
+                                <dt>{% trans "Name" %}</dt>
+                                <dd>{{ customer.name }}</dd>
+                            {% if customer.phone %}
+                                <dt>{% trans "Phone" %}</dt>
+                                <dd>{{ customer.phone }}</dd>
+                            {% endif %}
+                                <dt>{% trans "Locale" %}</dt>
+                                <dd>{{ display_locale }}</dd>
+                                <dt>{% trans "Registration date" %}</dt>
+                                <dd>{{ customer.date_joined|date:"SHORT_DATETIME_FORMAT" }}</dd>
+                                <dt>{% trans "Last login" %}</dt>
+                                <dd>{% if customer.last_login %}{{ customer.last_login|date:"SHORT_DATETIME_FORMAT" }}{% else %}
+                                    –{% endif %}</dd>
+                            {% if customer.notes %}
+                                <dt>{% trans "Notes" %}</dt>
+                                <dd>{{ customer.notes|linebreaks }}</dd>
+                            {% endif %}
+                        </dl>
+                        <dl class="col-lg-6 col-sm-12 text-right">
+                            <dt class="text-muted"
+                                data-toggle="tooltip"
+                                title="{% trans "This includes all paid orders by this customer across all your events." %}">
+                                {% trans "Lifetime spending" %}
+                            </dt>
+                        {% if lifetime_spending %}
+                            {% for s in lifetime_spending %}
+                                {% if s.spending >= 0 %}
+                                    <dd class="text-success text-h3">{{ s.spending|money:s.currency }}</dd>
+                                {% elif s.spending < 0 %}
+                                    <dd class="text-error text-h3">{{ s.spending|money:s.currency }}</dd>
+                                {% endif %}
+                            {% endfor %}
+                        {% else %}
+                            <dd class="text-muted text-h3">{{ 0|floatformat:2 }}</dd>
                        {% endif %}
                        </dl>
                    </form>
@@ -242,6 +242,13 @@
                                    data-toggle="tooltip" title="{% trans "Move to the end of the list" %}">
                                    <span class="fa fa-thumbs-down"></span>
                                </button>
+                                {% if request.event.has_subevents %}
+                                    <a href="{% url "control:event.orders.waitinglist.transfer" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}"
+                                       class="btn btn-default btn-sm" title="{% trans "Transfer to other date" context "subevent" %}"
+                                        data-toggle="tooltip">
+                                        <i class="fa fa-calendar" aria-hidden="true"></i>
+                                    </a>
+                                {% endif %}
                                <a href="{% url "control:event.orders.waitinglist.delete" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}?next={{ request.get_full_path|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
                            {% else %}
                                <button class="btn btn-default btn-sm disabled">
@@ -261,9 +268,11 @@
        {% if "can_change_orders" in request.eventpermset %}
            <div class="batch-select-actions">
                <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
-                    <i class="fa fa-trash"></i>{% trans "Delete selected" %}
+                    <i class="fa fa-trash"></i>
+                    {% trans "Delete selected" %}
                </button>
            </div>
+
        {% endif %}
    </form>
    {% include "pretixcontrol/pagination.html" %}
@@ -0,0 +1,23 @@
+{% extends "pretixcontrol/event/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block title %}{% trans "Transfer entry" %}{% endblock %}
+{% block content %}
+    <h1>{% trans "Transfer entry" %}</h1>
+    <form action="" method="post" class="form-horizontal">
+        {% csrf_token %}
+        <p>{% blocktrans trimmed context "subevent" %}
+            Please select the date to which the following waiting list entry should be
+            transferred: <strong>{{ entry }}</strong>?
+        {% endblocktrans %}</p>
+        {% bootstrap_field form.subevent layout="control" %}
+        <div class="form-group submit-group">
+            <a href="{% url "control:event.orders.waitinglist" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default btn-cancel">
+                {% trans "Cancel" %}
+            </a>
+            <button type="submit" class="btn btn-primary btn-save">
+                {% trans "Transfer" %}
+            </button>
+        </div>
+    </form>
+{% endblock %}
@@ -33,7 +33,8 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

-from django.conf.urls import include, re_path
+from django.conf.urls import re_path
+from django.urls import include
 from django.views.generic.base import RedirectView

 from pretix.control.views import (
@@ -401,6 +402,8 @@ urlpatterns = [
        re_path(r'^waitinglist/auto_assign$', waitinglist.AutoAssign.as_view(), name='event.orders.waitinglist.auto'),
        re_path(r'^waitinglist/(?P<entry>\d+)/delete$', waitinglist.EntryDelete.as_view(),
                name='event.orders.waitinglist.delete'),
+        re_path(r'^waitinglist/(?P<entry>\d+)/transfer$', waitinglist.EntryTransfer.as_view(),
+                name='event.orders.waitinglist.transfer'),
        re_path(r'^checkins/$', checkin.CheckinListView.as_view(), name='event.orders.checkins'),
        re_path(r'^checkinlists/$', checkin.CheckinListList.as_view(), name='event.orders.checkinlists'),
        re_path(r'^checkinlists/add$', checkin.CheckinListCreate.as_view(), name='event.orders.checkinlists.add'),
@@ -61,6 +61,7 @@ from pretix.base.forms.auth import (
 )
 from pretix.base.models import TeamInvite, U2FDevice, User, WebAuthnDevice
 from pretix.base.services.mail import SendMailException
+from pretix.helpers.http import redirect_to_url
 from pretix.helpers.webauthn import generate_challenge

