Replacement after rebase

Co-authored-by: luelista <weller@rami.io>

doc/api/deviceauth.rst

@@ -197,10 +197,11 @@ Permissions & security profiles
 
 Device authentication is currently hardcoded to grant the following permissions:
 
-* View event meta data and products etc.
-* View orders
-* Change orders
-* Manage gift cards
+* Read event meta data and products etc.
+* Read and write orders
+* Read and write gift cards
+* Read and write reusable media
+* Read vouchers
 
 Devices cannot change events or products and cannot access vouchers.
 

doc/api/resources/devices.rst

@@ -30,7 +30,7 @@ software_brand                        string                     Device software
 software_version                      string                     Device software version (read-only)
 created                               datetime                   Creation time
 initialized                           datetime                   Time of initialization (or ``null``)
-initialization_token                  string                     Token for initialization
+initialization_token                  string                     Token for initialization (field invisible without write permission)
 revoked                               boolean                    Whether this device no longer has access
 security_profile                      string                     The name of a supported security profile restricting API access
 ===================================== ========================== =======================================================

doc/api/resources/events.rst

@@ -65,8 +65,6 @@ Endpoints
 
    Returns a list of all events within a given organizer the authenticated user/token has access to.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -161,8 +159,6 @@ Endpoints
 
    Returns information on one event, identified by its slug.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -234,8 +230,6 @@ Endpoints
    Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
    event before sales can go live.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -338,8 +332,6 @@ Endpoints
    Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter
    when creating a new event for this instead.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -433,8 +425,6 @@ Endpoints
 
    Updates an event
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -510,8 +500,6 @@ Endpoints
 
    Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -561,8 +549,6 @@ organizer level.
 
    Get current values of event settings.
 
-   Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
-
    **Example request**:
 
    .. sourcecode:: http
@@ -615,6 +601,8 @@ organizer level.
 
    Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
 
+   Permission "Can change event settings" is always required. Some keys require additional permissions.
+
     .. warning::
 
        Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting

doc/api/resources/organizers.rst

@@ -110,8 +110,6 @@ Endpoints
 
    Updates an organizer. Currently only the ``plugins`` field may be updated.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -172,8 +170,6 @@ information about the properties.
 
    Get current values of organizer settings.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/reusablemedia.rst

@@ -154,7 +154,7 @@ Endpoints
 .. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/
 
    Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new
-   medium behind the scenes.
+   medium behind the scenes, therefore this endpoint requires write permissions.
 
    This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance
    agreement. In this case, only linked gift cards will be returned, no order position or customer records,

doc/api/resources/subevents.rst

@@ -154,8 +154,6 @@ Endpoints
 
    Creates a new subevent.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -300,8 +298,6 @@ Endpoints
    provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
    the fields that you want to change.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -373,8 +369,6 @@ Endpoints
 
    Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/teams.rst

@@ -24,21 +24,57 @@ all_events                            boolean                    Whether this te
 limit_events                          list                       List of event slugs this team has access to
 require_2fa                           boolean                    Whether members of this team are required to use
                                                                  two-factor authentication
-can_create_events                     boolean
-can_change_teams                      boolean
-can_change_organizer_settings         boolean
-can_manage_customers                  boolean
-can_manage_reusable_media             boolean
-can_manage_gift_cards                 boolean
-can_change_event_settings             boolean
-can_change_items                      boolean
-can_view_orders                       boolean
-can_change_orders                     boolean
-can_view_vouchers                     boolean
-can_change_vouchers                   boolean
-can_checkin_orders                    boolean
+all_event_permissions                 bool                       Whether members of this team are granted all event-level
+                                                                 permissions, including future additions
+limit_event_permissions               list of strings            The event-level permissions team members are granted
+all_organizer_permissions             bool                       Whether members of this team are granted all organizer-level
+                                                                 permissions, including future additions
+all_organizer_permissions             list of strings            The organizer-level permissions team members are granted
+can_create_events                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_teams                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_organizer_settings         boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_customers                  boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_reusable_media             boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_gift_cards                 boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_event_settings             boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_items                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_orders                       boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_orders                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_vouchers                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_vouchers                   boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_checkin_orders                    boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
 ===================================== ========================== =======================================================
 
+Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
+
+    organizer.events:create
+    organizer.settings.general:write
+    organizer.teams:write
+    organizer.seatingplans:write
+    organizer.giftcards:read
+    organizer.giftcards:write
+    organizer.customers:read
+    organizer.customers:write
+    organizer.reusablemedia:read
+    organizer.reusablemedia:write
+    organizer.devices:read
+    organizer.devices:write
+
+Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
+
+    event.settings.general:write
+    event.settings.payment:write
+    event.settings.tax:write
+    event.settings.invoicing:write
+    event.subevents:write
+    event.items:write
+    event.orders:read
+    event.orders:write
+    event.orders:checkin
+    event.vouchers:read
+    event.vouchers:write
+    event:cancel
+
 Team member resource
 --------------------
 
@@ -121,6 +157,10 @@ Team endpoints
             "all_events": true,
             "limit_events": [],
             "require_2fa": true,
+            "all_event_permissions": true,
+            "limit_event_permissions": [],
+            "all_organizer_permissions": true,
+            "limit_organizer_permissions": [],
             "can_create_events": true,
             ...
           }
@@ -159,6 +199,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -187,7 +231,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
-        "can_create_events": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         ...
       }
 
@@ -205,6 +252,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -232,7 +283,8 @@ Team endpoints
       Content-Length: 94
 
       {
-        "can_create_events": true
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"]
       }
 
    **Example response**:
@@ -249,6 +301,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"],
         "can_create_events": true,
         ...
       }

doc/development/api/customview.rst

@@ -55,12 +55,12 @@ your views:
     )
 
     class AdminView(EventPermissionRequiredMixin, View):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
         ...
 
 
-    @event_permission_required('can_view_orders')
+    @event_permission_required('event.orders:read')
     def admin_view(request, organizer, event):
         ...
 
@@ -78,7 +78,7 @@ event-related views, there is also a signal that allows you to add the view to t
     @receiver(nav_event, dispatch_uid='friends_tickets_nav')
     def navbar_info(sender, request, **kwargs):
         url = resolve(request.path_info)
-        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'):
+        if not request.user.has_event_permission(request.organizer, request.event, 'event.vouchers:read'):
             return []
         return [{
             'label': _('My plugin view'),
@@ -118,7 +118,7 @@ for good integration. If you just want to display a form, you could do it like t
 
     class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
         model = Event
-        permission = 'can_change_settings'
+        permission = 'event.settings.general:write'
         form_class = MySettingsForm
         template_name = 'my_plugin/settings.html'
 
@@ -204,13 +204,13 @@ In case of ``orga_router`` and ``event_router``, permission checking is done for
 in the control panel. However, you need to make sure on your own only to return the correct subset of data! ``request
 .event`` and ``request.organizer`` are available as usual.
 
-To require a special permission like ``can_view_orders``, you do not need to inherit from a special ViewSet base
+To require a special permission like ``event.orders:read``, you do not need to inherit from a special ViewSet base
 class, you can just set the ``permission`` attribute on your viewset:
 
 .. code-block:: python
 
     class MyViewSet(ModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
         ...
 
 If you want to check the permission only for some methods of your viewset, you have to do it yourself. Note here that
@@ -220,7 +220,7 @@ following:
 .. code-block:: python
 
     perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user)
-    if perm_holder.has_event_permission(request.event.organizer, request.event, 'can_view_orders'):
+    if perm_holder.has_event_permission(request.event.organizer, request.event, 'event.orders:read'):
         ...
 
 

doc/development/api/general.rst

@@ -14,7 +14,8 @@ Core
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification,
       item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter,
       register_ticket_secret_generators, gift_card_transaction_display,
-      register_text_placeholders, register_mail_placeholders, device_info_updated
+      register_text_placeholders, register_mail_placeholders, device_info_updated,
+      register_event_permission_groups, register_organizer_permission_groups
 
 Order events
 """"""""""""

doc/development/implementation/logging.rst

@@ -196,7 +196,7 @@ A simple implementation could look like this:
 .. code-block:: python
 
     class MyNotificationType(NotificationType):
-        required_permission = "can_view_orders"
+        required_permission = "event.orders:read"
         action_type = "pretix.event.order.paid"
         verbose_name = _("Order has been paid")
 

doc/development/implementation/permissions.rst

@@ -2,7 +2,7 @@ Permissions
 ===========
 
 pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
-The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_
+The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions`_
 and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
 An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
 assigned a set of permissions and connected to some or all of the events of the organizer.
@@ -25,8 +25,8 @@ permission level to access a view:
 
 
     class MyOrgaView(OrganizerPermissionRequiredMixin, View):
-        permission = 'can_change_organizer_settings'
-        # Only users with the permission ``can_change_organizer_settings`` on
+        permission = 'organizer.settings.general:write'
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -35,9 +35,9 @@ permission level to access a view:
         # Only users with *any* permission on this organizer can access this
 
 
-    @organizer_permission_required('can_change_organizer_settings')
+    @organizer_permission_required('organizer.settings.general:write')
     def my_orga_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_organizer_settings`` on
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -56,8 +56,8 @@ Of course, the same is available on event level:
 
 
     class MyEventView(EventPermissionRequiredMixin, View):
-        permission = 'can_change_event_settings'
-        # Only users with the permission ``can_change_event_settings`` on
+        permission = 'event.settings.general:write'
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
 
@@ -66,9 +66,9 @@ Of course, the same is available on event level:
         # Only users with *any* permission on this event can access this
 
 
-    @event_permission_required('can_change_event_settings')
+    @event_permission_required('event.settings.general:write')
     def my_event_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_event_settings`` on
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
 
@@ -121,7 +121,7 @@ When creating your own ``viewset`` using Django REST framework, you just need to
 and pretix will check it automatically for you::
 
     class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
 Checking permission in code
 ---------------------------
@@ -136,12 +136,12 @@ Return all users that are in any team that is connected to this event::
 
 Return all users that are in a team with a specific permission for this event::
 
-    >>> event.get_users_with_permission('can_change_event_settings')
+    >>> event.get_users_with_permission('event.orders:read')
     <QuerySet: …>
 
 Determine if a user has a certain permission for a specific event::
 
-    >>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request)
+    >>> user.has_event_permission(organizer, event, 'event.orders:read', request=request)
     True
 
 Determine if a user has any permission for a specific event::
@@ -153,27 +153,27 @@ In the two previous commands, the ``request`` argument is optional, but required
 
 The same method exists for organizer-level permissions::
 
-    >>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request)
+    >>> user.has_organizer_permission(organizer, 'event.orders:read', request=request)
     True
 
 Sometimes, it might be more useful to get the set of permissions at once::
 
     >>> user.get_event_permission_set(organizer, event)
-    {'can_change_event_settings', 'can_view_orders', 'can_change_orders'}
+    {'event.settings.general:write', 'event.orders:read', 'event.orders:write'}
 
     >>> user.get_organizer_permission_set(organizer, event)
-    {'can_change_organizer_settings', 'can_create_events'}
+    {'organizer.settings.general:write', 'organizer.events:create'}
 
 Within a view on the ``/control`` subpath, the results of these two methods are already available in the
 ``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
 
-    {% if "can_change_orders" in request.eventpermset %}
+    {% if "event.orders:write" in request.eventpermset %}
         …
     {% endif %}
 
 You can also do the reverse to get any events a user has access to::
 
-    >>> user.get_events_with_permission('can_change_event_settings', request=request)
+    >>> user.get_events_with_permission('event.settings.general:write', request=request)
     <QuerySet: …>
 
     >>> user.get_events_with_any_permission(request=request)
@@ -195,3 +195,53 @@ staff mode is active. You can check if a user is in staff mode using their sessi
 Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
 the user is able to also save a message to comment on what they did in their administrative session. This feature is
 intended to help compliance with data protection rules as imposed e.g. by GDPR.
+
+Adding permissions
+------------------
+
+Plugins can add permissions through the ``register_event_permission_groups`` and ``register_organizer_permission_groups``.
+We recommend to use this only for very significant permissions, as the system will become less usable with too many
+permission levels, also because the team page will show all permission options, even those of disabled plugins.
+
+To register your permissions, you need to register a **permission group** (often representing an area of functionality
+or a key model). Below that group, there are **actions**, which represent the actual permissions. Permissions will be
+generated as ``<group_name>:<action>``. Then, you need to define **options** which are the valid combinations of the
+actions that should be possible to select for a team. This two-step mechanism exists to provide a better user experience
+and avoid useless combinations like "write but not read".
+
+Example::
+
+    @receiver(register_event_permission_groups)
+    def register_plugin_event_permissions(sender, **kwargs):
+        return [
+            PermissionGroup(
+                name="pretix_myplugin.resource",
+                label=_("Resources"),
+                actions=["read", "write"],
+                options=[
+                    PermissionOption(actions=tuple(), label=_("No access")),
+                    PermissionOption(actions=("read",), label=_("View")),
+                    PermissionOption(actions=("read", "write"), label=_("View and change")),
+                ],
+                help_text=_("Some help text")
+            ),
+        ]
+
+
+    @receiver(register_organizer_permission_groups)
+    def register_plugin_organizer_permissions(sender, **kwargs):
+        return [
+            PermissionGroup(
+                name="pretix_myplugin.resource",
+                label=_("Resources"),
+                actions=["read", "write"],
+                options=[
+                    PermissionOption(actions=tuple(), label=_("No access")),
+                    PermissionOption(actions=("read",), label=_("View")),
+                    PermissionOption(actions=("read", "write"), label=_("View and change")),
+                ],
+                help_text=_("Some help text")
+            ),
+        ]
+
+.. _configuring teams and permissions: https://docs.pretix.eu/guides/teams/

