reauth flow token

add a special token to always allow completing a form submission, even if the reauthentication time has expired

.github/workflows/build.yml

@@ -24,7 +24,7 @@ jobs:
     name: Packaging
     strategy:
       matrix:
-        python-version: ["3.13"]
+        python-version: ["3.11"]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}

.github/workflows/strings.yml

@@ -24,10 +24,10 @@ jobs:
     name: Check gettext syntax
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.11
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -49,10 +49,10 @@ jobs:
     name: Spellcheck
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.11
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip

.github/workflows/style.yml

@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.11
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -44,10 +44,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.11
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -64,10 +64,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.11
       - name: Install Dependencies
         run: pip3 install licenseheaders
       - name: Run licenseheaders

.github/workflows/tests.yml

@@ -23,15 +23,13 @@ jobs:
     name: Tests
     strategy:
       matrix:
-        python-version: ["3.11", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.13"]
         database: [sqlite, postgres]
         exclude:
           - database: sqlite
             python-version: "3.10"
           - database: sqlite
             python-version: "3.11"
-          - database: sqlite
-            python-version: "3.12"
     services:
       postgres:
         image: postgres:15
@@ -83,4 +81,4 @@ jobs:
           file: src/coverage.xml
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: false
-        if: matrix.database == 'postgres' && matrix.python-version == '3.13'
+        if: matrix.database == 'postgres' && matrix.python-version == '3.11'

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.13-trixie
+FROM python:3.11-bookworm
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \

pyproject.toml

@@ -3,7 +3,7 @@ name = "pretix"
 dynamic = ["version"]
 description = "Reinventing presales, one ticket at a time"
 readme = "README.rst"
-requires-python = ">=3.11"
+requires-python = ">=3.10"
 license = {file = "LICENSE"}
 keywords = ["tickets", "web", "shop", "ecommerce"]
 authors = [
@@ -19,11 +19,10 @@ classifiers = [
   "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
   "Environment :: Web Environment",
   "License :: OSI Approved :: GNU Affero General Public License v3",
+  "Programming Language :: Python :: 3.9",
+  "Programming Language :: Python :: 3.10",
   "Programming Language :: Python :: 3.11",
-  "Programming Language :: Python :: 3.12",
-  "Programming Language :: Python :: 3.13",
-  "Programming Language :: Python :: 3.14",
-  "Framework :: Django :: 5.2",
+  "Framework :: Django :: 4.2",
 ]
 
 dependencies = [
@@ -37,7 +36,7 @@ dependencies = [
   "css-inline==0.20.*",
   "defusedcsv>=1.1.0",
   "dnspython==2.*",
-  "Django[argon2]==5.2.*",
+  "Django[argon2]==4.2.*,>=4.2.26",
   "django-bootstrap3==26.1",
   "django-compressor==4.6.0",
   "django-countries==8.2.*",
@@ -60,7 +59,7 @@ dependencies = [
   "dnspython==2.8.*",
   "drf_ujson2==1.7.*",
   "geoip2==5.*",
-  "importlib_metadata==9.*",  # Polyfill, we can probably drop this once we require Python 3.10+
+  "importlib_metadata==8.*",  # Polyfill, we can probably drop this once we require Python 3.10+
   "isoweek",
   "jsonschema",
   "kombu==5.6.*",
@@ -76,7 +75,7 @@ dependencies = [
   "paypal-checkout-serversdk==1.0.*",
   "PyJWT==2.12.*",
   "phonenumberslite==9.0.*",
-  "Pillow==12.2.*",
+  "Pillow==12.1.*",
   "pretix-plugin-build",
   "protobuf==7.34.*",
   "psycopg2-binary",
@@ -90,10 +89,10 @@ dependencies = [
   "pytz-deprecation-shim==0.1.*",
   "pyuca",
   "qrcode==8.2",
-  "redis==7.4.*",
+  "redis==7.1.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.57.*",
+  "sentry-sdk==2.54.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.4.0.dev0"
+__version__ = "2026.3.0.dev0"

src/pretix/base/exporter.py

@@ -47,7 +47,6 @@ from django.utils.formats import localize
 from django.utils.translation import gettext, gettext_lazy as _
 
 from pretix.base.models import Event
-from pretix.base.models.auth import PermissionHolder
 from pretix.helpers.safe_openpyxl import (  # NOQA: backwards compatibility for plugins using excel_safe
     SafeWorkbook, remove_invalid_excel_chars as excel_safe,
 )
@@ -60,20 +59,11 @@ class BaseExporter:
     This is the base class for all data exporters
     """
 
-    def __init__(self, event, organizer, permission_holder: PermissionHolder=None, progress_callback=lambda v: None):
-        """
-        :param event: Event context, can also be a queryset of events for multi-event exports
-        :param organizer: Organizer context
-        :param user: The user who triggered the export (or None).
-        :param token: The API token that triggered the export (or None).
-        :param device: The device that triggered the export (or None)
-        :param progress_callback: Callback function with progress
-        """
+    def __init__(self, event, organizer, progress_callback=lambda v: None):
         self.event = event
         self.organizer = organizer
         self.progress_callback = progress_callback
         self.is_multievent = isinstance(event, QuerySet)
-        self.permission_holder = permission_holder
         if isinstance(event, QuerySet):
             self.events = event
             self.event = None
@@ -190,7 +180,7 @@ class BaseExporter:
         return True
 
     @classmethod
-    def get_required_event_permission(cls) -> Optional[str]:
+    def get_required_event_permission(cls) -> str:
         """
         The permission level required to use this exporter for events. For multi-event-exports, this will be used
         to limit the selection of events. Will be ignored if the ``OrganizerLevelExportMixin`` mixin is used.
@@ -205,7 +195,7 @@ class OrganizerLevelExportMixin:
         raise TypeError("required_event_permission may not be called on OrganizerLevelExportMixin")
 
     @classmethod
-    def get_required_organizer_permission(cls) -> Optional[str]:
+    def get_required_organizer_permission(cls) -> str:
         """
         The permission level required to use this exporter. Must be set for organizer-level exports. Set to `None` to
         allow everyone with any access to the organizer.

src/pretix/base/forms/auth.py

@@ -196,7 +196,8 @@ class RegistrationForm(forms.Form):
     def clean_password(self):
         password1 = self.cleaned_data.get('password', '')
         user = User(email=self.cleaned_data.get('email'))
-        validate_password(password1, user=user)
+        if validate_password(password1, user=user) is not None:
+            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
         return password1
 
     def clean_email(self):

src/pretix/base/forms/questions.py

@@ -45,6 +45,7 @@ import pycountry
 from django import forms
 from django.conf import settings
 from django.contrib import messages
+from django.contrib.gis.geoip2 import GeoIP2
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.core.validators import (
@@ -101,7 +102,6 @@ from pretix.helpers.countries import (
 from pretix.helpers.escapejson import escapejson_attr
 from pretix.helpers.http import get_client_ip
 from pretix.helpers.i18n import get_format_without_seconds
-from pretix.helpers.security import get_geoip
 from pretix.presale.signals import question_form_fields
 
 logger = logging.getLogger(__name__)
@@ -393,7 +393,7 @@ class WrappedPhoneNumberPrefixWidget(PhoneNumberPrefixWidget):
 
 def guess_country_from_request(request, event):
     if settings.HAS_GEOIP:
-        g = get_geoip()
+        g = GeoIP2()
         try:
             res = g.country(get_client_ip(request))
             if res['country_code'] and len(res['country_code']) == 2:

src/pretix/base/management/commands/makemigrations.py

@@ -36,9 +36,8 @@ from django.core.management.commands.makemigrations import Command as Parent
 
 from ._migrations import monkeypatch_migrations
 
+monkeypatch_migrations()
+
 
 class Command(Parent):
-
-    def handle(self, *args, **kwargs):
-        monkeypatch_migrations()
-        return super().handle(*args, **kwargs)
+    pass

src/pretix/base/management/commands/runperiodic.py

@@ -64,7 +64,7 @@ class Command(BaseCommand):
         if not periodic_task.receivers or periodic_task.sender_receivers_cache.get(self) is NO_RECEIVERS:
             return
 