 logger = logging.getLogger(__name__)
@@ -81,7 +82,7 @@ def process_login(request, user, keep_logged_in):
        twofa_url = reverse('control:auth.login.2fa')
        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
            twofa_url += '?next=' + quote(next_url)
-        return redirect(twofa_url)
+        return redirect_to_url(twofa_url)
    else:
        auth_login(request, user)
        request.session['pretix_auth_login_time'] = int(time.time())
@@ -110,7 +111,7 @@ def login(request):
    if request.user.is_authenticated:
        next_url = backend.get_next_url(request) or 'control:index'
        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
-            return redirect(next_url)
+            return redirect_to_url(next_url)
        return redirect(reverse('control:index'))
    if request.method == 'POST':
        form = LoginForm(backend=backend, data=request.POST, request=request)
@@ -136,8 +137,8 @@ def logout(request):
    if 'next' in request.GET and url_has_allowed_host_and_scheme(request.GET.get('next'), allowed_hosts=None):
        next += '?next=' + quote(request.GET.get('next'))
    if 'back' in request.GET and url_has_allowed_host_and_scheme(request.GET.get('back'), allowed_hosts=None):
-        return redirect(request.GET.get('back'))
-    return redirect(next)
+        return redirect_to_url(request.GET.get('back'))
+    return redirect_to_url(next)


 def register(request):
@@ -443,7 +444,7 @@ class Login2FAView(TemplateView):
            del request.session['pretix_auth_2fa_user']
            del request.session['pretix_auth_2fa_time']
            if "next" in request.GET and url_has_allowed_host_and_scheme(request.GET.get("next"), allowed_hosts=None):
-                return redirect(request.GET.get("next"))
+                return redirect_to_url(request.GET.get("next"))
            return redirect(reverse('control:index'))
        else:
            messages.error(request, _('Invalid code, please try again.'))
@@ -51,7 +51,7 @@ from django.utils import formats
 from django.utils.formats import date_format
 from django.utils.html import escape
 from django.utils.timezone import now
-from django.utils.translation import gettext_lazy as _, pgettext, ungettext
+from django.utils.translation import gettext_lazy as _, ngettext, pgettext

 from pretix.base.decimal import round_decimal
 from pretix.base.models import (
@@ -555,7 +555,7 @@ def widgets_for_event_qs(request, qs, user, nmax, lazy=False):
                            'event': event.slug,
                            'organizer': event.organizer.slug
                        }),
-                        orders_text=ungettext('{num} order', '{num} orders', event.order_count or 0).format(
+                        orders_text=ngettext('{num} order', '{num} orders', event.order_count or 0).format(
                            num=event.order_count or 0
                        )
                    ) if user.has_active_staff_session(request.session.session_key) or event.pk in events_with_orders else ''
@@ -93,8 +93,8 @@ from ...base.i18n import language
 from ...base.models.items import (
    Item, ItemCategory, ItemMetaProperty, Question, Quota,
 )
-from ...base.services.mail import TolerantDict
 from ...base.settings import SETTINGS_AFFECTING_CSS, LazyI18nStringList
+from ...helpers.format import format_map
 from ..logdisplay import OVERVIEW_BANLIST
 from . import CreateView, PaginationMixin, UpdateView

@@ -387,7 +387,7 @@ class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, Templat
                if key.startswith("plugin:"):
                    module = key.split(":")[1]
                    if value == "enable" and module in plugins_available:
-                        if getattr(plugins_available[module], 'restricted', False):
+                        if getattr(plugins_available[module].app, 'restricted', False):
                            if module not in request.event.settings.allowed_restricted_plugins:
                                continue

@@ -734,10 +734,10 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                if idx in self.supported_locale:
                    with language(self.supported_locale[idx], self.request.event.settings.region):
                        if k.startswith('mail_subject_'):
-                            msgs[self.supported_locale[idx]] = bleach.clean(v).format_map(self.placeholders(preview_item))
+                            msgs[self.supported_locale[idx]] = format_map(bleach.clean(v), self.placeholders(preview_item))
                        else:
                            msgs[self.supported_locale[idx]] = markdown_compile_email(
-                                v.format_map(self.placeholders(preview_item))
+                                format_map(v, self.placeholders(preview_item))
                            )

        return JsonResponse({
@@ -761,7 +761,7 @@ class MailSettingsRendererPreview(MailSettingsPreview):

    def get(self, request, *args, **kwargs):
        v = str(request.event.settings.mail_text_order_placed)
-        v = v.format_map(TolerantDict(self.placeholders('mail_text_order_placed')))
+        v = format_map(v, self.placeholders('mail_text_order_placed'))
        renderers = request.event.get_html_mail_renderers()
        if request.GET.get('renderer') in renderers:
            with rolledback_transaction():
@@ -1426,7 +1426,7 @@ class ItemUpdateGeneral(ItemDetailMixin, EventPermissionRequiredMixin, MetaDataE
                can_order=True, can_delete=True, extra=0
            )(
                self.request.POST if self.request.method == "POST" else None,
-                queryset=ItemVariation.objects.filter(item=self.get_object()),
+                queryset=ItemVariation.objects.filter(item=self.get_object()).prefetch_related('meta_values', 'require_membership_types'),
                event=self.request.event, prefix="variations"
            )),
            ('addons', inlineformset_factory(
@@ -257,7 +257,10 @@ class EventWizard(SafeSessionWizardView):
    def done(self, form_list, form_dict, **kwargs):
        foundation_data = self.get_cleaned_data_for_step('foundation')
        basics_data = self.get_cleaned_data_for_step('basics')
-        copy_data = self.get_cleaned_data_for_step('copy')
+        try:
+            copy_data = self.get_cleaned_data_for_step('copy')
+        except KeyError:
+            copy_data = None