pyproject.toml

@@ -41,7 +41,7 @@ dependencies = [
   "django-compressor==4.6.0",
   "django-countries==8.2.*",
   "django-filter==25.1",
-  "django-formset-js-improved==0.5.0.4",
+  "django-formset-js-improved==0.5.0.5",
   "django-formtools==2.5.1",
   "django-hierarkey==2.0.*,>=2.0.1",
   "django-hijack==3.7.*",
@@ -65,7 +65,7 @@ dependencies = [
   "kombu==5.6.*",
   "libsass==0.23.*",
   "lxml",
-  "markdown==3.10",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
+  "markdown==3.10.1",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
   # We can upgrade markdown again once django-bootstrap3 upgrades or once we drop Python 3.6 and 3.7
   "mt-940==4.30.*",
   "oauthlib==3.3.*",
@@ -80,7 +80,7 @@ dependencies = [
   "protobuf==6.33.*",
   "psycopg2-binary",
   "pycountry",
-  "pycparser==2.23",
+  "pycparser==3.0",
   "pycryptodome==3.23.*",
   "pypdf==6.5.*",
   "python-bidi==0.6.*",  # Support for Arabic in reportlab
@@ -92,7 +92,7 @@ dependencies = [
   "redis==7.1.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.49.*",
+  "sentry-sdk==2.50.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2025.11.0.dev0"
+__version__ = "2026.2.0.dev0"

src/pretix/api/auth/permission.py

@@ -124,12 +124,12 @@ class EventCRUDPermission(EventPermission):
     def has_permission(self, request, view):
         if not super(EventCRUDPermission, self).has_permission(request, view):
             return False
-        elif view.action == 'create' and 'can_create_events' not in request.orgapermset:
+        elif view.action == 'create' and 'organizer.events:create' not in request.orgapermset:
             return False
-        elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
+        elif view.action == 'destroy' and 'event.settings.general:write' not in request.eventpermset:
             return False
         elif view.action in ['update', 'partial_update'] \
-                and 'can_change_event_settings' not in request.eventpermset:
+                and 'event.settings.general:write' not in request.eventpermset:
             return False
 
         return True

src/pretix/api/serializers/event.py

@@ -300,7 +300,7 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -561,7 +561,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -707,7 +707,10 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
 
 
 class EventSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'event.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets stored in the settings store
+        # should not be included!
         'imprint_url',
         'checkout_email_helptext',
         'presale_has_ended_text',
@@ -806,6 +809,7 @@ class EventSettingsSerializer(SettingsSerializer):
         'invoice_reissue_after_modify',
         'invoice_include_free',
         'invoice_generate',
+        'invoice_generate_only_business',
         'invoice_period',
         'invoice_numbers_consecutive',
         'invoice_numbers_prefix',
@@ -1079,16 +1083,16 @@ class SeatSerializer(I18nAwareModelSerializer):
 
     def prefetch_expanded_data(self, items, request, expand_fields):
         if 'orderposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=orderposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=orderposition')
             prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition')
         if 'cartposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=cartposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=cartposition')
             prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition')
         if 'voucher' in expand_fields:
-            if 'can_view_vouchers' not in request.eventpermset:
-                raise PermissionDenied('can_view_vouchers permission required for expand=voucher')
+            if 'event.vouchers:read' not in request.eventpermset:
+                raise PermissionDenied('event.vouchers:read permission required for expand=voucher')
             prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher')
 
     def __init__(self, instance, *args, **kwargs):

src/pretix/api/serializers/media.py

@@ -24,7 +24,7 @@ from decimal import Decimal
 
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import OrderPositionSerializer
@@ -66,6 +66,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
         super().__init__(*args, **kwargs)
 
         if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_giftcards"]:
+                raise PermissionDenied("No permission to access gift card details.")
+
             self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context)
             if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
                 self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context)
@@ -77,6 +80,8 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
+            # No additional permission check performed, documented limitation of the permission system
+            # Would get to complex/unusable otherwise since the permission depends on the event
             self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
         else:
             self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -86,6 +91,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'customer' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_customers"]:
+                raise PermissionDenied("No permission to access customer details.")
+
             self.fields['customer'] = CustomerSerializer(read_only=True)
         else:
             self.fields['customer'] = serializers.SlugRelatedField(

src/pretix/api/serializers/order.py

@@ -191,7 +191,7 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
                                     {"transmission_info": {r: "This field is required for the selected type of invoice transmission."}}
                                 )
                     break  # do not call else branch of for loop
-                elif t.exclusive:
+                elif t.is_exclusive(self.context["request"].event, data.get("country"), data.get("is_business")):
                     if t.is_available(self.context["request"].event, data.get("country"), data.get("is_business")):
                         raise ValidationError({
                             "transmission_type": "The transmission type '%s' must be used for this country or address type." % (
@@ -613,7 +613,7 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
             # /events/…/checkinlists/…/positions/
             # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
             # layer to not set pdf_data=true in the first place.
-            request and hasattr(request, 'eventpermset') and 'can_view_orders' not in request.eventpermset
+            request and hasattr(request, 'eventpermset') and 'event.orders:read' not in request.eventpermset
         )
         if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
             self.fields.pop('pdf_data', None)
@@ -704,6 +704,16 @@ class CheckinListOrderPositionSerializer(OrderPositionSerializer):
         if 'answers.question' in self.context['expand']:
             self.fields['answers'].child.fields['question'] = QuestionSerializer(read_only=True)
 
+        if 'addons' in self.context['expand']:
+            # Experimental feature, undocumented on purpose for now in case we need to remove it again
+            # for performance reasons
+            subl = CheckinListOrderPositionSerializer(read_only=True, many=True, context={
+                **self.context,
+                'expand': [v for v in self.context['expand'] if v != 'addons'],
+                'pdf_data': False,
+            })
+            self.fields['addons'] = subl
+
 
 class OrderPaymentTypeField(serializers.Field):
     # TODO: Remove after pretix 2.2

src/pretix/api/serializers/organizer.py

@@ -45,12 +45,19 @@ from pretix.base.models import (
     SalesChannel, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
 )
 from pretix.base.models.seating import SeatingPlanLayoutValidator
+from pretix.base.permissions import (
+    get_all_event_permission_groups, get_all_organizer_permission_groups,
+)
 from pretix.base.plugins import (
     PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
     PLUGIN_LEVEL_ORGANIZER,
 )
 from pretix.base.services.mail import SendMailException, mail
 from pretix.base.settings import validate_organizer_settings
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_EVENT_MIGRATION,
+    OLD_TO_NEW_ORGANIZER_COMPAT, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
 from pretix.helpers.urls import build_absolute_uri as build_global_uri
 from pretix.multidomain.urlreverse import build_absolute_uri
 
@@ -306,23 +313,128 @@ class EventSlugField(serializers.SlugRelatedField):
         return self.context['organizer'].events.all()
 
 
+class PermissionMultipleChoiceField(serializers.MultipleChoiceField):
+    def to_internal_value(self, data):
+        return {
+            p: True for p in super().to_internal_value(data)
+        }
+
+    def to_representation(self, value):
+        return [p for p, v in value.items() if v]
+
+
 class TeamSerializer(serializers.ModelSerializer):
     limit_events = EventSlugField(slug_field='slug', many=True)
+    limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+    limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+
+    # Legacy fields, handled in to_representation and validate
+    can_change_event_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_items = serializers.BooleanField(required=False, write_only=True)
+    can_view_orders = serializers.BooleanField(required=False, write_only=True)
+    can_change_orders = serializers.BooleanField(required=False, write_only=True)
+    can_checkin_orders = serializers.BooleanField(required=False, write_only=True)
+    can_view_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_change_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_create_events = serializers.BooleanField(required=False, write_only=True)
+    can_change_organizer_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_teams = serializers.BooleanField(required=False, write_only=True)
+    can_manage_gift_cards = serializers.BooleanField(required=False, write_only=True)
+    can_manage_customers = serializers.BooleanField(required=False, write_only=True)
+    can_manage_reusable_media = serializers.BooleanField(required=False, write_only=True)
 
     class Meta:
         model = Team
         fields = (
-            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
-            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
-            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
-            'can_change_vouchers', 'can_checkin_orders', 'can_manage_customers', 'can_manage_reusable_media'
+            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions',
+            'all_organizer_permissions', 'limit_organizer_permissions', 'can_change_event_settings',
+            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_checkin_orders', 'can_view_vouchers',
+            'can_change_vouchers', 'can_create_events', 'can_change_organizer_settings', 'can_change_teams',
+            'can_manage_gift_cards', 'can_manage_customers', 'can_manage_reusable_media'
         )
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        event_perms_flattened = []
+        organizer_perms_flattened = []
+        for pg in get_all_event_permission_groups().values():
+            for action in pg.actions:
+                event_perms_flattened.append(f"{pg.name}:{action}")
+        for pg in get_all_organizer_permission_groups().values():
+            for action in pg.actions:
+                organizer_perms_flattened.append(f"{pg.name}:{action}")
+
+        self.fields['limit_event_permissions'].choices = [(p, p) for p in event_perms_flattened]
+        self.fields['limit_organizer_permissions'].choices = [(p, p) for p in organizer_perms_flattened]
+
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        for old, new in OLD_TO_NEW_EVENT_COMPAT.items():
+            r[old] = instance.all_event_permissions or all(instance.limit_event_permissions.get(n) for n in new)
+        for old, new in OLD_TO_NEW_ORGANIZER_COMPAT.items():
+            r[old] = instance.all_organizer_permissions or all(instance.limit_organizer_permissions.get(n) for n in new)
+        return r
+
     def validate(self, data):
+        old_data_set = any(k.startswith("can_") for k in data)
+        new_data_set = any(k in data for k in [
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+        if old_data_set and new_data_set:
+            raise ValidationError("You cannot set deprecated and current permission attributes at the same time.")
+
         full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
         full_data.update(data)
+
+        if new_data_set:
+            if full_data.get('limit_event_permissions') and full_data.get('all_event_permissions'):
+                raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.')
+            if full_data.get('limit_organizer_permissions') and full_data.get('all_organizer_permissions'):
+                raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.')
+
+        if old_data_set:
+            # Migrate with same logic as in migration 0297_pluggable_permissions
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_event_permissions"] = True
+                data["limit_event_permissions"] = {}
+            else:
+                data["all_event_permissions"] = False
+                data["limit_event_permissions"] = {}
+                for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_event_permissions"].update({kk: True for kk in v})
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_organizer_permissions"] = True
+                data["limit_organizer_permissions"] = {}
+            else:
+                data["all_organizer_permissions"] = False
+                data["limit_organizer_permissions"] = {}
+                for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_organizer_permissions"].update({kk: True for kk in v})
+
         if full_data.get('limit_events') and full_data.get('all_events'):
             raise ValidationError('Do not set both limit_events and all_events.')
+
+        full_data.update(data)
+        for pg in get_all_event_permission_groups().values():
+            requested = ",".join(sorted(
+                a for a in pg.actions if self.instance and full_data["limit_event_permissions"].get(f"{pg.name}:{a}")
+            ))
+            if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
+                possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
+                raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
+                                      f"'{possible}' but you tried to set '{requested}'.")
+        for pg in get_all_organizer_permission_groups().values():
+            requested = ",".join(sorted(
+                a for a in pg.actions if self.instance and full_data["limit_organizer_permissions"].get(f"{pg.name}:{a}")
+            ))
+            if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
+                possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
+                raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
+                                      f"'{possible}' but you tried to set '{requested}'.")
+
         return data
 
 
@@ -339,7 +451,7 @@ class DeviceSerializer(serializers.ModelSerializer):
     created = serializers.DateTimeField(read_only=True)
     revoked = serializers.BooleanField(read_only=True)
     initialized = serializers.DateTimeField(read_only=True)
-    initialization_token = serializers.DateTimeField(read_only=True)
+    initialization_token = serializers.CharField(read_only=True)
     security_profile = serializers.ChoiceField(choices=[], required=False, default="full")
 
     class Meta:
@@ -353,6 +465,8 @@ class DeviceSerializer(serializers.ModelSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['security_profile'].choices = [(k, v.verbose_name) for k, v in get_all_security_profiles().items()]
+        if not self.context['can_see_tokens']:
+            del self.fields['initialization_token']
 
 
 class TeamInviteSerializer(serializers.ModelSerializer):
@@ -439,7 +553,10 @@ class TeamMemberSerializer(serializers.ModelSerializer):
 
 
 class OrganizerSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'organizer.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets stored in the settings store
+        # should not be included!
         'customer_accounts',
         'customer_accounts_native',
         'customer_accounts_link_by_email',

src/pretix/api/serializers/settings.py

@@ -37,6 +37,8 @@ logger = logging.getLogger(__name__)
 class SettingsSerializer(serializers.Serializer):
     default_fields = []
     readonly_fields = []
+    default_write_permission = 'organizer.settings.general:write'
+    write_permission_required = {}
 
     def __init__(self, *args, **kwargs):
         self.changed_data = []
@@ -58,9 +60,17 @@ class SettingsSerializer(serializers.Serializer):
             f._label = str(form_kwargs.get('label', fname))
             f._help_text = str(form_kwargs.get('help_text'))
             f.parent = self
+
+            self.write_permission_required[fname] = DEFAULTS[fname].get('write_permission', self.default_write_permission)
+
             self.fields[fname] = f
 
     def validate(self, attrs):
+        for k in attrs.keys():
+            p = self.write_permission_required.get(k, self.default_write_permission)
+            if p not in self.context["permissions"]:
+                raise ValidationError({k: f"Setting this field requires permission {p}"})
+
         return {k: v for k, v in attrs.items() if k not in self.readonly_fields}
 
     def update(self, instance: HierarkeyProxy, validated_data):

src/pretix/api/views/cart.py

@@ -52,8 +52,8 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
     ordering = ('datetime',)
     ordering_fields = ('datetime', 'cart_id')
     lookup_field = 'id'
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return CartPosition.objects.filter(

src/pretix/api/views/checkin.py

@@ -118,11 +118,11 @@ class CheckinListViewSet(viewsets.ModelViewSet):
 
     def _get_permission_name(self, request):
         if request.path.endswith('/failed_checkins/'):
-            return 'can_checkin_orders', 'can_change_orders'
+            return 'event.orders:checkin', 'event.orders:write'
         elif request.method in SAFE_METHODS:
-            return 'can_view_orders', 'can_checkin_orders',
+            return 'event.orders:read', 'event.orders:checkin',
         else:
-            return 'can_change_event_settings'
+            return 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.checkin_lists.prefetch_related(
@@ -381,15 +381,21 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr
 
     qs = qs.filter(reduce(operator.or_, lists_qs))
 