-        for receiver in periodic_task._live_receivers(self)[0]:
+        for receiver in periodic_task._live_receivers(self):
             name = f'{receiver.__module__}.{receiver.__name__}'
             if options['list_tasks']:
                 print(name)

src/pretix/base/migrations/0234_total_ordering.py

@@ -41,20 +41,16 @@ class Migration(migrations.Migration):
             name='datetime',
             field=models.DateTimeField(),
         ),
-        migrations.AddIndex(
-            'logentry',
-            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b1fe5a_idx"),
+        migrations.AlterIndexTogether(
+            name='logentry',
+            index_together={('datetime', 'id')},
         ),
-        migrations.AddIndex(
-            'order',
-            models.Index(fields=["datetime", "id"], name="pretixbase__datetim_66aff0_idx"),
+        migrations.AlterIndexTogether(
+            name='order',
+            index_together={('datetime', 'id'), ('last_modified', 'id')},
         ),
-        migrations.AddIndex(
-            'order',
-            models.Index(fields=["last_modified", "id"], name="pretixbase__last_mo_4ebf8b_idx"),
-        ),
-        migrations.AddIndex(
-            'transaction',
-            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b20405_idx"),
+        migrations.AlterIndexTogether(
+            name='transaction',
+            index_together={('datetime', 'id')},
         ),
     ]

src/pretix/base/migrations/0236_reusable_media.py

@@ -61,10 +61,7 @@ class Migration(migrations.Migration):
             options={
                 'ordering': ('identifier', 'type', 'organizer'),
                 'unique_together': {('identifier', 'type', 'organizer')},
-                'indexes': [
-                    models.Index(fields=('identifier', 'type', 'organizer'), name='reusable_medium_organizer_index'),
-                    models.Index(fields=('updated', 'id'), name="pretixbase__updated_093277_idx")
-                ],
+                'index_together': {('identifier', 'type', 'organizer'), ('updated', 'id')},
             },
             bases=(models.Model, pretix.base.models.base.LoggingMixin),
         ),

src/pretix/base/migrations/0246_bigint.py

@@ -9,6 +9,31 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.RenameIndex(
+            model_name="logentry",
+            new_name="pretixbase__datetim_b1fe5a_idx",
+            old_fields=("datetime", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="order",
+            new_name="pretixbase__datetim_66aff0_idx",
+            old_fields=("datetime", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="order",
+            new_name="pretixbase__last_mo_4ebf8b_idx",
+            old_fields=("last_modified", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="reusablemedium",
+            new_name="pretixbase__updated_093277_idx",
+            old_fields=("updated", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="transaction",
+            new_name="pretixbase__datetim_b20405_idx",
+            old_fields=("datetime", "id"),
+        ),
         migrations.AlterField(
             model_name="attendeeprofile",
             name="id",

src/pretix/base/migrations/0260_alter_reusablemedium_index_together.py

@@ -1,6 +1,6 @@
 # Generated by Django 4.2.10 on 2024-04-02 15:16
 
-from django.db import migrations, models
+from django.db import migrations
 
 
 class Migration(migrations.Migration):
@@ -10,8 +10,8 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RemoveIndex(
-            "reusablemedium",
-            'reusable_medium_organizer_index',
+        migrations.AlterIndexTogether(
+            name="reusablemedium",
+            index_together=set(),
         ),
     ]

src/pretix/base/modelimport.py

@@ -70,10 +70,6 @@ def parse_csv(file, length=None, mode="strict", charset=None):
         except ImportError:
             charset = file.charset
     data = data.decode(charset or "utf-8", mode)
-
-    # remove stray linebreaks from the end of the file
-    data = data.rstrip("\n")
-
     # If the file was modified on a Mac, it only contains \r as line breaks
     if '\r' in data and '\n' not in data:
         data = data.replace('\r', '\n')

src/pretix/base/models/_transactions.py

@@ -29,9 +29,7 @@ import inspect
 import logging
 import os
 import threading
-from pathlib import Path
 
-import django
 from django.conf import settings
 from django.db import transaction
 
@@ -76,14 +74,10 @@ def _transactions_mark_order_dirty(order_id, using=None):
     if "PYTEST_CURRENT_TEST" in os.environ:
         # We don't care about Order.objects.create() calls in test code so let's try to figure out if this is test code
         # or not.
-        for frame in inspect.stack()[1:]:
-            if (
-                'pretix/base/models/orders' in frame.filename
-                or Path(frame.filename).is_relative_to(Path(django.__file__).parent)
-            ):
-                # Ignore model- and django-internal code
+        for frame in inspect.stack():
+            if 'pretix/base/models/orders' in frame.filename:
                 continue
-            elif 'test_' in frame.filename or 'conftest.py' in frame.filename:
+            elif 'test_' in frame.filename or 'conftest.py in frame.filename':
                 return
             elif 'pretix/' in frame.filename or 'pretix_' in frame.filename:
                 # This went through non-test code, let's consider it non-test

src/pretix/base/models/auth.py

@@ -38,7 +38,6 @@ import operator
 import secrets
 from datetime import timedelta
 from functools import reduce
-from typing import Protocol
 
 from django.conf import settings
 from django.contrib.auth.models import (
@@ -68,14 +67,6 @@ class EmailAddressTakenError(IntegrityError):
     pass
 
 
-class PermissionHolder(Protocol):
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
-        ...
-
-    def has_organizer_permission(self, organizer, perm_name=None, request=None):
-        ...
-
-
 class UserManager(BaseUserManager):
     """
     This is the user manager for our custom user model. See the User
@@ -705,18 +696,6 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         return self.teams.exists()
 
 
-class UserWithStaffSession:
-    # Wrapper around a User object with a staff session, implementing the PermissionHolder Protocol
-    def __init__(self, user):
-        self.user = user
-
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
-        return True
-
-    def has_organizer_permission(self, organizer, perm_name=None, request=None):
-        return True
-
-
 class UserKnownLoginSource(models.Model):
     user = models.ForeignKey('User', on_delete=models.CASCADE, related_name="known_login_sources")
     agent_type = models.CharField(max_length=255, null=True, blank=True)

src/pretix/base/models/devices.py

@@ -229,7 +229,7 @@ class Device(LoggedModel):
         """
         return self._organizer_permission_set() if self.organizer == organizer else set()
 
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
         Checks if this token is part of a team that grants access of type ``perm_name``
         to the event ``event``.
@@ -238,7 +238,6 @@ class Device(LoggedModel):
         :param event: The event to check
         :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
-        :param session_key: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         has_event_access = (self.all_events and organizer == self.organizer) or (

src/pretix/base/models/log.py

@@ -88,7 +88,7 @@ class LogEntry(models.Model):
 
     class Meta:
         ordering = ('-datetime', '-id')
-        indexes = [models.Index(fields=["datetime", "id"], name="pretixbase__datetim_b1fe5a_idx")]
+        indexes = [models.Index(fields=["datetime", "id"])]
 
     def display(self):
         from pretix.base.logentrytype_registry import log_entry_types

src/pretix/base/models/media.py

@@ -122,7 +122,7 @@ class ReusableMedium(LoggedModel):
     class Meta:
         unique_together = (("identifier", "type", "organizer"),)
         indexes = [
-            models.Index(fields=("updated", "id"), name="pretixbase__updated_093277_idx"),
+            models.Index(fields=("updated", "id")),
         ]
         ordering = "identifier", "type", "organizer"
 

src/pretix/base/models/orders.py

@@ -336,8 +336,8 @@ class Order(LockModel, LoggedModel):
         verbose_name_plural = _("Orders")
         ordering = ("-datetime", "-pk")
         indexes = [
-            models.Index(fields=["datetime", "id"], name="pretixbase__datetim_66aff0_idx"),
-            models.Index(fields=["last_modified", "id"], name="pretixbase__last_mo_4ebf8b_idx"),
+            models.Index(fields=["datetime", "id"]),
+            models.Index(fields=["last_modified", "id"]),
         ]
         constraints = [
             models.UniqueConstraint(fields=["organizer", "code"], name="order_organizer_code_uniq"),
@@ -590,7 +590,7 @@ class Order(LockModel, LoggedModel):
             not kwargs.get('force_save_with_deferred_fields', None) and
             (not update_fields or ('require_approval' not in update_fields and 'status' not in update_fields))
         ):
-            _fail("It is unsafe to call save() on an Order with deferred fields since we can't check if you missed "
+            _fail("It is unsafe to call save() on an OrderFee with deferred fields since we can't check if you missed "
                   "creating a transaction. Call save(force_save_with_deferred_fields=True) if you really want to do "
                   "this.")
 
@@ -2841,7 +2841,7 @@ class OrderPosition(AbstractPosition):
             if Transaction.key(self) != self.__initial_transaction_key or self.canceled != self.__initial_canceled or not self.pk:
                 _transactions_mark_order_dirty(self.order_id, using=kwargs.get('using', None))
         elif not kwargs.get('force_save_with_deferred_fields', None):
-            _fail("It is unsafe to call save() on an OrderPosition with deferred fields since we can't check if you missed "
+            _fail("It is unsafe to call save() on an OrderFee with deferred fields since we can't check if you missed "
                   "creating a transaction. Call save(force_save_with_deferred_fields=True) if you really want to do "
                   "this.")
 