        with transaction.atomic(), language(basics_data['locale']):
            event = form_dict['basics'].instance
@@ -65,6 +65,10 @@ class OAuthApplicationRegistrationView(ApplicationRegistration):
    def form_valid(self, form):
        form.instance.client_type = 'confidential'
        form.instance.authorization_grant_type = 'authorization-code'
+        secret = generate_client_secret()
+        messages.success(self.request, _('Your application has been created and an application secret has been generated. '
+                                         'Please copy and save it right now as it will not be shown again: {secret}').format(secret=secret))
+        form.instance.client_secret = secret
        oauth_application_registered.send(
            sender=self.request, user=self.request.user, application=form.instance
        )
@@ -74,18 +78,14 @@ class OAuthApplicationRegistrationView(ApplicationRegistration):
 class ApplicationUpdateForm(forms.ModelForm):
    class Meta:
        model = OAuthApplication
-        fields = ("name", "client_id", "client_secret", "redirect_uris")
+        fields = ("name", "client_id", "redirect_uris")

    def clean_client_id(self):
        return self.instance.client_id

-    def clean_client_secret(self):
-        return self.instance.client_secret
-
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['client_id'].widget.attrs['readonly'] = True
-        self.fields['client_secret'].widget.attrs['readonly'] = True


 class OAuthApplicationUpdateView(ApplicationUpdate):
@@ -103,8 +103,10 @@ class OAuthApplicationRollView(ApplicationDetail):

    def post(self, request, *args, **kwargs):
        self.object = self.get_object()
-        messages.success(request, _('A new client secret has been generated and is now effective.'))
-        self.object.client_secret = generate_client_secret()
+        secret = generate_client_secret()
+        messages.success(request, _('A new client secret has been generated. Please copy and save it right now as '
+                                    'it will not be shown again: {secret}').format(secret=secret))
+        self.object.client_secret = secret
        self.object.save()
        return HttpResponseRedirect(self.object.get_absolute_url())

@@ -62,7 +62,7 @@ from django.urls import reverse
 from django.utils import formats
 from django.utils.formats import date_format, get_format
 from django.utils.functional import cached_property
-from django.utils.http import is_safe_url
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import make_aware, now
 from django.utils.translation import gettext, gettext_lazy as _, ngettext
 from django.views.generic import (
@@ -93,9 +93,7 @@ from pretix.base.services.invoices import (
    invoice_qualified, regenerate_invoice,
 )
 from pretix.base.services.locking import LockTimeoutException
-from pretix.base.services.mail import (
-    SendMailException, TolerantDict, render_mail,
-)
+from pretix.base.services.mail import SendMailException, render_mail
 from pretix.base.services.orders import (
    OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
    extend_order, mark_order_expired, mark_order_refunded,
@@ -127,6 +125,7 @@ from pretix.control.forms.orders import (
 from pretix.control.permissions import EventPermissionRequiredMixin
 from pretix.control.signals import order_search_forms
 from pretix.control.views import PaginationMixin
+from pretix.helpers.format import format_map
 from pretix.helpers.safedownload import check_token
 from pretix.presale.signals import question_form_fields

@@ -681,7 +680,7 @@ class OrderRefundCancel(OrderView):
            messages.success(self.request, _('The refund has been canceled.'))
        else:
            messages.error(self.request, _('This refund can not be canceled at the moment.'))
-        if "next" in self.request.GET and is_safe_url(self.request.GET.get("next"), allowed_hosts=None):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
            return redirect(self.request.GET.get("next"))
        return redirect(self.get_order_url())

@@ -717,7 +716,7 @@ class OrderRefundProcess(OrderView):
            messages.success(self.request, _('The refund has been processed.'))
        else:
            messages.error(self.request, _('This refund can not be processed at the moment.'))
-        if "next" in self.request.GET and is_safe_url(self.request.GET.get("next"), allowed_hosts=None):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
            return redirect(self.request.GET.get("next"))
        return redirect(self.get_order_url())

@@ -743,7 +742,7 @@ class OrderRefundDone(OrderView):
            messages.success(self.request, _('The refund has been marked as done.'))
        else:
            messages.error(self.request, _('This refund can not be processed at the moment.'))
-        if "next" in self.request.GET and is_safe_url(self.request.GET.get("next"), allowed_hosts=None):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
            return redirect(self.request.GET.get("next"))
        return redirect(self.get_order_url())