+    prefetch_related = [
+        Prefetch(
+            lookup='checkins',
+            queryset=Checkin.objects.filter(list_id__in=[cl.pk for cl in checkinlists]).select_related('device')
+        ),
+        Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
+        'answers', 'answers__options', 'answers__question',
+    ]
+    select_related = [
+        'item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order', 'seat'
+    ]
+
     if pdf_data:
         qs = qs.prefetch_related(
-            Prefetch(
-                lookup='checkins',
-                queryset=Checkin.objects.filter(list_id__in=[cl.pk for cl in checkinlists]).select_related('device')
-            ),
-            Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
-            'answers', 'answers__options', 'answers__question',
-            Prefetch('addons', OrderPosition.objects.select_related('item', 'variation')),
+            # Don't add to list, we don't want to propagate to addons
             Prefetch('order', Order.objects.select_related('invoice_address').prefetch_related(
                 Prefetch(
                     'event',
@@ -404,32 +410,39 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr
                     )
                 )
             ))
-        ).select_related(
-            'item', 'variation', 'item__category', 'addon_to', 'order', 'order__invoice_address', 'seat'
         )
-    else:
-        qs = qs.prefetch_related(
-            Prefetch(
-                lookup='checkins',
-                queryset=Checkin.objects.filter(list_id__in=[cl.pk for cl in checkinlists]).select_related('device')
-            ),
-            Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
-            'answers', 'answers__options', 'answers__question',
-            Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
-        ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order', 'seat')
 
     if expand and 'subevent' in expand:
-        qs = qs.prefetch_related(
+        prefetch_related += [
             'subevent', 'subevent__event', 'subevent__subeventitem_set', 'subevent__subeventitemvariation_set',
             'subevent__seat_category_mappings', 'subevent__meta_values'
-        )
+        ]
 
     if expand and 'item' in expand:
-        qs = qs.prefetch_related('item', 'item__addons', 'item__bundles', 'item__meta_values',
-                                 'item__variations').select_related('item__tax_rule')
+        prefetch_related += [
+            'item', 'item__addons', 'item__bundles', 'item__meta_values',
+            'item__variations',
+        ]
+        select_related.append('item__tax_rule')
 
     if expand and 'variation' in expand:
-        qs = qs.prefetch_related('variation', 'variation__meta_values')
+        prefetch_related += [
+            'variation', 'variation__meta_values',
+        ]
+
+    if expand and 'addons' in expand:
+        prefetch_related += [
+            Prefetch('addons', OrderPosition.objects.prefetch_related(*prefetch_related).select_related(*select_related)),
+        ]
+    else:
+        prefetch_related += [
+            Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+        ]
+
+    if pdf_data:
+        select_related.remove("order")  # Don't need it twice on this queryset
+
+    qs = qs.prefetch_related(*prefetch_related).select_related(*select_related)
 
     return qs
 
@@ -457,7 +470,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
             'event': op.order.event,
             'pdf_data': pdf_data and (
                 user if user and user.is_authenticated else auth
-            ).has_event_permission(request.organizer, event, 'can_view_orders', request),
+            ).has_event_permission(request.organizer, event, 'event.orders:read', request),
         }
 
     common_checkin_args = dict(
@@ -822,8 +835,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     }
 
     filterset_class = CheckinOrderPositionFilter
-    permission = ('can_view_orders', 'can_checkin_orders')
-    write_permission = ('can_change_orders', 'can_checkin_orders')
+    permission = ('event.orders:read', 'event.orders:checkin')
+    write_permission = ('event.orders:write', 'event.orders:checkin')
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -854,7 +867,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             expand=self.request.query_params.getlist('expand'),
         )
 
-        if 'pk' not in self.request.resolver_match.kwargs and 'can_view_orders' not in self.request.eventpermset \
+        if 'pk' not in self.request.resolver_match.kwargs and 'event.orders:read' not in self.request.eventpermset \
                 and len(self.request.query_params.get('search', '')) < 3:
             qs = qs.none()
 
@@ -903,9 +916,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 class CheckinRPCRedeemView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -966,15 +979,16 @@ class CheckinRPCSearchView(ListAPIView):
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['expand'] = self.request.query_params.getlist('expand')
+        ctx['organizer'] = self.request.organizer
         ctx['pdf_data'] = False
         return ctx
 
     @cached_property
     def lists(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_view_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:read', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_view_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:read', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -991,9 +1005,9 @@ class CheckinRPCSearchView(ListAPIView):
     @cached_property
     def has_full_access_permission(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission('can_view_orders')
+            events = self.request.auth.get_events_with_permission('event.orders:read')
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
+            events = self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1020,9 +1034,9 @@ class CheckinRPCSearchView(ListAPIView):
 class CheckinRPCAnnulView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1100,7 +1114,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     filterset_class = CheckinFilter
     ordering = ('created', 'id')
     ordering_fields = ('created', 'datetime', 'id',)
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         qs = Checkin.all.filter().select_related(

src/pretix/api/views/discount.py

@@ -57,7 +57,7 @@ class DiscountViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.discounts.prefetch_related(

src/pretix/api/views/event.py

@@ -341,7 +341,7 @@ class CloneEventViewSet(viewsets.ModelViewSet):
     lookup_field = 'slug'
     lookup_url_kwarg = 'event'
     http_method_names = ['post']
-    write_permission = 'can_create_events'
+    write_permission = 'event.settings.general:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -350,6 +350,12 @@ class CloneEventViewSet(viewsets.ModelViewSet):
         return ctx
 
     def perform_create(self, serializer):
+        # Weird edge case: Requires settings permission on the event (to read) but also on the organizer (two write)
+        perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
+                       else self.request.user)
+        if not perm_holder.has_organizer_permission(self.request.organizer, "organizer.events:create", request=self.request):
+            raise PermissionDenied("No permission to create events")
+
         serializer.save(organizer=self.request.organizer)
 
         serializer.instance.log_action(
@@ -426,7 +432,7 @@ with scopes_disabled():
 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SubEventSerializer
     queryset = SubEvent.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.subevents:write'
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('date_from',)
     ordering_fields = ('id', 'date_from', 'last_modified')
@@ -546,7 +552,7 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
 class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = TaxRuleSerializer
     queryset = TaxRule.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.tax:write'
 
     def get_queryset(self):
         return self.request.event.tax_rules.all()
@@ -589,7 +595,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
 class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
     serializer_class = ItemMetaPropertiesSerializer
     queryset = ItemMetaProperty.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.item_meta_properties.all()
@@ -636,19 +642,18 @@ class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
 
 class EventSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         if isinstance(request.auth, Device):
             s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
-        elif 'can_change_event_settings' in request.eventpermset:
-            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         else:
-            raise PermissionDenied()
+            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
+                'request': request, 'permissions': request.eventpermset,
+            })
+
         if 'explain' in request.GET:
             return Response({
                 fname: {
@@ -662,7 +667,7 @@ class EventSettingsView(views.APIView):
 
     def patch(self, request, *wargs, **kwargs):
         s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
-                                    event=request.event, context={'request': request})
+                                    event=request.event, context={'request': request, 'permissions': request.eventpermset})
         s.is_valid(raise_exception=True)
         with transaction.atomic():
             s.save()
@@ -674,7 +679,7 @@ class EventSettingsView(views.APIView):
                 )
         s = EventSettingsSerializer(
             instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         return Response(s.data)
 
@@ -701,7 +706,7 @@ class SeatFilter(FilterSet):
 class SeatViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SeatSerializer
     queryset = Seat.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
     filter_backends = (DjangoFilterBackend, )
     filterset_class = SeatFilter
 

src/pretix/api/views/exporters.py

@@ -136,7 +136,7 @@ class ExportersMixin:
 
 
 class EventExportersViewSet(ExportersMixin, viewsets.ViewSet):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_serializer_kwargs(self):
         return {}
@@ -169,7 +169,7 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
             perm_holder = self.request.auth
         else:
             perm_holder = self.request.user
-        events = perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
+        events = perm_holder.get_events_with_permission('event.orders:read', request=self.request).filter(
             organizer=self.request.organizer
         )
         responses = register_multievent_data_exporters.send(self.request.organizer)
@@ -196,7 +196,7 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
         else:
             perm_holder = self.request.user
         return {
-            'events': perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
+            'events': perm_holder.get_events_with_permission('event.orders:read', request=self.request).filter(
                 organizer=self.request.organizer
             )
         }
@@ -222,11 +222,11 @@ class ScheduledExportersViewSet(viewsets.ModelViewSet):
 class ScheduledEventExportViewSet(ScheduledExportersViewSet):
     serializer_class = ScheduledEventExportSerializer
     queryset = ScheduledEventExport.objects.none()
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'can_change_event_settings',
+        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'event.settings.general:write',
                                                 request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.event.scheduled_exports.filter(owner=self.request.user)
@@ -291,7 +291,7 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings',
+        if not perm_holder.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write',
                                                     request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user)
@@ -324,9 +324,9 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
     @cached_property
     def events(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            return self.request.auth.get_events_with_permission('can_view_orders')
+            return self.request.auth.get_events_with_permission('event.orders:read')
         elif self.request.user.is_authenticated:
-            return self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
+            return self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
                 organizer=self.request.organizer
             )
 

src/pretix/api/views/item.py

@@ -99,7 +99,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering = ('position', 'id')
     filterset_class = ItemFilter
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.items.select_related('tax_rule').prefetch_related(
@@ -163,7 +163,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -234,7 +234,7 @@ class ItemBundleViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -286,7 +286,7 @@ class ItemProgramTimeViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -339,7 +339,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -398,7 +398,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.categories.all()
@@ -453,7 +453,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -497,7 +497,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
@@ -564,7 +564,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'size')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all()

src/pretix/api/views/media.py

@@ -62,8 +62,8 @@ with scopes_disabled():
 class ReusableMediaViewSet(viewsets.ModelViewSet):
     serializer_class = ReusableMediaSerializer
     queryset = ReusableMedium.objects.none()
-    permission = 'can_manage_reusable_media'
-    write_permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:read'
+    write_permission = 'organizer.reusablemedia:write'
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     ordering = ('-updated', '-id')
     ordering_fields = ('created', 'updated', 'identifier', 'type', 'id')
@@ -95,6 +95,8 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_read_giftcards'] = 'organizer.giftcards:read' in self.request.orgapermset
+        ctx['can_read_customers'] = 'organizer.customers:read' in self.request.orgapermset
         return ctx
 
     @transaction.atomic()

src/pretix/api/views/order.py

@@ -317,7 +317,7 @@ class OrderViewSetMixin:
 
 class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
     def get_base_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             return Order.objects.filter(
                 event__organizer=self.request.organizer,
@@ -338,8 +338,8 @@ class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
 
 
 class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -1078,8 +1078,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
     ordering = ('order__datetime', 'positionid')
     ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
     filterset_class = OrderPositionFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     ordering_custom = {
         'attendee_name': {
             '_order': F('display_name').asc(nulls_first=True),
@@ -1580,8 +1580,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
 class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderPaymentSerializer
     queryset = OrderPayment.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_serializer_context(self):
@@ -1757,8 +1757,8 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
 class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderRefundSerializer
     queryset = OrderRefund.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_queryset(self):
@@ -1915,13 +1915,18 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('nr',)
     ordering_fields = ('nr', 'date')
     filterset_class = InvoiceFilter
-    permission = 'can_view_orders'
     lookup_url_kwarg = 'number'
     lookup_field = 'nr'
-    write_permission = 'can_change_orders'
+
+    def _get_permission_name(self, request):
+        if 'event' in request.resolver_match.kwargs:
+            if request.method not in SAFE_METHODS:
+                return "event.orders:write"
+            return "event.orders:read"
+        return None  # org-level is handled by event__in check
 
     def get_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if getattr(self.request, 'event', None):
             qs = self.request.event.invoices
         elif isinstance(self.request.auth, (TeamAPIToken, Device)):
@@ -2031,7 +2036,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
         else:
             order = Order.objects.select_for_update(of=OF_SELF).get(pk=inv.order_id)
             c = generate_cancellation(inv)
-            if inv.order.status != Order.STATUS_CANCELED:
+            if invoice_qualified(order):
                 inv = generate_invoice(order)
             else:
                 inv = c
@@ -2062,8 +2067,8 @@ class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('-created',)
     ordering_fields = ('created', 'secret')
     filterset_class = RevokedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return RevokedTicketSecret.objects.filter(event=self.request.event)
@@ -2084,8 +2089,8 @@ class BlockedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('-updated', '-pk')
     filterset_class = BlockedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return BlockedTicketSecret.objects.filter(event=self.request.event)
@@ -2120,7 +2125,7 @@ class TransactionViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('datetime', 'pk')
     ordering_fields = ('datetime', 'created', 'id',)
     filterset_class = TransactionFilter
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         return Transaction.objects.filter(order__event=self.request.event).select_related("order")
@@ -2137,11 +2142,11 @@ class OrganizerTransactionViewSet(TransactionViewSet):
 
