Seating: fix handling optional position attribute

Test order deletion: Improve bulk performance (Z#23237160) (#6274 )
* Test order deletion: Improve bulk performance (Z#23237160) * Apply suggestion from @pajowu Co-authored-by: pajowu <engelhardt@pretix.eu> * Fix style issue --------- Co-authored-by: pajowu <engelhardt@pretix.eu>
2026-06-24 03:26:14 +00:00 · 2026-06-23 07:42:17 +02:00 · 2026-06-22 09:49:27 +02:00 · 2026-06-22 09:11:55 +02:00 · 2026-06-22 09:11:47 +02:00 · 2026-06-22 09:11:47 +02:00
375 changed files with 157713 additions and 149880 deletions
@@ -1,5 +1,6 @@
 doc/
 env/
+node_modules/
 res/
 local/
 .git/
@@ -0,0 +1,5 @@
+[*.{js,jsx,ts,tsx,vue}]
+indent_style = tab
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
@@ -46,4 +46,7 @@ jobs:
      - name: Run build
        run: python -m build
      - name: Check files
-        run: unzip -l dist/pretix*whl | grep node_modules || exit 1
+        run: |
+          for pat in 'static.dist/vite/widget/widget.js' 'static.dist/vite/control/assets/checkinrules/main-' 'static.dist/vite/control/assets/webcheckin/main-'; do
+            unzip -l dist/pretix*whl | grep -q "$pat" || { echo "Missing: $pat"; exit 1; }
+          done
@@ -0,0 +1,43 @@
+name: JS Code Style
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/static/pretixpresale/widget/**'
+      - 'src/pretix/static/pretixcontrol/js/ui/checkinrules/**'
+      - 'src/pretix/plugins/webcheckin/**'
+      - 'eslint.config.mjs'
+      - 'package.json'
+      - 'package-lock.json'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/static/pretixpresale/widget/**'
+      - 'src/pretix/static/pretixcontrol/js/ui/checkinrules/**'
+      - 'src/pretix/plugins/webcheckin/**'
+      - 'eslint.config.mjs'
+      - 'package.json'
+      - 'package-lock.json'
+
+permissions:
+  contents: read
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  eslint:
+    name: eslint
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js 24
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: npm
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run ESLint
+        run: npm run lint:eslint
@@ -72,7 +72,7 @@ jobs:
        run: make all compress
      - name: Run tests
        working-directory: ./src
-        run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml tests --maxfail=100
+        run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml tests --ignore=tests/e2e --maxfail=100
      - name: Run concurrency tests
        working-directory: ./src
        run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test tests/concurrency_tests/ --reuse-db
@@ -84,3 +84,46 @@ jobs:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false
        if: matrix.database == 'postgres' && matrix.python-version == '3.13'
+  e2e:
+    runs-on: ubuntu-22.04
+    name: E2E Tests
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: pretix
+        options: >-
+          --health-cmd "pg_isready -U postgres -d pretix"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system dependencies
+        run: sudo apt update && sudo apt install -y gettext
+      - name: Install Python dependencies
+        run: pip3 install uv && uv pip install --system -e ".[dev]" psycopg2-binary
+      - name: Install JS dependencies
+        working-directory: ./src
+        run: make npminstall
+      - name: Compile
+        working-directory: ./src
+        run: make all compress
+      - name: Install Playwright browsers
+        run: playwright install
+      - name: Run E2E tests
+        working-directory: ./src
+        run: PRETIX_CONFIG_FILE=tests/ci_postgres.cfg py.test tests/e2e/ -v --maxfail=10
@@ -24,5 +24,7 @@ local/
 .project
 .pydevproject
 .DS_Store
+node_modules/
+.vite/


@@ -10,9 +10,9 @@ tests:
        - cd src
        - python manage.py check
        - make all compress
-        - PRETIX_CONFIG_FILE=tests/ci_sqlite.cfg py.test -n 3 tests --maxfail=100
+        - PRETIX_CONFIG_FILE=tests/ci_sqlite.cfg py.test -n 3 tests --ignore=tests/e2e --maxfail=100
    except:
-        - pypi
+        - '/^v.*$/'
 pypi:
    stage: release
    image:
@@ -35,7 +35,7 @@ pypi:
        - twine check dist/*
        - twine upload dist/*
    only:
-        - pypi
+        - '/^v.*$/'
    artifacts:
        paths:
            - src/dist/
@@ -1 +1 @@
-17
+24
@@ -0,0 +1 @@
+/*
@@ -1,6 +1,7 @@
 FROM python:3.13-trixie

-RUN apt-get update && \
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
+    apt-get update && \
    apt-get install -y --no-install-recommends \
            build-essential \
            gettext \
@@ -21,8 +22,7 @@ RUN apt-get update && \
            libmaxminddb0 \
            libmaxminddb-dev \
            zlib1g-dev \
-            nodejs  \
-            npm && \
+            nodejs && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    dpkg-reconfigure locales &&  \
@@ -31,6 +31,7 @@ RUN apt-get update && \
    mkdir /etc/pretix && \
    mkdir /data && \
    useradd -ms /bin/bash -d /pretix -u 15371 pretixuser && \
+    chmod 0755 /pretix && \
    echo 'pretixuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers && \
    mkdir /static && \
    mkdir /etc/supervisord
@@ -49,11 +50,14 @@ COPY deployment/docker/production_settings.py /pretix/src/production_settings.py
 COPY pyproject.toml /pretix/pyproject.toml
 COPY _build /pretix/_build
 COPY src /pretix/src
+COPY package.json /pretix/package.json
+COPY package-lock.json /pretix/package-lock.json
+COPY tsconfig.json /pretix/tsconfig.json
+COPY vite.config.ts /pretix/vite.config.ts

 RUN pip3 install -U \
        pip \
-        setuptools \
-        wheel && \
+        setuptools && \
    cd /pretix && \
    PRETIX_DOCKER_BUILD=TRUE pip3 install \
        -e ".[memcached]" \
@@ -48,3 +48,8 @@ recursive-include src Makefile
 recursive-exclude doc *
 recursive-exclude deployment *
 recursive-exclude res *
+
+include package.json
+include package-lock.json
+include tsconfig.json
+include vite.config.ts
@@ -192,7 +192,7 @@ Cart position endpoints
   * ``attendee_email`` (optional)
   * ``subevent`` (optional)
   * ``expires`` (optional)
-   * ``includes_tax`` (optional, **deprecated**, do not use, will be removed)
+   * ``includes_tax`` (optional, **DEPRECATED**, do not use, will be removed)
   * ``sales_channel`` (optional)
   * ``voucher`` (optional, expect a voucher code)
   * ``addons`` (optional, expect a list of nested objects of cart positions)
@@ -46,12 +46,14 @@ Checking a ticket in
                        this request twice with the same nonce, the second request will also succeed but will always
                        create only one check-in object even when the previous request was successful as well. This
                        allows for a certain level of idempotency and enables you to re-try after a connection failure.
+   :<json string exchange_medium_type: To perform an exchange to a reusable medium, pass the type of the new reusable medium
+   :<json string exchange_medium_identifier: To perform an exchange to a reusable media, pass the identifier of the new medium
   :<json boolean use_order_locale: Specifies that pretix should use the customer's language (``locale`` field from the
                                    order) when building texts (currently only the ``reason_explanation`` response field).
                                    Defaults to ``false`` in which case the server will determine the language (currently
                                    the event default language, might change in the future with support for the
                                    ``Accept-Language`` header).
-   :>json string status: ``"ok"``, ``"incomplete"``, or ``"error"``
+   :>json string status: ``"ok"``, ``"incomplete"``, ``"exchange"``, or ``"error"``
   :>json string reason: Reason code, only set on status ``"error"``, see below for possible values.
   :>json string reason_explanation: Human-readable explanation, only set on status ``"error"`` and reason ``"rules"``, can be null.
   :>json object position: Copy of the matching order position (if any was found). The contents are the same as the
@@ -67,6 +69,8 @@ Checking a ticket in
   :>json object list: Excerpt of information about the matching :ref:`check-in list <rest-checkinlists>` (if any was found),
                       including the attributes ``id``, ``name``, ``event``, ``subevent``, and ``include_pending``.
   :>json object questions: List of questions to be answered for check-in, only set on status ``"incomplete"``.
+   :>json object media_policy: Reusable media policy (see documentation on items), only set on status ``"exchange"``.
+   :>json object media_type: Reusable media type (see documentation on items), only set on status ``"exchange"``.

   **Example request**:

@@ -224,6 +228,9 @@ Checking a ticket in
   * ``ambiguous`` - Multiple tickets match scan, rejected.
   * ``revoked`` - Ticket code has been revoked.
   * ``unapproved`` - Order has not yet been approved.
+   * ``already_exchanged`` - Ticket already has been exchanged for a reusable medium that must now be used for check-in.
+   * ``medium_invalid`` - Reusable medium identifier given was not found or is not valid.
+   * ``medium_exists`` - Reusable medium identifier already exists, but expected to be new.
   * ``error`` - Internal error.

   In case of reason ``rules`` and ``invalid_time``, there might be an additional response field ``reason_explanation``
@@ -602,7 +602,8 @@ Order position endpoints

      We no longer recommend using this API if you're building a ticket scanning application, as it has a few design
      flaws that can lead to `security issues`_ or compatibility issues due to barcode content characters that are not
-      URL-safe. We recommend to use our new :ref:`check-in API <rest-checkin>` instead.
+      URL-safe. We recommend to use our new :ref:`check-in API <rest-checkin>` instead. Advanced features like medium
+      exchange are only supported on the new API.

   :query boolean untrusted_input: If set to true, the lookup parameter is **always** interpreted as a ``secret``, never
                                   as an ``id``. This should be always set if you are passing through untrusted, scanned
@@ -741,6 +742,9 @@ Order position endpoints
   * ``ambiguous`` - Multiple tickets match scan, rejected.
   * ``revoked`` - Ticket code has been revoked.
   * ``unapproved`` - Order has not yet been approved.
+   * ``already_exchanged`` - Ticket already has been exchanged for a reusable medium that must now be used for check-in.
+   * ``medium_invalid`` - Reusable medium identifier given was not found and could not be automatically created.
+   * ``medium_exists`` - Reusable medium identifier already exists, but expected to be new.

   In case of reason ``rules`` or ``invalid_time``, there might be an additional response field ``reason_explanation``
   with a human-readable description of the violated rules. However, that field can also be missing or be ``null``.
@@ -844,3 +844,187 @@ You can also fetch existing leads (if you are authorized to do so):
   :statuscode 200: No error
   :statuscode 401: Invalid authentication code
   :statuscode 403: Not permitted to access bulk data
+
+Retrieving Vouchers
+"""""""""""""""""""
+
+Vouchers returned by the App API use a different format than described in :ref:`rest-vouchers`.
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the voucher
+code                                  string                     The voucher code that is required to redeem the voucher
+max_usages                            integer                    The maximum number of times this voucher can be
+                                                                 redeemed (default: 1).
+redeemed                              integer                    The number of times this voucher already has been
+                                                                 redeemed.
+valid_until                           datetime                   The voucher expiration date (or ``null``).
+subevent                              string                     Name of the date inside an event series this voucher belongs to (or ``null``).
+tag                                   string                     A string that is used for grouping vouchers
+comment                               string                     An internal exhibitor comment on the voucher.
+items                                 list of strings            A list of items this voucher is restricted to (or ``null``).
+price_mode                            string                     Determines how this voucher affects product prices.
+                                                                 Possible values:
+
+                                                                 * ``none`` – No effect on price
+                                                                 * ``set`` – The product price is set to the given ``value``
+                                                                 * ``subtract`` – The product price is determined by the original price *minus* the given ``value``
+                                                                 * ``percent`` – The product price is determined by the original price reduced by the percentage given in ``value``
+value                                 decimal (string)           The value (see ``price_mode``)
+redemptions                           list of objects            A list of objects, where each object represents an order position that has been purchased using the voucher.
+                                                                 Each entry will contains the fields ``attendee_fields``, ``redemption_date`` and ``subevent``.
+
+                                                                 The attendee data in the ``attendee_fields`` that is shown is based on the event's configuration, and each entry
+                                                                 contains the fields ``id``, ``label``, ``value``, and ``details``. ``details`` is usually empty
+                                                                 except in a few cases where it contains an additional list of objects
+                                                                 with ``value`` and ``label`` keys (e.g. splitting of names).
+===================================== ========================== =======================================================
+
+
+.. http:get:: /exhibitors/api/v1/vouchers/
+
+   Returns a list of all vouchers connected to the exhibitor.
+
+   Note that the ``attendee_fields`` array can contain any number of dynamic keys!
+   Depending on the exhibitors permission and event configuration this might be empty, or contain lots of details.
+   The app should dynamically show these values (read-only) with the labels sent by the server.
+
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /exhibitors/api/v1/vouchers/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "code": "43K6LKM37FBVR2YG",
+            "max_usages": 1,
+            "redeemed": 0,
+            "valid_until": null,
+            "subevent": null,
+            "tag": "testvoucher",
+            "comment": "",
+            "items": [
+                "All"
+            ],
+            "price_mode": "set",
+            "value": "12.00",
+            "redemptions": [
+              {
+                "attendee_fields": [
+                  {
+                    "id": "attendee_name",
+                    "label": "Name",
+                    "value": "Jon Doe",
+                    "details": [
+                      {"label": "Given name", "value": "John"},
+                      {"label": "Family name", "value": "Doe"},
+                    ]
+                  },
+                  {
+                    "id": "attendee_email",
+                    "label": "Email",
+                    "value": "test@example.com",
+                    "details": []
+                  }
+                ],
+                "redemption_date": "2026-05-06",
+                "subevent": null
+              },
+            ]
+          }
+        ]
+      }
+
+   :statuscode 200: No error
+   :statuscode 401: Invalid authentication code
+   :statuscode 403: Not permitted to access bulk data
+
+.. http:get:: /exhibitors/api/v1/vouchers/(id)/
+
+   Returns the details of a single, specific voucher connected to the exhibitor.
+
+   Note that the ``attendee_fields`` array can contain any number of dynamic keys!
+   Depending on the exhibitors permission and event configuration this might be empty, or contain lots of details.
+   The app should dynamically show these values (read-only) with the labels sent by the server.
+
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /exhibitors/api/v1/vouchers/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "redeemed": 0,
+        "valid_until": null,
+        "subevent": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "items": [
+            "All"
+        ],
+        "price_mode": "set",
+        "value": "12.00",
+        "redemptions": [
+          {
+            "attendee_fields": [
+              {
+                "id": "attendee_name",
+                "label": "Name",
+                "value": "Jon Doe",
+                "details": [
+                  {"label": "Given name", "value": "John"},
+                  {"label": "Family name", "value": "Doe"},
+                ]
+              },
+              {
+                "id": "attendee_email",
+                "label": "Email",
+                "value": "test@example.com",
+                "details": []
+              }
+            ],
+            "redemption_date": "2026-05-06",
+            "subevent": null
+          },
+        ]
+      }
+
+   :param id: The ``id`` field of the voucher to fetch
+   :statuscode 200: No error
+   :statuscode 401: Invalid authentication code
+   :statuscode 403: Not permitted to access bulk data
+   :statuscode 404: Voucher not found in system
@@ -16,6 +16,7 @@ Field                                 Type                       Description
 id                                    integer                    Internal ID of the program time
 start                                 datetime                   The start date time for this program time slot.
 end                                   datetime                   The end date time for this program time slot.
+location                              multi-lingual string       The program time slot's location (or ``null``)
 ===================================== ========================== =======================================================

 .. versionchanged:: TODO
@@ -54,17 +55,20 @@ Endpoints
            {
               "id": 2,
               "start": "2025-08-14T22:00:00Z",
-               "end": "2025-08-15T00:00:00Z"
+               "end": "2025-08-15T00:00:00Z",
+               "location": null
            },
            {
               "id": 3,
               "start": "2025-08-12T22:00:00Z",
-               "end": "2025-08-13T22:00:00Z"
+               "end": "2025-08-13T22:00:00Z",
+               "location": null
            },
            {
               "id": 14,
               "start": "2025-08-15T22:00:00Z",
-               "end": "2025-08-17T22:00:00Z"
+               "end": "2025-08-17T22:00:00Z",
+               "location": null
            }
        ]
      }
@@ -99,7 +103,8 @@ Endpoints
      {
         "id": 1,
         "start": "2025-08-15T22:00:00Z",
-         "end": "2025-10-27T23:00:00Z"
+         "end": "2025-10-27T23:00:00Z",
+         "location": null
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -125,7 +130,8 @@ Endpoints

      {
        "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
      }

   **Example response**:
@@ -139,7 +145,8 @@ Endpoints
      {
        "id": 17,
        "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
      }

   :param organizer: The ``slug`` field of the organizer of the event/item to create a program time for
@@ -131,7 +131,7 @@ allow_waitinglist                       boolean                    If ``false``,
                                                                   product when it is sold out.
 issue_giftcard                          boolean                    If ``true``, buying this product will yield a gift card.
 media_policy                            string                     Policy on how to handle reusable media (experimental feature).
-                                                                   Possible values are ``null``, ``"new"``, ``"reuse"``, and ``"reuse_or_new"``.
+                                                                   Possible values are ``null``, ``"new"``, ``"reuse"``, ``"reuse_or_new"``, ``"append"``, and ``"append_or_new"``.
 media_type                              string                     Type of reusable media to work on (experimental feature). See :ref:`rest-reusablemedia` for possible choices.
 show_quota_left                         boolean                    Publicly show how many tickets are still available.
                                                                   If this is ``null``, the event default is used.
@@ -1069,7 +1069,7 @@ Creating orders
      * ``valid_from`` (optional, if both ``valid_from`` and ``valid_until`` are **missing** (not ``null``) the availability will be computed from the given product)
      * ``valid_until`` (optional, if both ``valid_from`` and ``valid_until`` are **missing** (not ``null``) the availability will be computed from the given product)
      * ``requested_valid_from`` (optional, can be set **instead** of ``valid_from`` and ``valid_until`` to signal a user choice for the start time that may or may not be respected)
-      * ``use_reusable_medium`` (optional, causes the new ticket to take over the given reusable medium, identified by its ID)
+      * ``use_reusable_medium`` (optional, causes the new ticket to be connected to the given reusable medium, identified by its ID)
      * ``discount`` (optional, only possible if ``price`` is set; attention: if this is set to not-``null`` on any position, automatic calculation of discounts will not run)
      * ``answers``

@@ -21,12 +21,16 @@ id                                    integer                    Internal ID of
 type                                  string                     Type of medium, e.g. ``"barcode"``, ``"nfc_uid"`` or ``"nfc_mf0aes"``.
 organizer                             string                     Organizer slug of the organizer who "owns" this medium.
 identifier                            string                     Unique identifier of the medium. The format depends on the ``type``.
+claim_token                           string                     Secret token to claim ownership of the medium (or ``null``)
+label                                 string                     Label to identify the medium, usually something human readable (or ``null``)
 active                                boolean                    Whether this medium may be used.
 created                               datetime                   Date of creation
 updated                               datetime                   Date of last modification
 expires                               datetime                   Expiry date (or ``null``)
 customer                              string                     Identifier of a customer account this medium belongs to.
-linked_orderposition                  integer                    Internal ID of a ticket this medium is linked to.
+linked_orderpositions                 list of integers           Internal IDs of tickets this medium is linked to.
+linked_orderposition                  integer                    **DEPRECATED.** ID of the ticket the medium is linked to, if it is linked to 
+                                                                 only one ticket. ``null``, if the medium is linked to none or multiple tickets.
 linked_giftcard                       integer                    Internal ID of a gift card this medium is linked to.
 info                                  object                     Additional data, content depends on the ``type``. Consider
                                                                 this internal to the system and don't use it for your own data.
@@ -39,6 +43,14 @@ Existing media types are:
 - ``nfc_uid``
 - ``nfc_mf0aes``

+
+.. versionchanged:: 2026.5
+
+   The ``claim_token``, ``label``, ``linked_orderpositions`` attributes have been added, the ``linked_orderposition`` attribute has been
+   deprecated. Note: To maintain backwards compatibility ``linked_orderposition`` contains the internal ID of the linked order position
+   if the medium has exactly one order position in ``linked_orderpositions``.
+
+
 Endpoints
 ---------

@@ -77,6 +89,7 @@ Endpoints
            "active": True,
            "expires": None,
            "customer": None,
+            "linked_orderpositions": [],
            "linked_orderposition": None,
            "linked_giftcard": None,
            "notes": None,
@@ -92,10 +105,13 @@ Endpoints
   :query string customer: Only show media linked to the given customer.
   :query string created_since: Only show media created since a given date.
   :query string updated_since: Only show media updated since a given date.
+   :query integer linked_orderpositions: Only show media linked to the given tickets. Note: you can pass multiple ticket IDs by passing
+                                         ``linked_orderpositions`` multiple times. Any medium matching any linked orderposition will be returned.
   :query integer linked_orderposition: Only show media linked to the given ticket.
   :query integer linked_giftcard: Only show media linked to the given gift card.
-   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_giftcard.owner_ticket"``, ``"linked_orderposition"``,
-                         or ``"customer"``, the respective field will be shown as a nested value instead of just an ID.
+   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_giftcard.owner_ticket"``, ``"linked_orderpositions"``,
+                         ``"linked_orderposition"`` (**DEPRECATED**), or ``"customer"``, the respective field will be shown 
+                         as a nested value instead of just an ID.
                         The nested objects are identical to the respective resources, except that order positions
                         will have an attribute of the format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make
                         matching easier. The parameter can be given multiple times.
@@ -134,6 +150,7 @@ Endpoints
        "active": True,
        "expires": None,
        "customer": None,
+        "linked_orderpositions": [],
        "linked_orderposition": None,
        "linked_giftcard": None,
        "notes": None,
@@ -191,6 +208,7 @@ Endpoints
        "active": True,
        "expires": None,
        "customer": None,
+        "linked_orderpositions": [],
        "linked_orderposition": None,
        "linked_giftcard": None,
        "notes": None,
@@ -198,9 +216,9 @@ Endpoints
      }