@@ -2032,7 +2031,7 @@ class OrderSendMail(EventPermissionRequiredMixin, OrderViewMixin, FormView):
        with language(order.locale, self.request.event.settings.region):
            email_context = get_email_context(event=order.event, order=order)
        email_template = LazyI18nString(form.cleaned_data['message'])
-        email_subject = str(form.cleaned_data['subject']).format_map(TolerantDict(email_context))
+        email_subject = format_map(str(form.cleaned_data['subject']), email_context)
        email_content = render_mail(email_template, email_context)
        if self.request.POST.get('action') == 'preview':
            self.preview_output = {
@@ -2097,7 +2096,7 @@ class OrderPositionSendMail(OrderSendMail):
        with language(position.order.locale, self.request.event.settings.region):
            email_context = get_email_context(event=position.order.event, order=position.order, position=position)
        email_template = LazyI18nString(form.cleaned_data['message'])
-        email_subject = str(form.cleaned_data['subject']).format_map(TolerantDict(email_context))
+        email_subject = format_map(str(form.cleaned_data['subject']), email_context)
        email_content = render_mail(email_template, email_context)
        if self.request.POST.get('action') == 'preview':
            self.preview_output = {
@@ -45,8 +45,8 @@ from django.core.exceptions import PermissionDenied, ValidationError
 from django.core.files import File
 from django.db import connections, transaction
 from django.db.models import (
-    Count, Exists, IntegerField, Max, Min, OuterRef, Prefetch, ProtectedError,
-    Q, Subquery, Sum,
+    Count, Exists, F, IntegerField, Max, Min, OuterRef, Prefetch,
+    ProtectedError, Q, Subquery, Sum,
 )
 from django.db.models.functions import Coalesce, Greatest
 from django.forms import DecimalField
@@ -109,6 +109,7 @@ from pretix.control.views import PaginationMixin
 from pretix.control.views.mailsetup import MailSettingsSetupView
 from pretix.helpers import GroupConcat
 from pretix.helpers.dicts import merge_dicts
+from pretix.helpers.format import format_map
 from pretix.helpers.urls import build_absolute_uri as build_global_uri
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.forms.customer import TokenGenerator
@@ -205,7 +206,7 @@ class OrganizerDetail(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin
        ctx = super().get_context_data(**kwargs)
        ctx['filter_form'] = self.filter_form
        ctx['meta_fields'] = [
-            self.filter_form['meta_{}'.format(p.name)] for p in self.organizer.meta_properties.all()
+            self.filter_form['meta_{}'.format(p.name)] for p in self.organizer.meta_properties.filter(filter_allowed=True)
        ]
        return ctx

@@ -335,10 +336,10 @@ class MailSettingsPreview(OrganizerPermissionRequiredMixin, View):
                if idx in self.supported_locale:
                    with language(self.supported_locale[idx], self.request.organizer.settings.region):
                        if k.startswith('mail_subject_'):
-                            msgs[self.supported_locale[idx]] = bleach.clean(v).format_map(self.placeholders(preview_item))
+                            msgs[self.supported_locale[idx]] = format_map(bleach.clean(v), self.placeholders(preview_item))
                        else:
                            msgs[self.supported_locale[idx]] = markdown_compile_email(
-                                v.format_map(self.placeholders(preview_item))
+                                format_map(v, self.placeholders(preview_item))
                            )

        return JsonResponse({
@@ -1403,7 +1404,7 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                    messages.error(request, _('The transaction could not be reversed.'))
                else:
                    messages.success(request, _('The transaction has been reversed.'))
-        elif 'value' in request.POST:
+        elif request.POST.get('value'):
            try:
                value = DecimalField(localize=True).to_python(request.POST.get('value'))
            except ValidationError:
@@ -2214,7 +2215,7 @@ class CustomerDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi

    def get_queryset(self):
        q = Q(customer=self.customer)
-        if self.request.organizer.settings.customer_accounts_link_by_email:
+        if self.request.organizer.settings.customer_accounts_link_by_email and self.customer.email:
            # This is safe because we only let customers with verified emails log in
            q |= Q(email__iexact=self.customer.email)
        qs = Order.objects.filter(
@@ -2311,6 +2312,14 @@ class CustomerDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
            o.icnt = annotated.get(o.pk)['icnt']
            o.sales_channel_obj = scs[o.sales_channel]

+        ctx["lifetime_spending"] = (
+            self.get_queryset()
+            .filter(status=Order.STATUS_PAID)
+            .values(currency=F("event__currency"))
+            .order_by("currency")
+            .annotate(spending=Sum("total"))
+        )
+
        return ctx


@@ -156,8 +156,8 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
            p = PdfWriter()
            try:
                p.add_blank_page(
-                    width=float(request.POST.get('width')) * mm,
-                    height=float(request.POST.get('height')) * mm,
+                    width=Decimal('%.5f' % (float(request.POST.get('width')) * mm)),
+                    height=Decimal('%.5f' % (float(request.POST.get('height')) * mm)),
                )
            except ValueError:
                return JsonResponse({
@@ -49,7 +49,7 @@ class OrderSearch(PaginationMixin, ListView):
            self.filter_form[k] for k in self.filter_form.fields if k.startswith('meta_')
        ]

-        # Only compute this annotations for this page (query optimization)
+        # Only compute these annotations for this page (query optimization)
        s = OrderPosition.objects.filter(
            order=OuterRef('pk')
        ).order_by().values('order').annotate(k=Count('id')).values('k')
@@ -91,7 +91,7 @@ class OrderSearch(PaginationMixin, ListView):
        if self.filter_form.is_valid():
            qs = self.filter_form.filter_qs(qs)

-            if self.filter_form.cleaned_data.get('query'):
+            if self.filter_form.use_query_hack():
                """
                We need to work around a bug in PostgreSQL's (and likely MySQL's) query plan optimizer here.
                The database lacks statistical data to predict how common our search filter is and therefore
@@ -100,8 +100,14 @@ class OrderSearch(PaginationMixin, ListView):
                look for something rare (such as an email address used once within hundreds of thousands of
                orders, this ends up to be pathologically slow.