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             qs = qs.filter(
-                order__event__in=self.request.auth.get_events_with_permission("can_view_orders"),
+                order__event__in=self.request.auth.get_events_with_permission("event.orders:read"),
             )
         elif self.request.user.is_authenticated:
             qs = qs.filter(
-                order__event__in=self.request.user.get_events_with_permission("can_view_orders", request=self.request)
+                order__event__in=self.request.user.get_events_with_permission("event.orders:read", request=self.request)
             )
         else:
             raise PermissionDenied("Unknown authentication scheme")

src/pretix/api/views/organizer.py

@@ -70,7 +70,7 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
     filter_backends = (TotalOrderingFilter,)
     ordering = ('slug',)
     ordering_fields = ('name', 'slug')
-    write_permission = "can_change_organizer_settings"
+    write_permission = "organizer.settings.general:write"
 
     def get_queryset(self):
         if self.request.user.is_authenticated:
@@ -154,8 +154,8 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
 class SeatingPlanViewSet(viewsets.ModelViewSet):
     serializer_class = SeatingPlanSerializer
     queryset = SeatingPlan.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = None
+    write_permission = 'organizer.seatingplans:write'
 
     def get_queryset(self):
         return self.request.organizer.seating_plans.order_by('name')
@@ -221,8 +221,8 @@ with scopes_disabled():
 class GiftCardViewSet(viewsets.ModelViewSet):
     serializer_class = GiftCardSerializer
     queryset = GiftCard.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = GiftCardFilter
 
@@ -323,8 +323,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
 class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = GiftCardTransactionSerializer
     queryset = GiftCardTransaction.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
 
     @cached_property
     def giftcard(self):
@@ -341,8 +341,8 @@ class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
 class TeamViewSet(viewsets.ModelViewSet):
     serializer_class = TeamSerializer
     queryset = Team.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     def get_queryset(self):
         return self.request.organizer.teams.order_by('pk')
@@ -381,8 +381,8 @@ class TeamViewSet(viewsets.ModelViewSet):
 class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamMemberSerializer
     queryset = User.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -410,8 +410,8 @@ class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
 class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamInviteSerializer
     queryset = TeamInvite.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -447,8 +447,8 @@ class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyMo
 class TeamAPITokenViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamAPITokenSerializer
     queryset = TeamAPIToken.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -511,8 +511,8 @@ class DeviceViewSet(mixins.CreateModelMixin,
                     GenericViewSet):
     serializer_class = DeviceSerializer
     queryset = Device.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
+    write_permission = 'organizer.devices:write'
     lookup_field = 'device_id'
 
     def get_queryset(self):
@@ -521,6 +521,9 @@ class DeviceViewSet(mixins.CreateModelMixin,
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_see_tokens'] = (
+            self.request.user if self.request.user and self.request.user.is_authenticated else self.request.auth
+        ).has_organizer_permission(self.request.organizer, 'organizer.devices:write', request=self.request)
         return ctx
 
     @transaction.atomic()
@@ -547,11 +550,11 @@ class DeviceViewSet(mixins.CreateModelMixin,
 
 class OrganizerSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_organizer_settings'
+    write_permission = 'organizer.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         if 'explain' in request.GET:
             return Response({
@@ -568,7 +571,7 @@ class OrganizerSettingsView(views.APIView):
         s = OrganizerSettingsSerializer(
             instance=request.organizer.settings, data=request.data, partial=True,
             organizer=request.organizer, context={
-                'request': request
+                'request': request, 'permissions': request.orgapermset
             }
         )
         s.is_valid(raise_exception=True)
@@ -580,7 +583,7 @@ class OrganizerSettingsView(views.APIView):
                 }
             )
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         return Response(s.data)
 
@@ -597,7 +600,8 @@ with scopes_disabled():
 class CustomerViewSet(viewsets.ModelViewSet):
     serializer_class = CustomerSerializer
     queryset = Customer.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     lookup_field = 'identifier'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = CustomerFilter
@@ -657,7 +661,7 @@ class CustomerViewSet(viewsets.ModelViewSet):
 class MembershipTypeViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipTypeSerializer
     queryset = MembershipType.objects.none()
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.organizer.membership_types.all()
@@ -714,7 +718,8 @@ with scopes_disabled():
 class MembershipViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipSerializer
     queryset = Membership.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = MembershipFilter
 
@@ -764,8 +769,8 @@ with scopes_disabled():
 class SalesChannelViewSet(viewsets.ModelViewSet):
     serializer_class = SalesChannelSerializer
     queryset = SalesChannel.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = SalesChannelFilter
     lookup_field = 'identifier'

src/pretix/api/views/shredders.py

@@ -204,7 +204,7 @@ class ShreddersMixin:
 
 
 class EventShreddersViewSet(ShreddersMixin, viewsets.ViewSet):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def get_serializer_kwargs(self):
         return {}

src/pretix/api/views/voucher.py

@@ -62,8 +62,8 @@ class VoucherViewSet(viewsets.ModelViewSet):
     ordering = ('id',)
     ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
     filterset_class = VoucherFilter
-    permission = 'can_view_vouchers'
-    write_permission = 'can_change_vouchers'
+    permission = 'event.vouchers:read'
+    write_permission = 'event.vouchers:write'
 
     @scopes_disabled()  # we have an event check here, and we can save some performance on subqueries
     def get_queryset(self):

src/pretix/api/views/waitinglist.py

@@ -51,8 +51,8 @@ class WaitingListViewSet(viewsets.ModelViewSet):
     ordering = ('created', 'pk',)
     ordering_fields = ('id', 'created', 'email', 'item')
     filterset_class = WaitingListFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return self.request.event.waitinglistentries.all()

src/pretix/api/views/webhooks.py

@@ -35,8 +35,8 @@ class WebhookFilter(FilterSet):
 class WebHookViewSet(viewsets.ModelViewSet):
     serializer_class = WebHookSerializer
     queryset = WebHook.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = WebhookFilter
 

src/pretix/base/auth.py

@@ -224,7 +224,7 @@ class HistoryPasswordValidator:
         ).delete()
 
 
-def has_event_access_permission(request, permission='can_change_event_settings'):
+def has_event_access_permission(request, permission='event.settings.general:write'):
     return (
         request.user.is_authenticated and
         request.user.has_event_permission(request.organizer, request.event, permission, request=request)

src/pretix/base/exporter.py

@@ -184,7 +184,7 @@ class OrganizerLevelExportMixin:
         The permission level required to use this exporter. Only useful for organizer-level exports,
         not for event-level exports.
         """
-        return 'can_view_orders'
+        return 'event.orders:read'
 
 
 class ListExporter(BaseExporter):

src/pretix/base/exporters/customers.py

@@ -47,7 +47,7 @@ from ..signals import register_multievent_data_exporters
 class CustomerListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'customerlist'
     verbose_name = gettext_lazy('Customer accounts')
-    organizer_required_permission = 'can_manage_customers'
+    organizer_required_permission = 'organizer.customers:write'
     category = pgettext_lazy('export_category', 'Customer accounts')
     description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.')
 

src/pretix/base/exporters/orderlist.py

@@ -39,8 +39,8 @@ from zoneinfo import ZoneInfo
 from django import forms
 from django.conf import settings
 from django.db.models import (
-    Case, CharField, Count, DateTimeField, F, IntegerField, Max, Min, OuterRef,
-    Q, Subquery, Sum, When,
+    Case, CharField, Count, DateTimeField, Exists, F, IntegerField, Max, Min,
+    OuterRef, Q, Subquery, Sum, When,
 )
 from django.db.models.functions import Coalesce
 from django.dispatch import receiver
@@ -144,6 +144,18 @@ class OrderListExporter(MultiSheetListExporter):
         d = OrderedDict(d)
         if not self.is_multievent and not self.event.has_subevents:
             del d['event_date_range']
+        if not self.is_multievent:
+            d["items"] = forms.ModelMultipleChoiceField(
+                label=_("Products"),
+                queryset=self.event.items.all(),
+                widget=forms.CheckboxSelectMultiple(
+                    attrs={"class": "scrolling-multiple-choice"}
+                ),
+                help_text=_("If none are selected, all products are included. Orders are included if they contain "
+                            "at least one position of this product. The order totals etc. still include all products "
+                            "contained in the order."),
+                required=False,
+            )
         return d
 
     def _get_all_payment_methods(self, qs):
@@ -249,6 +261,14 @@ class OrderListExporter(MultiSheetListExporter):
             pcnt=Subquery(s, output_field=IntegerField())
         ).select_related('invoice_address', 'customer')
 
+        if form_data.get('items'):
+            qs = qs.filter(
+                Exists(OrderPosition.all.filter(
+                    order=OuterRef('pk'),
+                    item__in=form_data["items"]
+                ))
+            )
+
         qs = self._date_filter(qs, form_data, rel='')
 
         if form_data['paid_only']:
@@ -364,7 +384,7 @@ class OrderListExporter(MultiSheetListExporter):
                     order.invoice_address.city,
                     order.invoice_address.country if order.invoice_address.country else
                     order.invoice_address.country_old,
-                    order.invoice_address.state,
+                    order.invoice_address.state_for_address,
                     order.invoice_address.custom_field,
                     order.invoice_address.vat_id,
                 ]
@@ -440,6 +460,14 @@ class OrderListExporter(MultiSheetListExporter):
         if form_data['paid_only']:
             qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
 
+        if form_data.get('items'):
+            qs = qs.filter(
+                Exists(OrderPosition.all.filter(
+                    order=OuterRef('order'),
+                    item__in=form_data["items"]
+                ))
+            )
+
         qs = self._date_filter(qs, form_data, rel='order__')
         return qs
 
@@ -515,7 +543,7 @@ class OrderListExporter(MultiSheetListExporter):
                     order.invoice_address.city,
                     order.invoice_address.country if order.invoice_address.country else
                     order.invoice_address.country_old,
-                    order.invoice_address.state,
+                    order.invoice_address.state_for_address,
                     order.invoice_address.vat_id,
                 ]
             except InvoiceAddress.DoesNotExist:
@@ -535,6 +563,11 @@ class OrderListExporter(MultiSheetListExporter):
         if form_data['paid_only']:
             qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
 
+        if form_data.get('items'):
+            qs = qs.filter(
+                item__in=form_data["items"]
+            )
+
         qs = self._date_filter(qs, form_data, rel='order__')
         return qs
 
@@ -617,6 +650,7 @@ class OrderListExporter(MultiSheetListExporter):
             _('Country'),
             pgettext('address', 'State'),
             _('Voucher'),
+            _('Voucher budget usage'),
             _('Pseudonymization ID'),
             _('Ticket secret'),
             _('Seat ID'),
@@ -732,8 +766,9 @@ class OrderListExporter(MultiSheetListExporter):
                     op.zipcode or '',
                     op.city or '',
                     op.country if op.country else '',
-                    op.state or '',
+                    op.state_for_address or '',
                     op.voucher.code if op.voucher else '',
+                    op.voucher_budget_use if op.voucher_budget_use else '',
                     op.pseudonymization_id,
                     op.secret,
                 ]
@@ -797,7 +832,7 @@ class OrderListExporter(MultiSheetListExporter):
                         order.invoice_address.city,
                         order.invoice_address.country if order.invoice_address.country else
                         order.invoice_address.country_old,
-                        order.invoice_address.state,
+                        order.invoice_address.state_for_address,
                         order.invoice_address.vat_id,
                     ]
                 except InvoiceAddress.DoesNotExist:
@@ -1200,7 +1235,7 @@ class QuotaListExporter(ListExporter):
 class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardtransactionlist'
     verbose_name = gettext_lazy('Gift card transactions')
-    organizer_required_permission = 'can_manage_gift_cards'
+    organizer_required_permission = 'organizer.giftcards:write'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift card transactions.')
     repeatable_read = False
@@ -1307,7 +1342,7 @@ class GiftcardRedemptionListExporter(ListExporter):
 class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardlist'
     verbose_name = gettext_lazy('Gift cards')
-    organizer_required_permission = 'can_manage_gift_cards'
+    organizer_required_permission = 'organizer.giftcards:write'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.')
 

src/pretix/base/forms/questions.py

@@ -1417,7 +1417,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):
 
                 self.instance.transmission_type = transmission_type.identifier
                 self.instance.transmission_info = transmission_type.form_data_to_transmission_info(data)
-            elif transmission_type.exclusive:
+            elif transmission_type.is_exclusive(self.event, data.get("country"), data.get("is_business")):
                 if transmission_type.is_available(self.event, data.get("country"), data.get("is_business")):
                     raise ValidationError({
                         "transmission_type": "The transmission type '%s' must be used for this country or address type." % (

src/pretix/base/i18n.py

@@ -141,7 +141,7 @@ def get_babel_locale():
 
     for locale in try_locales:
         if localedata.exists(locale):
-            return locale
+            return localedata.normalize_locale(locale)
 
     return "en"
 

src/pretix/base/invoicing/national.py

@@ -36,9 +36,11 @@ class ItalianSdITransmissionType(TransmissionType):
     identifier = "it_sdi"
     verbose_name = pgettext_lazy("italian_invoice", "Italian Exchange System (SdI)")
     public_name = pgettext_lazy("italian_invoice", "Exchange System (SdI)")
-    exclusive = True
     enforce_transmission = True
 
+    def is_exclusive(self, event, country: Country, is_business: bool) -> bool:
+        return str(country) == "IT"
+
     def is_available(self, event, country: Country, is_business: bool):
         return str(country) == "IT" and super().is_available(event, country, is_business)
 

src/pretix/base/invoicing/peppol.py

@@ -179,6 +179,12 @@ class PeppolTransmissionType(TransmissionType):
     def is_available(self, event, country: Country, is_business: bool):
         return is_business and super().is_available(event, country, is_business)
 