   :param organizer: The ``slug`` field of the organizer to look up a medium for
-   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderposition"``, oder ``"customer"``, the respective
+   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderpositions"``, or ``"customer"``, the respective
                         field will be shown as a nested value instead of just an ID. The nested objects are identical to
-                         the respective resources, except that the ``linked_orderposition`` will have an attribute of the
+                         the respective resources, except that the ``linked_orderpositions`` each will have an attribute of the
                         format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make matching easier. The parameter
                         can be given multiple times.
   :statuscode 201: no error
@@ -227,6 +245,7 @@ Endpoints
        "active": True,
        "expires": None,
        "customer": None,
+        "linked_orderpositions": [],
        "linked_orderposition": None,
        "linked_giftcard": None,
        "notes": None,
@@ -251,6 +270,7 @@ Endpoints
        "active": True,
        "expires": None,
        "customer": None,
+        "linked_orderpositions": [],
        "linked_orderposition": None,
        "linked_giftcard": None,
        "notes": None,
@@ -258,7 +278,7 @@ Endpoints
      }

   :param organizer: The ``slug`` field of the organizer to create a medium for
-   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderposition"``, oder ``"customer"``, the respective
+   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderpositions"``, or ``"customer"``, the respective
                         field will be shown as a nested value instead of just an ID. The nested objects are identical to
                         the respective resources, except that the ``linked_orderposition`` will have an attribute of the
                         format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make matching easier. The parameter
@@ -287,7 +307,7 @@ Endpoints
      Content-Length: 94

      {
-        "linked_orderposition": 13
+        "linked_orderpositions": [13, 29]
      }

   **Example response**:
@@ -308,7 +328,8 @@ Endpoints
        "active": True,
        "expires": None,
        "customer": None,
-        "linked_orderposition": 13,
+        "linked_orderpositions": [13, 29],
+        "linked_orderposition": None,
        "linked_giftcard": None,
        "notes": None,
        "info": {}
@@ -316,7 +337,7 @@ Endpoints

   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the medium to modify
-   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderposition"``, oder ``"customer"``, the respective
+   :query string expand: If you pass ``"linked_giftcard"``, ``"linked_orderpositions"``, or ``"customer"``, the respective
                         field will be shown as a nested value instead of just an ID. The nested objects are identical to
                         the respective resources, except that the ``linked_orderposition`` will have an attribute of the
                         format ``"order": {"code": "ABCDE", "event": "eventslug"}`` to make matching easier. The parameter
@@ -70,6 +70,7 @@ The following values for ``action_types`` are valid with pretix core:
    * ``pretix.subevent.changed``
    * ``pretix.subevent.deleted``
    * ``pretix.event.item.*``
+    * ``pretix.event.quota.*``
    * ``pretix.event.live.activated``
    * ``pretix.event.live.deactivated``
    * ``pretix.event.testmode.activated``
@@ -64,8 +64,8 @@ Backend

 .. automodule:: pretix.control.signals
   :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
-             order_info, event_settings_widget, oauth_application_registered, order_position_buttons, subevent_forms,
-             item_formsets, order_search_filter_q, order_search_forms
+             order_info, order_approve_info, event_settings_widget, oauth_application_registered,
+             order_position_buttons, subevent_forms, item_formsets, order_search_filter_q, order_search_forms, subevent_detail_html

 .. automodule:: pretix.base.signals
   :no-index:
@@ -86,7 +86,7 @@ individual commits, we use "Rebase and merge" instead. Merge commits should be a
 .. _PEP 8: https://legacy.python.org/dev/peps/pep-0008/
 .. _flake8: https://pypi.python.org/pypi/flake8
 .. _Django Coding Style: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/
-.. _translation: https://docs.djangoproject.com/en/1.11/topics/i18n/translation/
-.. _class-based views: https://docs.djangoproject.com/en/1.11/topics/class-based-views/
+.. _translation: https://docs.djangoproject.com/en/6.0/topics/i18n/translation/
+.. _class-based views: https://docs.djangoproject.com/en/6.0/topics/class-based-views/
 .. _pytest-style: https://docs.pytest.org/en/latest/assert.html
 .. _fixtures: https://docs.pytest.org/en/latest/fixture.html
@@ -81,7 +81,7 @@ is a python method that emulates a behavior similar to ``reverse``:

 If you need to communicate the URL externally, you can use a different method to ensure that it is always an absolute URL:

-.. autofunction:: pretix.multidomain.urlreverse.build_absolute_uri
+.. autofunction:: pretix.multidomain.urlreverse.eventreverse_absolute

 In addition, there is a template tag that works similar to ``url`` but takes an event or organizer object
 as its first argument and can be used like this::
@@ -110,6 +110,56 @@ process::

 However, beware that code changes will not auto-reload within Celery.

+Running the local development server will also automatically start a vite dev server for all control vue components.
+
+Run the widget development server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To locally develop the presale widget you need to start a separate vite dev server using::
+
+    npm run dev:widget
+
+You can control the org, event and much more via query parameters like this::
+
+    http://localhost:5180/?org=testorg&event=testevent
+
+The following query parameters are supported:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 20 60
+
+   * - Parameter
+     - Default
+     - Description
+   * - ``org``
+     - ``testorg``
+     - Organization slug
+   * - ``event``
+     - ``testevent``
+     - Event slug
+   * - ``host``
+     - ``http://localhost:8000``
+     - Backend host URL
+   * - ``type``
+     - ``widget``
+     - Element type: ``widget`` or ``button``
+   * - ``mode``
+     - ``dev``
+     - ``dev`` loads the Vite dev source, ``prod`` loads the built ``v2.{lang}.js``
+   * - ``lang``
+     - ``de``
+     - Language code for the prod script
+   * - ``button-text``
+     - ``Buy tickets!``
+     - Text content for the button (only used when ``type=button``)
+
+Any other query parameter is passed through as an attribute on the widget/button element.
+For example, ``?skip-ssl-check&list-type=calendar&items=123`` adds those attributes directly.
+
+
+
+
 .. _`checksandtests`:

 Code checks and unit tests
@@ -0,0 +1,108 @@
+import { defineConfig, globalIgnores } from 'eslint/config'
+import globals from 'globals'
+import js from '@eslint/js'
+import ts from 'typescript-eslint'
+import stylistic from '@stylistic/eslint-plugin'
+import vue from 'eslint-plugin-vue'
+import vuePug from 'eslint-plugin-vue-pug'
+
+const ignores = globalIgnores([
+	'**/node_modules',
+	'**/dist'
+])
+
+export default defineConfig([
+	ignores,
+	...ts.config(
+		js.configs.recommended,
+		ts.configs.recommended
+	),
+	stylistic.configs.customize({
+		indent: 'tab',
+		braceStyle: '1tbs',
+		quoteProps: 'as-needed'
+	}),
+	...vue.configs['flat/recommended'],
+	...vuePug.configs['flat/recommended'],
+	{
+		languageOptions: {
+			globals: {
+				...globals.browser,
+				...globals.node,
+				localStorage: false,
+				$: 'readonly',
+				$$: 'readonly',
+				$ref: 'readonly',
+				$computed: 'readonly',
+			},
+			parserOptions: {
+				parser: '@typescript-eslint/parser'
+			}
+		},
+
+		rules: {
+			'no-debugger': 'off',
+			curly: 0,
+			'no-return-assign': 0,
+			'no-console': 'off',
+			'vue/require-default-prop': 0,
+			'vue/require-v-for-key': 0,
+			'vue/valid-v-for': 'warn',
+			'vue/no-reserved-keys': 0,
+			'vue/no-setup-props-destructure': 0,
+			'vue/multi-word-component-names': 0,
+			'vue/max-attributes-per-line': 0,
+			'vue/attribute-hyphenation': ['warn', 'never'],
+			'vue/v-on-event-hyphenation': ['warn', 'never'],
+			'import/first': 0,
+			'@typescript-eslint/ban-ts-comment': 0,
+			'@typescript-eslint/no-explicit-any': 0,
+			'no-use-before-define': 'off',
+			'no-var': 'error',
+
+			'@typescript-eslint/no-use-before-define': ['error', {
+				typedefs: false,
+				functions: false,
+			}],
+
+			'@typescript-eslint/no-unused-vars': ['error', {
+				args: 'all',
+				argsIgnorePattern: '^_',
+				caughtErrors: 'all',
+				caughtErrorsIgnorePattern: '^_',
+				destructuredArrayIgnorePattern: '^_',
+				varsIgnorePattern: '^_',
+				ignoreRestSiblings: true
+			}],
+
+			'@stylistic/comma-dangle': 0,
+			'@stylistic/space-before-function-paren': ['error', 'always'],
+			'@stylistic/max-statements-per-line': ['error', { max: 1, ignoredNodes: ['BreakStatement'] }],
+			'@stylistic/member-delimiter-style': 0,
+			'@stylistic/arrow-parens': 0,
+			'@stylistic/generator-star-spacing': 0,
+			'@stylistic/yield-star-spacing': ['error', 'after'],
+		},
+	},
+	{
+		files: [
+			'src/pretix/static/pretixcontrol/js/ui/checkinrules/**/*.vue',
+			'src/pretix/plugins/webcheckin/**/*.vue',
+		],
+		languageOptions: {
+			globals: {
+				moment: 'readonly',
+			},
+		},
+	},
+	{
+		files: [
+			'src/pretix/static/pretixpresale/widget/**/*.{ts,vue}',
+		],
+		languageOptions: {
+			globals: {
+				LANG: 'readonly',
+			},
+		},
+	},
+])
@@ -0,0 +1,52 @@
+{
+  "name": "pretix",
+  "version": "1.0.0",
+  "description": "",
+  "homepage": "https://github.com/pretix/pretix#readme",
+  "bugs": {
+    "url": "https://github.com/pretix/pretix/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/pretix/pretix.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "author": "",
+  "type": "module",
+  "main": "index.js",
+  "directories": {
+    "doc": "doc"
+  },
+  "scripts": {
+    "dev:control": "vite",
+    "dev:widget": "vite src/pretix/static/pretixpresale/widget",
+    "build": "npm run build:control -s && npm run build:widget -s",
+    "build:control": "vite build",
+    "build:widget": "vite build src/pretix/static/pretixpresale/widget",
+    "lint:eslint": "eslint src/pretix/static/pretixpresale/widget src/pretix/static/pretixcontrol/js/ui/checkinrules src/pretix/plugins/webcheckin",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "vue": "^3.5.30"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@stylistic/eslint-plugin": "^5.10.0",
+    "@types/jquery": "^3.5.33",
+    "@types/moment": "^2.11.29",
+    "@types/node": "^25.5.0",
+    "@vitejs/plugin-vue": "^6.0.5",
+    "@vue/eslint-config-typescript": "^14.7.0",
+    "@vue/language-plugin-pug": "^3.2.5",
+    "eslint": "^10.0.3",
+    "eslint-plugin-vue": "^10.8.0",
+    "eslint-plugin-vue-pug": "^1.0.0-alpha.5",
+    "globals": "^17.4.0",
+    "pug": "^3.0.3",
+    "sass-embedded": "^1.98.0",
+    "smol-toml": "^1.6.1",
+    "stylus": "^0.64.0",
+    "typescript-eslint": "^8.57.0",
+    "vite": "^8.0.0"
+  }
+}
@@ -27,23 +27,23 @@ classifiers = [
 ]

 dependencies = [
-  "arabic-reshaper==3.0.0",  # Support for Arabic in reportlab
+  "arabic-reshaper==3.0.1",  # Support for Arabic in reportlab
  "babel",
-  "BeautifulSoup4==4.14.*",
-  "bleach==6.3.*",
+  "BeautifulSoup4==4.15.*",
+  "bleach==6.4.*",
  "celery==5.6.*",
  "chardet==5.2.*",
-  "cryptography>=46.0.7",
+  "cryptography>=49.0.0",
  "css-inline==0.20.*",
  "defusedcsv>=3.0.0",
  "dnspython==2.*",
  "Django[argon2]==5.2.*",
  "django-bootstrap3==26.1",
  "django-compressor==4.6.0",
-  "django-countries==8.2.*",
+  "django-countries==9.0.*",
  "django-filter==25.1",
  "django-formset-js-improved==0.5.0.5",
-  "django-formtools==2.5.1",
+  "django-formtools==2.6.1",
  "django-hierarkey==2.0.*,>=2.0.1",
  "django-hijack==3.7.*",
  "django-i18nfield==1.11.*",
@@ -56,7 +56,7 @@ dependencies = [
  "django-redis==6.0.*",
  "django-scopes==2.0.*",
  "django-statici18n==2.7.*",
-  "djangorestframework==3.16.*",
+  "djangorestframework==3.17.*",
  "dnspython==2.8.*",
  "drf_ujson2==1.7.*",
  "geoip2==5.*",
@@ -74,11 +74,11 @@ dependencies = [
  "packaging",
  "paypalrestsdk==1.13.*",
  "paypal-checkout-serversdk==1.0.*",
-  "PyJWT==2.12.*",
+  "PyJWT==2.13.*",
  "phonenumberslite==9.0.*",
  "Pillow==12.2.*",
  "pretix-plugin-build",
-  "protobuf==7.34.*",
+  "protobuf==7.35.*",
  "psycopg2-binary",
  "pycountry",
  "pycparser==3.0",
@@ -91,9 +91,9 @@ dependencies = [
  "pyuca",
  "qrcode==8.2",
  "redis==7.4.*",
-  "reportlab==4.4.*",
+  "reportlab==4.5.*",
  "requests==2.32.*",
-  "sentry-sdk==2.58.*",
+  "sentry-sdk==2.62.*",
  "sepaxml==2.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
@@ -101,30 +101,32 @@ dependencies = [
  "tqdm==4.*",
  "ua-parser==1.0.*",
  "vobject==0.9.*",
-  "webauthn==2.7.*",
+  "webauthn==2.8.*",
  "zeep==4.3.*"
 ]

 [project.optional-dependencies]
 memcached = ["pylibmc"]
 dev = [
-  "aiohttp==3.13.*",
+  "aiohttp==3.14.*",
  "coverage",
  "coveralls",
-  "fakeredis==2.34.*",
+  "fakeredis==2.36.*",
  "flake8==7.3.*",
  "freezegun",
  "isort==8.0.*",
  "pep8-naming==0.15.*",
  "potypo",
-  "pytest-asyncio>=1.3.0",
+  "pytest-asyncio>=1.4.0",
  "pytest-cache",
  "pytest-cov",
  "pytest-django==4.*",
  "pytest-mock==3.15.*",
  "pytest-sugar",
  "pytest-xdist==3.8.*",
-  "pytest==9.0.*",
+  "pytest-playwright",
+  "pytest==9.1.*",
+  "playwright",
  "responses",
 ]

@@ -137,8 +139,6 @@ build-backend = "backend"
 backend-path = ["_build"]
 requires = [
  "setuptools",
-  "setuptools-rust",
-  "wheel",
  "importlib_metadata",
  "tomli",
 ]
@@ -37,4 +37,9 @@ ignore =
    CONTRIBUTING.md
    Dockerfile
    SECURITY.md
+    eslint.config.mjs
+    package-lock.json
+    package.json
+    tsconfig.json
+    vite.config.js

@@ -9,10 +9,10 @@ localegen:
 	./manage.py makemessages --keep-pot --ignore "pretix/static/npm_dir/*" $(LNGS)
 	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/static/npm_dir/*" --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)

-staticfiles: jsi18n
+staticfiles: npminstall npmbuild jsi18n
 	./manage.py collectstatic --noinput

-compress: npminstall
+compress:
 	./manage.py compress

 jsi18n: localecompile
@@ -25,8 +25,8 @@ coverage:
 	coverage run -m py.test

 npminstall:
-	# keep this in sync with pretix/_build.py!
-	mkdir -p pretix/static.dist/node_prefix/
-	cp -r pretix/static/npm_dir/* pretix/static.dist/node_prefix/
-	npm ci --prefix=pretix/static.dist/node_prefix
+	npm ci
+
+npmbuild:
+	npm run build

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.4.0.dev0"
+__version__ = "2026.6.0.dev0"
@@ -37,9 +37,11 @@ INSTALLED_APPS = [
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
-    'django.contrib.staticfiles',
    'django.contrib.humanize',
+    # pretix needs to go before staticfiles
+    # so we can override the runserver command
    'pretix.base',
+    'django.contrib.staticfiles',
    'pretix.control',
    'pretix.presale',
    'pretix.multidomain',
@@ -243,7 +245,6 @@ STORAGES = {

 COMPRESS_PRECOMPILERS = (
    ('text/x-scss', 'django_libsass.SassCompiler'),
-    ('text/vue', 'pretix.helpers.compressor.VueCompiler'),
 )

 COMPRESS_OFFLINE_CONTEXT = {
@@ -21,13 +21,13 @@
 #

 import os
-import shutil
 import subprocess

 from setuptools.command.build import build
 from setuptools.command.build_ext import build_ext

 here = os.path.abspath(os.path.dirname(__file__))
+project_root = os.path.abspath(os.path.join(here, '..', '..'))
 npm_installed = False


@@ -35,14 +35,14 @@ def npm_install():
    global npm_installed

    if not npm_installed:
-        # keep this in sync with Makefile!
-        node_prefix = os.path.join(here, 'static.dist', 'node_prefix')
-        os.makedirs(node_prefix, exist_ok=True)
-        shutil.copytree(os.path.join(here, 'static', 'npm_dir'), node_prefix, dirs_exist_ok=True)
-        subprocess.check_call('npm ci', shell=True, cwd=node_prefix)
+        subprocess.check_call('npm ci', shell=True, cwd=project_root)
        npm_installed = True


+def npm_build():
+    subprocess.check_call('npm run build', shell=True, cwd=project_root)
+
+
 class CustomBuild(build):
    def run(self):
        if "src" not in os.listdir(".") or "pretix" not in os.listdir("src"):
@@ -62,6 +62,7 @@ class CustomBuild(build):
        settings.COMPRESS_OFFLINE = True

        npm_install()
+        npm_build()
        management.call_command('compilemessages', verbosity=1)
        management.call_command('compilejsi18n', verbosity=1)
        management.call_command('collectstatic', verbosity=1, interactive=False)
@@ -47,3 +47,5 @@ HAS_MEMCACHED = False
 HAS_CELERY = False
 HAS_GEOIP = False
 SENTRY_ENABLED = False
+VITE_DEV_MODE = False
+VITE_IGNORE = False
@@ -110,6 +110,8 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
        ('POST', 'api-v1:checkinrpc.redeem'),
        ('GET', 'api-v1:checkinrpc.search'),
        ('GET', 'api-v1:reusablemedium-list'),
+        ('POST', 'api-v1:reusablemedium-lookup'),
+        ('PATCH', 'api-v1:reusablemedium-detail')
    )


@@ -88,11 +88,19 @@ class CheckinRPCRedeemInputSerializer(serializers.Serializer):
    nonce = serializers.CharField(required=False, allow_null=True)
    datetime = serializers.DateTimeField(required=False, allow_null=True)
    answers = serializers.JSONField(required=False, allow_null=True)
+    exchange_medium_type = serializers.ChoiceField(required=False, choices=MEDIA_TYPES)
+    exchange_medium_identifier = serializers.CharField(required=False)

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['lists'].child_relation.queryset = CheckinList.objects.filter(event__in=self.context['events']).select_related('event')

+    def validate(self, attrs):
+        exchange_fields = ["exchange_medium_type", "exchange_medium_identifier"]
+        if any(attrs.get(k) is None for k in exchange_fields) and not all(attrs.get(k) is None for k in exchange_fields):
+            raise ValidationError("If you set any of exchange_medium_type or exchange_medium_identifier, you need to set both of them.")
+        return attrs
+

 class MiniCheckinListSerializer(I18nAwareModelSerializer):
    event = serializers.SlugRelatedField(slug_field='slug', read_only=True)
@@ -73,7 +73,7 @@ from pretix.base.settings import (
    LazyI18nStringList, validate_event_settings,
 )
 from pretix.base.signals import api_event_settings_fields
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute

 logger = logging.getLogger(__name__)

@@ -173,7 +173,7 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
    )

    def get_event_url(self, event):
-        return build_absolute_uri(event, 'presale:event.index')
+        return eventreverse_absolute(event, 'presale:event.index')

    class Meta:
        model = Event
@@ -871,6 +871,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'og_image',
        'name_scheme',
        'reusable_media_active',
+        'reusable_media_usage_enforced',
        'reusable_media_type_barcode',
        'reusable_media_type_barcode_identifier_length',
        'reusable_media_type_nfc_uid',
@@ -885,6 +886,7 @@ class EventSettingsSerializer(SettingsSerializer):
    readonly_fields = [
        # These are read-only since they are currently only settable on organizers, not events
        'reusable_media_active',
+        'reusable_media_usage_enforced',
        'reusable_media_type_barcode',
        'reusable_media_type_barcode_identifier_length',
        'reusable_media_type_nfc_uid',
@@ -970,6 +972,7 @@ class DeviceEventSettingsSerializer(EventSettingsSerializer):
        'reusable_media_type_nfc_uid',
        'reusable_media_type_nfc_mf0aes',
        'reusable_media_type_nfc_mf0aes_random_uid',
+        'reusable_media_usage_enforced',
        'system_question_order',
        'tax_rule_payment',
        'tax_rule_cancellation',
@@ -133,37 +133,43 @@ class JobRunSerializer(serializers.Serializer):
        return not bool(self._errors)