@@ -3080,7 +3080,7 @@ class Transaction(models.Model):
     class Meta:
         ordering = 'datetime', 'pk'
         indexes = [
-            models.Index(fields=['datetime', 'id'], name="pretixbase__datetim_b20405_idx")
+            models.Index(fields=['datetime', 'id'])
         ]
 
     def save(self, *args, **kwargs):

src/pretix/base/models/organizer.py

@@ -319,9 +319,6 @@ class TeamQuerySet(models.QuerySet):
     def event_permission_q(cls, perm_name):
         from ..permissions import assert_valid_event_permission
 
-        if perm_name is None:
-            return Q()
-
         if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT:  # legacy
             return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
         assert_valid_event_permission(perm_name, allow_legacy=False)
@@ -334,9 +331,6 @@ class TeamQuerySet(models.QuerySet):
     def organizer_permission_q(cls, perm_name):
         from ..permissions import assert_valid_organizer_permission
 
-        if perm_name is None:
-            return Q()
-
         if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT:  # legacy
             return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
         assert_valid_organizer_permission(perm_name, allow_legacy=False)
@@ -556,7 +550,7 @@ class TeamAPIToken(models.Model):
         """
         return self.team.organizer_permission_set() if self.team.organizer == organizer else set()
 
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
         Checks if this token is part of a team that grants access of type ``perm_name``
         to the event ``event``.
@@ -565,7 +559,6 @@ class TeamAPIToken(models.Model):
         :param event: The event to check
         :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
-        :param session_key: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         has_event_access = (self.team.all_events and organizer == self.team.organizer) or (

src/pretix/base/pdf.py

@@ -54,7 +54,7 @@ from bidi import get_display
 from django.conf import settings
 from django.contrib.staticfiles import finders
 from django.core.exceptions import ValidationError
-from django.db.models import Exists, Max, Min, OuterRef
+from django.db.models import Max, Min
 from django.db.models.fields.files import FieldFile
 from django.dispatch import receiver
 from django.utils.deconstruct import deconstructible
@@ -76,7 +76,7 @@ from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import Paragraph
 
 from pretix.base.i18n import language
-from pretix.base.models import Checkin, Event, Order, OrderPosition, Question
+from pretix.base.models import Event, Order, OrderPosition, Question
 from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.signals import layout_image_variables, layout_text_variables
 from pretix.base.templatetags.money import money_filter
@@ -379,13 +379,6 @@ DEFAULT_VARIABLES = OrderedDict((
             str(p) for p in generate_compressed_addon_list(op, order, ev)
         ])
     }),
-    ("checked_in_addons", {
-        "label": _("List of Checked-In Add-Ons"),
-        "editor_sample": _("Add-on 1\n2x Add-on 2"),
-        "evaluate": lambda op, order, ev: "\n".join([
-            str(p) for p in generate_compressed_addon_list(op, order, ev, only_checked_in=True)
-        ])
-    }),
     ("organizer", {
         "label": _("Organizer name"),
         "editor_sample": _("Event organizer company"),
@@ -757,16 +750,12 @@ def get_program_times(op: OrderPosition, ev: Event):
     ])
 
 
-def generate_compressed_addon_list(op, order, event, only_checked_in=False):
+def generate_compressed_addon_list(op, order, event):
     itemcount = defaultdict(int)
-    addon_qs = (
+    addons = [p for p in (
         op.addons.all() if 'addons' in getattr(op, '_prefetched_objects_cache', {})
         else op.addons.select_related('item', 'variation')
-    )
-    if only_checked_in:
-        addon_qs = addon_qs.filter(Exists(Checkin.objects.filter(position=OuterRef('pk'))), canceled=False)
-    addons = [p for p in addon_qs if not p.canceled]
-
+    ) if not p.canceled]
     for pos in addons:
         itemcount[pos.item, pos.variation] += 1
 

src/pretix/base/services/export.py

@@ -40,7 +40,6 @@ from pretix.base.models import (
     CachedFile, Device, Event, Organizer, ScheduledEventExport, TeamAPIToken,
     User, cachedfile_name,
 )
-from pretix.base.models.auth import UserWithStaffSession
 from pretix.base.models.exports import ScheduledOrganizerExport
 from pretix.base.services.mail import mail
 from pretix.base.services.tasks import (
@@ -212,12 +211,7 @@ def init_event_exporters(event, user=None, token=None, device=None, request=None
         if not perm_holder.has_event_permission(event.organizer, event, permission_name, request) and not staff_session:
             continue
 
-        exporter: BaseExporter = response(
-            event=event,
-            organizer=event.organizer,
-            permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-            **kwargs
-        )
+        exporter: BaseExporter = response(event=event, organizer=event.organizer, **kwargs)
 
         if not exporter.available_for_user(user if user and user.is_authenticated else None):
             continue
@@ -249,12 +243,7 @@ def init_organizer_exporters(
             continue
 
         if issubclass(response, OrganizerLevelExportMixin):
-            exporter: BaseExporter = response(
-                event=Event.objects.none(),
-                organizer=organizer,
-                permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-                **kwargs,
-            )
+            exporter: BaseExporter = response(event=Event.objects.none(), organizer=organizer, **kwargs)
 
             try:
                 if not perm_holder.has_organizer_permission(organizer, response.get_required_organizer_permission(), request) and not staff_session:
@@ -306,12 +295,7 @@ def init_organizer_exporters(
             if not _has_permission_on_any_team_cache[permission_name] and not staff_session:
                 continue
 
-            exporter: BaseExporter = response(
-                event=_event_list_cache[permission_name],
-                organizer=organizer,
-                permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-                **kwargs,
-            )
+            exporter: BaseExporter = response(event=_event_list_cache[permission_name], organizer=organizer, **kwargs)
 
         if not exporter.available_for_user(user if user and user.is_authenticated else None):
             continue

src/pretix/base/services/mail.py

@@ -411,7 +411,7 @@ def mail_send_task(self, **kwargs) -> bool:
         try:
             outgoing_mail = OutgoingMail.objects.select_for_update(of=OF_SELF).get(pk=outgoing_mail)
         except OutgoingMail.DoesNotExist:
-            logger.info(f"Ignoring job for non existing email {outgoing_mail}")
+            logger.info(f"Ignoring job for non existing email {outgoing_mail.guid}")
             return False
         if outgoing_mail.status == OutgoingMail.STATUS_INFLIGHT:
             logger.info(f"Ignoring job for inflight email {outgoing_mail.guid}")

src/pretix/base/services/orders.py

@@ -67,9 +67,9 @@ from pretix.base.email import get_email_context
 from pretix.base.i18n import get_language_without_region, language
 from pretix.base.media import MEDIA_TYPES
 from pretix.base.models import (
-    CartPosition, Device, Event, GiftCard, Item, ItemVariation, LogEntry,
-    Membership, Order, OrderPayment, OrderPosition, Quota, Seat,
-    SeatCategoryMapping, User, Voucher,
+    CartPosition, Device, Event, GiftCard, Item, ItemVariation, Membership,
+    Order, OrderPayment, OrderPosition, Quota, Seat, SeatCategoryMapping, User,
+    Voucher,
 )
 from pretix.base.models.event import SubEvent
 from pretix.base.models.orders import (
@@ -1618,7 +1618,7 @@ class OrderChangeManager:
     MembershipOperation = namedtuple('MembershipOperation', ('position', 'membership'))
     CancelOperation = namedtuple('CancelOperation', ('position', 'price_diff'))
     AddOperation = namedtuple('AddOperation', ('item', 'variation', 'price', 'addon_to', 'subevent', 'seat', 'membership',
-                                               'valid_from', 'valid_until', 'is_bundled', 'result', 'count'))
+                                               'valid_from', 'valid_until', 'is_bundled', 'result'))
     SplitOperation = namedtuple('SplitOperation', ('position',))
     FeeValueOperation = namedtuple('FeeValueOperation', ('fee', 'value', 'price_diff'))
     AddFeeOperation = namedtuple('AddFeeOperation', ('fee', 'price_diff'))
@@ -1632,24 +1632,16 @@ class OrderChangeManager:
     ForceRecomputeOperation = namedtuple('ForceRecomputeOperation', tuple())
 
     class AddPositionResult:
-        _positions: Optional[List[OrderPosition]]
+        _position: Optional[OrderPosition]
 
         def __init__(self):
-            self._positions = None
+            self._position = None
 