+    def is_exclusive(self, event, country: Country, is_business: bool) -> bool:
+        if is_business and str(country) == "BE" and event and event.settings.invoice_address_from_country == "BE":
+            # Peppol is required to be used for intra-Belgian B2B invoices
+            return True
+        return False
+
     @property
     def invoice_address_form_fields(self) -> dict:
         return {

src/pretix/base/invoicing/transmission.py

@@ -58,15 +58,6 @@ class TransmissionType:
         """
         return 100
 
-    @property
-    def exclusive(self) -> bool:
-        """
-        If a transmission type is exclusive, no other type can be chosen if this type is
-        available. Use e.g. if a certain transmission type is legally required in a certain
-        jurisdiction.
-        """
-        return False
-
     @property
     def enforce_transmission(self) -> bool:
         """
@@ -82,6 +73,15 @@ class TransmissionType:
             for provider, _ in providers
         )
 
+    def is_exclusive(self, event, country: Country, is_business: bool) -> bool:
+        """
+        If a transmission type is exclusive, no other type can be chosen if this type is
+        available. Use e.g. if a certain transmission type is legally required in a certain
+        jurisdiction. Event can be None in organizer-level contexts. Exclusiveness has no effect if
+        the type is not available.
+        """
+        return False
+
     def invoice_address_form_fields_required(self, country: Country, is_business: bool):
         return set()
 

src/pretix/base/migrations/0297_pluggable_permissions.py

@@ -0,0 +1,129 @@
+from django.db import migrations, models
+
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_MIGRATION, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
+
+
+def migrate_teams_forward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        if all(getattr(team, k) for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+            team.all_event_permissions = True
+            team.limit_event_permissions = {}
+        else:
+            team.all_event_permissions = False
+            for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_event_permissions.update({kk: True for kk in v})
+
+        if all(getattr(team, k) for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys()):
+            team.all_organizer_permissions = True
+            team.limit_organizer_permissions = {}
+        else:
+            team.all_organizer_permissions = False
+            for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_organizer_permissions.update({kk: True for kk in v})
+
+        team.save(update_fields=[
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+
+
+def migrate_teams_backward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+            setattr(team, k, team.all_event_permissions or all(team.limit_event_permissions.get(kk) for kk in v))
+        for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+            setattr(team, k, team.all_organizer_permissions or all(team.limit_organizer_permissions.get(kk) for kk in v))
+        team.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0296_invoice_invoice_from_state"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="team",
+            name="all_event_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="all_organizer_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_event_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_organizer_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.RunPython(
+            migrate_teams_forward,
+            migrate_teams_backward,
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_event_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_items",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_organizer_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_teams",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_vouchers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_checkin_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_create_events",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_customers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_gift_cards",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_reusable_media",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_vouchers",
+        ),
+    ]

src/pretix/base/models/auth.py

@@ -472,7 +472,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_event(organizer, event)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.event_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -486,7 +486,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_organizer(organizer)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.organizer_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -501,7 +501,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: The current request (optional)
         :param session_key: The current session key (optional)
         :return: bool
@@ -513,8 +513,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         if teams:
             self._teamcache['e{}'.format(event.pk)] = teams
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_event_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_event_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -524,7 +524,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: The current request (optional). Required to detect staff sessions properly.
         :return: bool
         """
@@ -533,8 +533,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         teams = self._get_teams_for_organizer(organizer)
         if teams:
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_organizer_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_organizer_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -565,14 +565,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Events
         """
         from .event import Event
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Event.objects.all()
 
         if isinstance(permission, (tuple, list)):
-            q = reduce(operator.or_, [Q(**{p: True}) for p in permission])
+            q = reduce(operator.or_, [TeamQuerySet.event_permission_q(p) for p in permission])
         else:
-            q = Q(**{permission: True})
+            q = TeamQuerySet.event_permission_q(permission)
 
         return Event.objects.filter(
             Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True))
@@ -605,14 +606,13 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Organizers
         """
         from .event import Organizer
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Organizer.objects.all()
 
-        kwargs = {permission: True}
-
         return Organizer.objects.filter(
-            id__in=self.teams.filter(**kwargs).values_list('organizer', flat=True)
+            id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
         )
 
     def has_active_staff_session(self, session_key=None):

src/pretix/base/models/customers.py

@@ -349,7 +349,7 @@ class AttendeeProfile(models.Model):
     def state_name(self):
         sd = pycountry.subdivisions.get(code='{}-{}'.format(self.country, self.state))
         if sd:
-            return sd.name
+            return _(sd.name)
         return self.state
 
     @property

src/pretix/base/models/devices.py

@@ -189,13 +189,19 @@ class Device(LoggedModel):
                 kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields'])
         super().save(*args, **kwargs)
 
-    def permission_set(self) -> set:
+    def _event_permission_set(self) -> set:
         return {
-            'can_view_orders',
-            'can_change_orders',
-            'can_view_vouchers',
-            'can_manage_gift_cards',
-            'can_manage_reusable_media',
+            'event.orders:read',
+            'event.orders:write',
+            'event.vouchers:read',
+        }
+
+    def _organizer_permission_set(self) -> set:
+        return {
+            'organizer.giftcards:read',
+            'organizer.giftcards:write',
+            'organizer.reusablemedia:read',
+            'organizer.reusablemedia:write',
         }
 
     def get_event_permission_set(self, organizer, event) -> set:
@@ -209,7 +215,7 @@ class Device(LoggedModel):
         has_event_access = (self.all_events and organizer == self.organizer) or (
             event in self.limit_events.all()
         )
-        return self.permission_set() if has_event_access else set()
+        return self._event_permission_set() if has_event_access else set()
 
     def get_organizer_permission_set(self, organizer) -> set:
         """
@@ -218,7 +224,7 @@ class Device(LoggedModel):
         :param organizer: The organizer of the event
         :return: set of permissions
         """
-        return self.permission_set() if self.organizer == organizer else set()
+        return self._organizer_permission_set() if self.organizer == organizer else set()
 
     def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
@@ -227,7 +233,7 @@ class Device(LoggedModel):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
@@ -235,8 +241,8 @@ class Device(LoggedModel):
             event in self.limit_events.all()
         )
         if isinstance(perm_name, (tuple, list)):
-            return has_event_access and any(p in self.permission_set() for p in perm_name)
-        return has_event_access and (not perm_name or perm_name in self.permission_set())
+            return has_event_access and any(p in self._event_permission_set() for p in perm_name)
+        return has_event_access and (not perm_name or perm_name in self._event_permission_set())
 
     def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
@@ -244,13 +250,13 @@ class Device(LoggedModel):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         if isinstance(perm_name, (tuple, list)):
-            return organizer == self.organizer and any(p in self.permission_set() for p in perm_name)
-        return organizer == self.organizer and (not perm_name or perm_name in self.permission_set())
+            return organizer == self.organizer and any(p in self._organizer_permission_set() for p in perm_name)
+        return organizer == self.organizer and (not perm_name or perm_name in self._organizer_permission_set())
 
     def get_events_with_any_permission(self):
         """
@@ -271,8 +277,8 @@ class Device(LoggedModel):
         :return: Iterable of Events
         """
         if (
-                isinstance(permission, (list, tuple)) and any(p in self.permission_set() for p in permission)
-        ) or (isinstance(permission, str) and permission in self.permission_set()):
+            isinstance(permission, (list, tuple)) and any(p in self._event_permission_set() for p in permission)
+        ) or (isinstance(permission, str) and permission in self._event_permission_set()):
             return self.get_events_with_any_permission()
         else:
             return self.organizer.events.none()

src/pretix/base/models/event.py

@@ -1386,14 +1386,13 @@ class Event(EventMixin, LoggedModel):
         from .auth import User
 
         if permission:
-            kwargs = {permission: True}
+            qs = Team.objects.with_event_permission(permission)
         else:
-            kwargs = {}
+            qs = Team.objects.all()
 
-        team_with_perm = Team.objects.filter(
+        team_with_perm = qs.filter(
             members__pk=OuterRef('pk'),
             organizer=self.organizer,
-            **kwargs
         ).filter(
             Q(all_events=True) | Q(limit_events__pk=self.pk)
         )

src/pretix/base/models/items.py

@@ -594,10 +594,11 @@ class Item(LoggedModel):
         on_delete=models.SET_NULL,
         verbose_name=_("Only show after sellout of"),
         help_text=_("If you select a product here, this product will only be shown when that product is "
-                    "sold out. If combined with the option to hide sold-out products, this allows you to "
-                    "swap out products for more expensive ones once the cheaper option is sold out. There might "
-                    "be a short period in which both products are visible while all tickets of the referenced "
-                    "product are reserved, but not yet sold.")
+                    "no longer available. This will happen either because the other product has sold out or because "
+                    "the time is outside of the sales window for the other product. If combined with the option "
+                    "to hide sold-out products, this allows you to swap out products for more expensive ones once "
+                    "the cheaper option is sold out. There might be a short period in which both products are visible "
+                    "while all tickets of the referenced product are reserved, but not yet sold.")
     )
     hidden_if_item_available_mode = models.CharField(
         choices=UNAVAIL_MODES,

src/pretix/base/models/orders.py

@@ -1675,7 +1675,7 @@ class AbstractPosition(RoundingCorrectionMixin, models.Model):
     def state_name(self):
         sd = pycountry.subdivisions.get(code='{}-{}'.format(self.country, self.state))
         if sd:
-            return sd.name
+            return _(sd.name)
         return self.state
 
     @property
@@ -3480,7 +3480,7 @@ class InvoiceAddress(models.Model):
     def state_name(self):
         sd = pycountry.subdivisions.get(code='{}-{}'.format(self.country, self.state))
         if sd:
-            return sd.name
+            return _(sd.name)
         return self.state
 
     @property

src/pretix/base/models/organizer.py

@@ -31,9 +31,10 @@
 # Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.
-
+import operator
 import string
 from datetime import date, datetime, time
+from functools import reduce
 
 import pytz_deprecation_shim
 from django.conf import settings
@@ -53,6 +54,10 @@ from i18nfield.strings import LazyI18nString
 from pretix.base.models.base import LoggedModel
 from pretix.base.validators import OrganizerSlugBanlistValidator
 
+from ...helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_ORGANIZER_COMPAT,
+    LegacyPermissionProperty,
+)
 from ..settings import settings_hierarkey
 from .auth import User
 
@@ -309,6 +314,32 @@ def generate_api_token():
     return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
 
 
+class TeamQuerySet(models.QuerySet):
+    @classmethod
+    def event_permission_q(cls, perm_name):
+        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT:  # legacy
+            return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
+        return (
+            Q(all_event_permissions=True) |
+            Q(**{f'limit_event_permissions__{perm_name}': True})
+        )
+
+    @classmethod
+    def organizer_permission_q(cls, perm_name):
+        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT:  # legacy
+            return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
+        return (
+            Q(all_organizer_permissions=True) |
+            Q(**{f'limit_organizer_permissions__{perm_name}': True})
+        )
+
+    def with_event_permission(self, perm_name):
+        return self.filter(self.event_permission_q(perm_name))
+
+    def with_organizer_permission(self, perm_name):
+        return self.filter(self.organizer_permission_q(perm_name))
+
+
 class Team(LoggedModel):
     """
     A team is a collection of people given certain access rights to one or more events of an organizer.
@@ -321,36 +352,10 @@ class Team(LoggedModel):
     :param all_events: Whether this team has access to all events of this organizer
     :type all_events: bool
     :param limit_events: A set of events this team has access to. Irrelevant if ``all_events`` is ``True``.
-    :param can_create_events: Whether or not the members can create new events with this organizer account.
-    :type can_create_events: bool
-    :param can_change_teams: If ``True``, the members can change the teams of this organizer account.
-    :type can_change_teams: bool
-    :param can_manage_customers: If ``True``, the members can view and change organizer-level customer accounts.
-    :type can_manage_customers: bool
-    :param can_manage_reusable_media: If ``True``, the members can view and change organizer-level reusable media.
-    :type can_manage_reusable_media: bool
-    :param can_change_organizer_settings: If ``True``, the members can change the settings of this organizer account.
-    :type can_change_organizer_settings: bool
-    :param can_change_event_settings: If ``True``, the members can change the settings of the associated events.
-    :type can_change_event_settings: bool
-    :param can_change_items: If ``True``, the members can change and add items and related objects for the associated events.
-    :type can_change_items: bool
-    :param can_view_orders: If ``True``, the members can inspect details of all orders of the associated events.
-    :type can_view_orders: bool
-    :param can_change_orders: If ``True``, the members can change details of orders of the associated events.
-    :type can_change_orders: bool
-    :param can_checkin_orders: If ``True``, the members can perform check-in related actions.
-    :type can_checkin_orders: bool
-    :param can_view_vouchers: If ``True``, the members can inspect details of all vouchers of the associated events.
-    :type can_view_vouchers: bool
-    :param can_change_vouchers: If ``True``, the members can change and create vouchers for the associated events.
-    :type can_change_vouchers: bool
     """
     organizer = models.ForeignKey(Organizer, related_name="teams", on_delete=models.CASCADE)
     name = models.CharField(max_length=190, verbose_name=_("Team name"))
     members = models.ManyToManyField(User, related_name="teams", verbose_name=_("Team members"))
-    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
-    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
     require_2fa = models.BooleanField(
         default=False, verbose_name=_("Require all members of this team to use two-factor authentication"),
         help_text=_("If you turn this on, all members of the team will be required to either set up two-factor "
@@ -358,62 +363,33 @@ class Team(LoggedModel):
                     "all users.")
     )
 