+                Generally, PostgreSQL tries to make these decisions on statistical data and generally, they *can*
+                only be made on statistical data, so it's a little bit of a stretch that we try to do it better
+                than PostgreSQL here. However, experience suggests applying this tricks works specifically in the
+                cases where the WHERE part of the statement is very hard to compute, e.g. uses a complicated
+                condition that can't utilize indices well.
+
                For some search queries on pretix.eu, we see search times of >30s, just due to the ORDER BY and
-                LIMIT clause. Without them. the query runs in roughly 0.6s. This heuristical approach tries to
+                LIMIT clause. Without them. the query runs in roughly 0.6s. This heuristic approach tries to
                detect these cases and rewrite the query as a nested subquery that strongly suggests sorting
                before filtering. However, since even that fails in some cases because PostgreSQL thinks it knows
                better, we literally force it by evaluating the subquery explicitly. We only do this for n<=200,
@@ -111,15 +117,8 @@ class OrderSearch(PaginationMixin, ListView):

                Phew.
                """
-
-                page = self.kwargs.get(self.page_kwarg) or self.request.GET.get(self.page_kwarg) or 1
-                limit = self.get_paginate_by(None)
-                try:
-                    offset = (int(page) - 1) * limit
-                except ValueError:
-                    offset = 0
                resultids = list(qs.order_by().values_list('id', flat=True)[:201])
-                if len(resultids) <= 200 and len(resultids) <= offset + limit:
+                if len(resultids) <= 200:
                    qs = Order.objects.using(settings.DATABASE_REPLICA).filter(
                        id__in=resultids
                    )
@@ -134,7 +133,7 @@ class OrderSearch(PaginationMixin, ListView):
        """
        return qs.only(
            'id', 'invoice_address__name_cached', 'invoice_address__name_parts', 'code', 'event', 'email',
-            'datetime', 'total', 'status', 'require_approval', 'testmode'
+            'datetime', 'total', 'status', 'require_approval', 'testmode', 'custom_followup_at', 'expires'
        ).prefetch_related(
            'event', 'event__organizer'
        ).select_related('invoice_address')
@@ -48,7 +48,7 @@ from django.utils.translation import gettext as _, pgettext

 from pretix.base.models import (
    EventMetaProperty, EventMetaValue, ItemMetaProperty, ItemMetaValue,
-    ItemVariation, Order, Organizer, User, Voucher,
+    ItemVariation, ItemVariationMetaValue, Order, Organizer, User, Voucher,
 )
 from pretix.control.forms.event import EventWizardCopyForm
 from pretix.control.permissions import (
@@ -747,6 +747,10 @@ def item_meta_values(request, organizer, event):
        value__icontains=q,
        property__name=propname
    )
+    var_matches = ItemVariationMetaValue.objects.filter(
+        value__icontains=q,
+        property__name=propname
+    )
    defaults = ItemMetaProperty.objects.filter(
        name=propname,
        default__icontains=q
@@ -758,6 +762,7 @@ def item_meta_values(request, organizer, event):

    defaults = defaults.filter(event__organizer_id=organizer.pk)
    matches = matches.filter(item__event__organizer_id=organizer.pk)
+    var_matches = var_matches.filter(variation__item__event__organizer_id=organizer.pk)
    all_access = (
        request.user.has_active_staff_session(request.session.session_key)
        or request.user.teams.filter(all_events=True, organizer=organizer, can_change_items=True).exists()
@@ -773,10 +778,19 @@ def item_meta_values(request, organizer, event):
                'limit_events__id', flat=True
            )
        )
+        var_matches = matches.filter(
+            variation__item__event__id__in=request.user.teams.filter(can_change_items=True).values_list(
+                'limit_events__id', flat=True
+            )
+        )

    return JsonResponse({
        'results': [
            {'name': v, 'id': v}
-            for v in sorted(set(defaults.values_list('default', flat=True)[:10]) | set(matches.values_list('value', flat=True)[:10]))
+            for v in sorted(
+                set(defaults.values_list('default', flat=True)[:10]) |
+                set(matches.values_list('value', flat=True)[:10]) |
+                set(var_matches.values_list('value', flat=True)[:10])
+            )
        ]
    })
@@ -71,6 +71,7 @@ from pretix.control.permissions import (
    AdministratorPermissionRequiredMixin, StaffMemberRequiredMixin,
 )
 from pretix.control.views.auth import get_u2f_appid
+from pretix.helpers.http import redirect_to_url
 from pretix.helpers.webauthn import generate_challenge, generate_ukey

 REAL_DEVICE_TYPES = (TOTPDevice, WebAuthnDevice, U2FDevice)
@@ -138,7 +139,7 @@ class ReauthView(TemplateView):
            request.session['pretix_auth_last_used'] = t
            next_url = get_auth_backends()[request.user.auth_backend].get_next_url(request)
            if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
-                return redirect(next_url)
+                return redirect_to_url(next_url)
            return redirect(reverse('control:index'))
        else:
            messages.error(request, _('The password you entered was invalid, please try again.'))
@@ -153,7 +154,7 @@ class ReauthView(TemplateView):
            request.session['pretix_auth_login_time'] = t
            request.session['pretix_auth_last_used'] = t
            if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
-                return redirect(next_url)
+                return redirect_to_url(next_url)
            return redirect(reverse('control:index'))
        return super().get(request, *args, **kwargs)

@@ -749,7 +750,7 @@ class StartStaffSession(StaffMemberRequiredMixin, RecentAuthenticationRequiredMi
            )

        if "next" in request.GET and url_has_allowed_host_and_scheme(request.GET.get("next"), allowed_hosts=None):
-            return redirect(request.GET.get("next"))
+            return redirect_to_url(request.GET.get("next"))
        else:
            return redirect(reverse("control:index"))

@@ -40,10 +40,10 @@ from django.db import transaction
 from django.db.models import F, Max, Min, Q, Sum
 from django.db.models.functions import Coalesce
 from django.http import Http404, HttpResponse, HttpResponseRedirect
-from django.shortcuts import redirect, render
+from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.functional import cached_property
-from django.utils.http import is_safe_url
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _, pgettext
 from django.views import View
@@ -54,9 +54,12 @@ from pretix.base.models import Item, Quota, WaitingListEntry
 from pretix.base.models.waitinglist import WaitingListException
 from pretix.base.services.waitinglist import assign_automatically
 from pretix.base.views.tasks import AsyncAction
+from pretix.control.forms.waitinglist import WaitingListEntryTransferForm
 from pretix.control.permissions import EventPermissionRequiredMixin
 from pretix.control.views import PaginationMixin