         @property
         def position(self) -> OrderPosition:
-            if self._positions is None:
+            if self._position is None:
                 raise RuntimeError("Order position has not been created yet. Call commit() first on OrderChangeManager.")
-            if len(self._positions) != 1:
-                raise RuntimeError("More than one position created.")
-            return self._positions[0]
-
-        @property
-        def positions(self) -> List[OrderPosition]:
-            if self._positions is None:
-                raise RuntimeError("Order position has not been created yet. Call commit() first on OrderChangeManager.")
-            return self._positions
+            return self._position
 
     def __init__(self, order: Order, user=None, auth=None, notify=True, reissue_invoice=True, allow_blocked_seats=False):
         self.order = order
@@ -1856,12 +1848,8 @@ class OrderChangeManager:
 
     def add_position(self, item: Item, variation: ItemVariation, price: Decimal, addon_to: OrderPosition = None,
                      subevent: SubEvent = None, seat: Seat = None, membership: Membership = None,
-                     valid_from: datetime = None, valid_until: datetime = None, count: int = 1) -> 'OrderChangeManager.AddPositionResult':
-        if count < 1:
-            raise ValueError("Count must be positive")
+                     valid_from: datetime = None, valid_until: datetime = None) -> 'OrderChangeManager.AddPositionResult':
         if isinstance(seat, str):
-            if count > 1:
-                raise ValueError("Cannot combine count > 1 with seat")
             if not seat:
                 seat = None
             else:
@@ -1915,14 +1903,14 @@ class OrderChangeManager:
         if self.order.event.settings.invoice_include_free or price.gross != Decimal('0.00'):
             self._invoice_dirty = True
 
-        self._totaldiff_guesstimate += price.gross * count
-        self._quotadiff.update({q: count for q in new_quotas})
+        self._totaldiff_guesstimate += price.gross
+        self._quotadiff.update(new_quotas)
         if seat:
             self._seatdiff.update([seat])
 
         result = self.AddPositionResult()
         self._operations.append(self.AddOperation(item, variation, price, addon_to, subevent, seat, membership,
-                                                  valid_from, valid_until, is_bundled, result, count))
+                                                  valid_from, valid_until, is_bundled, result))
         return result
 
     def split(self, position: OrderPosition):
@@ -2542,35 +2530,29 @@ class OrderChangeManager:
                     secret_dirty.remove(position)
                 position.save(update_fields=['canceled', 'secret'])
             elif isinstance(op, self.AddOperation):
-                new_pos = []
-                new_logs = []
-                for i in range(op.count):
-                    pos = OrderPosition.objects.create(
-                        item=op.item, variation=op.variation, addon_to=op.addon_to,
-                        price=op.price.gross, order=self.order, tax_rate=op.price.rate, tax_code=op.price.code,
-                        tax_value=op.price.tax, tax_rule=op.item.tax_rule,
-                        positionid=nextposid, subevent=op.subevent, seat=op.seat,
-                        used_membership=op.membership, valid_from=op.valid_from, valid_until=op.valid_until,
-                        is_bundled=op.is_bundled,
-                    )
-                    nextposid += 1
-                    new_pos.append(pos)
-                    new_logs.append(self.order.log_action('pretix.event.order.changed.add', user=self.user, auth=self.auth, data={
-                        'position': pos.pk,
-                        'item': op.item.pk,
-                        'variation': op.variation.pk if op.variation else None,
-                        'addon_to': op.addon_to.pk if op.addon_to else None,
-                        'price': op.price.gross,
-                        'positionid': pos.positionid,
-                        'membership': pos.used_membership_id,
-                        'subevent': op.subevent.pk if op.subevent else None,
-                        'seat': op.seat.pk if op.seat else None,
-                        'valid_from': op.valid_from.isoformat() if op.valid_from else None,
-                        'valid_until': op.valid_until.isoformat() if op.valid_until else None,
-                    }, save=False))
-
-                op.result._positions = new_pos
-                LogEntry.bulk_create_and_postprocess(new_logs)
+                pos = OrderPosition.objects.create(
+                    item=op.item, variation=op.variation, addon_to=op.addon_to,
+                    price=op.price.gross, order=self.order, tax_rate=op.price.rate, tax_code=op.price.code,
+                    tax_value=op.price.tax, tax_rule=op.item.tax_rule,
+                    positionid=nextposid, subevent=op.subevent, seat=op.seat,
+                    used_membership=op.membership, valid_from=op.valid_from, valid_until=op.valid_until,
+                    is_bundled=op.is_bundled,
+                )
+                nextposid += 1
+                self.order.log_action('pretix.event.order.changed.add', user=self.user, auth=self.auth, data={
+                    'position': pos.pk,
+                    'item': op.item.pk,
+                    'variation': op.variation.pk if op.variation else None,
+                    'addon_to': op.addon_to.pk if op.addon_to else None,
+                    'price': op.price.gross,
+                    'positionid': pos.positionid,
+                    'membership': pos.used_membership_id,
+                    'subevent': op.subevent.pk if op.subevent else None,
+                    'seat': op.seat.pk if op.seat else None,
+                    'valid_from': op.valid_from.isoformat() if op.valid_from else None,
+                    'valid_until': op.valid_until.isoformat() if op.valid_until else None,
+                })
+                op.result._position = pos
             elif isinstance(op, self.SplitOperation):
                 position = position_cache.setdefault(op.position.pk, op.position)
                 split_positions.append(position)
@@ -2895,7 +2877,7 @@ class OrderChangeManager:
         return total
 
     def _check_order_size(self):
-        if (len(self.order.positions.all()) + sum([op.count for op in self._operations if isinstance(op, self.AddOperation)])) > settings.PRETIX_MAX_ORDER_SIZE:
+        if (len(self.order.positions.all()) + len([op for op in self._operations if isinstance(op, self.AddOperation)])) > settings.PRETIX_MAX_ORDER_SIZE:
             raise OrderError(
                 self.error_messages['max_order_size'] % {
                     'max': settings.PRETIX_MAX_ORDER_SIZE,
@@ -2956,7 +2938,7 @@ class OrderChangeManager:
         ]) + len([
             o for o in self._operations if isinstance(o, self.SplitOperation)
         ])
-        adds = sum([o.count for o in self._operations if isinstance(o, self.AddOperation)])
+        adds = len([o for o in self._operations if isinstance(o, self.AddOperation)])
         if current > 0 and current - cancels + adds < 1:
             raise OrderError(self.error_messages['complete_cancel'])
 
@@ -3003,18 +2985,17 @@ class OrderChangeManager:
             elif isinstance(op, self.CancelOperation) and op.position in positions_to_fake_cart:
                 fake_cart.remove(positions_to_fake_cart[op.position])
             elif isinstance(op, self.AddOperation):
-                for i in range(op.count):
-                    cp = CartPosition(
-                        event=self.event,
-                        item=op.item,
-                        variation=op.variation,
-                        used_membership=op.membership,
-                        subevent=op.subevent,
-                        seat=op.seat,
-                    )
-                    cp.override_valid_from = op.valid_from
-                    cp.override_valid_until = op.valid_until
-                    fake_cart.append(cp)
+                cp = CartPosition(
+                    event=self.event,
+                    item=op.item,
+                    variation=op.variation,
+                    used_membership=op.membership,
+                    subevent=op.subevent,
+                    seat=op.seat,
+                )
+                cp.override_valid_from = op.valid_from
+                cp.override_valid_until = op.valid_until
+                fake_cart.append(cp)
         try:
             validate_memberships_in_order(self.order.customer, fake_cart, self.event, lock=True, ignored_order=self.order, testmode=self.order.testmode)
         except ValidationError as e:

src/pretix/base/settings.py

@@ -100,7 +100,7 @@ def primary_font_kwargs():
 
     choices = [('Open Sans', 'Open Sans')]
     choices += sorted([
-        (a, FontSelect.FontOption(title=a, data=v)) for a, v in get_fonts(pdf_support_required=False).items()
+        (a, {"title": a, "data": v}) for a, v in get_fonts(pdf_support_required=False).items()
     ], key=lambda a: a[0])
     return {
         'choices': choices,
@@ -4148,14 +4148,6 @@ def validate_event_settings(event, settings_dict):
                     )
                 ]}
             )
-    if (
-        settings_dict.get('invoice_address_from_vat_id') and
-        settings_dict.get('invoice_address_from_country') and
-        settings_dict.get('invoice_address_from_country') not in VAT_ID_COUNTRIES
-    ):
-        raise ValidationError({
-            'invoice_address_from_vat_id': _('VAT-ID is not supported for "{}".').format(settings_dict.get('invoice_address_from_country'))
-        })
 
     payment_term_last = settings_dict.get('payment_term_last')
     if payment_term_last and event.presale_end:

src/pretix/base/signals.py

@@ -32,7 +32,6 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.
 