+class ExportFormDataField(serializers.Field):
+    def get_attribute(self, instance):
+        return (instance.export_identifier, instance.export_form_data)
+
+    def to_representation(self, value):
+        export_identifier, export_form_data = value
+        exporter = self.context['exporters'].get(export_identifier)
+        if exporter:
+            return JobRunSerializer(exporter=exporter).to_representation(export_form_data)
+        else:
+            return export_form_data
+
+    def get_value(self, dictionary):
+        return dictionary
+
+    def to_internal_value(self, data):
+        if "export_form_data" in data:
+            identifier = data.get('export_identifier', self.parent.instance.export_identifier if self.parent.instance else None)
+            exporter = self.context['exporters'].get(identifier)
+            if exporter:
+                return JobRunSerializer(exporter=exporter).to_internal_value(data["export_form_data"])
+            else:
+                return data['export_form_data']
+
+
 class ScheduledExportSerializer(serializers.ModelSerializer):
    schedule_next_run = serializers.DateTimeField(read_only=True)
    export_identifier = serializers.ChoiceField(choices=[])
    locale = serializers.ChoiceField(choices=settings.LANGUAGES, default='en')
    owner = serializers.SlugRelatedField(slug_field='email', read_only=True)
    error_counter = serializers.IntegerField(read_only=True)
+    export_form_data = ExportFormDataField()

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['export_identifier'].choices = [(e, e) for e in self.context['exporters']]

-    def validate(self, attrs):
-        if attrs.get("export_form_data"):
-            identifier = attrs.get('export_identifier', self.instance.export_identifier if self.instance else None)
-            exporter = self.context['exporters'].get(identifier)
-            if exporter:
-                try:
-                    attrs["export_form_data"] = JobRunSerializer(exporter=exporter).to_internal_value(attrs["export_form_data"])
-                except ValidationError as e:
-                    raise ValidationError({"export_form_data": e.detail})
-            else:
-                raise ValidationError({"export_identifier": ["Unknown exporter."]})
-        return attrs
-
-    def to_representation(self, instance):
-        repr = super().to_representation(instance)
-        exporter = self.context['exporters'].get(instance.export_identifier)
-        if exporter:
-            repr["export_form_data"] = JobRunSerializer(exporter=exporter).to_representation(repr["export_form_data"])
-        return repr
-
    def validate_mail_additional_recipients(self, value):
        d = value.replace(' ', '')
        if len(d.split(',')) > 25:
@@ -115,10 +115,10 @@ class PluginsField(serializers.Field):

    def to_representation(self, obj):
        from pretix.base.plugins import get_all_plugins
-
+        active_plugins = set(obj.get_plugins())
        return sorted([
            p.module for p in get_all_plugins()
-            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
+            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in active_plugins
        ])

    def to_internal_value(self, data):
@@ -45,6 +45,12 @@ class PrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):
            return value
        return super().to_representation(value)

+    def to_internal_value(self, data):
+        value = super().to_internal_value(data)
+        if value is not None:
+            return value.pk
+        return value
+

 class FormFieldWrapperField(serializers.Field):
    def __init__(self, *args, **kwargs):
@@ -191,7 +191,7 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
 class InlineItemProgramTimeSerializer(serializers.ModelSerializer):
    class Meta:
        model = ItemProgramTime
-        fields = ('start', 'end')
+        fields = ('start', 'end', 'location')


 class ItemBundleSerializer(serializers.ModelSerializer):
@@ -222,7 +222,7 @@ class ItemBundleSerializer(serializers.ModelSerializer):
 class ItemProgramTimeSerializer(serializers.ModelSerializer):
    class Meta:
        model = ItemProgramTime
-        fields = ('id', 'start', 'end')
+        fields = ('id', 'start', 'end', 'location')

    def validate(self, data):
        data = super().validate(data)
@@ -66,13 +66,14 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
+        expand_nested = self.context['request'].query_params.getlist('expand')

-        if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'):
+        if 'linked_giftcard' in expand_nested:
            if not self.context["can_read_giftcards"]:
                raise PermissionDenied("No permission to access gift card details.")

            self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context)
-            if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
+            if 'linked_giftcard.owner_ticket' in expand_nested:
                self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context)
        else:
            self.fields['linked_giftcard'] = serializers.PrimaryKeyRelatedField(
@@ -81,17 +82,27 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
                queryset=self.context['organizer'].issued_gift_cards.all()
            )

-        if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
-            # Permission Check performed in to_representation
-            self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
+        # keep linked_orderposition (singular) for backwards compatibility, will be overwritten in self.validate
+        self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
+            required=False,
+            allow_null=True,
+            queryset=OrderPosition.all.filter(order__event__organizer=self.context['organizer']),
+        )
+
+        if 'linked_orderposition' in expand_nested or 'linked_orderpositions' in expand_nested:
+            self.fields['linked_orderpositions'] = NestedOrderPositionSerializer(
+                many=True,
+                read_only=True
+            )
        else:
-            self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
+            self.fields['linked_orderpositions'] = serializers.PrimaryKeyRelatedField(
+                many=True,
                required=False,
                allow_null=True,
                queryset=OrderPosition.all.filter(order__event__organizer=self.context['organizer']),
            )

-        if 'customer' in self.context['request'].query_params.getlist('expand'):
+        if 'customer' in expand_nested:
            if not self.context["can_read_customers"]:
                raise PermissionDenied("No permission to access customer details.")

@@ -106,6 +117,21 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):

    def validate(self, data):
        data = super().validate(data)
+        if 'linked_orderposition' in data:
+            linked_orderposition = data['linked_orderposition']
+            # backwards-compatibility
+            if 'linked_orderpositions' in data:
+                raise ValidationError({
+                    'linked_orderposition': 'You cannot use linked_orderposition and linked_orderpositions at the same time.'
+                })
+            if self.instance and self.instance.linked_orderpositions.count() > 1:
+                raise ValidationError({
+                    'linked_orderposition': 'There are more than one linked_orderposition. You need to use linked_orderpositions.'
+                })
+
+            data['linked_orderpositions'] = [linked_orderposition] if linked_orderposition else []
+            del data['linked_orderposition']
+
        if 'type' in data and 'identifier' in data:
            qs = self.context['organizer'].reusable_media.filter(
                identifier=data['identifier'], type=data['type']
@@ -121,14 +147,28 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
    def to_representation(self, instance):
        r = super().to_representation(instance)
        request = self.context.get('request')
+
+        ops = r.get('linked_orderpositions', [])
        # late permission evaluations for checks that depend on the actual linked events
        expand_nested = self.context['request'].query_params.getlist('expand')
        perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
-        if 'linked_orderposition' in expand_nested:
-            if instance.linked_orderposition is not None:
-                event = instance.linked_orderposition.order.event
+        if ops and 'linked_orderposition' in expand_nested or 'linked_orderpositions' in expand_nested:
+            ops_noperm = []
+            for lop in instance.linked_orderpositions.all():
+                event = lop.order.event
                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
-                    r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
+                    ops_noperm.append(lop.id)
+            if ops_noperm:
+                ops = [
+                    {'id': op['id']} if op['id'] in ops_noperm
+                    else op
+                    for op in ops
+                ]
+                r['linked_orderpositions'] = ops
+
+        # add linked_orderposition (singular) for backwards compatibility
+        if len(ops) < 2:
+            r['linked_orderposition'] = ops[0] if ops else None

        if 'linked_giftcard.owner_ticket' in expand_nested:
            gc = instance.linked_giftcard
@@ -148,10 +188,12 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
            'updated',
            'type',
            'identifier',
+            'claim_token',
+            'label',
            'active',
            'expires',
            'customer',
-            'linked_orderposition',
+            'linked_orderpositions',
            'linked_giftcard',
            'info',
            'notes',
@@ -76,7 +76,7 @@ from pretix.base.settings import (
 )
 from pretix.base.signals import register_ticket_outputs
 from pretix.helpers.countries import CachedCountries
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute

 logger = logging.getLogger(__name__)

@@ -757,7 +757,7 @@ class PaymentURLField(serializers.URLField):
    def to_representation(self, instance: OrderPayment):
        if instance.state != OrderPayment.PAYMENT_STATE_CREATED:
            return None
-        return build_absolute_uri(instance.order.event, 'presale:event.order.pay', kwargs={
+        return eventreverse_absolute(instance.order.event, 'presale:event.order.pay', kwargs={
            'order': instance.order.code,
            'secret': instance.order.secret,
            'payment': instance.pk,
@@ -806,7 +806,7 @@ class OrderRefundSerializer(I18nAwareModelSerializer):

 class OrderURLField(serializers.URLField):
    def to_representation(self, instance: Order):
-        return build_absolute_uri(instance.event, 'presale:event.order', kwargs={
+        return eventreverse_absolute(instance.event, 'presale:event.order', kwargs={
            'order': instance.code,
            'secret': instance.secret,
        })
@@ -1149,6 +1149,7 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'discount': ['You can only specify a discount if you do the price computation, but price is not set.']}
            )
+
        return data


@@ -1416,6 +1417,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
        qa = QuotaAvailability()
        qa.queue(*[q for q, d in quota_diff_for_locking.items() if d > 0])
        qa.compute()
+        v_avail = {}

        # These are not technically correct as diff use due to the time offset applied above, so let's prevent accidental
        # use further down
@@ -1445,11 +1447,13 @@ class OrderCreateSerializer(I18nAwareModelSerializer):

                voucher_usage[v] += 1
                if voucher_usage[v] > 0:
-                    redeemed_in_carts = CartPosition.objects.filter(
-                        Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
-                    ).exclude(pk__in=[cp.pk for cp in delete_cps])
-                    v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
-                    if v_avail < voucher_usage[v]:
+                    if v not in v_avail:
+                        v.refresh_from_db(fields=['redeemed'])
+                        redeemed_in_carts = CartPosition.objects.filter(
+                            Q(voucher=v) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
+                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
+                        v_avail[v] = v.max_usages - v.redeemed - redeemed_in_carts.count()
+                    if v_avail[v] < voucher_usage[v]:
                        errs[i]['voucher'] = [
                            'The voucher has already been used the maximum number of times.'
                        ]
@@ -1585,7 +1589,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                pos_data['attendee_name_parts'] = {
                    '_legacy': attendee_name
                }
-            pos = OrderPosition(**{k: v for k, v in pos_data.items() if k != 'answers' and k != '_quotas' and k != 'use_reusable_medium'})
+            pos = OrderPosition(**{k: v for k, v in pos_data.items() if k not in ('answers', '_quotas', 'use_reusable_medium')})
            if simulate:
                pos.order = order._wrapped
            else:
@@ -1700,15 +1704,25 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                        answ.options.add(*options)

                if use_reusable_medium:
-                    use_reusable_medium.linked_orderposition = pos
-                    use_reusable_medium.save(update_fields=['linked_orderposition'])
+                    if pos.item.media_policy not in (Item.MEDIA_POLICY_APPEND, Item.MEDIA_POLICY_APPEND_OR_NEW):
+                        for op_pk in use_reusable_medium.linked_orderpositions.values_list('pk', flat=True):
+                            use_reusable_medium.log_action(
+                                'pretix.reusable_medium.linked_orderposition.removed',
+                                data={
+                                    'linked_orderposition': op_pk,
+                                }
+                            )
+                        use_reusable_medium.linked_orderpositions.set([pos])
+                    else:
+                        use_reusable_medium.linked_orderpositions.add(pos)
                    use_reusable_medium.log_action(
-                        'pretix.reusable_medium.linked_orderposition.changed',
+                        'pretix.reusable_medium.linked_orderposition.added',
                        data={
                            'by_order': order.code,
                            'linked_orderposition': pos.pk,
                        }
                    )
+                    use_reusable_medium.touch()

        if not simulate:
            for cp in delete_cps:
@@ -58,8 +58,8 @@ from pretix.helpers.permission_migration import (
    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_EVENT_MIGRATION,
    OLD_TO_NEW_ORGANIZER_COMPAT, OLD_TO_NEW_ORGANIZER_MIGRATION,
 )
-from pretix.helpers.urls import build_absolute_uri as build_global_uri
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute
+from pretix.multidomain.urlreverse import eventreverse_absolute

 logger = logging.getLogger(__name__)

@@ -71,7 +71,7 @@ class OrganizerSerializer(I18nAwareModelSerializer):
    slug = serializers.CharField(read_only=True)

    def get_organizer_url(self, organizer):
-        return build_absolute_uri(organizer, 'presale:organizer.index')
+        return eventreverse_absolute(organizer, 'presale:organizer.index')

    class Meta:
        model = Organizer
@@ -499,7 +499,7 @@ class TeamInviteSerializer(serializers.ModelSerializer):
                'user': self,
                'organizer': self.context['organizer'].name,
                'team': instance.team.name,
-                'url': build_global_uri('control:auth.invite', kwargs={
+                'url': mainreverse_absolute('control:auth.invite', kwargs={
                    'token': instance.token
                })
            },
@@ -605,6 +605,7 @@ class OrganizerSettingsSerializer(SettingsSerializer):
        'cookie_consent_dialog_button_yes',
        'cookie_consent_dialog_button_no',
        'reusable_media_active',
+        'reusable_media_usage_enforced',
        'reusable_media_type_barcode',
        'reusable_media_type_barcode_identifier_length',
        'reusable_media_type_nfc_uid',
@@ -69,8 +69,10 @@ from pretix.base.models import (
 from pretix.base.models.orders import PrintLog
 from pretix.base.permissions import AnyPermissionOf
 from pretix.base.services.checkin import (
-    CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin,
+    CheckInError, RequiredMediaExchangeError, RequiredQuestionsError, SQLLogic,
+    perform_checkin,
 )
+from pretix.base.services.media import perform_media_exchange
 from pretix.base.signals import checkin_annulled
 from pretix.helpers import OF_SELF

@@ -454,7 +456,8 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr

 def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force, checkin_type, ignore_unpaid, nonce,
                    untrusted_input, user, auth, expand, pdf_data, request, questions_supported, canceled_supported,
-                    source_type='barcode', legacy_url_support=False, simulate=False, gate=None, use_order_locale=False):
+                    source_type='barcode', legacy_url_support=False, simulate=False, gate=None, use_order_locale=False,
+                    exchange_medium_type=None, exchange_medium_identifier=None):
    if not checkinlists:
        raise ValidationError('No check-in list passed.')

@@ -463,6 +466,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,

    device = auth if isinstance(auth, Device) else None
    gate = gate or (auth.gate if isinstance(auth, Device) else None)
+    medium = None

    context = {
        'request': request,
@@ -491,6 +495,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
    )
    raw_barcode_for_checkin = None
    from_revoked_secret = False
+    reusable_medium_used = None
    if simulate:
        common_checkin_args['__fake_arg_to_prevent_this_from_being_saved'] = True

@@ -521,11 +526,12 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
    #    with respecting the force option), or it's a reusable medium (-> proceed with that)
    if not op_candidates:
        try:
-            media = ReusableMedium.objects.select_related('linked_orderposition').active().get(
+            medium = ReusableMedium.objects.active().filter(
+                Exists(ReusableMedium.linked_orderpositions.through.objects.filter(reusablemedium_id=OuterRef('pk')))
+            ).get(
                organizer_id=checkinlists[0].event.organizer_id,
                type=source_type,
                identifier=raw_barcode,
-                linked_orderposition__isnull=False,
            )
            raw_barcode_for_checkin = raw_barcode
        except ReusableMedium.DoesNotExist:
@@ -628,7 +634,9 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                    'list': MiniCheckinListSerializer(list_by_event[revoked_matches[0].event_id]).data,
                }, status=400)
        else:
-            if media.linked_orderposition.order.event_id not in list_by_event:
+            linked_ops = medium.linked_orderpositions.all().select_related("order").prefetch_related("addons")
+            linked_event_ids = {op.order.event_id for op in linked_ops}
+            if not any(event_id in list_by_event for event_id in linked_event_ids):
                # Medium exists but connected ticket is for the wrong event
                if not simulate:
                    checkinlists[0].event.log_action('pretix.event.checkin.unknown', data={
@@ -654,28 +662,91 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                    'checkin_texts': [],
                    'list': MiniCheckinListSerializer(checkinlists[0]).data,
                }, status=404)
-            op_candidates = [media.linked_orderposition]
-            if list_by_event[media.linked_orderposition.order.event_id].addon_match:
-                op_candidates += list(media.linked_orderposition.addons.all())
+            op_candidates = []
+            for op in linked_ops:
+                if op.order.event_id in list_by_event:
+                    reusable_medium_used = medium
+                    op_candidates.append(op)
+                    if list_by_event[op.order.event_id].addon_match:
+                        op_candidates += list(op.addons.all())

    # 3. Handle the "multiple options found" case: Except for the unlikely case of a secret being also a valid primary
-    #    key on the same list, we're probably dealing with the ``addon_match`` case here and need to figure out
-    #    which add-on has the right product.
+    #    key on the same list, we're probably dealing with multiple linked_orderpositions or the ``addon_match`` case
+    #    here and need to figure out which op has the right product. This basically is a valid-for-checkin-test on every op.
    if len(op_candidates) > 1:
-        op_candidates_matching_product = [
-            op for op in op_candidates
-            if (
-                (list_by_event[op.order.event_id].addon_match or op.secret == raw_barcode or legacy_url_support) and
-                (list_by_event[op.order.event_id].all_products or op.item_id in {i.pk for i in list_by_event[op.order.event_id].limit_products.all()})
-            )
-        ]

-        if len(op_candidates_matching_product) == 0:
-            # None of the found add-ons has the correct product, too bad! We could just error out here, but
+        if not reusable_medium_used:
+            # 3a. First, we clean up that we made an imprecise query above. If a scan is made for multiple check-in lists,
+            # we have queried ``addon_to__secret=raw_barcode``, even if some of the lists in question do not allow addon
+            # matching. So we accept all candidates that match one of these cases:
+            # - Exactly the ticket secret we scanned (because that's always a possible result)
+            # - Exactly the ticket pk we scanned (on legacy endpoints)
+            # - An add-on on a list that allows add-on matching
+            # This is not necessary when a reusable media was used, since in that case we already obeyed list.addon_match
+            # correctly above.
+            op_candidates_filtered = [
+                op for op in op_candidates
+                if (
+                    op.secret == raw_barcode or
+                    list_by_event[op.order.event_id].addon_match or
+                    (str(op.pk) == raw_barcode and legacy_url_support and not untrusted_input)
+                )
+            ]
+        else:
+            op_candidates_filtered = op_candidates
+
+        if len(op_candidates_filtered) > 1:
+            # 3b. If we still have multiple candidates, we filter by product based on the check-in list configuration.
+            # This is relevant for the addon_match scenario where the scanned ticket has multiple add-ons, but only
+            # one is contained in the check-in list used to scan. It makes sense to filter this first, since it is a
+            # "static" check, i.e. scanning the same QR code on the same check-in list will always do the same, no matter
+            # when I scan it, and it is "intentional" filtering in the sense that the admin configured this behaviour
+            # into the check-in list.
+            op_candidates_filtered = [
+                op for op in op_candidates_filtered
+                if list_by_event[op.order.event_id].all_products or op.item_id in {i.pk for i in list_by_event[op.order.event_id].limit_products.all()}
+            ]
+
+        if len(op_candidates_filtered) > 1:
+            # 3c. If we still have multiple candidates, we filter by validity date. This was introduced for the case where
+            # a reusable media refers to two tickets, one currently valid and one expired or in the future. Howeer,
+            # it could in theory also happen with two add-ons being on the same check-in list but without overlapping
+            # validity. It makes sense to filter this "after" the previous checks since it is not "intentional" filtering
+            # configured by the admin but "accidental" filtering that depends on the time of execution.
+            op_candidates_filtered = [
+                op for op in op_candidates_filtered
+                if (
+                    (not op.valid_from or op.valid_from <= datetime) and
+                    (not op.valid_until or op.valid_until > datetime)
+                )
+            ]
+
+        if len(op_candidates_filtered) == 0:
+            # None of the ops is valid today or has the correct product, too bad! We could just error out here, but
            # instead we just continue with *any* product and have it rejected by the check in perform_checkin.
-            # This has the advantage of a better error message.
-            op_candidates = [op_candidates[0]]
-        elif len(op_candidates_matching_product) > 1:
+            # To improve the error message, we select the op that will "work next" or - if none matches - "worked last".
+            op_candidate = None
+            for op in op_candidates:
+                if (
+                    op.valid_from and op.valid_from > datetime and
+                    (not op_candidate or op.valid_from < op_candidate.valid_from)
+                ):
+                    op_candidate = op
+
+            if not op_candidate:
+                # no candidate in the future, get closest in the past
+                for op in op_candidates:
+                    if (
+                        op.valid_until and op.valid_until < datetime and
+                        (not op_candidate or op.valid_until > op_candidate.valid_until)
+                    ):
+                        op_candidate = op
+
+            if not op_candidate:
+                op_candidate = op_candidates[0]
+
+            op_candidates = [op_candidate]
+        elif len(op_candidates_filtered) > 1:
            # It's still ambiguous, we'll error out.
            # We choose the first match (regardless of product) for the logging since it's most likely to be the
            # base product according to our order_by above.
@@ -709,7 +780,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
            }, status=400)
        else:
-            op_candidates = op_candidates_matching_product
+            op_candidates = op_candidates_filtered

    op = op_candidates[0]
    common_checkin_args['list'] = list_by_event[op.order.event_id]
@@ -721,7 +792,10 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
            if str(q.pk) in answers_data:
                try:
                    if q.type == Question.TYPE_FILE:
-                        given_answers[q] = _handle_file_upload(answers_data[str(q.pk)], user, auth)
+                        if answers_data[str(q.pk)]:
+                            given_answers[q] = _handle_file_upload(answers_data[str(q.pk)], user, auth)
+                        else:
+                            given_answers[q] = None
                    else:
                        given_answers[q] = q.clean_answer(answers_data[str(q.pk)])
                except (ValidationError, BaseValidationError):
@@ -734,7 +808,14 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
        locale = op.order.event.settings.locale
    with language(locale):
        try:
-            perform_checkin(
+            if exchange_medium_identifier and medium:
+                # Cannot scan a medium and then request to exchange it
+                raise CheckInError(
+                    gettext('You cannot exchange a medium for a medium.'),
+                    'error'
+                )
+
+            checkin_args = dict(
                op=op,
                clist=list_by_event[op.order.event_id],
                given_answers=given_answers,
@@ -752,7 +833,25 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                from_revoked_secret=from_revoked_secret,
                simulate=simulate,
                gate=gate,
+                reusable_medium=medium,
            )
+
+            if exchange_medium_identifier:  # other fields are filled, see CheckinRPCRedeemInputSerializer.validate
+                with transaction.atomic():
+                    # Do exchange and check-in atomically, i.e. both succeed or both fail
+                    medium = perform_media_exchange(
+                        organizer=request.organizer,
+                        media_type=exchange_medium_type,
+                        identifier=exchange_medium_identifier,
+                        link_orderposition=op,
+                        user=user,
+                        auth=auth,
+                    )
+                    source_type = medium.media_type.identifier
+                    checkin_args['reusable_medium'] = medium
+                    perform_checkin(**checkin_args)
+            else:
+                perform_checkin(**checkin_args)
        except RequiredQuestionsError as e:
            return Response({
                'status': 'incomplete',
@@ -764,6 +863,18 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                ],
                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
            }, status=400)
+        except RequiredMediaExchangeError as e:
+            return Response({
+                'status': 'exchange',
+                'require_attention': op.require_checkin_attention,
+                'checkin_texts': op.checkin_texts,
+                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
+                'media_policy': e.media_policy,
+                'media_type': e.media_type,
+                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
+                'reason': e.code,
+                'reason_explanation': e.msg,
+            }, status=400)
        except CheckInError as e:
            if not simulate:
                op.order.log_action('pretix.event.checkin.denied', data={
@@ -951,6 +1062,8 @@ class CheckinRPCRedeemView(views.APIView):
            canceled_supported=True,
            request=self.request,  # this is not clean, but we need it in the serializers for URL generation
            legacy_url_support=False,
+            exchange_medium_type=s.validated_data.get('exchange_medium_type'),
+            exchange_medium_identifier=s.validated_data.get('exchange_medium_identifier'),
        )