+from . import UpdateView
+

 class AutoAssign(EventPermissionRequiredMixin, AsyncAction, View):
    task = assign_automatically
@@ -141,7 +144,7 @@ class WaitingListActionView(EventPermissionRequiredMixin, WaitingListQuerySetMix
    permission = 'can_change_orders'

    def _redirect_back(self):
-        if "next" in self.request.GET and is_safe_url(self.request.GET.get("next"), allowed_hosts=None):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
            return redirect(self.request.GET.get("next"))
        return redirect(reverse('control:event.orders.waitinglist', kwargs={
            'event': self.request.event.slug,
@@ -357,7 +360,7 @@ class EntryDelete(EventPermissionRequiredMixin, DeleteView):
        self.object.log_action('pretix.event.orders.waitinglist.deleted', user=self.request.user)
        self.object.delete()
        messages.success(self.request, _('The selected entry has been deleted.'))
-        if "next" in self.request.GET and is_safe_url(self.request.GET.get("next"), allowed_hosts=None):
+        if "next" in self.request.GET and url_has_allowed_host_and_scheme(self.request.GET.get("next"), allowed_hosts=None):
            return redirect(self.request.GET.get("next"))
        return HttpResponseRedirect(success_url)

@@ -366,3 +369,40 @@ class EntryDelete(EventPermissionRequiredMixin, DeleteView):
            'event': self.request.event.slug,
            'organizer': self.request.event.organizer.slug
        })
+
+
+class EntryTransfer(EventPermissionRequiredMixin, UpdateView):
+    model = WaitingListEntry
+    template_name = 'pretixcontrol/waitinglist/transfer.html'
+    permission = 'can_change_orders'
+    form_class = WaitingListEntryTransferForm
+    context_object_name = 'entry'
+
+    def dispatch(self, request, *args, **kwargs):
+        if not self.request.event.has_subevents:
+            raise Http404(_("This is not an event series."))
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_object(self, queryset=None) -> WaitingListEntry:
+        return get_object_or_404(WaitingListEntry, pk=self.kwargs['entry'], event=self.request.event, voucher__isnull=True)
+
+    @transaction.atomic
+    def form_valid(self, form):
+        messages.success(self.request, _('The waitinglist entry has been transferred.'))
+        if form.has_changed():
+            self.object.log_action(
+                'pretix.event.order.waitinglist.transferred', user=self.request.user, data={
+                    k: form.cleaned_data.get(k) for k in form.changed_data
+                }
+            )
+        return super().form_valid(form)
+
+    def form_invalid(self, form):
+        messages.error(self.request, _('We could not save your changes. See below for details.'))
+        return super().form_invalid(form)
+
+    def get_success_url(self) -> str:
+        return reverse('control:event.orders.waitinglist', kwargs={
+            'event': self.request.event.slug,
+            'organizer': self.request.event.organizer.slug
+        })
@@ -0,0 +1,55 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020 Raphael Michel and contributors
+# Copyright (C) 2020-2021 rami.io GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+import logging
+from string import Formatter
+
+logger = logging.getLogger(__name__)
+
+
+class SafeFormatter(Formatter):
+    """
+    Customized version of ``str.format`` that (a) behaves just like ``str.format_map`` and
+    (b) does not allow any unwanted shenanigans like attribute access or format specifiers.
+    """
+    def __init__(self, context):
+        self.context = context
+
+    def get_field(self, field_name, args, kwargs):
+        if '.' in field_name or '[' in field_name:
+            logger.warning(f'Ignored invalid field name "{field_name}"')
+            return ('{' + str(field_name) + '}', field_name)
+        return super().get_field(field_name, args, kwargs)
+
+    def get_value(self, key, args, kwargs):
+        if key not in self.context:
+            return '{' + str(key) + '}'
+        return self.context[key]
+
+    def format_field(self, value, format_spec):
+        # Ignore format _spec
+        return super().format_field(value, '')
+
+
+def format_map(template, context):
+    if not isinstance(template, str):
+        template = str(template)
+    return SafeFormatter(context).format(template)
@@ -20,7 +20,9 @@
 # <https://www.gnu.org/licenses/>.
 #
 from django.conf import settings
-from django.http import StreamingHttpResponse
+from django.http import (
+    HttpResponsePermanentRedirect, HttpResponseRedirect, StreamingHttpResponse,
+)


 class ChunkBasedFileResponse(StreamingHttpResponse):
@@ -36,7 +38,12 @@ class ChunkBasedFileResponse(StreamingHttpResponse):
 def get_client_ip(request):
    ip = request.META.get('REMOTE_ADDR')
    if settings.TRUST_X_FORWARDED_FOR:
-        x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+        x_forwarded_for = request.headers.get('x-forwarded-for')
        if x_forwarded_for:
            ip = x_forwarded_for.split(',')[0]
    return ip
+
+
+def redirect_to_url(to, permanent=False):
+    redirect_class = HttpResponsePermanentRedirect if permanent else HttpResponseRedirect
+    return redirect_class(to)
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.16 on 2022-11-21 17:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixhelpers', '0002_auto_20180320_1219'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='thumbnail',
+            name='created',
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+    ]
@@ -29,6 +29,7 @@ class Thumbnail(models.Model):
    source = models.CharField(max_length=255)
    size = models.CharField(max_length=255)
    thumb = models.FileField(upload_to='pub/thumbs/', max_length=255)
+    created = models.DateTimeField(auto_now_add=True, null=True)