-    can_create_events = models.BooleanField(
-        default=False,
-        verbose_name=_("Can create events"),
-    )
-    can_change_teams = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change teams and permissions"),
-    )
-    can_change_organizer_settings = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change organizer settings"),
-        help_text=_('Someone with this setting can get access to most data of all of your events, i.e. via privacy '
-                    'reports, so be careful who you add to this team!')
-    )
-    can_manage_customers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage customer accounts")
-    )
-    can_manage_reusable_media = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage reusable media")
-    )
-    can_manage_gift_cards = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage gift cards")
-    )
-    can_change_event_settings = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change event settings")
-    )
-    can_change_items = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change product settings")
-    )
-    can_view_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can view orders")
-    )
-    can_change_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change orders")
-    )
-    can_checkin_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can perform check-ins"),
-        help_text=_('This includes searching for attendees, which can be used to obtain personal information about '
-                    'attendees. Users with "can change orders" can also perform check-ins.')
-    )
-    can_view_vouchers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can view vouchers")
-    )
-    can_change_vouchers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change vouchers")
-    )
+    # Scope
+    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
+    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+
+    # Permissions
+    # We store them as {key: True} instead of [key] because otherwise not all lookups we need are supported on SQLite
+    all_event_permissions = models.BooleanField(default=False, verbose_name=_("All event permissions"))
+    limit_event_permissions = models.JSONField(default=dict, verbose_name=_("Event permissions"))
+    all_organizer_permissions = models.BooleanField(default=False, verbose_name=_("All organizer permissions"))
+    limit_organizer_permissions = models.JSONField(default=dict, verbose_name=_("Organizer permissions"))
+
+    # Legacy lookups for plugin compatibility
+    can_change_event_settings = LegacyPermissionProperty()
+    can_change_items = LegacyPermissionProperty()
+    can_view_orders = LegacyPermissionProperty()
+    can_change_orders = LegacyPermissionProperty()
+    can_checkin_orders = LegacyPermissionProperty()
+    can_view_vouchers = LegacyPermissionProperty()
+    can_change_vouchers = LegacyPermissionProperty()
+    can_create_events = LegacyPermissionProperty()
+    can_change_organizer_settings = LegacyPermissionProperty()
+    can_change_teams = LegacyPermissionProperty()
+    can_manage_gift_cards = LegacyPermissionProperty()
+    can_manage_customers = LegacyPermissionProperty()
+    can_manage_reusable_media = LegacyPermissionProperty()
+
+    objects = TeamQuerySet.as_manager()
 
     def __str__(self) -> str:
         return _("%(name)s on %(object)s") % {
@@ -421,21 +397,53 @@ class Team(LoggedModel):
             'object': str(self.organizer),
         }
 
-    def permission_set(self) -> set:
-        attribs = dir(self)
-        return {
-            a for a in attribs if a.startswith('can_') and self.has_permission(a)
-        }
+    def event_permission_set(self, include_legacy=True) -> set:
+        from ..permissions import get_all_event_permission_groups
+
+        result = set()
+        for pg in get_all_event_permission_groups().values():
+            for action in pg.actions:
+                if self.all_event_permissions or self.limit_event_permissions.get(f"{pg.name}:{action}"):
+                    result.add(f"{pg.name}:{action}")
+
+        if include_legacy:
+            # Add legacy permissions as well for plugin compatibility
+            for k, v in OLD_TO_NEW_EVENT_COMPAT.items():
+                if self.all_event_permissions or all(self.limit_event_permissions.get(kk) for kk in v):
+                    result.add(k)
+
+        return result
+
+    def organizer_permission_set(self, include_legacy=True) -> set:
+        from ..permissions import get_all_organizer_permission_groups
+
+        result = set()
+        for pg in get_all_organizer_permission_groups().values():
+            for action in pg.actions:
+                if self.all_organizer_permissions or self.limit_organizer_permissions.get(f"{pg.name}:{action}"):
+                    result.add(f"{pg.name}:{action}")
+
+        if include_legacy:
+            # Add legacy permissions as well for plugin compatibility
+            for k, v in OLD_TO_NEW_ORGANIZER_COMPAT.items():
+                if self.all_organizer_permissions or all(self.limit_organizer_permissions.get(kk) for kk in v):
+                    result.add(k)
+
+        return result
 
     @property
-    def can_change_settings(self):  # Legacy compatiblilty
+    def can_change_settings(self):  # Legacy compatibility
         return self.can_change_event_settings
 
-    def has_permission(self, perm_name):
-        try:
+    def has_event_permission(self, perm_name):
+        if perm_name.startswith('can_') and hasattr(self, perm_name):  # legacy
             return getattr(self, perm_name)
-        except AttributeError:
-            raise ValueError('Invalid required permission: %s' % perm_name)
+        return self.all_event_permissions or self.limit_event_permissions.get(perm_name, False)
+
+    def has_organizer_permission(self, perm_name):
+        if perm_name.startswith('can_') and hasattr(self, perm_name):  # legacy
+            return getattr(self, perm_name)
+        return self.all_organizer_permissions or self.limit_organizer_permissions.get(perm_name, False)
 
     def permission_for_event(self, event):
         if self.all_events:
@@ -447,6 +455,19 @@ class Team(LoggedModel):
     def active_tokens(self):
         return self.tokens.filter(active=True)
 
+    def save(self, **kwargs):
+        if not isinstance(self.limit_event_permissions, dict):
+            raise TypeError("Permissions must be a dictionary")
+        if not isinstance(self.limit_organizer_permissions, dict):
+            raise TypeError("Permissions must be a dictionary")
+        for k in self.limit_event_permissions.values():
+            if k is not True:
+                raise TypeError("Permissions must only contain True values")
+        for k in self.limit_organizer_permissions.values():
+            if k is not True:
+                raise TypeError("Permissions must only contain True values")
+        return super().save(**kwargs)
+
     class Meta:
         verbose_name = _("Team")
         verbose_name_plural = _("Teams")
@@ -503,7 +524,7 @@ class TeamAPIToken(models.Model):
         has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
             event in self.team.limit_events.all()
         )
-        return self.team.permission_set() if has_event_access else set()
+        return self.team.event_permission_set() if has_event_access else set()
 
     def get_organizer_permission_set(self, organizer) -> set:
         """
@@ -512,7 +533,7 @@ class TeamAPIToken(models.Model):
         :param organizer: The organizer of the event
         :return: set of permissions
         """
-        return self.team.permission_set() if self.team.organizer == organizer else set()
+        return self.team.organizer_permission_set() if self.team.organizer == organizer else set()
 
     def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
@@ -521,7 +542,7 @@ class TeamAPIToken(models.Model):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
@@ -529,8 +550,8 @@ class TeamAPIToken(models.Model):
             event in self.team.limit_events.all()
         )
         if isinstance(perm_name, (tuple, list)):
-            return has_event_access and any(self.team.has_permission(p) for p in perm_name)
-        return has_event_access and (not perm_name or self.team.has_permission(perm_name))
+            return has_event_access and any(self.team.has_event_permission(p) for p in perm_name)
+        return has_event_access and (not perm_name or self.team.has_event_permission(perm_name))
 
     def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
@@ -538,13 +559,13 @@ class TeamAPIToken(models.Model):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer:events.create``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         if isinstance(perm_name, (tuple, list)):
-            return organizer == self.team.organizer and any(self.team.has_permission(p) for p in perm_name)
-        return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
+            return organizer == self.team.organizer and any(self.team.has_organizer_permission(p) for p in perm_name)
+        return organizer == self.team.organizer and (not perm_name or self.team.has_organizer_permission(perm_name))
 
     def get_events_with_any_permission(self):
         """
@@ -565,8 +586,8 @@ class TeamAPIToken(models.Model):
         :return: Iterable of Events
         """
         if (
-                isinstance(permission, (list, tuple)) and any(getattr(self.team, p, False) for p in permission)
-        ) or (isinstance(permission, str) and getattr(self.team, permission, False)):
+            isinstance(permission, (list, tuple)) and any(self.team.has_event_permission(p) for p in permission)
+        ) or (isinstance(permission, str) and self.team.has_event_permission(permission)):
             return self.get_events_with_any_permission()
         else:
             return self.team.organizer.events.none()

src/pretix/base/models/waitinglist.py

@@ -159,6 +159,7 @@ class WaitingListEntry(LoggedModel):
         if availability[1] is None or availability[1] < 1:
             raise WaitingListException(_('This product is currently not available.'))
 
+        event = self.event
         ev = self.subevent or self.event
         if ev.seat_category_mappings.filter(product=self.item).exists():
             # Generally, we advertise the waiting list to be based on quotas only. This makes it dangerous
@@ -191,6 +192,7 @@ class WaitingListEntry(LoggedModel):
 
         with transaction.atomic():
             locked_wle = WaitingListEntry.objects.select_for_update(of=OF_SELF).get(pk=self.pk)
+            locked_wle.event = event
             if locked_wle.voucher:
                 raise WaitingListException(_('A voucher has already been sent to this person.'))
             e = locked_wle.email
@@ -227,6 +229,7 @@ class WaitingListEntry(LoggedModel):
             locked_wle.save()
 
         self.refresh_from_db()
+        self.event = event
 
         with language(self.locale, self.event.settings.region):
             self.send_mail(

src/pretix/base/notifications.py

@@ -151,7 +151,7 @@ def get_all_notification_types(event=None):
 
 
 class ParametrizedOrderNotificationType(NotificationType):
-    required_permission = "can_view_orders"
+    required_permission = "event.orders:read"
 
     def __init__(self, event, action_type, verbose_name, title):
         self._action_type = action_type

src/pretix/base/permissions.py

@@ -0,0 +1,251 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+import logging
+from collections import OrderedDict
+from typing import Dict, List, NamedTuple, Tuple
+
+from django.dispatch import receiver
+from django.utils.functional import Promise
+from django.utils.translation import gettext_lazy as _, pgettext_lazy
+
+from pretix.base.signals import (
+    register_event_permission_groups, register_organizer_permission_groups,
+)
+
+logger = logging.getLogger(__name__)
+_ALL_EVENT_PERMISSIONS = None
+_ALL_ORGANIZER_PERMISSIONS = None
+
+
+class PermissionOption(NamedTuple):
+    actions: Tuple[str, ...]
+    label: str | Promise
+    help_text: str | Promise = None
+
+
+class PermissionGroup(NamedTuple):
+    name: str
+    label: str | Promise
+    actions: List[str]
+    options: List[PermissionOption]
+    help_text: str | Promise = None
+
+
+def get_all_event_permission_groups() -> Dict[str, PermissionGroup]:
+    global _ALL_EVENT_PERMISSIONS
+
+    if _ALL_EVENT_PERMISSIONS:
+        return _ALL_EVENT_PERMISSIONS
+
+    types = OrderedDict()
+    for recv, ret in register_event_permission_groups.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.name] = r
+        else:
+            types[ret.name] = ret
+    _ALL_EVENT_PERMISSIONS = types
+    return types
+
+
+def get_all_organizer_permission_groups() -> Dict[str, PermissionGroup]:
+    global _ALL_ORGANIZER_PERMISSIONS
+
+    if _ALL_ORGANIZER_PERMISSIONS:
+        return _ALL_ORGANIZER_PERMISSIONS
+
+    types = OrderedDict()
+    for recv, ret in register_organizer_permission_groups.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.name] = r
+        else:
+            types[ret.name] = ret
+    _ALL_ORGANIZER_PERMISSIONS = types
+    return types
+
+
+OPTS_ALL_READ = [
+    PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View")),
+    PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
+]
+OPTS_ALL_READ_SETTINGS_API = [
+    PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
+                     help_text=_("API only")),
+    PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
+]
+OPTS_ALL_READ_SETTINGS_PARENT = [
+    PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "View"),
+                     help_text=_("Menu item will only show up if the user has permission for general settings.")),
+    PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change")),
+]
+OPTS_READ_WRITE = [
+    PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
+    PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
+    PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change")),
+]
+
+
+@receiver(register_event_permission_groups, dispatch_uid="base_register_default_event_permissions")
+def register_default_event_permissions(sender, **kwargs):
+    return [
+        PermissionGroup(
+            name="event.settings.general",
+            label=_("General settings"),
+            actions=["write"],
+            options=OPTS_ALL_READ_SETTINGS_API,
+            help_text=_(
+                "This includes access to all settings not listed explicitly below, including plugin settings."
+            ),
+        ),
+        PermissionGroup(
+            name="event.settings.payment",
+            label=_("Payment settings"),
+            actions=["write"],
+            options=OPTS_ALL_READ_SETTINGS_PARENT,
+        ),
+        PermissionGroup(
+            name="event.settings.tax",
+            label=_("Tax settings"),
+            actions=["write"],
+            options=OPTS_ALL_READ_SETTINGS_PARENT,
+        ),
+        PermissionGroup(
+            name="event.settings.invoicing",
+            label=_("Invoicing settings"),
+            actions=["write"],
+            options=OPTS_ALL_READ_SETTINGS_PARENT,
+        ),
+        PermissionGroup(
+            name="event.subevents",
+            label=_("Event series dates"),
+            actions=["write"],
+            options=OPTS_ALL_READ,
+        ),
+        PermissionGroup(
+            name="event.items",
+            label=_("Products, quotas and questions"),
+            actions=["write"],
+            options=OPTS_ALL_READ,
+            help_text=_("Also includes related objects like categories or discounts."),
+        ),
+        PermissionGroup(
+            name="event.orders",
+            label=_("Orders"),
+            actions=["read", "write", "checkin"],
+            options=[
+                PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
+                PermissionOption(actions=("checkin",), label=pgettext_lazy("permission_level", "Only check-in")),
+                PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View all")),
+                PermissionOption(actions=("read", "checkin"), label=pgettext_lazy("permission_level", "View all and check-in")),
+                PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View all and change"),
+                                 help_text=_("Includes the ability to cancel and refund individual orders.")),
+            ],
+            help_text=_("Also includes related objects like the waiting list."),
+        ),
+        PermissionGroup(
+            name="event.vouchers",
+            label=_("Vouchers"),
+            actions=["read", "write"],
+            options=OPTS_READ_WRITE,
+        ),
+        PermissionGroup(
+            name="event",
+            label=_("Full event or date cancellation"),
+            actions=["cancel"],
+            options=[
+                # If we ever add more actions, we need a new UI idea here
+                PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Not allowed")),
+                PermissionOption(actions=("cancel",), label=pgettext_lazy("permission_level", "Allowed")),
+            ],
+            help_text="",
+        ),
+    ]
+
+
+@receiver(register_organizer_permission_groups, dispatch_uid="base_register_default_organizer_permissions")
+def register_default_organizer_permissions(sender, **kwargs):
+    return [
+        PermissionGroup(
+            name="organizer.events",
+            label=_("Events"),
+            actions=["create"],
+            options=[
+                PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "Only existing events")),
+                PermissionOption(actions=("create",), label=pgettext_lazy("permission_level", "Create new events")),
+            ],
+            help_text="",
+        ),
+        PermissionGroup(
+            name="organizer.settings.general",
+            label=_("Settings"),
+            actions=["write"],
+            options=OPTS_ALL_READ_SETTINGS_API,
+            help_text=_("This includes access to all organizer-level functionality not listed explicitly below, including plugin settings."),
+        ),
+        PermissionGroup(
+            name="organizer.teams",
+            label=_("Teams"),
+            actions=["write"],
+            options=[
+                PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
+                PermissionOption(actions=("write",), label=pgettext_lazy("permission_level", "View and change"),
+                                 help_text=_("Includes the ability to give someone (including oneself) additional permissions.")),
+            ],
+        ),
+        PermissionGroup(
+            name="organizer.giftcards",
+            label=_("Gift cards"),
+            actions=["read", "write"],
+            options=OPTS_READ_WRITE,
+        ),
+        PermissionGroup(
+            name="organizer.customers",
+            label=_("Customers"),
+            actions=["read", "write"],
+            options=OPTS_READ_WRITE,
+        ),
+        PermissionGroup(
+            name="organizer.reusablemedia",
+            label=_("Reusable media"),
+            actions=["read", "write"],
+            options=OPTS_READ_WRITE,
+        ),
+        PermissionGroup(
+            name="organizer.devices",
+            label=_("Devices"),
+            actions=["read", "write"],
+            options=[
+                PermissionOption(actions=tuple(), label=pgettext_lazy("permission_level", "No access")),
+                PermissionOption(actions=("read",), label=pgettext_lazy("permission_level", "View")),
+                PermissionOption(actions=("read", "write"), label=pgettext_lazy("permission_level", "View and change"),
+                                 help_text=_("Includes the ability to give access to events and data oneself does not have access to.")),
+            ],
+        ),
+        PermissionGroup(
+            name="organizer.seatingplans",
+            label=_("Seating plans"),
+            actions=["write"],
+            options=OPTS_ALL_READ,
+        ),
+    ]