@@ -53,10 +53,12 @@ with scopes_disabled():
        customer = django_filters.CharFilter(field_name='customer__identifier')
        updated_since = django_filters.IsoDateTimeFilter(field_name='updated', lookup_expr='gte')
        created_since = django_filters.IsoDateTimeFilter(field_name='created', lookup_expr='gte')
+        # backwards-compatible
+        linked_orderposition = django_filters.NumberFilter(field_name='linked_orderpositions__id')

        class Meta:
            model = ReusableMedium
-            fields = ['identifier', 'type', 'active', 'customer', 'linked_orderposition', 'linked_giftcard']
+            fields = ['identifier', 'type', 'active', 'customer', 'linked_orderpositions', 'linked_giftcard']


 class ReusableMediaViewSet(viewsets.ModelViewSet):
@@ -75,7 +77,7 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
        ).order_by().values('card').annotate(s=Sum('value')).values('s')
        return self.request.organizer.reusable_media.prefetch_related(
            Prefetch(
-                'linked_orderposition',
+                'linked_orderpositions',
                queryset=OrderPosition.objects.select_related(
                    'order', 'order__event', 'order__event__organizer', 'seat',
                ).prefetch_related(
@@ -117,14 +119,38 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):

    @transaction.atomic()
    def perform_update(self, serializer):
-        ReusableMedium.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
+        rm = ReusableMedium.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
+        prev_linked_ops_pks = list(rm.linked_orderpositions.values_list("pk", flat=True))
        inst = serializer.save(identifier=serializer.instance.identifier, type=serializer.instance.type)
-        inst.log_action(
-            'pretix.reusable_medium.changed',
-            user=self.request.user,
-            auth=self.request.auth,
-            data=self.request.data,
-        )
+        linked_ops_pks = inst.linked_orderpositions.values_list("pk", flat=True)
+        for op_pk in prev_linked_ops_pks:
+            if op_pk not in linked_ops_pks:
+                inst.log_action(
+                    'pretix.reusable_medium.linked_orderposition.removed',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'linked_orderposition': op_pk,
+                    }
+                )
+        for op_pk in linked_ops_pks:
+            if op_pk not in prev_linked_ops_pks:
+                inst.log_action(
+                    'pretix.reusable_medium.linked_orderposition.added',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data={
+                        'linked_orderposition': op_pk,
+                    }
+                )
+        data = {k: v for k, v in self.request.data.items() if k not in ('linked_orderposition', 'linked_orderpositions')}
+        if data:
+            inst.log_action(
+                'pretix.reusable_medium.changed',
+                user=self.request.user,
+                auth=self.request.auth,
+                data=data,
+            )
        return inst

    def perform_destroy(self, instance):
@@ -157,7 +183,6 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
                        type=s.validated_data["type"],
                        identifier=s.validated_data["identifier"],
                    )
-                m.linked_orderposition = None  # not relevant for cross-organizer
                m.customer = None  # not relevant for cross-organizer
                s = self.get_serializer(m)
                return Response({"result": s.data})
@@ -171,7 +196,7 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):

            return Response({"result": None})

-    @scopes_disabled()  # we are sure enough that get_queryset() is correct, so we save some perforamnce
+    @scopes_disabled()  # we are sure enough that get_queryset() is correct, so we save some performance
    def list(self, request, **kwargs):
        date = serializers.DateTimeField().to_representation(now())
        queryset = self.filter_queryset(self.get_queryset())
@@ -194,7 +194,7 @@ with scopes_disabled():
                )
            ).values('id')

-            matching_media = ReusableMedium.objects.filter(identifier=u).values_list('linked_orderposition__order_id', flat=True)
+            matching_media = ReusableMedium.objects.filter(identifier=u).values_list('linked_orderpositions__order_id', flat=True)

            mainq = (
                code
@@ -1034,7 +1034,7 @@ with scopes_disabled():
        search = django_filters.CharFilter(method='search_qs')

        def search_qs(self, queryset, name, value):
-            matching_media = ReusableMedium.objects.filter(identifier=value).values_list('linked_orderposition', flat=True)
+            matching_media = ReusableMedium.objects.filter(identifier=value).values_list('linked_orderpositions', flat=True)
            return queryset.filter(
                Q(secret__istartswith=value)
                | Q(attendee_name_cached__icontains=value)
@@ -408,6 +408,12 @@ def register_default_webhook_events(sender, **kwargs):
            _('This includes product added or deleted and changes to nested objects like '
              'variations or bundles.'),
        ),
+        ParametrizedItemWebhookEvent(
+            'pretix.event.quota.*',
+            _('Quota changed'),
+            _('This includes related events like creation, deletion, opening or closing of quotas. '
+              'No webhook is sent for changes to the resulting availability.'),
+        ),
        ParametrizedEventWebhookEvent(
            'pretix.event.live.activated',
            _('Shop taken live'),
@@ -36,7 +36,7 @@ from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
 from requests import RequestException

-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute

 logger = logging.getLogger(__name__)

@@ -313,7 +313,7 @@ def _get_or_create_server_keypair(organizer):

 def generate_id_token(customer, client, auth_time, nonce, scope, expires: datetime, scope_claims=False, with_code=None, with_access_token=None):
    payload = {
-        'iss': build_absolute_uri(client.organizer, 'presale:organizer.index').rstrip('/'),
+        'iss': eventreverse_absolute(client.organizer, 'presale:organizer.index').rstrip('/'),
        'aud': client.client_id,
        'exp': int(expires.timestamp()),
        'iat': int(time.time()),
@@ -28,7 +28,7 @@ from django.utils.translation import gettext_lazy as _, pgettext_lazy

 from pretix.base.models import Checkin, InvoiceAddress, Order, Question
 from pretix.base.settings import PERSON_NAME_SCHEMES
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute


 def get_answer(op, question_identifier=None):
@@ -545,7 +545,7 @@ def get_data_fields(event, for_model=None):
                _("Order link"),
                Question.TYPE_STRING,
                None,
-                lambda order: build_absolute_uri(
+                lambda order: eventreverse_absolute(
                    event,
                    'presale:event.order', kwargs={
                        'order': order.code,
@@ -560,7 +560,7 @@ def get_data_fields(event, for_model=None):
                _("Ticket link"),
                Question.TYPE_STRING,
                None,
-                lambda op: build_absolute_uri(
+                lambda op: eventreverse_absolute(
                    event,
                    'presale:event.order.position', kwargs={
                        'order': op.order.code,
@@ -68,7 +68,7 @@ from ...control.forms.filter import get_all_payment_providers
 from ...helpers import GroupConcat
 from ...helpers.iter import chunked_iterable
 from ...helpers.safe_openpyxl import remove_invalid_excel_chars
-from ...multidomain.urlreverse import build_absolute_uri
+from ...multidomain.urlreverse import eventreverse_absolute
 from ..exporter import (
    ListExporter, MultiSheetListExporter, OrganizerLevelExportMixin,
 )
@@ -160,7 +160,7 @@ class OrderListExporter(MultiSheetListExporter):

    def _get_all_payment_methods(self, qs):
        pps = dict(get_all_payment_providers())
-        return sorted([(pp, pps[pp]) for pp in set(
+        return sorted([(pp, pps.get(pp, pp)) for pp in set(
            OrderPayment.objects.exclude(provider='free').filter(order__event__in=self.events).values_list(
                'provider', flat=True
            ).distinct()
@@ -330,6 +330,7 @@ class OrderListExporter(MultiSheetListExporter):
                taxsum=Sum('tax_value'), grosssum=Sum('value')
            )
        }
+        payment_methods = None
        if form_data.get('include_payment_amounts'):
            payment_sum_cache = {
                (o['order__id'], o['provider']): o['grosssum'] for o in
@@ -347,6 +348,7 @@ class OrderListExporter(MultiSheetListExporter):
                    grosssum=Sum('amount')
                )
            }
+            payment_methods = self._get_all_payment_methods(qs)
        sum_cache = {
            (o['order__id'], o['tax_rate']): o for o in
            OrderPosition.objects.values('tax_rate', 'order__id').order_by().annotate(
@@ -427,14 +429,13 @@ class OrderListExporter(MultiSheetListExporter):
            ]))

            row.append(
-                build_absolute_uri(order.event, 'presale:event.order', kwargs={
+                eventreverse_absolute(order.event, 'presale:event.order', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                })
            )

            if form_data.get('include_payment_amounts'):
-                payment_methods = self._get_all_payment_methods(qs)
                for id, vn in payment_methods:
                    row.append(
                        payment_sum_cache.get((order.id, id), Decimal('0.00')) -
@@ -854,7 +855,7 @@ class OrderListExporter(MultiSheetListExporter):
                ]))

                row.append(
-                    build_absolute_uri(order.event, 'presale:event.order.position', kwargs={
+                    eventreverse_absolute(order.event, 'presale:event.order.position', kwargs={
                        'order': order.code,
                        'secret': op.web_secret,
                        'position': op.positionid
@@ -20,12 +20,13 @@
 # <https://www.gnu.org/licenses/>.
 #

+from django.db.models import Prefetch
 from django.dispatch import receiver
 from django.utils.formats import date_format
 from django.utils.translation import gettext_lazy as _, pgettext, pgettext_lazy

 from ..exporter import ListExporter, OrganizerLevelExportMixin
-from ..models import ReusableMedium
+from ..models import OrderPosition, ReusableMedium
 from ..signals import register_multievent_data_exporters


@@ -44,7 +45,9 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
        media = ReusableMedium.objects.filter(
            organizer=self.organizer,
        ).select_related(
-            'customer', 'linked_orderposition', 'linked_giftcard',
+            'customer', 'linked_giftcard',
+        ).prefetch_related(
+            Prefetch('linked_orderpositions', queryset=OrderPosition.objects.select_related("order"))
        ).order_by('created')

        headers = [
@@ -61,18 +64,23 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
        yield headers
        yield self.ProgressSetTotal(total=media.count())

+        can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
+
        for medium in media.iterator(chunk_size=1000):
-            row = [
+            giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
+            if giftcard_secret and not can_read_giftcards:
+                giftcard_secret = giftcard_secret[:3] + "…"
+
+            yield [
                medium.type,
                medium.identifier,
                _('Yes') if medium.active else _('No'),
                date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
                medium.customer.identifier if medium.customer_id else '',
-                f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '',
-                medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
+                ', '.join([f"{op.order.code}-{op.positionid}" for op in medium.linked_orderpositions.all()]),
+                giftcard_secret,
                medium.notes,
            ]
-            yield row

    def get_filename(self):
        return f'{self.organizer.slug}_media'
@@ -35,6 +35,7 @@
 import copy
 import json
 import logging
+import re
 from datetime import timedelta
 from decimal import Decimal
 from io import BytesIO
@@ -47,9 +48,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import SimpleUploadedFile
-from django.core.validators import (
-    MaxValueValidator, MinValueValidator, RegexValidator,
-)
+from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db.models import QuerySet
 from django.forms import Select, widgets
 from django.forms.widgets import FILE_INPUT_CONTRADICTION
@@ -220,20 +219,6 @@ class NamePartsFormField(forms.MultiValueField):
        defaults = {
            'widget': self.widget,
            'max_length': kwargs.pop('max_length', None),
-            'validators': [
-                RegexValidator(
-                    # The following characters should never appear in a name anywhere of
-                    # the world. However, they commonly appear in inputs generated by spam
-                    # bots.
-                    r'^[^$€/%§{}<>~]*$',
-                    message=_('Please do not use special characters in names.')
-                ),
-                RegexValidator(
-                    URL_RE,
-                    inverse_match=True,
-                    message=_('Please do not use special characters in names.')
-                )
-            ]
        }
        self.max_length = defaults['max_length']
        self.scheme_name = kwargs.pop('scheme')
@@ -255,7 +240,6 @@ class NamePartsFormField(forms.MultiValueField):
            if fname == 'title' and self.scheme_titles:
                d = dict(defaults)
                d.pop('max_length', None)
-                d.pop('validators', None)
                field = forms.ChoiceField(
                    **d,
                    choices=[('', '')] + [(d, d) for d in self.scheme_titles[1]]
@@ -264,7 +248,6 @@ class NamePartsFormField(forms.MultiValueField):
            elif fname == 'salutation':
                d = dict(defaults)
                d.pop('max_length', None)
-                d.pop('validators', None)
                field = forms.ChoiceField(
                    **d,
                    choices=[
@@ -296,6 +279,37 @@ class NamePartsFormField(forms.MultiValueField):
        if sum(len(v) for v in value.values() if v) > (self.max_length or 250):
            raise forms.ValidationError(_('Please enter a shorter name.'), code='max_length')

+        for fname, label, size in self.scheme['fields']:
+            if fname == 'salutation' or (fname == 'title' and self.scheme_titles):
+                continue
+            v = value.get(fname)
+            if not v:
+                continue
+            special_chars = re.findall('[$€/%§{}<>~]', v)
+            if special_chars:
+                raise forms.ValidationError(
+                    _('The field "%(label)s" may not contain special characters such as "%(chars)s".'),
+                    code='name_special_chars',
+                    params={
+                        "label": label,
+                        "chars": "".join(special_chars),
+                    },
+                )
+            # URL_RE checks for valid domain names, including one special TLD med, which can be part of a title
+            if ".med" in v:
+                v = v.replace(".med", ". med")
+                value[fname] = v
+            url_matched = URL_RE.search(v)
+            if url_matched:
+                raise forms.ValidationError(
+                    _('The field "%(label)s" may not contain an URL (%(url)s).'),
+                    code='url_in_title',
+                    params={
+                        "label": label,
+                        "url": url_matched.group(0),
+                    }
+                )
+
        if value.get("salutation") == "empty":
            value["salutation"] = ""

@@ -1160,7 +1160,7 @@ class Modern1Renderer(ClassicInvoiceRenderer):
        return stylesheet

    def _draw_invoice_from(self, canvas):
-        if not self.invoice.invoice_from:
+        if not self.invoice.address_invoice_from:
            return
        c = [
            self._clean_text(l)
@@ -0,0 +1,60 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+"""This command supersedes the Django-inbuilt runserver command.
+
+It runs the local frontend server, if node is installed and the setting
+is set.
+"""
+import atexit
+import os
+import subprocess
+from pathlib import Path
+
+from django.conf import settings
+from django.contrib.staticfiles.management.commands.runserver import (
+    Command as Parent,
+)
+from django.utils.autoreload import DJANGO_AUTORELOAD_ENV
+
+
+class Command(Parent):
+    def handle(self, *args, **options):
+        # Only start Vite in the non-main process of the autoreloader
+        if settings.VITE_DEV_MODE and os.environ.get(DJANGO_AUTORELOAD_ENV) != "true":
+            # Start the vite server in the background
+            vite_server = subprocess.Popen(
+                ["npm", "run", "dev:control"],
+                cwd=Path(__file__).parent.parent.parent.parent.parent,
+                stdin=subprocess.DEVNULL
+            )
+
+            def cleanup():
+                vite_server.terminate()
+                try:
+                    vite_server.wait(timeout=5)
+                except subprocess.TimeoutExpired:
+                    vite_server.kill()
+
+            atexit.register(cleanup)
+
+        super().handle(*args, **options)
@@ -26,6 +26,7 @@ from django.utils.translation import gettext_lazy as _

 class BaseMediaType:
    medium_created_by_server = False
+    medium_created_from_unknown_supported = False
    supports_orderposition = False
    supports_giftcard = False

@@ -56,7 +57,7 @@ class BaseMediaType:
    def is_active(self, organizer):
        return organizer.settings.get(f'reusable_media_type_{self.identifier}', as_type=bool, default=False)

-    def handle_unknown(self, organizer, identifier, user, auth):
+    def handle_unknown(self, organizer, identifier, user, auth, force_create=False):
        pass

    def handle_new(self, organizer, medium, user, auth):
@@ -88,23 +89,32 @@ class NfcUidMediaType(BaseMediaType):
    verbose_name = _('NFC UID-based')
    icon = 'pretixbase/img/media/nfc_uid.svg'
    medium_created_by_server = False
+    medium_created_from_unknown_supported = True
    supports_giftcard = True
-    supports_orderposition = False
+    supports_orderposition = True

-    def handle_unknown(self, organizer, identifier, user, auth):
+    def handle_unknown(self, organizer, identifier, user, auth, force_create=False):
        from pretix.base.models import GiftCard, ReusableMedium

-        if organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard', as_type=bool):
+        create_giftcard = organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard', as_type=bool)
+        if create_giftcard or force_create:
            if identifier.startswith("08"):
                # Don't create gift cards for NFC UIDs that start with 08, which represents NFC cards that issue random
                # UIDs on every read, so they won't be useful.
                return
            with transaction.atomic():
-                gc = GiftCard.objects.create(
-                    issuer=organizer,
-                    expires=organizer.default_gift_card_expiry,
-                    currency=organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard_currency'),
-                )
+                if create_giftcard:
+                    gc = GiftCard.objects.create(
+                        issuer=organizer,
+                        expires=organizer.default_gift_card_expiry,
+                        currency=organizer.settings.get(f'reusable_media_type_{self.identifier}_autocreate_giftcard_currency'),
+                    )
+                    gc.log_action(
+                        'pretix.giftcards.created',
+                        user=user, auth=auth,
+                    )
+                else:
+                    gc = None
                m = ReusableMedium.objects.create(
                    type=self.identifier,
                    identifier=identifier,
@@ -116,10 +126,6 @@ class NfcUidMediaType(BaseMediaType):
                    'pretix.reusable_medium.created.auto',
                    user=user, auth=auth,
                )
-                gc.log_action(
-                    'pretix.giftcards.created',
-                    user=user, auth=auth,
-                )
                return m


@@ -129,7 +135,7 @@ class NfcMf0aesMediaType(BaseMediaType):
    icon = 'pretixbase/img/media/nfc_secure.svg'
    medium_created_by_server = False
    supports_giftcard = True
-    supports_orderposition = False
+    supports_orderposition = True

    def handle_new(self, organizer, medium, user, auth):
        from pretix.base.models import GiftCard
@@ -282,10 +282,12 @@ def metric_values():