    class Meta:
        unique_together = (('source', 'size'),)
@@ -24,8 +24,7 @@ from inspect import isgenerator

 from openpyxl import Workbook
 from openpyxl.cell.cell import (
-    ILLEGAL_CHARACTERS_RE, KNOWN_TYPES, TIME_TYPES, TYPE_FORMULA, TYPE_STRING,
-    Cell,
+    KNOWN_TYPES, TIME_TYPES, TYPE_FORMULA, TYPE_STRING, Cell,
 )
 from openpyxl.compat import NUMERIC_TYPES
 from openpyxl.utils import column_index_from_string
@@ -49,6 +48,12 @@ There are mainly two problems this solves:
 - It removes characters considered invalid by Excel to avoid exporter crashes.
 """

+ILLEGAL_CHARACTERS_RE = re.compile(
+    # From the XML specification
+    # Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
+    r'[^\u0020-\uD7FF\u0009\u000A\u000D\uE000-\uFFFD\U00010000-\U0010FFFF]'
+)
+

 def remove_invalid_excel_chars(val):
    if isinstance(val, Cell):
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-11-07 15:22+0000\n"
+"POT-Creation-Date: 2022-12-14 13:09+0000\n"
 "PO-Revision-Date: 2021-09-15 11:22+0000\n"
 "Last-Translator: Mohamed Tawfiq <mtawfiq@wafyapp.com>\n"
 "Language-Team: Arabic <https://translate.pretix.eu/projects/pretix/pretix-js/"
@@ -132,18 +132,18 @@ msgstr ""
 msgid "Mercado Pago"
 msgstr ""

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:159
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:163
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:48
 msgid "Continue"
 msgstr "المتابعة"

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:217
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:221
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:152
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:183
 msgid "Confirming your payment …"
 msgstr "جاري تأكيد الدفع الخاص بك …"

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:242
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:246
 msgid "Payment method unavailable"
 msgstr ""

@@ -486,48 +486,48 @@ msgstr "الدقائق"
 msgid "Check-in QR"
 msgstr "QR الدخول"

-#: pretix/static/pretixcontrol/js/ui/editor.js:378
+#: pretix/static/pretixcontrol/js/ui/editor.js:384
 msgid "The PDF background file could not be loaded for the following reason:"
 msgstr "لا يمكن تحميل ملف PDF الخلفية للأسباب التالية:"

-#: pretix/static/pretixcontrol/js/ui/editor.js:648
+#: pretix/static/pretixcontrol/js/ui/editor.js:653
 msgid "Group of objects"
 msgstr "مجموعة من العناصر"

-#: pretix/static/pretixcontrol/js/ui/editor.js:654
+#: pretix/static/pretixcontrol/js/ui/editor.js:659
 msgid "Text object"
 msgstr "عنصر نص"

-#: pretix/static/pretixcontrol/js/ui/editor.js:656
+#: pretix/static/pretixcontrol/js/ui/editor.js:661
 msgid "Barcode area"
 msgstr "منطقة باركود"

-#: pretix/static/pretixcontrol/js/ui/editor.js:658
+#: pretix/static/pretixcontrol/js/ui/editor.js:663
 msgid "Image area"
 msgstr "منطقة صورة"

-#: pretix/static/pretixcontrol/js/ui/editor.js:660
+#: pretix/static/pretixcontrol/js/ui/editor.js:665
 msgid "Powered by pretix"
 msgstr "مدعوم من pretix"

-#: pretix/static/pretixcontrol/js/ui/editor.js:662
+#: pretix/static/pretixcontrol/js/ui/editor.js:667
 msgid "Object"
 msgstr "عنصر"

-#: pretix/static/pretixcontrol/js/ui/editor.js:666
+#: pretix/static/pretixcontrol/js/ui/editor.js:671
 msgid "Ticket design"
 msgstr "تصميم التذكرة"

-#: pretix/static/pretixcontrol/js/ui/editor.js:956
+#: pretix/static/pretixcontrol/js/ui/editor.js:961
 msgid "Saving failed."
 msgstr "فشلت عملية الحفظ."

-#: pretix/static/pretixcontrol/js/ui/editor.js:1006
-#: pretix/static/pretixcontrol/js/ui/editor.js:1045
+#: pretix/static/pretixcontrol/js/ui/editor.js:1011
+#: pretix/static/pretixcontrol/js/ui/editor.js:1050
 msgid "Error while uploading your PDF file, please try again."
 msgstr "حصل خطأ أثناء رفع ملف PDF الخاص بك، يرجى المحاولة مرة أخرى."

-#: pretix/static/pretixcontrol/js/ui/editor.js:1030
+#: pretix/static/pretixcontrol/js/ui/editor.js:1035
 msgid "Do you really want to leave the editor without saving your changes?"
 msgstr "هل تريد أن تغادر المحرر دون حفظ التعديلات؟"

@@ -573,15 +573,15 @@ msgstr "البحث في الاستفسارات"
 msgid "Selected only"
 msgstr "المختارة فقط"

-#: pretix/static/pretixcontrol/js/ui/main.js:858
+#: pretix/static/pretixcontrol/js/ui/main.js:862
 msgid "Use a different name internally"
 msgstr "قم باستخدم اسم مختلف داخليا"

-#: pretix/static/pretixcontrol/js/ui/main.js:894
+#: pretix/static/pretixcontrol/js/ui/main.js:898
 msgid "Click to close"
 msgstr "اضغط لاغلاق الصفحة"

-#: pretix/static/pretixcontrol/js/ui/main.js:966
+#: pretix/static/pretixcontrol/js/ui/main.js:970
 msgid "You have unsaved changes!"
 msgstr "لم تقم بحفظ التعديلات!"