src/pretix/base/services/export.py

@@ -106,7 +106,7 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
         device = Device.objects.get(pk=device)
     if token:
         device = TeamAPIToken.objects.get(pk=token)
-    allowed_events = (device or token or user).get_events_with_permission('can_view_orders')
+    allowed_events = (device or token or user).get_events_with_permission('event.orders:read')
     if user and staff_session:
         allowed_events = organizer.events.all()
 
@@ -291,7 +291,7 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
 def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> None:
     schedule = organizer.scheduled_exports.get(pk=schedule)
 
-    allowed_events = schedule.owner.get_events_with_permission('can_view_orders')
+    allowed_events = schedule.owner.get_events_with_permission('event.orders:read')
     if schedule.export_form_data.get('events') is not None and not schedule.export_form_data.get('all_events'):
         if isinstance(schedule.export_form_data['events'][0], str):
             events = allowed_events.filter(slug__in=schedule.export_form_data.get('events'), organizer=organizer)
@@ -346,7 +346,7 @@ def scheduled_event_export(self, event: Event, schedule: int) -> None:
             exporter = ex
             break
 
-    has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'can_view_orders')
+    has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'event.orders:read')
 
     _run_scheduled_export(
         schedule,

src/pretix/base/services/invoices.py

@@ -521,9 +521,20 @@ def invoice_pdf_task(invoice: int):
 
 
 def invoice_qualified(order: Order):
-    if order.total == Decimal('0.00') or order.require_approval or \
-            order.sales_channel.identifier not in order.event.settings.get('invoice_generate_sales_channels'):
+    if order.total == Decimal('0.00'):
         return False
+    if order.require_approval:
+        return False
+    if order.sales_channel.identifier not in order.event.settings.invoice_generate_sales_channels:
+        return False
+    if order.status in (Order.STATUS_CANCELED, Order.STATUS_EXPIRED):
+        return False
+    if order.event.settings.invoice_generate_only_business:
+        try:
+            ia = order.invoice_address
+            return ia.is_business
+        except InvoiceAddress.DoesNotExist:
+            return False
     return True
 
 

src/pretix/base/services/stats.py

@@ -112,7 +112,8 @@ def dictsum(*dicts) -> dict:
 
 def order_overview(
         event: Event, subevent: SubEvent=None, date_filter='', date_from=None, date_until=None, fees=False,
-        admission_only=False, base_qs=None, base_fees_qs=None, subevent_date_from=None, subevent_date_until=None
+        admission_only=False, base_qs=None, base_fees_qs=None, subevent_date_from=None, subevent_date_until=None,
+        skip_empty_lines=False,
 ) -> Tuple[List[Tuple[ItemCategory, List[Item]]], Dict[str, Tuple[Decimal, Decimal]]]:
     items = event.items.all().select_related(
         'category',  # for re-grouping
@@ -205,13 +206,21 @@ def order_overview(
                 for l in states.keys():
                     var.num[l] = num[l].get((item.id, variid), (0, 0, 0))
                 var.num['total'] = num['total'].get((item.id, variid), (0, 0, 0))
+                var._skip = all(v[0] == 0 for v in var.num.values())
             for l in states.keys():
                 item.num[l] = tuplesum(var.num[l] for var in item.all_variations)
             item.num['total'] = tuplesum(var.num['total'] for var in item.all_variations)
+            if skip_empty_lines:
+                item.all_variations = [v for v in item.all_variations if not v._skip]
+                item._skip = not item.all_variations
         else:
             for l in states.keys():
                 item.num[l] = num[l].get((item.id, None), (0, 0, 0))
             item.num['total'] = num['total'].get((item.id, None), (0, 0, 0))
+            item._skip = all(v[0] == 0 for v in item.num.values())
+
+    if skip_empty_lines:
+        items = [i for i in items if not i._skip]
 
     nonecat = ItemCategory(name=_('Uncategorized'))
     # Regroup those by category

src/pretix/base/settings.py

@@ -76,7 +76,7 @@ from pretix.base.validators import multimail_validate
 from pretix.control.forms import (
     ExtFileField, FontSelect, MultipleLanguagesWidget, SingleLanguageWidget,
 )
-from pretix.helpers.countries import CachedCountries
+from pretix.helpers.countries import CachedCountries, pycountry_add
 
 ROUNDING_MODES = (
     ('line', _('Compute taxes for every line individually')),
@@ -344,6 +344,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.tax:write',
         'form_kwargs': dict(
             label=_("Show net prices instead of gross prices in the product list"),
             help_text=_("Independent of your choice, the cart will show gross prices as this is the price that needs to be "
@@ -491,6 +492,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
+        'write_permission': 'event.settings.tax:write',
         'form_kwargs': dict(
             label=_("Rounding of taxes"),
             widget=forms.RadioSelect,
@@ -510,15 +512,17 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for invoice address"),
-        )
+        ),
     },
     'invoice_address_not_asked_free': {
         'default': 'False',
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_('Do not ask for invoice address if an order is free'),
         )
@@ -528,6 +532,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Require customer name"),
         )
@@ -537,6 +542,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show attendee names on invoices"),
         )
@@ -546,6 +552,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show event location on invoices"),
             help_text=_("The event location will be shown below the list of products if it is the same for all "
@@ -557,6 +564,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show exchange rates"),
             widget=forms.RadioSelect,
@@ -580,6 +588,7 @@ DEFAULTS = {
         'default': 'False',
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'type': bool,
         'form_kwargs': dict(
             label=_("Require invoice address"),
@@ -590,6 +599,7 @@ DEFAULTS = {
         'default': 'False',
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'type': bool,
         'form_kwargs': dict(
             label=_("Require a business address"),
@@ -602,6 +612,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for beneficiary"),
             widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
@@ -612,6 +623,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Custom recipient field label"),
             widget=I18nTextInput,
@@ -627,6 +639,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Custom recipient field help text"),
             widget=I18nTextInput,
@@ -639,6 +652,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for VAT ID"),
             help_text=format_lazy(
@@ -654,6 +668,7 @@ DEFAULTS = {
         'type': list,
         'form_class': forms.MultipleChoiceField,
         'serializer_class': serializers.MultipleChoiceField,
+        'write_permission': 'event.settings.invoicing:write',
         'serializer_kwargs': dict(
             choices=lazy(
                 lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
@@ -681,6 +696,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice address explanation"),
             widget=I18nMarkdownTextarea,
@@ -693,6 +709,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show paid amount on partially paid invoices"),
             help_text=_("If an invoice has already been paid partially, this option will add the paid and pending "
@@ -704,6 +721,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show free products on invoices"),
             help_text=_("Note that invoices will never be generated for orders that contain only free "
@@ -715,6 +733,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show expiration date of order"),
             help_text=_("The expiration date will not be shown if the invoice is generated after the order is paid."),
@@ -726,6 +745,7 @@ DEFAULTS = {
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
         'serializer_kwargs': dict(),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Minimum length of invoice number after prefix"),
             help_text=_("The part of your invoice number after your prefix will be filled up with leading zeros up to this length, e.g. INV-001 or INV-00001."),
@@ -739,6 +759,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Generate invoices with consecutive numbers"),
             help_text=_("If deactivated, the order code will be used in the invoice number."),
@@ -749,6 +770,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice number prefix"),
             help_text=_("This will be prepended to invoice numbers. If you leave this field empty, your event slug will "
@@ -776,6 +798,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice number prefix for cancellations"),
             help_text=_("This will be prepended to invoice numbers of cancellations. If you leave this field empty, "
@@ -799,6 +822,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Highlight order code to make it stand out visibly"),
             help_text=_("Only respected by some invoice renderers."),
@@ -810,6 +834,7 @@ DEFAULTS = {
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
         'serializer_kwargs': lambda: dict(**invoice_font_kwargs()),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': lambda: dict(
             label=_('Font'),
             help_text=_("Only respected by some invoice renderers."),
@@ -820,6 +845,7 @@ DEFAULTS = {
     'invoice_renderer': {
         'default': 'classic',  # default for new events is 'modern1'
         'type': str,
+        'write_permission': 'event.settings.invoicing:write',
     },
     'ticket_secret_generator': {
         'default': 'random',
@@ -896,6 +922,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             widget=I18nMarkdownTextarea,
             widget_kwargs={'attrs': {
@@ -917,6 +944,7 @@ DEFAULTS = {
                 ('minutes', _("in minutes"))
             ),
         ),
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_("Set payment term"),
             widget=forms.RadioSelect,
@@ -934,6 +962,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Payment term in days'),
             widget=forms.NumberInput(
@@ -959,6 +988,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Only end payment terms on weekdays'),
             help_text=_("If this is activated and the payment term of any order ends on a Saturday or Sunday, it will be "
@@ -976,6 +1006,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Payment term in minutes'),
             help_text=_("The number of minutes after placing an order the user has to pay to preserve their reservation. "
@@ -1000,6 +1031,7 @@ DEFAULTS = {
         'type': RelativeDateWrapper,
         'form_class': RelativeDateField,
         'serializer_class': SerializerRelativeDateField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Last date of payments'),
             help_text=_("The last date any payments are accepted. This has precedence over the terms "
@@ -1012,6 +1044,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Automatically expire unpaid orders'),
             help_text=_("If checked, all unpaid orders will automatically go from 'pending' to 'expired' "
@@ -1024,6 +1057,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Expiration delay'),
             help_text=_("The order will only actually expire this many days after the expiration date communicated "
@@ -1046,6 +1080,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Hide "payment pending" state on customer-facing pages'),
             help_text=_("The payment instructions panel will still be shown to the primary customer, but no indication "
@@ -1057,9 +1092,11 @@ DEFAULTS = {
         'default': 'True',
         'type': bool,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
     },
     'payment_giftcard_public_name': {
         'default': LazyI18nString.from_gettext(gettext_noop('Gift card')),
+        'write_permission': 'event.settings.payment:write',
         'type': LazyI18nString
     },
     'payment_giftcard_public_description': {
@@ -1068,10 +1105,12 @@ DEFAULTS = {
             'enough credit to pay for the full order, you will be shown this page again and you can either '
             'redeem another gift card or select a different payment method for the difference.'
         )),
+        'write_permission': 'event.settings.payment:write',
         'type': LazyI18nString
     },
     'payment_resellers__restrict_to_sales_channels': {
         'default': ['resellers'],
+        'write_permission': 'event.settings.payment:write',
         'type': list
     },
     'payment_term_accept_late': {
@@ -1079,6 +1118,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Accept late payments'),
             help_text=_("Accept payments for orders even when they are in 'expired' state as long as enough "
@@ -1108,6 +1148,7 @@ DEFAULTS = {
                 ('none', _('Charge no taxes')),
             ),
         ),
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_("Tax handling on payment fees"),
             widget=forms.RadioSelect,
@@ -1154,6 +1195,7 @@ DEFAULTS = {
                 ('paid', _('Automatically on payment or when required by payment method')),
             ),
         ),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Generate invoices"),
             widget=forms.RadioSelect,
@@ -1182,6 +1224,7 @@ DEFAULTS = {
                 ('invoice_date', _('Invoice date')),
             ),
         ),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Date of service"),
             widget=forms.RadioSelect,
@@ -1202,6 +1245,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Automatically cancel and reissue invoice on address changes"),
             help_text=_("If customers change their invoice address on an existing order, the invoice will "
@@ -1214,6 +1258,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Allow to update existing invoices"),
             help_text=_("By default, invoices can never again be changed once they are issued. In most countries, we "
@@ -1223,13 +1268,24 @@ DEFAULTS = {
     },
     'invoice_generate_sales_channels': {
         'default': json.dumps(['web']),
+        'write_permission': 'event.settings.invoicing:write',
         'type': list
     },
+    'invoice_generate_only_business': {
+        'default': 'False',
+        'type': bool,
+        'form_class': forms.BooleanField,
+        'serializer_class': serializers.BooleanField,
+        'form_kwargs': dict(
+            label=_("Only issue invoices to business customers"),
+        )
+    },
     'invoice_address_from': {
         'default': '',
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Address line"),
             widget=forms.Textarea(attrs={
@@ -1245,6 +1301,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             max_length=190,
             label=_("Company name"),
@@ -1255,6 +1312,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=forms.TextInput(attrs={
                 'placeholder': '12345'
@@ -1268,6 +1326,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=forms.TextInput(attrs={
                 'placeholder': _('Random City')
@@ -1284,6 +1343,7 @@ DEFAULTS = {
         'serializer_kwargs': {
             'choices': [('', '')],
         },
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': {
             "label": pgettext_lazy('address', 'State'),
             'choices': [('', '')],
@@ -1295,6 +1355,7 @@ DEFAULTS = {
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
         'serializer_kwargs': lambda: dict(**country_choice_kwargs()),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': lambda: dict(
             label=_('Country'),
             widget=forms.Select(attrs={
@@ -1308,6 +1369,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Domestic tax ID"),
             help_text=_("e.g. tax number in Germany, ABN in Australia, …"),
@@ -1319,6 +1381,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("EU VAT ID"),
             max_length=190,
@@ -1329,6 +1392,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1346,6 +1410,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1363,6 +1428,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1377,6 +1443,7 @@ DEFAULTS = {
     },
     'invoice_language': {
         'default': '__user__',
+        'write_permission': 'event.settings.invoicing:write',
         'type': str
     },
     'invoice_email_attachment': {
@@ -1384,6 +1451,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Attach invoices to emails"),
             help_text=_("If invoices are automatically generated for all orders, they will be attached to the order "
@@ -1397,6 +1465,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Email address to receive a copy of each invoice"),
             help_text=_("Each newly created invoice will be sent to this email address shortly after creation. You can "
@@ -3228,7 +3297,8 @@ Your {organizer} team"""))  # noqa: W291
                 'image/png', 'image/jpeg', 'image/gif'
             ],
             max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
-        )
+        ),
+        'write_permission': 'event.settings.invoicing:write',
     },
     'frontpage_text': {
         'default': '',
@@ -3927,7 +3997,7 @@ COUNTRIES_WITH_STATE_IN_ADDRESS = {
     'MX': (['State', 'Federal district', 'Federal entity'], 'short'),
     'US': (['State', 'Outlying area', 'District'], 'short'),
     'IT': (['Province', 'Free municipal consortium', 'Metropolitan city', 'Autonomous province',
-            'Free municipal consortium', 'Decentralized regional entity'], 'short'),
+            'Decentralized regional entity'], 'short'),
 }
 COUNTRY_STATE_LABEL = {
     # Countries in which the "State" field should not be called "State"
@@ -3935,6 +4005,8 @@ COUNTRY_STATE_LABEL = {
     'JP': pgettext_lazy('address', 'Prefecture'),
     'IT': pgettext_lazy('address', 'Province'),
 }
+# Workaround for https://github.com/pretix/pretix/issues/5796
+pycountry_add(pycountry.subdivisions, code="IT-AO", country_code="IT", name="Valle d'Aosta", parent="23", parent_code="IT-23", type="Province")
 