    # Throwaway metrics
    exact_tables = [
-        Order, OrderPosition, Invoice, Event, Organizer
+        Order, Invoice, Event, Organizer
    ]
    for m in apps.get_models():  # Count all models
-        if any(issubclass(m, p) for p in exact_tables):
+        if issubclass(m, OrderPosition):
+            metrics['pretix_model_instances']['{model="%s"}' % m._meta] = m.all.count()
+        elif any(issubclass(m, p) for p in exact_tables):
            metrics['pretix_model_instances']['{model="%s"}' % m._meta] = m.objects.count()
        else:
            metrics['pretix_model_instances']['{model="%s"}' % m._meta] = estimate_count_fast(m)
@@ -24,6 +24,7 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

 from django.conf import settings
+from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -73,6 +74,7 @@ class LocaleMiddleware(MiddlewareMixin):

    def process_request(self, request: HttpRequest):
        language = get_language_from_request(request)
+        region = None
        # Normally, this middleware runs *before* the event is set. However, on event frontend pages it
        # might be run a second time by pretix.presale.EventMiddleware and in this case the event is already
        # set and can be taken into account for the decision.
@@ -93,15 +95,16 @@ class LocaleMiddleware(MiddlewareMixin):
                if '-' not in language and settings_holder.settings.region:
                    language += '-' + settings_holder.settings.region
                if settings_holder.settings.region:
-                    set_region(settings_holder.settings.region)
+                    region = settings_holder.settings.region
        else:
            gs = global_settings_object(request)
            if '-' not in language and gs.settings.region:
                language += '-' + gs.settings.region
            if gs.settings.region:
-                set_region(gs.settings.region)
+                region = gs.settings.region

        translation.activate(language)
+        set_region(region)
        request.LANGUAGE_CODE = get_language_without_region()

        tzname = None
@@ -280,7 +283,7 @@ class SecurityMiddleware(MiddlewareMixin):

        h = {
            'default-src': ["{static}"],
-            'script-src': ['{static}'],
+            'script-src': ["{static}"],
            'object-src': ["'none'"],
            'frame-src': ['{static}'],
            'style-src': ["{static}", "{media}"],
@@ -294,6 +297,18 @@ class SecurityMiddleware(MiddlewareMixin):
            # this. However, we'll restrict it to HTTPS.
            'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
        }
+
+        if settings.VITE_DEV_MODE:
+            h['script-src'] += ["http://localhost:5173", "ws://localhost:5173"]
+            h['style-src'] += ["'unsafe-inline'"]
+            h['connect-src'] += ["http://localhost:5173", "ws://localhost:5173"]
+
+        if hasattr(request, 'csp_nonce'):
+            nonce = f"'nonce-{request.csp_nonce}'"
+            h['script-src'].append(nonce)
+            if not settings.VITE_DEV_MODE:
+                # can't have 'unsafe-inline' and nonce at the same time
+                h['style-src'].append(nonce)
        # Only include pay.google.com for wallet detection purposes on the Payment selection page
        if (
                url.url_name == "event.order.pay.change" or
@@ -347,6 +362,18 @@ class SecurityMiddleware(MiddlewareMixin):
        return resp


+class RejectInvalidInputMiddleware(MiddlewareMixin):
+
+    def process_request(self, request):
+        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
+        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
+        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
+            raise BadRequest("Invalid characters in input.")
+        if request.method in ('POST', 'PUT', 'PATCH') and request.content_type == "application/x-www-form-urlencoded":
+            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
+                raise BadRequest("Invalid characters in input.")
+
+
 class CustomCommonMiddleware(CommonMiddleware):

    def get_full_path_with_slash(self, request):
@@ -0,0 +1,19 @@
+# Generated by Django 4.2.27 on 2026-01-21 12:06
+
+import i18nfield.fields
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0298_pluggable_permissions"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="itemprogramtime",
+            name="location",
+            field=i18nfield.fields.I18nTextField(max_length=200, null=True),
+        )
+    ]
@@ -0,0 +1,35 @@
+# Generated by Django 4.2.26 on 2025-11-24 11:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0299_itemprogramtime_location"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="reusablemedium",
+            name="claim_token",
+            field=models.CharField(max_length=200, null=True),
+        ),
+        migrations.AddField(
+            model_name="reusablemedium",
+            name="label",
+            field=models.CharField(max_length=200, null=True),
+        ),
+        # use temporary related_name "linked_mediums" for ManyToManyField, so we can migrate existing data
+        migrations.AddField(
+            model_name="reusablemedium",
+            name="linked_orderpositions",
+            field=models.ManyToManyField(
+                related_name="linked_mediums", to="pretixbase.orderposition"
+            ),
+        ),
+        migrations.RunSQL(
+            sql="INSERT INTO pretixbase_reusablemedium_linked_orderpositions (reusablemedium_id, orderposition_id) SELECT id, linked_orderposition_id FROM pretixbase_reusablemedium WHERE linked_orderposition_id IS NOT NULL;",
+            reverse_sql="DELETE FROM pretixbase_reusablemedium_linked_orderpositions;",
+        ),
+    ]
@@ -0,0 +1,44 @@
+# Generated by Django 4.2.26 on 2025-11-24 11:32
+
+from django.db import migrations, models
+
+
+def reverse(apps, schema_editor):
+    ReusableMedium = apps.get_model('pretixbase', 'ReusableMedium')
+
+    qs = ReusableMedium.linked_orderpositions.through.objects
+    objs = []
+    # get last added orderposition from linked_orderpositions
+    for rm_id, op_id in qs.filter(id__in=qs.values("reusablemedium_id").annotate(max_id=models.Max('id')).values('max_id')).values_list("reusablemedium_id", "orderposition_id"):
+        obj = ReusableMedium(
+            id=rm_id,
+            linked_orderposition_id=op_id,
+        )
+        objs.append(obj)
+
+    ReusableMedium.objects.bulk_update(objs, ['linked_orderposition_id'])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0300_add_reusablemedium_label"),
+    ]
+
+    operations = [
+        # according to the docs, UPDATE FROM should run similarly on sqlite and postgres, but I could not get it to work
+        # so roll back the data migration with code before deleting data from through-table in 0297
+        migrations.RunPython(migrations.RunPython.noop, reverse),
+        migrations.RemoveField(
+            model_name="reusablemedium",
+            name="linked_orderposition",
+        ),
+        # change related_name for new ManyToManyField to previously used linked_media
+        migrations.AlterField(
+            model_name="reusablemedium",
+            name="linked_orderpositions",
+            field=models.ManyToManyField(
+                related_name="linked_media", to="pretixbase.orderposition"
+            ),
+        ),
+    ]
@@ -442,7 +442,7 @@ class AttendeeState(ImportColumn):

    @property
    def verbose_name(self):
-        return _('Attendee address') + ': ' + _('State')
+        return _('Attendee address') + ': ' + pgettext('address', 'State')

    def clean(self, value, previous_values):
        if value:
@@ -57,7 +57,7 @@ from django_otp.models import Device
 from django_scopes import scopes_disabled

 from pretix.base.i18n import language
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute

 from ...helpers.countries import FastCountryField
 from ...helpers.u2f import pub_key_from_der, websafe_decode
@@ -378,7 +378,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
            {
                'user': self,
                'messages': msg,
-                'url': build_absolute_uri('control:user.settings'),
+                'url': mainreverse_absolute('control:user.settings'),
                'instance': settings.PRETIX_INSTANCE_NAME,
            },
            event=None,
@@ -466,7 +466,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
            {
                'instance': settings.PRETIX_INSTANCE_NAME,
                'user': self,
-                'url': (build_absolute_uri('control:auth.forgot.recover')
+                'url': (mainreverse_absolute('control:auth.forgot.recover')
                        + '?id=%d&token=%s' % (self.id, default_token_generator.make_token(self)))
            },
            None, locale=self.locale, user=self
@@ -125,7 +125,7 @@ class LoggingMixin:
        elif isinstance(self, Event):
            event = self
            organizer_id = self.organizer_id
-        elif hasattr(self, 'event'):
+        elif hasattr(self, 'event') and self.event:
            event = self.event
            organizer_id = self.event.organizer_id
        elif hasattr(self, 'organizer_id'):
@@ -346,11 +346,14 @@ class Checkin(models.Model):
    REASON_INCOMPLETE = 'incomplete'
    REASON_ALREADY_REDEEMED = 'already_redeemed'
    REASON_AMBIGUOUS = 'ambiguous'
+    REASON_MEDIUM_INVALID = 'medium_invalid'
+    REASON_MEDIUM_EXISTS = 'medium_exists'
    REASON_ERROR = 'error'
    REASON_BLOCKED = 'blocked'
    REASON_UNAPPROVED = 'unapproved'
    REASON_INVALID_TIME = 'invalid_time'
    REASON_ANNULLED = 'annulled'
+    REASON_ALREADY_EXCHANGED = 'already_exchanged'
    REASONS = (
        (REASON_CANCELED, _('Order canceled')),
        (REASON_INVALID, _('Unknown ticket')),
@@ -366,6 +369,9 @@ class Checkin(models.Model):
        (REASON_UNAPPROVED, _('Order not approved')),
        (REASON_INVALID_TIME, _('Ticket not valid at this time')),
        (REASON_ANNULLED, _('Check-in annulled')),
+        (REASON_ALREADY_EXCHANGED, _('Ticket already exchanged')),
+        (REASON_MEDIUM_INVALID, _('Reusable medium invalid')),
+        (REASON_MEDIUM_EXISTS, _('Reusable medium already exists')),
    )

    successful = models.BooleanField(
@@ -167,7 +167,7 @@ class Customer(LoggedModel):

    def send_security_notice(self, message, email=None):
        from pretix.base.services.mail import SendMailException, mail
-        from pretix.multidomain.urlreverse import build_absolute_uri
+        from pretix.multidomain.urlreverse import eventreverse_absolute

        try:
            with language(self.locale):
@@ -178,7 +178,7 @@ class Customer(LoggedModel):
                    {
                        **self.get_email_context(),
                        'message': str(message),
-                        'url': build_absolute_uri(self.organizer, 'presale:organizer.customer.index')
+                        'url': eventreverse_absolute(self.organizer, 'presale:organizer.customer.index')
                    },
                    customer=self,
                    organizer=self.organizer,
@@ -299,12 +299,12 @@ class Customer(LoggedModel):

    def send_activation_mail(self):
        from pretix.base.services.mail import mail
-        from pretix.multidomain.urlreverse import build_absolute_uri
+        from pretix.multidomain.urlreverse import eventreverse_absolute
        from pretix.presale.forms.customer import TokenGenerator

        ctx = self.get_email_context()
        token = TokenGenerator().make_token(self)
-        ctx['url'] = build_absolute_uri(
+        ctx['url'] = eventreverse_absolute(
            self.organizer,
            'presale:organizer.customer.activate'
        ) + '?id=' + self.identifier + '&token=' + token
@@ -724,7 +724,7 @@ class Event(EventMixin, LoggedModel):

    @property
    def social_image(self):
-        from pretix.multidomain.urlreverse import build_absolute_uri
+        from pretix.multidomain.urlreverse import eventreverse_absolute

        img = None
        logo_file = self.settings.get('logo_image', as_type=str, default='')[7:]
@@ -742,7 +742,7 @@ class Event(EventMixin, LoggedModel):
                logger.exception(f'Failed to create thumbnail of {logo_file}')
                img = default_storage.url(logo_file)
        if img:
-            return urljoin(build_absolute_uri(self, 'presale:event.index'), img)
+            return urljoin(eventreverse_absolute(self, 'presale:event.index'), img)

    def _seats(self, ignore_voucher=None):
        from .seating import Seat
@@ -452,11 +452,16 @@ class Item(LoggedModel):
    MEDIA_POLICY_REUSE = 'reuse'
    MEDIA_POLICY_NEW = 'new'
    MEDIA_POLICY_REUSE_OR_NEW = 'reuse_or_new'
+    MEDIA_POLICY_APPEND = 'append'
+    MEDIA_POLICY_APPEND_OR_NEW = 'append_or_new'
    MEDIA_POLICIES = (
-        (None, _("Don't use re-usable media, use regular one-off tickets")),
-        (MEDIA_POLICY_REUSE, _('Require an existing medium to be re-used')),
+        (None, _("Don't use reusable media, use regular one-off tickets")),
        (MEDIA_POLICY_NEW, _('Require a previously unknown medium to be newly added')),
-        (MEDIA_POLICY_REUSE_OR_NEW, _('Require either an existing or a new medium to be used')),
+        (MEDIA_POLICY_REUSE, _('Require an existing medium to be reused, replacing any previous tickets')),
+        (MEDIA_POLICY_REUSE_OR_NEW, _('Require either an existing or a new medium to be used, replacing any previous tickets')),
+        (MEDIA_POLICY_APPEND, _('Require an existing medium to be reused, adding to any previous tickets')),
+        (MEDIA_POLICY_APPEND_OR_NEW,
+         _('Require either an existing or a new medium to be used, adding to any previous tickets')),
    )

    objects = ItemQuerySetManager()
@@ -769,7 +774,7 @@ class Item(LoggedModel):
        null=True, blank=True, max_length=16,
        verbose_name=_('Reusable media policy'),
        help_text=_(
-            'If this product should be stored on a re-usable physical medium, you can attach a physical media policy. '
+            'If this product should be stored on a reusable physical medium, you can attach a physical media policy. '
            'This is not required for regular tickets, which just use a one-time barcode, but only for products like '
            'renewable season tickets or re-chargeable gift card wristbands. '
            'This is an advanced feature that also requires specific configuration of ticketing and printing settings.'
@@ -778,7 +783,7 @@ class Item(LoggedModel):
    media_type = models.CharField(
        max_length=100,
        null=True, blank=True,
-        choices=[(None, _("Don't use re-usable media, use regular one-off tickets"))] + [(k, v) for k, v in MEDIA_TYPES.items()],
+        choices=[(None, _("Don't use reusable media, use regular one-off tickets"))] + [(k, v) for k, v in MEDIA_TYPES.items()],
        verbose_name=_('Reusable media type'),
        help_text=_(
            'Select the type of physical medium that should be used for this product. Note that not all media types '
@@ -995,6 +1000,11 @@ class Item(LoggedModel):
                raise ValidationError(_('The selected media type does not support usage for tickets currently.'))
            if not mt.supports_giftcard and issue_giftcard:
                raise ValidationError(_('The selected media type does not support usage for gift cards currently.'))
+            if media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_APPEND_OR_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
+                if not mt.medium_created_by_server and not mt.medium_created_from_unknown_supported:
+                    raise ValidationError(_('The selected media type requires all media to be registered in the system '
+                                            'prior to their usage. Therefore, the selected media policy does not make '
+                                            'sense for this media type.'))
            if issue_giftcard:
                raise ValidationError(_('You currently cannot create gift cards with a reusable media policy. Instead, '
                                        'gift cards for some reusable media types can be created or re-charged directly '
@@ -2220,7 +2230,7 @@ class Quota(LoggedModel):
 class ItemMetaProperty(LoggedModel):
    """
    An event can have ItemMetaProperty objects attached to define meta information fields
-    for its items. This information can be re-used for example in ticket layouts.
+    for its items. This information can be reused for example in ticket layouts.

    :param event: The event this property is defined for.
    :type event: Event
@@ -2306,10 +2316,17 @@ class ItemProgramTime(models.Model):
    :type start: datetime
    :param end: The date and time this program time ends
    :type end: datetime
+    :param location: venue
+    :type location: str
    """
    item = models.ForeignKey('Item', related_name='program_times', on_delete=models.CASCADE)
    start = models.DateTimeField(verbose_name=_("Start"))
    end = models.DateTimeField(verbose_name=_("End"))
+    location = I18nTextField(
+        null=True, blank=True,
+        max_length=200,
+        verbose_name=_("Location"),
+    )

    def clean(self):
        if hasattr(self, 'item') and self.item and self.item.event.has_subevents:
@@ -72,6 +72,16 @@ class ReusableMedium(LoggedModel):
        max_length=200,
        verbose_name=pgettext_lazy('reusable_medium', 'Identifier'),
    )
+    claim_token = models.CharField(
+        max_length=200,
+        verbose_name=pgettext_lazy('reusable_medium', 'Claim token'),
+        null=True, blank=True
+    )
+    label = models.CharField(
+        max_length=200,
+        verbose_name=pgettext_lazy('reusable_medium', 'Label'),
+        null=True, blank=True
+    )

    active = models.BooleanField(
        verbose_name=_('Active'),
@@ -89,12 +99,14 @@ class ReusableMedium(LoggedModel):
        on_delete=models.SET_NULL,
        verbose_name=_('Customer account'),
    )
-    linked_orderposition = models.ForeignKey(
+    linked_orderpositions = models.ManyToManyField(
        OrderPosition,
-        null=True, blank=True,
        related_name='linked_media',
-        on_delete=models.SET_NULL,
-        verbose_name=_('Linked ticket'),
+        verbose_name=_('Linked tickets'),
+        help_text=_(
+            'If you link to more than one ticket, make sure there is no overlap in validity. '
+            'If multiple tickets are valid at once, this will lead to failed check-ins.'
+        )
    )
    linked_giftcard = models.ForeignKey(
        GiftCard,
@@ -117,7 +129,10 @@ class ReusableMedium(LoggedModel):

    @property
    def is_expired(self):
-        return self.expires and self.expires > now()
+        return self.expires and self.expires < now()
+
+    def touch(self):
+        self.save(update_fields=['updated'])

    class Meta:
        unique_together = (("identifier", "type", "organizer"),)
@@ -354,38 +354,60 @@ class Order(LockModel, LoggedModel):
    def _transaction_key_reset(self):
        self.__initial_status_paid_or_pending = self.status in (Order.STATUS_PENDING, Order.STATUS_PAID) and not self.require_approval

-    def gracefully_delete(self, user=None, auth=None):
-        from . import GiftCard, GiftCardTransaction, Membership, Voucher
-
-        if not self.testmode:
-            raise TypeError("Only test mode orders can be deleted.")
-        self.log_action(
-            'pretix.event.order.deleted', user=user, auth=auth,
-            data={
-                'code': self.code,
-            }
+    @classmethod
+    def gracefully_delete_bulk(cls, event, orders, user=None, auth=None):
+        # Expects to be called in a transaction
+        from . import (
+            GiftCard, GiftCardTransaction, LogEntry, Membership, Voucher,
        )

-        order_gracefully_delete.send(self.event, order=self)
+        if not transaction.get_connection().in_atomic_block:
+            raise Exception('gracefully_delete_bulk should only be called in atomic transaction!')

-        if self.status != Order.STATUS_CANCELED:
-            for position in self.positions.all():
-                if position.voucher:
-                    Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
+        logs_create = []
+        for o in orders:
+            if not o.testmode:
+                raise TypeError("Only test mode orders can be deleted.")
+            order_gracefully_delete.send(event, order=o)
+            logs_create.append(o.log_action(
+                'pretix.event.order.deleted', user=user, auth=auth,
+                data={
+                    'code': o.code,
+                },
+                save=False,
+            ))
+        LogEntry.bulk_create_and_postprocess(logs_create)

-        GiftCardTransaction.objects.filter(payment__in=self.payments.all()).update(payment=None)
-        GiftCardTransaction.objects.filter(refund__in=self.refunds.all()).update(refund=None)
-        GiftCardTransaction.objects.filter(order=self).update(order=None)
-        GiftCard.objects.filter(issued_in__in=self.positions.all()).update(issued_in=None)
-        Membership.objects.filter(granted_in__order=self, testmode=True).update(granted_in=None)
-        OrderPosition.all.filter(order=self, addon_to__isnull=False).delete()
-        OrderPosition.all.filter(order=self).delete()
-        OrderFee.all.filter(order=self).delete()
-        Transaction.objects.filter(order=self).delete()
-        self.refunds.all().delete()
-        self.payments.all().delete()
-        self.event.cache.delete('complain_testmode_orders')
-        self.delete()
+        voucher_ids = OrderPosition.objects.filter(
+            order__in=orders,
+            voucher__isnull=False
+        ).exclude(order__status=Order.STATUS_CANCELED).values_list("voucher_id", flat=True)
+        voucher_usages = Counter(voucher_ids)
+        for v_id, usage_count in voucher_usages.items():
+            Voucher.objects.filter(pk=v_id).update(redeemed=Greatest(0, F('redeemed') - usage_count))
+
+        GiftCardTransaction.objects.filter(payment__order__in=orders).update(payment=None)
+        GiftCardTransaction.objects.filter(refund__order__in=orders).update(refund=None)
+        GiftCardTransaction.objects.filter(order__in=orders).update(order=None)
+        GiftCard.objects.filter(issued_in__order__in=orders).update(issued_in=None)
+        Membership.objects.filter(granted_in__order__in=orders, testmode=True).update(granted_in=None)
+        OrderPosition.all.filter(order__in=orders, addon_to__isnull=False).delete()
+        OrderPosition.all.filter(order__in=orders).delete()
+        OrderFee.all.filter(order__in=orders).delete()
+        Transaction.objects.filter(order__in=orders).delete()
+        OrderRefund.objects.filter(order__in=orders).delete()
+        OrderPayment.objects.filter(order__in=orders).delete()
+        if isinstance(orders, models.QuerySet):
+            orders.delete()
+        else:
+            Order.objects.filter(pk__in=[o.pk for o in orders]).delete()
+        event.cache.delete('complain_testmode_orders')
+
+    def gracefully_delete(self, user=None, auth=None):
+        if not self.testmode:
+            raise TypeError("Only test mode orders can be deleted.")
+
+        Order.gracefully_delete_bulk(self.event, Order.objects.filter(pk=self.pk), user, auth)

    def email_confirm_secret(self):
        return self.tagged_secret("email_confirm", 9)
@@ -118,7 +118,10 @@ class SeatingPlan(LoggedModel):
        for zi, z in enumerate(self.layout_data['zones']):
            zpos = (z['position']['x'], z['position']['y'])
            for ri, r in enumerate(z['rows']):
-                rpos = (zpos[0] + r['position']['x'], zpos[1] + r['position']['y'])
+                rpos = (
+                    zpos[0] + r.get('position', {}).get('x', 0),
+                    zpos[1] + r.get('position', {}).get('y', 0),
+                )
                row_label = None
                if r.get('row_label'):
                    row_label = r['row_label'].replace("%s", r.get('row_number', str(ri)))
@@ -147,8 +150,8 @@ class SeatingPlan(LoggedModel):
                        zone=z['name'],
                        category=s['category'],
                        sorting_rank=rank,
-                        x=rpos[0] + s['position']['x'],
-                        y=rpos[1] + s['position']['y'],
+                        x=rpos[0] + s.get('position', {}).get('x', 0),
+                        y=rpos[1] + s.get('position', {}).get('y', 0),
                    )