-import logging
 import warnings
 from typing import Any, Callable, Generic, List, Tuple, TypeVar
 
@@ -49,8 +48,6 @@ from .plugins import (
     PLUGIN_LEVEL_ORGANIZER,
 )
 
-logger = logging.getLogger(__name__)
-
 app_cache = {}
 T = TypeVar('T')
 
@@ -63,25 +60,23 @@ def _populate_app_cache():
 
 def get_defining_app(o):
     # If sentry packed this in a wrapper, unpack that
-    module = getattr(o, "__module__", None)
-    if module and "sentry" in module:
+    if "sentry" in o.__module__:
         o = o.__wrapped__
 
     if hasattr(o, "__mocked_app"):
         return o.__mocked_app
 
     # Find the Django application this belongs to
-    searchpath = module or getattr(o.__class__, "__module__", None) or ""
+    searchpath = o.__module__
 
     # Core modules are always active
-    if searchpath and any(searchpath.startswith(cm) for cm in settings.CORE_MODULES):
+    if any(searchpath.startswith(cm) for cm in settings.CORE_MODULES):
         return 'CORE'
 
     if not app_cache:
         _populate_app_cache()
 
-    app = None
-    while searchpath:
+    while True:
         app = app_cache.get(searchpath)
         if "." not in searchpath or app:
             break
@@ -162,7 +157,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
         if not app_cache:
             _populate_app_cache()
 
-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
             if self._is_receiver_active(sender, receiver):
                 response = receiver(signal=self, sender=sender, **named)
                 responses.append((receiver, response))
@@ -184,7 +179,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
         if not app_cache:
             _populate_app_cache()
 
-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
             if self._is_receiver_active(sender, receiver):
                 named[chain_kwarg_name] = response
                 response = receiver(signal=self, sender=sender, **named)
@@ -209,7 +204,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
         if not app_cache:
             _populate_app_cache()
 
-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
             if self._is_receiver_active(sender, receiver):
                 try:
                     response = receiver(signal=self, sender=sender, **named)
@@ -219,35 +214,17 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
                     responses.append((receiver, response))
         return responses
 
-    def asend(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def asend_robust(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def _live_receivers(self, sender):
-        orig_list, orig_async_list = super()._live_receivers(sender)
-
-        if orig_async_list:
-            logger.error('Async receivers are not supported.')
-            raise NotImplementedError
-
-        def _getattr_fallback_to_class(obj, key):
-            return getattr(obj, key, getattr(obj.__class__, key))
-
-        def _is_core_module(receiver):
-            m = _getattr_fallback_to_class(receiver, "__module__")
-            return any(m.startswith(c) for c in settings.CORE_MODULES)
-
+    def _sorted_receivers(self, sender):
+        orig_list = self._live_receivers(sender)
         sorted_list = sorted(
             orig_list,
             key=lambda receiver: (
-                0 if _is_core_module(receiver) else 1,
-                _getattr_fallback_to_class(receiver, "__module__"),
-                _getattr_fallback_to_class(receiver, "__name__"),
+                0 if any(receiver.__module__.startswith(m) for m in settings.CORE_MODULES) else 1,
+                receiver.__module__,
+                receiver.__name__,
             )
         )
-        return sorted_list, []
+        return sorted_list
 
 
 class EventPluginSignal(PluginSignal[Event]):
@@ -323,41 +300,23 @@ class GlobalSignal(django.dispatch.Signal):
         if not self.receivers or self.sender_receivers_cache.get(sender) is NO_RECEIVERS:
             return response
 
-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._live_receivers(sender):
             named[chain_kwarg_name] = response
             response = receiver(signal=self, sender=sender, **named)
         return response
 
-    def asend(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def asend_robust(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
     def _live_receivers(self, sender):
         # Ensure consistent sorting of receivers
-        orig_list, orig_async_list = super()._live_receivers(sender)
-
-        if orig_async_list:
-            logger.error('Async receivers are not supported.')
-            raise NotImplementedError
-
-        def _getattr_fallback_to_class(obj, key):
-            return getattr(obj, key, getattr(obj.__class__, key))
-
-        def _is_core_module(receiver):
-            m = _getattr_fallback_to_class(receiver, "__module__")
-            return any(m.startswith(c) for c in settings.CORE_MODULES)
-
+        orig_list = super()._live_receivers(sender)
         sorted_list = sorted(
             orig_list,
             key=lambda receiver: (
-                0 if _is_core_module(receiver) else 1,
-                _getattr_fallback_to_class(receiver, "__module__"),
-                _getattr_fallback_to_class(receiver, "__name__"),
+                0 if any(receiver.__module__.startswith(m) for m in settings.CORE_MODULES) else 1,
+                receiver.__module__,
+                receiver.__name__,
             )
         )
-        return sorted_list, []
+        return sorted_list
 
 
 class DeprecatedSignal(GlobalSignal):

src/pretix/control/forms/__init__.py

@@ -34,7 +34,6 @@
 
 import datetime
 import os
-from dataclasses import dataclass
 
 from django import forms
 from django.conf import settings
@@ -421,11 +420,6 @@ class SplitDateTimeField(forms.SplitDateTimeField):
 class FontSelect(forms.RadioSelect):
     option_template_name = 'pretixcontrol/font_option.html'
 
-    @dataclass
-    class FontOption:
-        title: str
-        data: str
-
 
 class ItemMultipleChoiceField(SafeModelMultipleChoiceField):
     def label_from_instance(self, obj):

src/pretix/control/forms/event.py

@@ -63,7 +63,7 @@ from pretix.base.forms import (
 from pretix.base.models import Event, Organizer, TaxRule, Team
 from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent
 from pretix.base.models.organizer import TeamQuerySet
-from pretix.base.models.tax import TAX_CODE_LISTS, VAT_ID_COUNTRIES
+from pretix.base.models.tax import TAX_CODE_LISTS
 from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
 from pretix.base.services.placeholders import FormPlaceholderMixin
 from pretix.base.settings import (
@@ -73,8 +73,8 @@ from pretix.base.settings import (
 )
 from pretix.base.validators import multimail_validate
 from pretix.control.forms import (
-    FontSelect, MultipleLanguagesWidget, SalesChannelCheckboxSelectMultiple,
-    SlugWidget, SplitDateTimeField, SplitDateTimePickerWidget,
+    MultipleLanguagesWidget, SalesChannelCheckboxSelectMultiple, SlugWidget,
+    SplitDateTimeField, SplitDateTimePickerWidget,
 )
 from pretix.control.forms.widgets import Select2
 from pretix.helpers.countries import CachedCountries
@@ -531,13 +531,6 @@ class EventUpdateForm(I18nModelForm):
 
 class EventSettingsValidationMixin:
 
-    def clean_invoice_address_from_vat_id(self):
-        value = self.cleaned_data.get('invoice_address_from_vat_id')
-        country = self.cleaned_data.get('invoice_address_from_country')
-        if value and country and country not in VAT_ID_COUNTRIES:
-            return None
-        return value
-
     def clean(self):
         data = super().clean()
         settings_dict = self.obj.settings.freeze()
@@ -729,7 +722,7 @@ class EventSettingsForm(EventSettingsValidationMixin, FormPlaceholderMixin, Sett
             del self.fields['event_list_filters']
             del self.fields['event_calendar_future_only']
         self.fields['primary_font'].choices = [('Open Sans', 'Open Sans')] + sorted([
-            (a, FontSelect.FontOption(title=a, data=v)) for a, v in get_fonts(self.event, pdf_support_required=False).items()
+            (a, {"title": a, "data": v}) for a, v in get_fonts(self.event, pdf_support_required=False).items()
         ], key=lambda a: a[0])
 
         # create "virtual" fields for better UX when editing <name>_asked and <name>_required fields

src/pretix/control/forms/orders.py

@@ -331,10 +331,6 @@ class OtherOperationsForm(forms.Form):
 
 
 class OrderPositionAddForm(forms.Form):
-    count = forms.IntegerField(
-        label=_('Number of products to add'),
-        initial=1,
-    )
     itemvar = forms.ChoiceField(
         label=_('Product')
     )
@@ -436,10 +432,6 @@ class OrderPositionAddForm(forms.Form):
             d['used_membership'] = [m for m in self.memberships if str(m.pk) == d['used_membership']][0]
         else:
             d['used_membership'] = None
-        if d.get("count", 1) > 1 and d.get("seat"):
-            raise ValidationError({
-                "seat": _("You can not choose a seat when adding multiple products at once.")
-            })
         return d
 