@@ -655,20 +655,20 @@ msgstr "ستسترد %(currency)%(amount)"
 msgid "Please enter the amount the organizer can keep."
 msgstr "الرجاء إدخال المبلغ الذي يمكن للمنظم الاحتفاظ به."

-#: pretix/static/pretixpresale/js/ui/main.js:388
+#: pretix/static/pretixpresale/js/ui/main.js:393
 msgid "Please enter a quantity for one of the ticket types."
 msgstr "الرجاء إدخال عدد لأحد أنواع التذاكر."

-#: pretix/static/pretixpresale/js/ui/main.js:424
+#: pretix/static/pretixpresale/js/ui/main.js:429
 msgid "required"
 msgstr "مطلوب"

-#: pretix/static/pretixpresale/js/ui/main.js:527
-#: pretix/static/pretixpresale/js/ui/main.js:546
+#: pretix/static/pretixpresale/js/ui/main.js:532
+#: pretix/static/pretixpresale/js/ui/main.js:551
 msgid "Time zone:"
 msgstr "المنطقة الزمنية:"

-#: pretix/static/pretixpresale/js/ui/main.js:537
+#: pretix/static/pretixpresale/js/ui/main.js:542
 msgid "Your local time:"
 msgstr "التوقيت المحلي:"

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-11-07 15:22+0000\n"
+"POT-Creation-Date: 2022-12-14 13:09+0000\n"
 "PO-Revision-Date: 2020-12-19 07:00+0000\n"
 "Last-Translator: albert <albert.serra.monner@gmail.com>\n"
 "Language-Team: Catalan <https://translate.pretix.eu/projects/pretix/pretix-"
@@ -129,18 +129,18 @@ msgstr ""
 msgid "Mercado Pago"
 msgstr ""

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:159
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:163
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:48
 msgid "Continue"
 msgstr ""

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:217
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:221
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:152
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:183
 msgid "Confirming your payment …"
 msgstr ""

-#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:242
+#: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:246
 msgid "Payment method unavailable"
 msgstr ""

@@ -469,48 +469,48 @@ msgstr ""
 msgid "Check-in QR"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:378
+#: pretix/static/pretixcontrol/js/ui/editor.js:384
 msgid "The PDF background file could not be loaded for the following reason:"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:648
+#: pretix/static/pretixcontrol/js/ui/editor.js:653
 msgid "Group of objects"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:654
+#: pretix/static/pretixcontrol/js/ui/editor.js:659
 msgid "Text object"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:656
+#: pretix/static/pretixcontrol/js/ui/editor.js:661
 msgid "Barcode area"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:658
+#: pretix/static/pretixcontrol/js/ui/editor.js:663
 msgid "Image area"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:660
+#: pretix/static/pretixcontrol/js/ui/editor.js:665
 msgid "Powered by pretix"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:662
+#: pretix/static/pretixcontrol/js/ui/editor.js:667
 msgid "Object"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:666
+#: pretix/static/pretixcontrol/js/ui/editor.js:671
 msgid "Ticket design"
 msgstr "Disseny del tiquet"

-#: pretix/static/pretixcontrol/js/ui/editor.js:956
+#: pretix/static/pretixcontrol/js/ui/editor.js:961
 msgid "Saving failed."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:1006
-#: pretix/static/pretixcontrol/js/ui/editor.js:1045
+#: pretix/static/pretixcontrol/js/ui/editor.js:1011
+#: pretix/static/pretixcontrol/js/ui/editor.js:1050
 msgid "Error while uploading your PDF file, please try again."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/editor.js:1030
+#: pretix/static/pretixcontrol/js/ui/editor.js:1035
 msgid "Do you really want to leave the editor without saving your changes?"
 msgstr ""

@@ -556,15 +556,15 @@ msgstr ""
 msgid "Selected only"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:858
+#: pretix/static/pretixcontrol/js/ui/main.js:862
 msgid "Use a different name internally"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:894
+#: pretix/static/pretixcontrol/js/ui/main.js:898
 msgid "Click to close"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:966
+#: pretix/static/pretixcontrol/js/ui/main.js:970
 msgid "You have unsaved changes!"
 msgstr ""

@@ -628,22 +628,22 @@ msgstr ""
 msgid "Please enter the amount the organizer can keep."
 msgstr ""

-#: pretix/static/pretixpresale/js/ui/main.js:388
+#: pretix/static/pretixpresale/js/ui/main.js:393
 msgid "Please enter a quantity for one of the ticket types."
 msgstr ""

-#: pretix/static/pretixpresale/js/ui/main.js:424
+#: pretix/static/pretixpresale/js/ui/main.js:429
 #, fuzzy
 #| msgid "Cart expired"
 msgid "required"
 msgstr "Cistella expirada"

-#: pretix/static/pretixpresale/js/ui/main.js:527
-#: pretix/static/pretixpresale/js/ui/main.js:546
+#: pretix/static/pretixpresale/js/ui/main.js:532
+#: pretix/static/pretixpresale/js/ui/main.js:551
 msgid "Time zone:"
 msgstr ""

-#: pretix/static/pretixpresale/js/ui/main.js:537
+#: pretix/static/pretixpresale/js/ui/main.js:542
 msgid "Your local time:"
 msgstr ""

--- a/Show More
+++ b/Show More