@@ -43,7 +43,7 @@ from django.utils.translation import gettext_lazy as _, pgettext_lazy
 from pretix.base.models import Event, LogEntry
 from pretix.base.signals import register_notification_types
 from pretix.base.templatetags.money import money_filter
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute

 logger = logging.getLogger(__name__)
 _ALL_TYPES = None
@@ -170,7 +170,7 @@ class ParametrizedOrderNotificationType(NotificationType):
    def build_notification(self, logentry: LogEntry):
        order = logentry.content_object

-        order_url = build_absolute_uri(
+        order_url = mainreverse_absolute(
            'control:event.order',
            kwargs={
                'organizer': logentry.event.organizer.slug,
@@ -71,7 +71,7 @@ from pretix.helpers import OF_SELF
 from pretix.helpers.countries import CachedCountries
 from pretix.helpers.format import format_map
 from pretix.helpers.money import DecimalTextInput
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute
 from pretix.presale.views import get_cart
 from pretix.presale.views.cart import cart_session, get_or_create_cart_id

@@ -379,7 +379,7 @@ class BasePaymentProvider:

        if not self.settings.get('_hidden_seed'):
            self.settings.set('_hidden_seed', get_random_string(64))
-        hidden_url = build_absolute_uri(self.event, 'presale:event.payment.unlock', kwargs={
+        hidden_url = eventreverse_absolute(self.event, 'presale:event.payment.unlock', kwargs={
            'hash': hashlib.sha256((self.settings._hidden_seed + self.event.slug).encode()).hexdigest(),
        })

@@ -498,9 +498,9 @@ DEFAULT_VARIABLES = OrderedDict((
        ) if op.valid_until else ""
    }),
    ("program_times", {
-        "label": _("Program times: date and time"),
+        "label": _("Program times"),
        "editor_sample": _(
-            "2017-05-31 10:00 – 12:00\n2017-05-31 14:00 – 16:00\n2017-05-31 14:00 – 2017-06-01 14:00"),
+            "2017-05-31 10:00 – 12:00, Room 1\n2017-05-31 14:00 – 16:00, Room 2\n2017-05-31 14:00 – 2017-06-01 14:00, Building A"),
        "evaluate": lambda op, order, ev: get_program_times(op, ev)
    }),
    ("medium_identifier", {
@@ -748,13 +748,19 @@ def get_seat(op: OrderPosition):


 def get_program_times(op: OrderPosition, ev: Event):
-    return '\n'.join([
-        datetimerange(
-            pt.start.astimezone(ev.timezone),
-            pt.end.astimezone(ev.timezone),
-            as_html=False
-        ) for pt in op.item.program_times.all()
-    ])
+    ptstr = []
+    for pt in op.item.program_times.all():
+        ptstr.append([
+            datetimerange(
+                pt.start.astimezone(ev.timezone),
+                pt.end.astimezone(ev.timezone),
+                as_html=False
+            ),
+            (', ' + ', '.join(
+                l.strip() for l in str(pt.location).splitlines() if l.strip())
+             ) if str(pt.location).strip() else ''
+        ])
+    return '\n'.join(''.join(l) for l in ptstr)


 def generate_compressed_addon_list(op, order, event, only_checked_in=False):
@@ -923,7 +929,7 @@ class Renderer:

            # We do not use str.format like in emails so we (a) can evaluate lazily and (b) can re-implement this
            # 1:1 on other platforms that render PDFs through our API (libpretixprint)
-            return re.sub(r'\{([a-zA-Z0-9:_]+)\}', replace, text)
+            return re.sub(r'\{([-a-zA-Z0-9:_]+)\}', replace, text)

        elif o['content'].startswith('itemmeta:'):
            if op.variation_id:
@@ -49,14 +49,39 @@ class PluginType(Enum):
    EXPORT = 4


+def plugin_is_available(meta, event=None, organizer=None):
+    if not hasattr(meta.app, 'is_available'):
+        return True
+
+    level = getattr(meta, "level", PLUGIN_LEVEL_EVENT)
+    if level == PLUGIN_LEVEL_EVENT:
+        if event:
+            return meta.app.is_available(event)
+        elif organizer:
+            if not hasattr(organizer, '_plugin_availability_fallback_event'):
+                with scope(organizer=organizer):
+                    setattr(organizer, '_plugin_availability_fallback_event', organizer.events.first())
+            return (
+                organizer._plugin_availability_fallback_event
+                and meta.app.is_available(organizer._plugin_availability_fallback_event)
+            )
+    elif level == PLUGIN_LEVEL_ORGANIZER:
+        if organizer:
+            return meta.app.is_available(organizer)
+        elif event:
+            return meta.app.is_available(event.organizer)
+    elif level == PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID and (event or organizer):
+        return meta.app.is_available(event or organizer)
+
+    return True
+
+
 def get_all_plugins(*, event=None, organizer=None) -> List[type]:
    """
    Returns the PretixPluginMeta classes of all plugins found in the installed Django apps.
    """
    assert not event or not organizer
    plugins = []
-    event_fallback = None
-    event_fallback_used = False
    for app in apps.get_app_configs():
        if hasattr(app, 'PretixPluginMeta'):
            meta = app.PretixPluginMeta
@@ -65,28 +90,8 @@ def get_all_plugins(*, event=None, organizer=None) -> List[type]:
            if app.name in settings.PRETIX_PLUGINS_EXCLUDE:
                continue

-            level = getattr(meta, "level", PLUGIN_LEVEL_EVENT)
-            if level == PLUGIN_LEVEL_EVENT:
-                if event and hasattr(app, 'is_available'):
-                    if not app.is_available(event):
-                        continue
-                elif organizer and hasattr(app, 'is_available'):
-                    if not event_fallback_used:
-                        with scope(organizer=organizer):
-                            event_fallback = organizer.events.first()
-                        event_fallback_used = True
-                    if not event_fallback or not app.is_available(event_fallback):
-                        continue
-            elif level == PLUGIN_LEVEL_ORGANIZER:
-                if organizer and hasattr(app, 'is_available'):
-                    if not app.is_available(organizer):
-                        continue
-                elif event and hasattr(app, 'is_available'):
-                    if not app.is_available(event.organizer):
-                        continue
-            elif level == PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID and (event or organizer) and hasattr(app, 'is_available'):
-                if not app.is_available(event or organizer):
-                    continue
+            if not plugin_is_available(meta, event, organizer):
+                continue

            plugins.append(meta)
    return sorted(
@@ -162,12 +162,12 @@ error_messages = {
    'price_too_high': gettext_lazy('The entered price is to high.'),
    'voucher_invalid': gettext_lazy('This voucher code is not known in our database.'),
    'voucher_min_usages': ngettext_lazy(
-        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching products.',
+        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching product.',
        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching products.',
        'number'
    ),
    'voucher_min_usages_removed': ngettext_lazy(
-        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching products. '
+        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching product. '
        'We have therefore removed some positions from your cart that can no longer be purchased like this.',
        'The voucher code "%(voucher)s" can only be used if you select at least %(number)s matching products. '
        'We have therefore removed some positions from your cart that can no longer be purchased like this.',
@@ -287,11 +287,11 @@ def _check_position_constraints(
        raise CartPositionError(error_messages['unavailable'])

    # Invalid media policy for online sale
-    if item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
+    if item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW, Item.MEDIA_POLICY_APPEND_OR_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
        mt = MEDIA_TYPES[item.media_type]
        if not mt.medium_created_by_server:
            raise CartPositionError(error_messages['media_usage_not_implemented'])
-    elif item.media_policy == Item.MEDIA_POLICY_REUSE:
+    elif item.media_policy in (Item.MEDIA_POLICY_REUSE, Item.MEDIA_POLICY_APPEND):
        raise CartPositionError(error_messages['media_usage_not_implemented'])

    # Item removed from sales channel
@@ -867,6 +867,15 @@ class RequiredQuestionsError(Exception):
        super().__init__(msg)


+class RequiredMediaExchangeError(Exception):
+    def __init__(self, msg, code, media_policy, media_type):
+        self.msg = msg
+        self.code = code
+        self.media_policy = media_policy
+        self.media_type = media_type
+        super().__init__(msg)
+
+
 def _save_answers(op, answers, given_answers):
    def _create_answer(question, answer):
        try:
@@ -939,7 +948,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
                    ignore_unpaid=False, nonce=None, datetime=None, questions_supported=True,
                    user=None, auth=None, canceled_supported=False, type=Checkin.TYPE_ENTRY,
                    raw_barcode=None, raw_source_type=None, from_revoked_secret=False, simulate=False,
-                    gate=None):
+                    gate=None, reusable_medium=None):
    """
    Create a checkin for this particular order position and check-in list. Fails with CheckInError if the check in is
    not valid at this time.
@@ -955,6 +964,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
    :param datetime: The datetime of the checkin, defaults to now.
    :param simulate: If true, the check-in is not saved.
    :param gate: The gate the check-in was performed at.
+    :param reusable_medium: The medium that is available for an exchange
    """

    # !!!!!!!!!
@@ -1035,7 +1045,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,

    with transaction.atomic():
        # Lock order positions, if it is an entry. We don't need it for exits, as a race condition wouldn't be problematic
-        opqs = OrderPosition.all
+        opqs = OrderPosition.all.select_related("order", "item")
        if type != Checkin.TYPE_EXIT:
            opqs = opqs.select_for_update(of=OF_SELF)
        op = opqs.get(pk=op.pk)
@@ -1101,6 +1111,24 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
                require_answers
            )

+        required_media_policy = op.item.media_policy
+        required_media_type = op.item.media_type
+        require_a_medium = required_media_policy and required_media_type
+        linked_media = op.linked_media
+        if require_a_medium and not reusable_medium and not force:
+            if not linked_media.exists():
+                raise RequiredMediaExchangeError(
+                    _('Ticket needs to be exchanged to a suitable medium.'),
+                    'exchange',
+                    required_media_policy,
+                    required_media_type
+                )
+            elif op.organizer.settings.reusable_media_usage_enforced:
+                raise CheckInError(
+                    _('This ticket has already been exchanged for a reusable medium that now needs to be used instead.'),
+                    'already_exchanged',
+                )
+
        device = None
        if isinstance(auth, Device):
            device = auth
@@ -51,7 +51,7 @@ from pretix.base.signals import (
 )
 from pretix.celery_app import app
 from pretix.helpers import OF_SELF, repeatable_reads_transaction
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute

 logger = logging.getLogger(__name__)

@@ -455,7 +455,7 @@ def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> Non
        schedule,
        organizer,
        exporter,
-        build_absolute_uri(
+        mainreverse_absolute(
            'control:organizer.export',
            kwargs={
                'organizer': organizer.slug,
@@ -481,7 +481,7 @@ def scheduled_event_export(self, event: Event, schedule: int) -> None:
        schedule,
        event,
        exporter,
-        build_absolute_uri(
+        mainreverse_absolute(
            'control:event.orders.export',
            kwargs={
                'event': event.slug,
@@ -85,7 +85,7 @@ from pretix.helpers.format import (
    FormattedString, PlainHtmlAlternativeString, SafeFormatter, format_map,
 )
 from pretix.helpers.hierarkey import clean_filename
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute
 from pretix.presale.ical import get_private_icals

 logger = logging.getLogger('pretix.base.mail')
@@ -997,7 +997,7 @@ def _wrap_plain_body(content_plain, signature, event, order, position, no_order_
        body_plain += _(
            "You can view your order details at the following URL:\n{orderurl}."
        ).replace("\n", "\r\n").format(
-            orderurl=build_absolute_uri(
+            orderurl=eventreverse_absolute(
                order.event, 'presale:event.order.position', kwargs={
                    'order': order.code,
                    'secret': position.web_secret,
@@ -1013,7 +1013,7 @@ def _wrap_plain_body(content_plain, signature, event, order, position, no_order_
        body_plain += _(
            "You can view your order details at the following URL:\n{orderurl}."
        ).replace("\n", "\r\n").format(
-            event=event.name, orderurl=build_absolute_uri(
+            event=event.name, orderurl=eventreverse_absolute(
                order.event, 'presale:event.order.open', kwargs={
                    'order': order.code,
                    'secret': order.secret,
@@ -23,10 +23,13 @@ import secrets

 from django.db import IntegrityError
 from django.db.models import Q
+from django.utils.translation import gettext as _
 from django_scopes import scopes_disabled

-from pretix.base.models import GiftCardAcceptance
-from pretix.base.models.media import MediumKeySet
+from pretix.base.media import MEDIA_TYPES
+from pretix.base.models import Checkin, GiftCardAcceptance, Item
+from pretix.base.models.media import MediumKeySet, ReusableMedium
+from pretix.base.services.checkin import CheckInError


 def create_nfc_mf0aes_keyset(organizer):
@@ -70,3 +73,174 @@ def get_keysets_for_organizer(organizer):
        if new_set:
            sets.append(new_set)
    return sets
+
+
+def perform_media_exchange(organizer, media_type, identifier, link_orderposition, user, auth):
+    """
+    Create or retrieve a medium, then link the order position to it. Expected to be called in a transaction.
+
+    :param organizer: Organizer to operate in
+    :param media_type: Type of medium to operate with
+    :param identifier: Identifier of the medium
+    :param link_orderposition: Position to link to the medium
+    :return: ReusableMedium
+    """
+    medium = None
+    media_policy = link_orderposition.item.media_policy
+
+    if media_type not in MEDIA_TYPES:  # should be caught by serializer already
+        raise CheckInError(
+            _('Invalid medium type.'),
+            Checkin.REASON_ERROR,
+            reason=_('Invalid medium type.'),
+        )
+
+    if not MEDIA_TYPES[media_type].is_active(organizer):
+        raise CheckInError(
+            _('Medium type is not enabled for organizer.'),
+            Checkin.REASON_ERROR,
+            reason=_('Medium type is not enabled for organizer.'),
+        )
+
+    if link_orderposition.item.media_type != media_type:
+        raise CheckInError(
+            _('Incorrect medium type for product.'),
+            Checkin.REASON_PRODUCT,
+            reason=_('Incorrect medium type for product.'),
+        )
+
+    if link_orderposition.linked_media.exists():
+        raise CheckInError(
+            _('Ticket is already exchanged for reusable medium.'),
+            Checkin.REASON_ALREADY_EXCHANGED,
+            reason=_('Ticket is already exchanged for reusable medium.'),
+        )
+
+    if media_policy in (Item.MEDIA_POLICY_APPEND, Item.MEDIA_POLICY_APPEND_OR_NEW, Item.MEDIA_POLICY_NEW):
+        link_action = "append"
+    else:
+        link_action = "replace"
+
+    if media_policy in (Item.MEDIA_POLICY_REUSE, Item.MEDIA_POLICY_APPEND):
+        try:
+            medium = ReusableMedium.objects.get(
+                type=media_type,
+                identifier=identifier,
+                organizer=organizer,
+            )
+        except ReusableMedium.DoesNotExist:
+            raise CheckInError(
+                _('Reusable medium not found.'),
+                Checkin.REASON_MEDIUM_INVALID,
+                reason=_('Reusable medium not found.'),
+            )
+        else:
+            if medium.is_expired or not medium.active:
+                raise CheckInError(
+                    _('Reusable medium is inactive or expired.'),
+                    Checkin.REASON_MEDIUM_INVALID,
+                    reason=_('Reusable medium is inactive or expired.'),
+                )
+
+    elif media_policy in (Item.MEDIA_POLICY_REUSE_OR_NEW, Item.MEDIA_POLICY_APPEND_OR_NEW):
+        try:
+            medium = ReusableMedium.objects.get(
+                type=media_type,
+                identifier=identifier,
+                organizer=organizer,
+            )
+        except ReusableMedium.DoesNotExist:
+            if not MEDIA_TYPES[media_type].medium_created_from_unknown_supported:
+                raise CheckInError(
+                    _('Reusable medium not found and could not be created.'),
+                    Checkin.REASON_MEDIUM_INVALID,
+                )
+
+            medium = MEDIA_TYPES[media_type].handle_unknown(organizer, identifier, user, auth, force_create=True)
+            if not medium:
+                raise CheckInError(
+                    _('Reusable medium not found and could not be created.'),
+                    Checkin.REASON_MEDIUM_INVALID,
+                )
+
+        if medium.is_expired or not medium.active:
+            raise CheckInError(
+                _('Reusable medium is inactive or expired.'),
+                Checkin.REASON_MEDIUM_INVALID,
+                reason=_('Reusable medium is inactive or expired.'),
+            )
+
+    elif media_policy == Item.MEDIA_POLICY_NEW:
+        if not MEDIA_TYPES[media_type].medium_created_from_unknown_supported:
+            raise CheckInError(
+                _('Reusable medium not found and could not be created.'),
+                Checkin.REASON_MEDIUM_INVALID,
+            )
+        try:
+            medium = MEDIA_TYPES[media_type].handle_unknown(organizer, identifier, user, auth, force_create=True)
+        except IntegrityError:
+            raise CheckInError(
+                _('Reusable medium already exists.'),
+                Checkin.REASON_MEDIUM_EXISTS,
+            )
+        else:
+            if not medium:
+                raise CheckInError(
+                    _('Reusable medium could not be created.'),
+                    Checkin.REASON_MEDIUM_INVALID,
+                )
+
+    else:
+        raise CheckInError(
+            _('Product does not support medium exchange.'),
+            Checkin.REASON_PRODUCT,
+            reason=_('Product does not support medium exchange.'),
+        )
+
+    if link_action == 'append':
+        medium.linked_orderpositions.add(link_orderposition)
+        medium.log_action(
+            'pretix.reusable_medium.linked_orderposition.added',
+            user=user,
+            auth=auth,
+            data={
+                'linked_orderposition': link_orderposition,
+            }
+        )
+    elif link_action == 'replace':
+        already_found = False
+        for op_pk in medium.linked_orderpositions.values_list('pk', flat=True):
+            if op_pk == link_orderposition.pk:
+                already_found = True
+                continue
+            else:
+                medium.log_action(
+                    'pretix.reusable_medium.linked_orderposition.removed',
+                    data={
+                        'linked_orderposition': op_pk,
+                    }
+                )
+        if not already_found:
+            medium.linked_orderpositions.set([link_orderposition])
+            medium.log_action(
+                'pretix.reusable_medium.linked_orderposition.added',
+                user=user,
+                auth=auth,
+                data={
+                    'linked_orderposition': link_orderposition,
+                }
+            )
+
+    link_orderposition.order.log_action(
+        'pretix.reusable_medium.exchanged',
+        data={
+            'position': link_orderposition.pk,
+            'positionid': link_orderposition.positionid,
+            'medium': medium.pk,
+            'medium_identifier': medium.identifier,
+            'medium_type': medium.media_type.identifier,
+        }
+    )
+    medium.touch()
+
+    return medium
@@ -37,7 +37,7 @@ from pretix.base.services.tasks import ProfiledTask, TransactionAwareTask
 from pretix.base.signals import notification
 from pretix.celery_app import app
 from pretix.helpers.celery import get_task_priority
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute


@app.task(base=TransactionAwareTask, acks_late=True, max_retries=9, default_retry_delay=900)
@@ -136,10 +136,10 @@ def send_notification_mail(notification: Notification, user: User):
        'site_url': settings.SITE_URL,
        'color': settings.PRETIX_PRIMARY_COLOR,
        'notification': notification,
-        'settings_url': build_absolute_uri(
+        'settings_url': mainreverse_absolute(
            'control:user.settings.notifications',
        ),
-        'disable_url': build_absolute_uri(
+        'disable_url': mainreverse_absolute(
            'control:user.settings.notifications.off',
            kwargs={
                'token': user.notifications_token,
@@ -727,8 +727,6 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
    _check_date(event, time_machine_now_dt)

    products_seen = Counter()
-    q_avail = Counter()
-    v_avail = Counter()
    v_usages = Counter()
    v_budget = {}
    deleted_positions = set()
@@ -793,6 +791,9 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
                shared_lock_objects=[event]
            )

+    q_avail = Counter()
+    v_avail = Counter()
+
    # Check maximum order size
    limit = min(int(event.settings.max_items_per_order), settings.PRETIX_MAX_ORDER_SIZE)
    if sum(1 for cp in sorted_positions if not cp.addon_to) > limit:
@@ -3505,7 +3506,7 @@ def signal_listener_issue_media(sender: Event, order: Order, **kwargs):
    from pretix.base.models import ReusableMedium

    for p in order.positions.all():
-        if p.item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
+        if p.item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW, Item.MEDIA_POLICY_APPEND_OR_NEW):
            mt = MEDIA_TYPES[p.item.media_type]
            if mt.medium_created_by_server and not p.linked_media.exists():
                rm = ReusableMedium.objects.create(
@@ -3514,8 +3515,8 @@ def signal_listener_issue_media(sender: Event, order: Order, **kwargs):
                    identifier=mt.generate_identifier(sender.organizer),
                    active=True,
                    customer=order.customer,
-                    linked_orderposition=p,
                )
+                rm.linked_orderpositions.add(p)
                rm.log_action(
                    'pretix.reusable_medium.created',
                    data={
@@ -327,7 +327,7 @@ def get_best_name(position_or_address, parts=False):