 

src/pretix/control/navigation.py

@@ -363,7 +363,7 @@ def get_global_navigation(request):
             'icon': 'dashboard',
         },
     ]
-    if request.user.is_in_any_teams or request.user.is_staff:
+    if request.user.is_in_any_teams:
         nav += [
             {
                 'label': _('Events'),

src/pretix/control/templates/pretixcontrol/order/change.html

@@ -329,7 +329,6 @@
                                         {{ add_form.custom_error }}
                                     </div>
                                 {% endif %}
-                                {% bootstrap_field add_form.count layout="control" %}
                                 {% bootstrap_field add_form.itemvar layout="control" %}
                                 {% bootstrap_field add_form.price addon_after=request.event.currency layout="control" %}
                                 {% if add_form.addon_to %}
@@ -365,7 +364,6 @@
                         </div>
                         <div class="panel-body">
                             <div class="form-horizontal">
-                                {% bootstrap_field add_position_formset.empty_form.count layout="control" %}
                                 {% bootstrap_field add_position_formset.empty_form.itemvar layout="control" %}
                                 {% bootstrap_field add_position_formset.empty_form.price addon_after=request.event.currency layout="control" %}
                                 {% if add_position_formset.empty_form.addon_to %}

src/pretix/control/templates/pretixcontrol/user/2fa_add.html

@@ -6,44 +6,35 @@
     <h1>{% trans "Add a two-factor authentication device" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         {% bootstrap_form_errors form %}
         {% bootstrap_field form.name layout='horizontal' %}
 
-        <div class="form-group{% if form.devicetype.errors %} has-error{% endif %}">
+        <div class="form-group">
             <label class="col-md-3 control-label">{% trans "Device type" %}</label>
             <div class="col-md-9">
-                <div>
-                    <div class="big-radio radio">
-                        <label>
-                            <input type="radio" required value="totp" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "totp" %}checked{% endif %}>
-                            <strong>{% trans "Smartphone with Authenticator app" %}</strong><br>
-                            <div class="help-block">
-                                {% blocktrans trimmed %}
-                                    Use your smartphone with any Time-based One-Time-Password app like freeOTP, Google Authenticator or Proton Authenticator.
-                                {% endblocktrans %}
-                            </div>
-                        </label>
-                    </div>
-                    <div class="big-radio radio">
-                        <label>
-                            <input type="radio" required value="webauthn" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "webauthn" %}checked{% endif %}>
-                            <strong>{% trans "WebAuthn-compatible hardware token" %}</strong><br>
-                            <div class="help-block">
-                                {% blocktrans trimmed %}
-                                    Use a hardware token like the Yubikey, or other biometric authentication like fingerprint or face recognition.
-                                {% endblocktrans %}
-                            </div>
-                        </label>
-                    </div>
+                <div class="big-radio radio">
+                    <label>
+                        <input type="radio" value="totp" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "totp" %}checked{% endif %}>
+                        <strong>{% trans "Smartphone with the Authenticator application" %}</strong><br>
+                        <div class="help-block">
+                            {% blocktrans trimmed %}
+                                Use your smartphone with any Time-based One-Time-Password app like freeOTP, Google Authenticator or Proton Authenticator.
+                            {% endblocktrans %}
+                        </div>
+                    </label>
+                </div>
+                <div class="big-radio radio">
+                    <label>
+                        <input type="radio" value="webauthn" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "webauthn" %}checked{% endif %}>
+                        <strong>{% trans "WebAuthn-compatible hardware token" %}</strong><br>
+                        <div class="help-block">
+                            {% blocktrans trimmed %}
+                                Use a hardware token like the Yubikey, or biometric authentication on iOS, macOS and Android.
+                            {% endblocktrans %}
+                        </div>
+                    </label>
                 </div>
-
-                {% if form.devicetype.errors %}
-                    <div class="help-block">
-                    {% for error in form.devicetype.errors %}
-                        <p>{{ error|escape }}</p>
-                    {% endfor %}
-                    </div>
-                {% endif %}
             </div>
         </div>
 

src/pretix/control/templates/pretixcontrol/user/2fa_confirm_totp.html

@@ -69,14 +69,11 @@
             {% trans "Enter the displayed code here:" %}
             <form class="form form-inline" method="post" action="">
                 {% csrf_token %}
+                <input type="hidden" name="flow_token" value="{{ flow_token }}">
                 <input type="number" name="token" class="form-control" required="required">
                 <button class="btn btn-primary" type="submit">
                     {% trans "Continue" %}
                 </button><br>
-                <label>
-                    <input type="checkbox" name="activate" checked="checked" value="on">
-                    {% trans "Require second factor for future logins" %}
-                </label>
             </form>
         </li>
     </ol>

src/pretix/control/templates/pretixcontrol/user/2fa_confirm_webauthn.html

@@ -12,13 +12,9 @@
     </p>
     <form class="form form-inline" method="post" action="" id="webauthn-form">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <input type="hidden" id="webauthn-response" name="token" class="form-control" required="required">
-        <p>
-            <label>
-                <input type="checkbox" name="activate" checked="checked" value="on">
-                {% trans "Require second factor for future logins" %}
-            </label>
-        </p>
+
         <button class="btn btn-primary sr-only" type="submit"></button>
     </form>
 

src/pretix/control/templates/pretixcontrol/user/2fa_delete.html

@@ -6,6 +6,7 @@
     <h1>{% trans "Delete a two-factor authentication device" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <p>{% blocktrans trimmed with device=device.name %}
             Are you sure you want to delete the authentication device "{{ device }}"?
         {% endblocktrans %}</p>

src/pretix/control/templates/pretixcontrol/user/2fa_disable.html

@@ -6,6 +6,7 @@
     <h1>{% trans "Disable two-factor authentication" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <p>
             {% trans "Do you really want to disable two-factor authentication?" %}
         </p>

src/pretix/control/templates/pretixcontrol/user/2fa_enable.html

@@ -1,23 +1,58 @@
 {% extends "pretixcontrol/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
+{% load icon %}
 {% block title %}{% trans "Enable two-factor authentication" %}{% endblock %}
 {% block content %}
     <h1>{% trans "Enable two-factor authentication" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <p>
             {% trans "Do you really want to enable two-factor authentication?" %}
         </p>
         <p>
             {% trans "You will no longer be able to log in to pretix without one of your configured devices." %}
-            {% trans "Please make sure to print out or copy the emergency tokens and store them in a safe place." %}
         </p>
+        {% if new_emergency_tokens %}
+            <div class="panel panel-default">
+                <div class="panel-heading">
+                    <h3 class="panel-title">{% trans "Your emergency codes" %}</h3>
+                </div>
+                <div class="panel-body">
+                    <p>
+                        {% blocktrans trimmed %}
+                            If you lose access to your devices, you can use one of your emergency tokens to log in.
+                            We recommend to store them in a safe place, e.g. printed out or in a password manager.
+                            Every token can be used at most once.
+                        {% endblocktrans %}
+                    </p>
+                    <ul>
+                        {% for code in new_emergency_tokens %}
+                        <li>{{ code }}</li>
+                        {% endfor %}
+                    </ul>
+                    <p>
+                        <label>
+                            <input type="checkbox" required>
+                            {% trans "I stored my emergency tokens in a safe place." %}
+                        </label>
+                    </p>
+                </div>
+            </div>
+        {% else %}
+            <p>
+                {% icon "info-circle" %}
+                {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
+                    You generated your emergency tokens on {{ generation_date_time }}.
+                {% endblocktrans %}
+            </p>
+        {% endif %}
         <div class="form-group submit-group">
             <a href="{% url "control:user.settings.2fa" %}" class="btn btn-default btn-cancel">
                 {% trans "Cancel" %}
             </a>
-            <button type="submit" class="btn btn-danger btn-save">
+            <button type="submit" class="btn btn-primary btn-save">
                 {% trans "Enable" %}
             </button>
         </div>

src/pretix/control/templates/pretixcontrol/user/2fa_leaveteams.html

@@ -6,6 +6,7 @@
     <h1>{% trans "Leave teams that require two-factor authentication" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <p>
             <strong>{% trans "Do you really want to leave the following teams?" %}</strong>
         </p>

src/pretix/control/templates/pretixcontrol/user/2fa_main.html

@@ -1,5 +1,6 @@
 {% extends "pretixcontrol/base.html" %}
 {% load i18n %}
+{% load icon %}
 {% load bootstrap3 %}
 {% block title %}{% trans "Two-factor authentication" %}{% endblock %}
 {% block content %}
@@ -120,7 +121,7 @@
                         Delete
                     </a>
                     {% if d.devicetype == "totp" %}
-                        <span class="fa fa-mobile"></span>
+                        <span class="fa fa-mobile fa-lg"></span>
                     {% elif d.devicetype == "webauthn" %}
                         <span class="fa fa-usb"></span>
                     {% elif d.devicetype == "u2f" %}
@@ -152,19 +153,30 @@
             </p>
             {% if static_tokens_device %}
                 <p>
+                    {% icon "info-circle" %}
                     {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
                         You generated your emergency tokens on {{ generation_date_time }}.
                     {% endblocktrans %}
                 </p>
-            {% else %}
+                <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
+                    <span class="fa fa-refresh"></span>
+                    {% trans "Generate new emergency tokens" %}
+                </a>
+            {% elif user.require_2fa %}
                 <p>
-                    {% trans "You don't have any emergency tokens yet." %}
+                    {% icon "warning" %}
+                    <strong>{% trans "You don't have any emergency tokens yet." %}</strong>
+                </p>
+                <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
+                    <span class="fa fa-refresh"></span>
+                    {% trans "Generate emergency tokens" %}
+                </a>
+            {% else %}
+                <p class="help-block">
+                    {% icon "info-circle" %}
+                    {% trans "Emergency tokens will be generated when you enable two-factor authentication." %}
                 </p>
             {% endif %}
-            <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
-                <span class="fa fa-refresh"></span>
-                {% trans "Generate new emergency tokens" %}
-            </a>
         </div>
     </div>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/user/2fa_regenemergency.html