@receiver(register_text_placeholders, dispatch_uid="pretixbase_register_text_placeholders")
 def base_placeholders(sender, **kwargs):
-    from pretix.multidomain.urlreverse import build_absolute_uri
+    from pretix.multidomain.urlreverse import eventreverse_absolute

    def _event_sample(event):
        if event.has_subevents:
@@ -388,14 +388,14 @@ def base_placeholders(sender, **kwargs):
            lambda event: LazyDate(now() + timedelta(days=15))
        ),
        SimpleFunctionalTextPlaceholder(
-            'url', ['order', 'event'], lambda order, event: build_absolute_uri(
+            'url', ['order', 'event'], lambda order, event: eventreverse_absolute(
                event,
                'presale:event.order.open', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                    'hash': order.email_confirm_secret()
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.open', kwargs={
                    'order': 'F8VVL',
@@ -406,7 +406,7 @@ def base_placeholders(sender, **kwargs):
        ),
        SimpleButtonPlaceholder(
            'url_button', ['order', 'event'],
-            url_func=lambda order, event: build_absolute_uri(
+            url_func=lambda order, event: eventreverse_absolute(
                event,
                'presale:event.order.open', kwargs={
                    'order': order.code,
@@ -415,7 +415,7 @@ def base_placeholders(sender, **kwargs):
                }
            ),
            text_func=lambda order, event: _("View order details"),
-            sample_url_func=lambda event: build_absolute_uri(
+            sample_url_func=lambda event: eventreverse_absolute(
                event,
                'presale:event.order.open', kwargs={
                    'order': 'F8VVL',
@@ -426,13 +426,13 @@ def base_placeholders(sender, **kwargs):
            sample_text_func=lambda event: _("View order details"),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url_info_change', ['order', 'event'], lambda order, event: build_absolute_uri(
+            'url_info_change', ['order', 'event'], lambda order, event: eventreverse_absolute(
                event,
                'presale:event.order.modify', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.modify', kwargs={
                    'order': 'F8VVL',
@@ -441,13 +441,13 @@ def base_placeholders(sender, **kwargs):
            ),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url_products_change', ['order', 'event'], lambda order, event: build_absolute_uri(
+            'url_products_change', ['order', 'event'], lambda order, event: eventreverse_absolute(
                event,
                'presale:event.order.change', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.change', kwargs={
                    'order': 'F8VVL',
@@ -456,13 +456,13 @@ def base_placeholders(sender, **kwargs):
            ),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url_cancel', ['order', 'event'], lambda order, event: build_absolute_uri(
+            'url_cancel', ['order', 'event'], lambda order, event: eventreverse_absolute(
                event,
                'presale:event.order.cancel', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.cancel', kwargs={
                    'order': 'F8VVL',
@@ -471,7 +471,7 @@ def base_placeholders(sender, **kwargs):
            ),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url', ['event', 'position'], lambda event, position: build_absolute_uri(
+            'url', ['event', 'position'], lambda event, position: eventreverse_absolute(
                event,
                'presale:event.order.position',
                kwargs={
@@ -480,7 +480,7 @@ def base_placeholders(sender, **kwargs):
                    'position': position.positionid
                }
            ),
-            lambda event: build_absolute_uri(
+            lambda event: eventreverse_absolute(
                event,
                'presale:event.order.position', kwargs={
                    'order': 'F8VVL',
@@ -491,7 +491,7 @@ def base_placeholders(sender, **kwargs):
        ),
        SimpleButtonPlaceholder(
            'url_button', ['event', 'position'],
-            url_func=lambda event, position: build_absolute_uri(
+            url_func=lambda event, position: eventreverse_absolute(
                event,
                'presale:event.order.position', kwargs={
                    'order': position.order.code,
@@ -500,7 +500,7 @@ def base_placeholders(sender, **kwargs):
                }
            ),
            text_func=lambda event, position: _("View registration details"),
-            sample_url_func=lambda event: build_absolute_uri(
+            sample_url_func=lambda event: eventreverse_absolute(
                event,
                'presale:event.order.position', kwargs={
                    'order': 'F8VVL',
@@ -511,14 +511,14 @@ def base_placeholders(sender, **kwargs):
            sample_text_func=lambda event: _("View registration details"),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url_info_change', ['position', 'event'], lambda position, event: build_absolute_uri(
+            'url_info_change', ['position', 'event'], lambda position, event: eventreverse_absolute(
                event,
                'presale:event.order.position.modify', kwargs={
                    'order': position.order.code,
                    'secret': position.web_secret,
                    'position': position.positionid
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.position.modify', kwargs={
                    'order': 'F8VVL',
@@ -528,14 +528,14 @@ def base_placeholders(sender, **kwargs):
            ),
        ),
        SimpleFunctionalTextPlaceholder(
-            'url_products_change', ['position', 'event'], lambda position, event: build_absolute_uri(
+            'url_products_change', ['position', 'event'], lambda position, event: eventreverse_absolute(
                event,
                'presale:event.order.position.change', kwargs={
                    'order': position.order.code,
                    'secret': position.web_secret,
                    'position': position.positionid
                }
-            ), lambda event: build_absolute_uri(
+            ), lambda event: eventreverse_absolute(
                event,
                'presale:event.order.position.change', kwargs={
                    'order': 'F8VVL',
@@ -581,20 +581,20 @@ def base_placeholders(sender, **kwargs):
        ),
        SimpleFunctionalTextPlaceholder(
            'url_remove', ['waiting_list_voucher', 'event'],
-            lambda waiting_list_voucher, event: build_absolute_uri(
+            lambda waiting_list_voucher, event: eventreverse_absolute(
                event, 'presale:event.waitinglist.remove'
            ) + '?voucher=' + waiting_list_voucher.code,
-            lambda event: build_absolute_uri(
+            lambda event: eventreverse_absolute(
                event,
                'presale:event.waitinglist.remove',
            ) + '?voucher=68CYU2H6ZTP3WLK5',
        ),
        SimpleFunctionalTextPlaceholder(
            'url', ['waiting_list_voucher', 'event'],
-            lambda waiting_list_voucher, event: build_absolute_uri(
+            lambda waiting_list_voucher, event: eventreverse_absolute(
                event, 'presale:event.redeem'
            ) + '?voucher=' + waiting_list_voucher.code,
-            lambda event: build_absolute_uri(
+            lambda event: eventreverse_absolute(
                event,
                'presale:event.redeem',
            ) + '?voucher=68CYU2H6ZTP3WLK5',
@@ -611,7 +611,7 @@ def base_placeholders(sender, **kwargs):
            'orders', ['event', 'orders'], lambda event, orders: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    order.full_code,
-                    build_absolute_uri(event, 'presale:event.order.open', kwargs={
+                    eventreverse_absolute(event, 'presale:event.order.open', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order.code,
@@ -623,7 +623,7 @@ def base_placeholders(sender, **kwargs):
            ), lambda event: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    '{}-{}'.format(event.slug.upper(), order['code']),
-                    build_absolute_uri(event, 'presale:event.order.open', kwargs={
+                    eventreverse_absolute(event, 'presale:event.order.open', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order['code'],
@@ -662,13 +662,13 @@ def base_placeholders(sender, **kwargs):
            # join vouchers with two spaces at end of line so markdown-parser inserts a <br>
            'voucher_url_list', ['event', 'voucher_list'],
            lambda event, voucher_list: '  \n'.join([
-                build_absolute_uri(
+                eventreverse_absolute(
                    event, 'presale:event.redeem'
                ) + '?voucher=' + c
                for c in voucher_list
            ]),
            lambda event: '  \n'.join([
-                build_absolute_uri(
+                eventreverse_absolute(
                    event, 'presale:event.redeem'
                ) + '?voucher=' + c
                for c in ['68CYU2H6ZTP3WLK5', '7MB94KKPVEPSMVF2']
@@ -676,10 +676,10 @@ def base_placeholders(sender, **kwargs):
            inline=False,
        ),
        SimpleFunctionalTextPlaceholder(
-            'url', ['event', 'voucher_list'], lambda event, voucher_list: build_absolute_uri(event, 'presale:event.index', kwargs={
+            'url', ['event', 'voucher_list'], lambda event, voucher_list: eventreverse_absolute(event, 'presale:event.index', kwargs={
                'event': event.slug,
                'organizer': event.organizer.slug,
-            }), lambda event: build_absolute_uri(event, 'presale:event.index', kwargs={
+            }), lambda event: eventreverse_absolute(event, 'presale:event.index', kwargs={
                'event': event.slug,
                'organizer': event.organizer.slug,
            })
@@ -37,7 +37,7 @@ from pretix.base.services.mail import mail
 from pretix.base.settings import GlobalSettingsObject
 from pretix.base.signals import periodic_task
 from pretix.celery_app import app
-from pretix.helpers.urls import build_absolute_uri
+from pretix.helpers.urls import mainreverse_absolute


@receiver(signal=periodic_task)
@@ -121,7 +121,7 @@ def send_update_notification_email():
            )
        ),
        {
-            'url': build_absolute_uri('control:global.update')
+            'url': mainreverse_absolute('control:global.update')
        },
    )

@@ -11,6 +11,7 @@
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta charset="utf-8">
    <link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}">
+    <script type="text/javascript" src="{% static "pretixbase/js/errors.js" %}"></script>
    {% block custom_header %}{% endblock %}
    {% if css_theme %}
        <link rel="stylesheet" type="text/css" href="{{ css_theme }}" />
@@ -21,5 +22,4 @@
    {% block content %}{% endblock %}
 </div>
 </body>
-<script src="{% static "pretixbase/js/errors.js" %}"></script>
 </html>
@@ -55,10 +55,12 @@
                {% trans "You receive these emails based on your notification settings." %}<br>
                <a href="{{ settings_url }}">
                    {% trans "Click here to view and change your notification settings" %}
-                </a><br>
-                <a href="{{ disable_url }}">
-                    {% trans "Click here disable all notifications immediately." %}
                </a>
+                {% if disable_url %}<br>
+                    <a href="{{ disable_url }}">
+                        {% trans "Click here disable all notifications immediately." %}
+                    </a>
+                {% endif %}
            </div>
            <!--[if gte mso 9]>
                    </td></tr></table>
@@ -14,5 +14,6 @@
 {% trans "You receive these emails based on your notification settings." %}
 {% trans "Click here to view and change your notification settings:" %}
 {{ settings_url }}
-{% trans "Click here disable all notifications immediately:" %}
+{% if disable_url %}{% trans "Click here disable all notifications immediately:" %}
 {{ disable_url }}
+{% endif %}
@@ -0,0 +1,32 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django import template
+from django.conf import settings
+
+register = template.Library()
+
+
+@register.filter
+def human_readable_locale(value):
+    if not value:
+        return ''
+    return dict(settings.LANGUAGES).get(value, '')
@@ -0,0 +1,243 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+import json
+import logging
+import pathlib
+import re
+import secrets
+from urllib.parse import urljoin
+from urllib.request import urlopen
+
+import importlib_metadata as metadata
+from django import template
+from django.conf import settings
+from django.utils.safestring import mark_safe
+
+register = template.Library()
+LOGGER = logging.getLogger(__name__)
+_MANIFEST = {}
+# TODO more os.path.join ?
+MANIFEST_PATH = settings.STATIC_ROOT + "/vite/control/.vite/manifest.json"
+MANIFEST_BASE = "vite/control/"
+
+# entry_name -> {"manifest_entry": {...}, "url_base": "..."}
+_PLUGIN_REGISTRY = {}
+
+
+def _discover_plugin_manifests():
+    """Discover plugin vite manifests at startup.
+
+    Scans installed pretix plugins for a .vite/manifest.json inside a static.dist
+    directory. Only non-editable (wheel) plugins are expected to ship pre-built
+    assets; editable plugins are served through the Vite dev server.
+    """
+    for ep in metadata.entry_points(group='pretix.plugin'):
+        dist = ep.dist
+        if not dist or not dist.files:
+            continue
+
+        try:
+            url_info = json.loads(dist.read_text('direct_url.json') or '{}')
+            if url_info.get('dir_info', {}).get('editable', False):
+                continue  # editable plugins are served via vite dev server
+        except Exception:
+            pass
+
+        # Find .vite/manifest.json inside a /static/ directory
+        try:
+            manifest_rel = None
+            for f in dist.files:
+                if f.name == 'manifest.json' and '/static/' in str(f) and '/.vite/' in str(f):
+                    manifest_rel = f
+                    break
+
+            if not manifest_rel:
+                continue
+
+            manifest_path = pathlib.Path(str(dist.locate_file(manifest_rel)))
+            if not manifest_path.exists():
+                continue
+
+            plugin_manifest = json.loads(manifest_path.read_text())
+
+            url_base = re.search(r'/static/(.+?)/\.vite/', str(manifest_rel)).group(1) + '/'
+
+            for _key, entry in plugin_manifest.items():
+                if entry.get('isEntry') and 'name' in entry:
+                    _PLUGIN_REGISTRY[entry['name']] = {
+                        'manifest_entry': entry,
+                        'url_base': url_base,
+                    }
+        except Exception:
+            LOGGER.warning(f"Failed to discover vite manifest for plugin {ep.name}", exc_info=True)
+
+
+# Load core manifest
+if not settings.VITE_DEV_MODE and not settings.VITE_IGNORE:
+    try:
+        with open(MANIFEST_PATH) as fp:
+            _MANIFEST = json.load(fp)
+    except Exception as e:
+        LOGGER.warning(f"Error reading vite manifest at {MANIFEST_PATH}: {str(e)}")
+
+# Discover plugin manifests
+if not settings.VITE_IGNORE:
+    _discover_plugin_manifests()
+
+
+def _generate_script_tag(path, attrs, src=None):
+    all_attrs = " ".join(f'{key}="{value}"' for key, value in attrs.items())
+    if src is None:
+        if settings.VITE_DEV_MODE:
+            src = urljoin(settings.VITE_DEV_SERVER, path)
+        else:
+            src = urljoin(settings.STATIC_URL, path)
+    return f'<script {all_attrs} src="{src}"></script>'
+
+
+def _generate_css_tags(asset, already_processed=None):
+    """Recursively builds all CSS tags used in a given asset from the core manifest."""
+    tags = []
+    manifest_entry = _MANIFEST[asset]
+    if already_processed is None:
+        already_processed = []
+
+    if "css" in manifest_entry:
+        for css_path in manifest_entry["css"]:
+            if css_path not in already_processed:
+                full_path = urljoin(settings.STATIC_URL, MANIFEST_BASE + css_path)
+                tags.append(f'<link rel="stylesheet" href="{full_path}" />')
+                already_processed.append(css_path)
+
+    if "imports" in manifest_entry:
+        for import_path in manifest_entry["imports"]:
+            tags += _generate_css_tags(import_path, already_processed)
+
+    return tags
+
+
+def _generate_plugin_css_tags(manifest_entry, url_base):
+    """Build CSS tags for a plugin manifest entry."""
+    tags = []
+    if "css" in manifest_entry:
+        for css_path in manifest_entry["css"]:
+            full_path = urljoin(settings.STATIC_URL, url_base + css_path)
+            tags.append(f'<link rel="stylesheet" href="{full_path}" />')
+    return tags
+
+
+@register.simple_tag
+@mark_safe
+def vite_asset(path):
+    """
+    Generates one <script> tag and <link> tags for each of the CSS dependencies.
+    """
+
+    if not path:
+        return ""
+
+    # Check plugin registry (non-editable plugins with pre-built assets)
+    if path in _PLUGIN_REGISTRY:
+        info = _PLUGIN_REGISTRY[path]
+        entry = info['manifest_entry']
+        url_base = info['url_base']
+        tags = _generate_plugin_css_tags(entry, url_base)
+        # Always use STATIC_URL for pre-built plugin assets, even in dev mode
+        src = urljoin(settings.STATIC_URL, url_base + entry["file"])
+        tags.append(_generate_script_tag(path, {"type": "module", "crossorigin": ""}, src=src))
+        return "".join(tags)
+
+    # Dev mode: editable plugins and core entries go through the vite dev server
+    if settings.VITE_DEV_MODE:
+        return _generate_script_tag(path, {"type": "module"})
+
+    # Prod mode
+    manifest_entry = _MANIFEST.get(path)
+    if not manifest_entry:
+        raise RuntimeError(f"Cannot find {path} in Vite manifest at {MANIFEST_PATH}")
+
+    tags = _generate_css_tags(path)
+    tags.append(
+        _generate_script_tag(
+            MANIFEST_BASE + manifest_entry["file"], {"type": "module", "crossorigin": ""}
+        )
+    )
+    return "".join(tags)
+
+
+@register.simple_tag
+@mark_safe
+def vite_hmr():
+    if not settings.VITE_DEV_MODE:
+        return ""
+    return _generate_script_tag("@vite/client", {"type": "module"})
+
+
+_dev_importmap_cache = None
+
+
+def _get_dev_importmap():
+    """Fetch the shared-dep import map from the Vite dev server. Cached after first call."""
+    global _dev_importmap_cache
+    if _dev_importmap_cache is not None:
+        return _dev_importmap_cache
+    try:
+        url = urljoin(settings.VITE_DEV_SERVER, "/__pretix_importmap")
+        raw = json.loads(urlopen(url, timeout=2).read())
+        _dev_importmap_cache = {
+            dep: urljoin(settings.VITE_DEV_SERVER, dep_path)
+            for dep, dep_path in raw.items()
+        }
+    except Exception:
+        LOGGER.warning("Failed to fetch import map from Vite dev server")
+        _dev_importmap_cache = {}
+    return _dev_importmap_cache
+
+
+@register.simple_tag(takes_context=True)
+@mark_safe
+def vite_importmap(context):
+    """Emit an import map so pre-built plugin assets can resolve shared dependencies like vue."""
+    imports = {}
+
+    if settings.VITE_DEV_MODE:
+        # Fetch the import map from the Vite dev server (served by sharedDepsPlugin)
+        imports.update(_get_dev_importmap())
+    else:
+        # Discover all _vendor/* entries from the core manifest
+        for _key, entry in _MANIFEST.items():
+            name = entry.get("name", "")
+            if name.startswith("_vendor/"):
+                bare_specifier = name[len("_vendor/"):]
+                imports[bare_specifier] = urljoin(settings.STATIC_URL, MANIFEST_BASE + entry["file"])
+
+    if not imports:
+        return ""
+
+    # Generate a nonce and store it on the request so the CSP middleware can allow it
+    nonce = secrets.token_urlsafe(16)
+    request = context.get('request')
+    if request:
+        request.csp_nonce = nonce
+
+    return f'<script type="importmap" nonce="{nonce}">{json.dumps({"imports": imports})}</script>'
@@ -24,10 +24,12 @@ import calendar
 from dateutil.rrule import DAILY, MONTHLY, WEEKLY, YEARLY, rrule, rrulestr
 from django.conf import settings
 from django.core.exceptions import ValidationError
-from django.core.validators import validate_email
+from django.core.validators import RegexValidator, validate_email
 from django.utils.deconstruct import deconstructible
 from django.utils.translation import gettext_lazy as _

+from pretix.base.templatetags.rich_text import URL_RE
+
 # This file is based on an earlier version of pretix which was released under the Apache License 2.0. The full text of
 # the Apache License 2.0 can be obtained at <http://www.apache.org/licenses/LICENSE-2.0>.
 #
@@ -113,6 +115,33 @@ def multimail_validate(val):
    return s


+class RegexValidatorInverseMatchAndParam(RegexValidator):
+    inverse_match = True
+
+    def __call__(self, value):
+        regex_matches = self.regex.search(str(value))
+        if regex_matches:
+            raise ValidationError(
+                self.message,
+                code=self.code,
+                params={
+                    "value": value,
+                    "match": regex_matches.group(0) if regex_matches else "",
+                }
+            )
+
+
+class NoUrlValidator(RegexValidatorInverseMatchAndParam):
+    regex = URL_RE
+
+    def __init__(self, **kwargs):
+        if not kwargs.get("message"):
+            kwargs["message"] = _('You entered an URL, which is not allowed. Please remove %(match)s from your input.')
+        if not kwargs.get("code"):
+            kwargs["code"] = "contains_url"
+        super().__init__(**kwargs)
+
+
 class RRuleValidator:
    def __init__(self, enforce_simple=False):
        self.enforce_simple = enforce_simple
@@ -20,6 +20,7 @@
 # <https://www.gnu.org/licenses/>.
 #
 import logging
+import re
 from collections import defaultdict
 from datetime import timedelta
 from importlib import import_module
@@ -52,6 +53,7 @@ from pretix.celery_app import app
 from pretix.helpers.http import redirect_to_url

 logger = logging.getLogger('pretix.base.tasks')
+RE_ASYNC_ID = re.compile(r"^[a-zA-Z0-9\-]+$")


 class AsyncMixin:
@@ -133,6 +135,8 @@ class AsyncMixin:
    def get_result(self, request):
        if not request.GET.get('async_id'):
            raise BadRequest("No async_id given")
+        if not RE_ASYNC_ID.match(request.GET.get('async_id')):
+            raise BadRequest("Invalid async_id given")
        res = AsyncResult(request.GET.get('async_id'))
        if 'ajax' in self.request.GET:
            return JsonResponse(self._return_ajax_result(res, timeout=0.25))
@@ -461,3 +461,31 @@ class SalesChannelCheckboxSelectMultiple(forms.CheckboxSelectMultiple):
            **super().create_option(name, value, label, selected, index, subindex, attrs),
            "plugin_missing": plugin and plugin not in self.event.get_plugins(),
        }
+
+
+class ModelChoiceIteratorWithNone(forms.models.ModelChoiceIterator):
+    # see django.forms.models.ModelChoiceIterator for original implementation
+    def __iter__(self):
+        if self.field.empty_label is not None:
+            yield ("", self.field.empty_label)
+        if self.field.none_label is not None:
+            yield ("_none", self.field.none_label)
+        queryset = self.queryset
+        # Can't use iterator() when queryset uses prefetch_related()
+        if not queryset._prefetch_related_lookups:
+            queryset = queryset.iterator()
+        for obj in queryset:
+            yield self.choice(obj)
+
+
+class ModelChoiceFieldWithNone(forms.ModelChoiceField):
+    iterator = ModelChoiceIteratorWithNone
+
+    def __init__(self, *args, **kwargs):
+        self.none_label = kwargs.pop("none_label", None)
+        super().__init__(*args, **kwargs)
+
+    def to_python(self, value):
+        if value == "_none":
+            return value
+        return super().to_python(value)
@@ -80,7 +80,7 @@ from pretix.control.forms.widgets import Select2
 from pretix.helpers.countries import CachedCountries
 from pretix.multidomain.models import AlternativeDomainAssignment, KnownDomain
 from pretix.multidomain.urlreverse import (
-    build_absolute_uri, get_organizer_domain,
+    eventreverse_absolute, get_organizer_domain,
 )
 from pretix.plugins.banktransfer.payment import BankTransfer
 from pretix.presale.style import get_fonts
@@ -219,7 +219,7 @@ class EventWizardBasicsForm(I18nModelForm):
        self.fields['location'].widget.attrs['placeholder'] = _(
            'Sample Conference Center\nHeidelberg, Germany'
        )
-        self.fields['slug'].widget.prefix = build_absolute_uri(self.organizer, 'presale:organizer.index')
+        self.fields['slug'].widget.prefix = eventreverse_absolute(self.organizer, 'presale:organizer.index')
        self.fields['tax_rate']._required = True  # Do not render as optional because it is conditionally required
        if self.has_subevents:
            del self.fields['presale_start']
@@ -1342,7 +1342,13 @@ class QuestionAnswerFilterForm(forms.Form):
            opqs = opqs.filter(canceled=False)
        if fdata.get("item", "") != "":
            i = fdata.get("item", "")
-            opqs = opqs.filter(item_id__in=(i,))
+            if '-' in i:
+                opqs = opqs.filter(
+                    item_id=i.split('-')[0],
+                    variation_id=i.split('-')[1],
+                )
+            else:
+                opqs = opqs.filter(item_id=i)

        return opqs

@@ -1528,6 +1534,133 @@ class SubEventFilterForm(FilterForm):
        return self.event.organizer.meta_properties.filter(filter_allowed=True)


+class QuotaFilterForm(FilterForm):
+    orders = {
+        '-date': ('-subevent__date_from', 'name', 'pk'),
+        'date': ('subevent__date_from', '-name', '-pk'),
+        'size': ('size', 'name', 'pk'),
+        '-size': ('-size', '-name', '-pk'),
+        'name': ('name', 'pk'),
+        '-name': ('-name', '-pk'),
+    }
+    subevent = forms.ModelChoiceField(
+        label=pgettext_lazy('subevent', 'Date'),
+        queryset=SubEvent.objects.none(),
+        required=False,
+        empty_label=pgettext_lazy('subevent', 'All dates')
+    )
+    date_from = forms.DateField(
+        label=_('Date from'),
+        required=False,
+        widget=DatePickerWidget({
+            'placeholder': _('Date from'),
+        }),
+    )
+    date_until = forms.DateField(
+        label=_('Date until'),
+        required=False,
+        widget=DatePickerWidget({
+            'placeholder': _('Date until'),
+        }),
+    )
+    time_from = forms.TimeField(
+        label=_('Start time from'),
+        required=False,
+        widget=TimePickerWidget({}),
+    )
+    time_until = forms.TimeField(
+        label=_('Start time until'),
+        required=False,
+        widget=TimePickerWidget({}),
+    )
+    weekday = forms.MultipleChoiceField(
+        label=_('Weekday'),
+        choices=(
+            ('2', _('Monday')),
+            ('3', _('Tuesday')),
+            ('4', _('Wednesday')),
+            ('5', _('Thursday')),
+            ('6', _('Friday')),
+            ('7', _('Saturday')),
+            ('1', _('Sunday')),
+        ),
+        widget=forms.CheckboxSelectMultiple,
+        required=False
+    )
+    query = forms.CharField(
+        label=_('Quota name'),
+        widget=forms.TextInput(),
+        required=False
+    )
+
+    def __init__(self, *args, **kwargs):
+        self.event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        if self.event.has_subevents:
+            self.fields['date_from'].widget = DatePickerWidget()
+            self.fields['date_until'].widget = DatePickerWidget()
+            self.fields['subevent'].queryset = self.event.subevents.all()
+            self.fields['subevent'].widget = Select2(
+                attrs={
+                    'data-model-select2': 'event',
+                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
+                        'event': self.event.slug,
+                        'organizer': self.event.organizer.slug,
+                    }),
+                    'data-placeholder': pgettext_lazy('subevent', 'All dates')
+                }
+            )
+            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
+        else:
+            del self.fields['subevent']
+            del self.fields['date_from']
+            del self.fields['date_until']
+            del self.fields['time_from']
+            del self.fields['time_until']
+            del self.fields['weekday']
+
+    def filter_qs(self, qs):
+        fdata = self.cleaned_data
+
+        if fdata.get('weekday'):
+            qs = qs.annotate(wday=ExtractWeekDay('subevent__date_from')).filter(wday__in=fdata.get('weekday'))
+
+        if fdata.get('subevent'):
+            qs = qs.filter(subevent=fdata["subevent"])
+
+        if fdata.get('query'):
+            query = fdata.get('query')
+            qs = qs.filter(name__icontains=query)
+
+        if fdata.get('date_until'):
+            date_end = make_aware(datetime.combine(
+                fdata.get('date_until') + timedelta(days=1),
+                time(hour=0, minute=0, second=0, microsecond=0)
+            ), get_current_timezone())
+            qs = qs.filter(
+                Q(subevent__date_to__isnull=True, subevent__date_from__lt=date_end) |
+                Q(subevent__date_to__isnull=False, subevent__date_to__lt=date_end)
+            )
+        if fdata.get('date_from'):
+            date_start = make_aware(datetime.combine(
+                fdata.get('date_from'),
+                time(hour=0, minute=0, second=0, microsecond=0)
+            ), get_current_timezone())
+            qs = qs.filter(subevent__date_from__gte=date_start)
+
+        if fdata.get('time_until'):
+            qs = qs.filter(subevent__date_from__time__lte=fdata.get('time_until'))
+        if fdata.get('time_from'):
+            qs = qs.filter(subevent__date_from__time__gte=fdata.get('time_from'))
+
+        if fdata.get('ordering'):
+            qs = qs.order_by(*get_deterministic_ordering(Quota, self.get_order_by()))
+        else:
+            qs = qs.order_by('-subevent__date_from', 'name', 'pk')
+
+        return qs
+
+
 class OrganizerFilterForm(FilterForm):
    orders = {
        'slug': 'slug',
@@ -1744,7 +1877,7 @@ class ReusableMediaFilterForm(FilterForm):
                Q(identifier__icontains=query)
                | Q(customer__identifier__icontains=query)
                | Q(customer__external_identifier__istartswith=query)
-                | Q(linked_orderposition__order__code__icontains=query)
+                | Q(linked_orderpositions__order__code__icontains=query)
                | Q(linked_giftcard__secret__icontains=query)
            )

@@ -104,6 +104,13 @@ class GlobalSettingsForm(SettingsForm):
                help_text=_("Will be served at {domain}/.well-known/apple-developer-merchantid-domain-association").format(
                    domain=settings.SITE_URL
                )
+            )),
+            ('widget_vite_origins', forms.CharField(
+                widget=forms.Textarea(attrs={'rows': '3'}),
+                required=False,
+                # Not translated on purpose, this is a temporary feature and contains too many special case words
+                label="Vite widget origins",
+                help_text="One origin per line (e.g. https://example.com). Requests from these origins will be served the new vite-based widget.",
            ))
        ])
        responses = register_global_settings.send(self)
@@ -43,6 +43,7 @@ from django.core.exceptions import ValidationError
 from django.db.models import Max, Q
 from django.forms import ChoiceField, RadioSelect
 from django.forms.formsets import DELETION_FIELD_NAME
+from django.forms.utils import ErrorDict
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.html import escape, format_html
@@ -375,6 +376,60 @@ class QuotaForm(I18nModelForm):
        return inst


+class QuotaBulkEditForm(QuotaForm):
+
+    def __init__(self, *args, **kwargs):
+        self.mixed_values = kwargs.pop('mixed_values')
+        self.queryset = kwargs.pop('queryset')
+        super().__init__(**kwargs)
+        self.fields.pop("subevent", None)  # Would add extra complexity and it's hard to imagine a use case for that
+        self.fields["name"].required = False
+        self.fields["itemvars"].required = False
+
+    def clean(self):
+        d = super().clean()
+        if self.prefix + "name" in self.data.getlist('_bulk') and not d.get("name"):
+            raise ValidationError({"name": _("This field is required.")})
+        if self.prefix + "itemvars" in self.data.getlist('_bulk') and not d.get("itemvars"):
+            raise ValidationError({"itemvars": _("This field is required.")})
+        return d
+
+    def save(self, commit=True):
+        objs = list(self.queryset)
+        fields = set()
+
+        for k in self.fields:
+            cb_val = self.prefix + k
+            if cb_val not in self.data.getlist('_bulk'):
+                continue
+
+            fields.add(k)
+            if k == 'itemvars':
+                selected_items = set(list(self.event.items.filter(id__in=[
+                    i.split('-')[0] for i in self.cleaned_data['itemvars']
+                ])))
+                selected_variations = list(ItemVariation.objects.filter(item__event=self.event, id__in=[
+                    i.split('-')[1] for i in self.cleaned_data['itemvars'] if '-' in i
+                ]))
+                for obj in objs:
+                    obj.items.set(selected_items)
+                    obj.variations.set(selected_variations)
+            else:
+                for obj in objs:
+                    setattr(obj, k, self.cleaned_data[k])
+
+        fields = [f for f in fields if f != 'itemvars']
+        if fields:
+            Quota.objects.bulk_update(objs, fields, 200)
+
+    def full_clean(self):
+        if len(self.data) == 0:
+            # form wasn't submitted
+            self._errors = ErrorDict()
+            return
+        super().full_clean()
+
+
 class ItemCreateForm(I18nModelForm):
    NONE = 'none'
    EXISTING = 'existing'
@@ -574,7 +629,7 @@ class ItemCreateForm(I18nModelForm):
                instance.bundles.create(bundled_item=b.bundled_item, bundled_variation=b.bundled_variation,
                                        count=b.count, designated_price=b.designated_price)
            for pt in self.cleaned_data['copy_from'].program_times.all():
-                instance.program_times.create(start=pt.start, end=pt.end)
+                instance.program_times.create(start=pt.start, end=pt.end, location=pt.location)

            item_copy_data.send(sender=self.event, source=self.cleaned_data['copy_from'], target=instance)

@@ -1354,6 +1409,10 @@ class ItemProgramTimeForm(I18nModelForm):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['end'].widget.attrs['data-date-after'] = '#id_{prefix}-start_0'.format(prefix=self.prefix)
+        self.fields['location'].widget.attrs['rows'] = '3'
+        self.fields['location'].widget.attrs['placeholder'] = _(
+            'Sample Conference Center, Heidelberg, Germany'
+        )

    class Meta:
        model = ItemProgramTime
@@ -1361,6 +1420,7 @@ class ItemProgramTimeForm(I18nModelForm):
        fields = [
            'start',
            'end',
+            'location'
        ]
        field_classes = {
            'start': forms.SplitDateTimeField,
@@ -86,9 +86,9 @@ from pretix.control.forms import ExtFileField, SplitDateTimeField
 from pretix.control.forms.event import (
    SafeEventMultipleChoiceField, multimail_validate,
 )
-from pretix.control.forms.widgets import Select2
+from pretix.control.forms.widgets import Select2, Select2Multiple
 from pretix.multidomain.models import KnownDomain
-from pretix.multidomain.urlreverse import build_absolute_uri
+from pretix.multidomain.urlreverse import eventreverse_absolute


 class OrganizerForm(I18nModelForm):
@@ -249,6 +249,15 @@ class SafeOrderPositionChoiceField(forms.ModelChoiceField):
        return f'{op.order.code}-{op.positionid} ({str(op.item) + ((" - " + str(op.variation)) if op.variation else "")})'


+class SafeOrderPositionMultipleChoiceField(forms.ModelMultipleChoiceField):
+    def __init__(self, queryset, **kwargs):
+        queryset = queryset.model.all.none()
+        super().__init__(queryset, **kwargs)
+
+    def label_from_instance(self, op):
+        return f'{op.order.code}-{op.positionid} ({str(op.item) + ((" - " + str(op.variation)) if op.variation else "")})'
+
+
 class EventMetaPropertyForm(I18nModelForm):
    class Meta:
        model = EventMetaProperty
@@ -627,6 +636,7 @@ class OrganizerSettingsForm(SettingsForm):
        'cookie_consent_dialog_button_yes',
        'cookie_consent_dialog_button_no',
        'reusable_media_active',
+        'reusable_media_usage_enforced',
        'reusable_media_type_barcode',
        'reusable_media_type_barcode_identifier_length',
        'reusable_media_type_nfc_uid',
@@ -781,7 +791,7 @@ class MailSettingsForm(SettingsForm):
        }

        if 'url' in base_parameters:
-            placeholders['url'] = build_absolute_uri(
+            placeholders['url'] = eventreverse_absolute(
                self.organizer,
                'presale:organizer.customer.activate'
            ) + '?token=' + get_random_string(30)
@@ -963,12 +973,12 @@ class ReusableMediumUpdateForm(forms.ModelForm):

    class Meta:
        model = ReusableMedium
-        fields = ['active', 'expires', 'customer', 'linked_giftcard', 'linked_orderposition', 'notes']
+        fields = ['active', 'expires', 'customer', 'linked_giftcard', 'linked_orderpositions', 'notes']
        field_classes = {
            'expires': SplitDateTimeField,
            'customer': SafeModelChoiceField,
            'linked_giftcard': SafeModelChoiceField,
-            'linked_orderposition': SafeOrderPositionChoiceField,
+            'linked_orderpositions': SafeOrderPositionMultipleChoiceField,
        }
        widgets = {
            'expires': SplitDateTimePickerWidget,
@@ -978,8 +988,8 @@ class ReusableMediumUpdateForm(forms.ModelForm):
        super().__init__(*args, **kwargs)
        organizer = self.instance.organizer

-        self.fields['linked_orderposition'].queryset = OrderPosition.all.filter(order__event__organizer=organizer).all()
-        self.fields['linked_orderposition'].widget = Select2(
+        self.fields['linked_orderpositions'].queryset = OrderPosition.all.filter(order__event__organizer=organizer).all()
+        self.fields['linked_orderpositions'].widget = Select2Multiple(
            attrs={
                'data-model-select2': 'generic',
                'data-select2-url': reverse('control:organizer.ticket_select2', kwargs={
@@ -987,8 +997,8 @@ class ReusableMediumUpdateForm(forms.ModelForm):
                }),
            }
        )
-        self.fields['linked_orderposition'].widget.choices = self.fields['linked_orderposition'].choices
-        self.fields['linked_orderposition'].required = False
+        self.fields['linked_orderpositions'].widget.choices = self.fields['linked_orderpositions'].choices
+        self.fields['linked_orderpositions'].required = False

        self.fields['linked_giftcard'].queryset = organizer.issued_gift_cards.all()
        self.fields['linked_giftcard'].widget = Select2(
@@ -1042,12 +1052,12 @@ class ReusableMediumCreateForm(ReusableMediumUpdateForm):

    class Meta:
        model = ReusableMedium
-        fields = ['active', 'type', 'identifier', 'expires', 'linked_orderposition', 'linked_giftcard', 'customer', 'notes']
+        fields = ['active', 'type', 'identifier', 'expires', 'linked_orderpositions', 'linked_giftcard', 'customer', 'notes']
        field_classes = {
            'expires': SplitDateTimeField,
            'customer': SafeModelChoiceField,
            'linked_giftcard': SafeModelChoiceField,
-            'linked_orderposition': SafeOrderPositionChoiceField,
+            'linked_orderpositions': SafeOrderPositionMultipleChoiceField,
        }
        widgets = {
            'expires': SplitDateTimePickerWidget,
@@ -29,17 +29,30 @@ class Select2Mixin:
        super().__init__(*args, **kwargs)

    def options(self, name, value, attrs=None):
-        if value and value[0]:
-            for i, selected in enumerate(self.choices.queryset.filter(pk__in=value)):
-                yield self.create_option(
-                    None,
-                    self.choices.field.prepare_value(selected),
-                    self.choices.field.label_from_instance(selected),
-                    True,
-                    i,
-                    subindex=None,
-                    attrs=attrs
-                )
+        if not value or not value[0]:
+            return
+        has_none = "_none" in value
+        if has_none:
+            value = [v for v in value if v != "_none"]
+            yield self.create_option(
+                None,
+                "_none",
+                self.choices.field.none_label,
+                True,
+                0,
+                subindex=None,
+                attrs=attrs
+            )
+        for i, selected in enumerate(self.choices.queryset.filter(pk__in=value)):
+            yield self.create_option(
+                None,
+                self.choices.field.prepare_value(selected),
+                self.choices.field.label_from_instance(selected),
+                True,
+                i + (1 if has_none else 0),
+                subindex=None,
+                attrs=attrs
+            )
        return

    def optgroups(self, name, value, attrs=None):
@@ -34,11 +34,11 @@
 # License for the specific language governing permissions and limitations under the License.

 from collections import defaultdict
+from datetime import datetime
 from decimal import Decimal
 from typing import Optional

 import bleach
-import dateutil.parser
 from django.dispatch import receiver
 from django.urls import reverse
 from django.utils.formats import date_format
@@ -248,7 +248,7 @@ class OrderValidFromChanged(OrderChangeLogEntryType):
    def display_prefixed(self, event: Event, logentry: LogEntry, data):
        return _('The validity start date for position #{posid} has been changed to {value}.').format(
            posid=data.get('positionid', '?'),
-            value=date_format(dateutil.parser.parse(data.get('new_value')), 'SHORT_DATETIME_FORMAT') if data.get(
+            value=date_format(datetime.fromisoformat(data.get('new_value')), 'SHORT_DATETIME_FORMAT') if data.get(
                'new_value') else '–'
        )

@@ -260,7 +260,7 @@ class OrderValidUntilChanged(OrderChangeLogEntryType):
    def display_prefixed(self, event: Event, logentry: LogEntry, data):
        return _('The validity end date for position #{posid} has been changed to {value}.').format(
            posid=data.get('positionid', '?'),
-            value=date_format(dateutil.parser.parse(data.get('new_value')), 'SHORT_DATETIME_FORMAT') if data.get('new_value') else '–'
+            value=date_format(datetime.fromisoformat(data.get('new_value')), 'SHORT_DATETIME_FORMAT') if data.get('new_value') else '–'
        )


@@ -364,7 +364,7 @@ class CheckinErrorLogEntryType(OrderLogEntryType):
        data['posid'] = logentry.parsed_data.get('positionid', '?')

        if 'datetime' in data:
-            dt = dateutil.parser.parse(data.get('datetime'))
+            dt = datetime.fromisoformat(data.get('datetime'))
            if abs((logentry.datetime - dt).total_seconds()) > 5 or data.get('forced'):
                if event:
                    data['datetime'] = date_format(dt.astimezone(event.timezone), "SHORT_DATETIME_FORMAT")
@@ -430,7 +430,7 @@ class OrderPrintLogEntryType(OrderLogEntryType):
        return _('Position #{posid} has been printed at {datetime} with type "{type}".').format(
            posid=data.get('positionid'),
            datetime=date_format(
-                dateutil.parser.parse(data["datetime"]).astimezone(logentry.event.timezone),
+                datetime.fromisoformat(data["datetime"]).astimezone(logentry.event.timezone),
                "SHORT_DATETIME_FORMAT"
            ) if logentry.event else data["datetime"],
            type=dict(PrintLog.PRINT_TYPES)[data["type"]],
@@ -743,7 +743,10 @@ class CoreUserImpersonatedLogEntryType(UserImpersonatedLogEntryType):
    'pretix.reusable_medium.created': _('The reusable medium has been created.'),
    'pretix.reusable_medium.created.auto': _('The reusable medium has been created automatically.'),
    'pretix.reusable_medium.changed': _('The reusable medium has been changed.'),
+    'pretix.reusable_medium.linked_orderposition.added': _('A new ticket has been added to the medium.'),
+    'pretix.reusable_medium.linked_orderposition.removed': _('A ticket has been removed from the medium.'),
    'pretix.reusable_medium.linked_orderposition.changed': _('The medium has been connected to a new ticket.'),
+    'pretix.reusable_medium.exchanged': _('The ticket #{positionid} was exchanged for reusable medium {medium_identifier}.'),
    'pretix.reusable_medium.linked_giftcard.changed': _('The medium has been connected to a new gift card.'),
    'pretix.email.error': _('Sending of an email has failed.'),
    'pretix.event.comment': _('The event\'s internal comment has been updated.'),
@@ -985,7 +988,7 @@ class LegacyCheckinLogEntryType(OrderLogEntryType):

    def display(self, logentry, data):
        # deprecated
-        dt = dateutil.parser.parse(data.get('datetime'))
+        dt = datetime.fromisoformat(data.get('datetime'))
        tz = logentry.event.timezone
        dt_formatted = date_format(dt.astimezone(tz), "SHORT_DATETIME_FORMAT")
        if 'list' in data:
--- a/Show More
+++ b/Show More