@@ -6,6 +6,7 @@
     <h1>{% trans "Regenerate emergency codes" %}</h1>
     <form action="" method="post" class="form-horizontal">
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         <p>
             {% trans "Do you really want to regenerate your emergency codes?" %}
         </p>

src/pretix/control/templates/pretixcontrol/user/change_email.html

@@ -8,6 +8,7 @@
             {% trans "Change login email address" %}
         </h1>
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         {% bootstrap_form_errors form %}
         <p class="text-muted">
             {% trans "This changes the email address used to login to your account, as well as where we send email notifications." %}

src/pretix/control/templates/pretixcontrol/user/change_password.html

@@ -9,6 +9,7 @@
         </h1>
         <br>
         {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
         {% bootstrap_form_errors form %}
         {% bootstrap_field form.email %}
         {% bootstrap_field form.old_pw %}

src/pretix/control/views/dashboards.py

@@ -641,7 +641,7 @@ def user_index(request):
 
     ctx = {
         'widgets': rearrange(widgets),
-        'can_create_event': request.user.teams.with_organizer_permission("organizer.events:create").exists() or request.user.is_staff,
+        'can_create_event': request.user.teams.with_organizer_permission("organizer.events:create").exists(),
         'upcoming': widgets_for_event_qs(
             request,
             annotated_event_query(request, lazy=True).filter(

src/pretix/control/views/orders.py

@@ -2059,13 +2059,12 @@ class OrderChange(OrderView):
                 else:
                     variation = None
                 try:
-                    for i in range(f.cleaned_data.get("count", 1)):
-                        ocm.add_position(item, variation,
-                                         f.cleaned_data['price'],
-                                         f.cleaned_data.get('addon_to'),
-                                         f.cleaned_data.get('subevent'),
-                                         f.cleaned_data.get('seat'),
-                                         f.cleaned_data.get('used_membership'))
+                    ocm.add_position(item, variation,
+                                     f.cleaned_data['price'],
+                                     f.cleaned_data.get('addon_to'),
+                                     f.cleaned_data.get('subevent'),
+                                     f.cleaned_data.get('seat'),
+                                     f.cleaned_data.get('used_membership'))
                 except OrderError as e:
                     f.custom_error = str(e)
                     return False

src/pretix/control/views/organizer.py

@@ -1322,7 +1322,7 @@ class DeviceUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
     def form_valid(self, form):
         if form.has_changed():
             self.object.log_action('pretix.device.changed', user=self.request.user, data={
-                k: form.cleaned_data[k] if k != 'limit_events' else [e.id for e in form.cleaned_data[k]]
+                k: getattr(self.object, k) if k != 'limit_events' else [e.id for e in getattr(self.object, k).all()]
                 for k in form.changed_data
             })
 

src/pretix/control/views/user.py

@@ -89,13 +89,31 @@ logger = logging.getLogger(__name__)
 
 class RecentAuthenticationRequiredMixin:
     max_time = 900
+    max_form_time = 900
 
     @method_decorator(never_cache)
     def dispatch(self, request, *args, **kwargs):
-        tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
-        if tdelta > self.max_time:
+        auth_is_recent = time.time() - request.session.get('pretix_auth_login_time', 0) < self.max_time
+        allowed_by_token = (
+            request.session.pop('pretix_reauthed_flow_token', None) == request.POST.get('flow_token', '')
+            and request.session.pop('pretix_reauthed_flow_allowed_url', None) == request.get_full_path()
+            and time.time() - request.session.pop('pretix_reauthed_flow_start_time', 0) < self.max_form_time
+        )
+        if auth_is_recent or allowed_by_token:
+            return super().dispatch(request, *args, **kwargs)
+        else:
             return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
-        return super().dispatch(request, *args, **kwargs)
+
+    def get_flow_token(self):
+        self.request.session['pretix_reauthed_flow_allowed_url'] = self.request.get_full_path()
+        self.request.session['pretix_reauthed_flow_token'] = get_random_string(22)
+        self.request.session['pretix_reauthed_flow_start_time'] = time.time()
+        return self.request.session['pretix_reauthed_flow_token']
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data()
+        ctx['flow_token'] = self.get_flow_token()
+        return ctx
 
 
 class ReauthView(TemplateView):
@@ -283,6 +301,7 @@ class UserHistoryView(ListView):
 
 
 class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
+    max_time = 7200
     template_name = 'pretixcontrol/user/2fa_main.html'
 
     def get_context_data(self, **kwargs):
@@ -465,25 +484,15 @@ class User2FADeviceConfirmWebAuthnView(RecentAuthenticationRequiredMixin, Templa
             notices = [
                 _('A new two-factor authentication device has been added to your account.')
             ]
-            activate = request.POST.get('activate', '')
-            if activate == 'on' and not self.request.user.require_2fa:
-                self.request.user.require_2fa = True
-                self.request.user.save()
-                self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
-                notices.append(
-                    _('Two-factor authentication has been enabled.')
-                )
             self.request.user.send_security_notice(notices)
             self.request.user.update_session_token()
             update_session_auth_hash(self.request, self.request.user)
 
-            note = ''
-            if not self.request.user.require_2fa:
-                note = ' ' + str(_('Please note that you still need to enable two-factor authentication for your '
-                                   'account using the buttons below to make a second factor required for logging '
-                                   'into your account.'))
-            messages.success(request, str(_('The device has been verified and can now be used.')) + note)
-            return redirect(reverse('control:user.settings.2fa'))
+            messages.success(request, str(_('The device has been verified and can now be used.')))
+            if self.request.user.require_2fa:
+                return redirect(reverse('control:user.settings.2fa'))
+            else:
+                return redirect(reverse('control:user.settings.2fa.enable'))
         except Exception:
             messages.error(request, _('The registration could not be completed. Please try again.'))
             logger.exception('WebAuthn registration failed')
@@ -494,6 +503,7 @@ class User2FADeviceConfirmWebAuthnView(RecentAuthenticationRequiredMixin, Templa
 
 class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/user/2fa_confirm_totp.html'
+    max_form_time = 7200  # this should have effectively no timeout, as the user might need to download the 2fa app first
 
     @cached_property
     def device(self):
@@ -514,7 +524,6 @@ class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateVi
 
     def post(self, request, *args, **kwargs):
         token = request.POST.get('token', '')
-        activate = request.POST.get('activate', '')
         if self.device.verify_token(token):
             self.device.confirmed = True
             self.device.save()
@@ -526,24 +535,15 @@ class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateVi
             notices = [
                 _('A new two-factor authentication device has been added to your account.')
             ]
-            if activate == 'on' and not self.request.user.require_2fa:
-                self.request.user.require_2fa = True
-                self.request.user.save()
-                self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
-                notices.append(
-                    _('Two-factor authentication has been enabled.')
-                )
             self.request.user.send_security_notice(notices)
             self.request.user.update_session_token()
             update_session_auth_hash(self.request, self.request.user)
 
-            note = ''
-            if not self.request.user.require_2fa:
-                note = ' ' + str(_('Please note that you still need to enable two-factor authentication for your '
-                                   'account using the buttons below to make a second factor required for logging '
-                                   'into your account.'))
-            messages.success(request, str(_('The device has been verified and can now be used.')) + note)
-            return redirect(reverse('control:user.settings.2fa'))
+            messages.success(request, str(_('The device has been verified and can now be used.')))
+            if self.request.user.require_2fa:
+                return redirect(reverse('control:user.settings.2fa'))
+            else:
+                return redirect(reverse('control:user.settings.2fa.enable'))
         else:
             messages.error(request, _('The code you entered was not valid. If this problem persists, please check '
                                       'that the date and time of your phone are configured correctly.'))
@@ -576,6 +576,7 @@ class User2FALeaveTeamsView(RecentAuthenticationRequiredMixin, TemplateView):
 
 class User2FAEnableView(RecentAuthenticationRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/user/2fa_enable.html'
+    max_form_time = 7200  # this should have effectively no timeout, as the user might take some time to print out their emergency codes, and they would become invalid in case of a timeout
 
     def dispatch(self, request, *args, **kwargs):
         if not any(dt.objects.filter(user=self.request.user, confirmed=True) for dt in REAL_DEVICE_TYPES):
@@ -584,14 +585,39 @@ class User2FAEnableView(RecentAuthenticationRequiredMixin, TemplateView):
             return redirect(reverse('control:user.settings.2fa'))
         return super().dispatch(request, *args, **kwargs)
 
+    def get(self, request, *args, **kwargs):
+        new_tokens = None
+        try:
+            static_tokens_device = StaticDevice.objects.get(user=self.request.user, name='emergency')
+        except StaticDevice.MultipleObjectsReturned:
+            static_tokens_device = StaticDevice.objects.filter(
+                user=self.request.user, name='emergency'
+            ).first()
+        except StaticDevice.DoesNotExist:
+            static_tokens_device = None
+
+            new_tokens = [get_random_string(length=12, allowed_chars='1234567890') for _ in range(10)]
+            request.session['pretix_2fa_new_emergency_tokens'] = new_tokens
+        return super().get(request, *args, new_emergency_tokens=new_tokens, static_tokens_device=static_tokens_device, **kwargs)
+
     def post(self, request, *args, **kwargs):
+        notices = [
+            _('Two-factor authentication has been enabled.')
+        ]
+        if 'pretix_2fa_new_emergency_tokens' in request.session:
+            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
+            for code in request.session['pretix_2fa_new_emergency_tokens']:
+                d.token_set.create(token=code)
+            self.request.user.log_action('pretix.user.settings.2fa.regenemergency', user=self.request.user)
+            notices += [
+                _('Your two-factor emergency codes have been regenerated.')
+            ]
+            del request.session['pretix_2fa_new_emergency_tokens']
         self.request.user.require_2fa = True
         self.request.user.save()
         self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
         messages.success(request, _('Two-factor authentication is now enabled for your account.'))
-        self.request.user.send_security_notice([
-            _('Two-factor authentication has been enabled.')
-        ])
+        self.request.user.send_security_notice(notices)
         self.request.user.update_session_token()
         update_session_auth_hash(self.request, self.request.user)
         return redirect(reverse('control:user.settings.2fa'))

src/pretix/helpers/security.py

@@ -25,7 +25,7 @@ import time
 
 from django.conf import settings
 from django.contrib.auth import login as auth_login
-from django.contrib.gis import geoip2
+from django.contrib.gis.geoip2 import GeoIP2
 from django.core.cache import cache
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -63,20 +63,14 @@ def get_user_agent_hash(request):
 _geoip = None
 
 
-def get_geoip() -> geoip2.GeoIP2:
-    # See https://code.djangoproject.com/ticket/36988#ticket
+def _get_country(request):
     global _geoip
 
-    geoip2.SUPPORTED_DATABASE_TYPES.add("Geoacumen-Country")
-
     if not _geoip:
-        _geoip = geoip2.GeoIP2()
-    return _geoip
+        _geoip = GeoIP2()
 
-
-def _get_country(request):
     try:
-        res = get_geoip().country(get_client_ip(request))
+        res = _geoip.country(get_client_ip(request))
     except AddressNotFoundError:
         return None
     return res['country_code']

src/pretix/locale/de/wordlist.txt

@@ -32,7 +32,6 @@ ausgecheckt
 ausgeklappt
 auswahl
 Authentication
-Authenticator
 Authenticator-App
 Autorisierungscode
 Autorisierungs-Endpunktes
@@ -131,7 +130,6 @@ Eingangsscan
 Einlassbuchung
 Einlassdatum
 Einlasskontrolle
-Einmalpasswörter
 einzuchecken
 email
 E-Mail-Renderer
@@ -165,7 +163,6 @@ Explorer
 FA
 Favicon
 F-Droid
-freeOTP
 Footer
 Footer-Link
 Footer-Text
@@ -560,7 +557,6 @@ Zahlungs-ID
 Zahlungspflichtig
 Zehnerkarten
 Zeitbasiert
-zeitbasierte
 Zeitslotbuchung
 Zimpler
 ZIP-Datei

src/pretix/locale/de_Informal/wordlist.txt

@@ -32,7 +32,6 @@ ausgecheckt
 ausgeklappt
 auswahl
 Authentication
-Authenticator
 Authenticator-App
 Autorisierungscode
 Autorisierungs-Endpunktes
@@ -131,7 +130,6 @@ Eingangsscan
 Einlassbuchung
 Einlassdatum
 Einlasskontrolle
-Einmalpasswörter
 einzuchecken
 email
 E-Mail-Renderer
@@ -165,7 +163,6 @@ Explorer
 FA
 Favicon
 F-Droid
-freeOTP
 Footer
 Footer-Link
 Footer-Text
@@ -560,7 +557,6 @@ Zahlungs-ID
 Zahlungspflichtig
 Zehnerkarten
 Zeitbasiert
-zeitbasierte
 Zeitslotbuchung
 Zimpler
 ZIP-Datei

src/pretix/locale/djangojs.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-30 11:25+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

src/pretix/locale/es/LC_MESSAGES/djangojs.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-17 14:06+0000\n"
-"PO-Revision-Date: 2026-03-30 03:00+0000\n"
+"PO-Revision-Date: 2026-03-18 12:23+0000\n"
 "Last-Translator: CVZ-es <damien.bremont@casadevelazquez.org>\n"
 "Language-Team: Spanish <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/es/>\n"
@@ -329,7 +329,7 @@ msgstr "Pedido no aprobado"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:68
 msgid "Checked-in Tickets"
-msgstr "Billetes registrados"
+msgstr "Registro de código QR"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:69
 msgid "Valid Tickets"

src/pretix/locale/it/LC_MESSAGES/djangojs.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-17 14:06+0000\n"
-"PO-Revision-Date: 2026-03-25 14:14+0000\n"
-"Last-Translator: Pietro Isotti <isottipietro@gmail.com>\n"
+"PO-Revision-Date: 2026-02-10 16:49+0000\n"
+"Last-Translator: Raffaele Doretto <ced@comune.portogruaro.ve.it>\n"
 "Language-Team: Italian <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/it/>\n"
 "Language: it\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 5.15.2\n"
 
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -310,8 +310,9 @@ msgid "Ticket code revoked/changed"
 msgstr "Codice biglietto annullato/modificato"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:63
+#, fuzzy
 msgid "Ticket blocked"
-msgstr "Biglietto bloccato"
+msgstr "Biglietto non pagato"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:64
 msgid "Ticket not valid at this time"
@@ -428,7 +429,7 @@ msgstr ""
 
 #: pretix/static/pretixbase/js/asynctask.js:276
 msgid "If this takes longer than a few minutes, please contact us."
-msgstr "Se questa operazione richiede alcuni minuti, si prega di contattarci."
+msgstr ""
 
 #: pretix/static/pretixbase/js/asynctask.js:331
 msgid "Close message"

src/pretix/locale/ja/LC_MESSAGES/djangojs.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-17 14:06+0000\n"
-"PO-Revision-Date: 2026-03-23 21:00+0000\n"
+"PO-Revision-Date: 2026-02-23 10:00+0000\n"
 "Last-Translator: Hijiri Umemoto <hijiri@umemoto.org>\n"
 "Language-Team: Japanese <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/ja/>\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 5.16\n"
 
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -60,7 +60,7 @@ msgstr "PayPal後払い"
 
 #: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:41
 msgid "iDEAL | Wero"
-msgstr "iDEAL | Wero"
+msgstr ""
 
 #: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:42
 msgid "SEPA Direct Debit"

src/pretix/locale/pt_BR/LC_MESSAGES/djangojs.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-17 14:06+0000\n"
-"PO-Revision-Date: 2026-03-25 08:00+0000\n"
+"PO-Revision-Date: 2026-01-26 22:00+0000\n"
 "Last-Translator: Renne Rocha <renne@rocha.dev.br>\n"
 "Language-Team: Portuguese (Brazil) <https://translate.pretix.eu/projects/"
 "pretix/pretix-js/pt_BR/>\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n > 1;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 5.15.2\n"
 
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -60,7 +60,7 @@ msgstr "PayPal Pay Later"
 
 #: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:41
 msgid "iDEAL | Wero"
-msgstr "iDEAL | Wero"
+msgstr ""
 
 #: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:42
 msgid "SEPA Direct Debit"