 settings_hierarkey = Hierarkey(attribute_name='settings')
 

src/pretix/base/signals.py

@@ -561,6 +561,18 @@ however for this signal, the ``sender`` **may also be None** to allow creating t
 notification settings!
 """
 
+register_event_permission_groups = GlobalSignal()
+"""
+This signal is sent out to get all known permissions. Receivers should return an
+instance of pretix.base.permissions.PermissionGroup or a list of such instances.
+"""
+
+register_organizer_permission_groups = GlobalSignal()
+"""
+This signal is sent out to get all known permissions. Receivers should return an
+instance of pretix.base.permissions.PermissionGroup or a list of such instances.
+"""
+
 notification = EventPluginSignal()
 """
 Arguments: ``logentry_id``, ``notification_type``
@@ -1098,6 +1110,9 @@ api_event_settings_fields = EventPluginSignal()
 This signal is sent out to collect serializable settings fields for the API. You are expected to
 return a dictionary mapping names of attributes in the settings store to DRF serializer field instances.
 
+These are readable for all users with access to the events, therefore secrets stored in the settings store
+should not be included!
+
 As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
 """
 

src/pretix/base/timeline.py

@@ -32,7 +32,11 @@ from pretix.base.models import ItemVariation
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.signals import timeline_events
 
-TimelineEvent = namedtuple('TimelineEvent', ('event', 'subevent', 'datetime', 'description', 'edit_url'))
+TimelineEvent = namedtuple(
+    'TimelineEvent',
+    ('event', 'subevent', 'datetime', 'description', 'edit_url', 'edit_permission'),
+    defaults=(None, None, None, None, None, 'event.settings.general:write')
+)
 
 
 def timeline_for_event(event, subevent=None):
@@ -46,6 +50,7 @@ def timeline_for_event(event, subevent=None):
                 'subevent': subevent.pk
             }
         )
+        ev_edit_permission = 'event.subevents:write'
     else:
         ev_edit_url = reverse(
             'control:event.settings', kwargs={
@@ -53,12 +58,14 @@ def timeline_for_event(event, subevent=None):
                 'organizer': event.organizer.slug
             }
         )
+        ev_edit_permission = 'event.settings.general:write'
 
     tl.append(TimelineEvent(
         event=event, subevent=subevent,
         datetime=ev.date_from,
         description=pgettext_lazy('timeline', 'Your event starts'),
-        edit_url=ev_edit_url + '#id_date_from_0'
+        edit_url=ev_edit_url + '#id_date_from_0',
+        edit_permission=ev_edit_permission,
     ))
 
     if ev.date_to:
@@ -66,7 +73,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.date_to,
             description=pgettext_lazy('timeline', 'Your event ends'),
-            edit_url=ev_edit_url + '#id_date_to_0'
+            edit_url=ev_edit_url + '#id_date_to_0',
+            edit_permission=ev_edit_permission,
         ))
 
     if ev.date_admission:
@@ -74,7 +82,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.date_admission,
             description=pgettext_lazy('timeline', 'Admissions for your event start'),
-            edit_url=ev_edit_url + '#id_date_admission_0'
+            edit_url=ev_edit_url + '#id_date_admission_0',
+            edit_permission=ev_edit_permission,
         ))
 
     if ev.presale_start:
@@ -82,7 +91,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.presale_start,
             description=pgettext_lazy('timeline', 'Start of ticket sales'),
-            edit_url=ev_edit_url + '#id_presale_start_0'
+            edit_url=ev_edit_url + '#id_presale_start_0',
+            edit_permission=ev_edit_permission,
         ))
 
     tl.append(TimelineEvent(
@@ -97,7 +107,8 @@ def timeline_for_event(event, subevent=None):
         ) if not ev.presale_end else (
             pgettext_lazy('timeline', 'End of ticket sales')
         ),
-        edit_url=ev_edit_url + '#id_presale_end_0'
+        edit_url=ev_edit_url + '#id_presale_end_0',
+        edit_permission=ev_edit_permission,
     ))
 
     rd = event.settings.get('last_order_modification_date', as_type=RelativeDateWrapper)
@@ -106,7 +117,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=rd.datetime(ev),
             description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
-            edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0'
+            edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0',
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
@@ -122,7 +134,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.payment', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.payment:write',
         ))
 
     rd = event.settings.get('ticket_download_date', as_type=RelativeDateWrapper)
@@ -134,7 +147,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.tickets', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper)
@@ -146,7 +160,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper)
@@ -158,7 +173,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
@@ -170,7 +186,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
@@ -182,7 +199,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            }) + '#waiting-list-open'
+            }) + '#waiting-list-open',
+            edit_permission='event.settings.general:write',
         ))
 
     if not event.has_subevents:
@@ -196,7 +214,8 @@ def timeline_for_event(event, subevent=None):
                 edit_url=reverse('control:event.settings.mail', kwargs={
                     'event': event.slug,
                     'organizer': event.organizer.slug
-                })
+                }),
+                edit_permission='event.settings.general:write',
             ))
 
     if subevent:
@@ -210,7 +229,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
             if sei.available_until:
                 tl.append(TimelineEvent(
@@ -221,7 +241,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
         for sei in subevent.var_overrides.values():
             if sei.available_from:
@@ -234,7 +255,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
             if sei.available_until:
                 tl.append(TimelineEvent(
@@ -246,7 +268,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
 
     for d in event.discounts.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -259,7 +282,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'discount': d.pk,
-                })
+                }),
+                edit_permission='event.items:write',
             ))
         if d.available_until:
             tl.append(TimelineEvent(
@@ -270,7 +294,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'discount': d.pk,
-                })
+                }),
+                edit_permission='event.items:write',
             ))
 
     for p in event.items.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -283,7 +308,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': p.pk,
-                }) + '#id_available_from_0'
+                }) + '#id_available_from_0',
+                edit_permission='event.items:write',
             ))
         if p.available_until:
             tl.append(TimelineEvent(
@@ -294,7 +320,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': p.pk,
-                }) + '#id_available_until_0'
+                }) + '#id_available_until_0',
+                edit_permission='event.items:write',
             ))
 
     for v in ItemVariation.objects.filter(
@@ -313,7 +340,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': v.item.pk,
-                }) + '#tab-0-3-open'
+                }) + '#tab-0-3-open',
+                edit_permission='event.items:write',
             ))
         if v.available_until:
             tl.append(TimelineEvent(
@@ -327,7 +355,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': v.item.pk,
-                }) + '#tab-0-3-open'
+                }) + '#tab-0-3-open',
+                edit_permission='event.items:write',
             ))
 
     pprovs = event.get_payment_providers()
@@ -357,7 +386,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'provider': pprov.identifier,
-                })
+                }),
+                edit_permission='event.settings.payment:write',
             ))
         availability_date = pprov.settings.get('_availability_date', as_type=RelativeDateWrapper)
         if availability_date:
@@ -375,7 +405,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'provider': pprov.identifier,
-                })
+                }),
+                edit_permission='event.settings.payment:write',
             ))
 
     for recv, resp in timeline_events.send(sender=event, subevent=subevent):

src/pretix/base/views/js_helpers.py

@@ -82,7 +82,7 @@ def _info(cc):
     statelist = [s for s in pycountry.subdivisions.get(country_code=cc) if s.type in types]
     return {
         'data': [
-            {'name': s.name, 'code': s.code[3:]}
+            {'name': gettext(s.name), 'code': s.code[3:]}
             for s in sorted(statelist, key=lambda s: s.name)
         ],
         **info,
@@ -109,7 +109,7 @@ def address_form(request):
             for t in get_transmission_types():
                 if t.is_available(event=event, country=country, is_business=is_business):
                     result = {"name": str(t.public_name), "code": t.identifier}
-                    if t.exclusive:
+                    if t.is_exclusive(event=event, country=country, is_business=is_business):
                         info["transmission_types"] = [result]
                         break
                     else:

src/pretix/control/context.py

@@ -102,7 +102,7 @@ def _default_context(request):
                     complain_testmode_orders = request.event.orders.filter(testmode=True).exists()
                     request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30)
             ctx['complain_testmode_orders'] = complain_testmode_orders and request.user.has_event_permission(
-                request.organizer, request.event, 'can_view_orders', request=request
+                request.organizer, request.event, 'event.orders:read', request=request
             )
         else:
             ctx['complain_testmode_orders'] = False

src/pretix/control/forms/event.py

@@ -62,6 +62,7 @@ from pretix.base.forms import (
 )
 from pretix.base.models import Event, Organizer, TaxRule, Team
 from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent
+from pretix.base.models.organizer import TeamQuerySet
 from pretix.base.models.tax import TAX_CODE_LISTS
 from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
 from pretix.base.services.placeholders import FormPlaceholderMixin
@@ -104,7 +105,7 @@ class EventWizardFoundationForm(forms.Form):
         qs = Organizer.objects.all()
         if not self.user.has_active_staff_session(self.session.session_key):
             qs = qs.filter(
-                id__in=self.user.teams.filter(can_create_events=True).values_list('organizer', flat=True)
+                id__in=self.user.teams.filter(TeamQuerySet.organizer_permission_q("organizer.events:create")).values_list('organizer', flat=True)
             )
         self.fields['organizer'] = forms.ModelChoiceField(
             label=_("Organizer"),
@@ -262,8 +263,12 @@ class EventWizardBasicsForm(I18nModelForm):
     @staticmethod
     def has_control_rights(user, organizer, session):
         return user.teams.filter(
-            organizer=organizer, all_events=True, can_change_event_settings=True, can_change_items=True,
-            can_change_orders=True, can_change_vouchers=True
+            TeamQuerySet.event_permission_q("event.items:write"),
+            TeamQuerySet.event_permission_q("event.orders:write"),
+            TeamQuerySet.event_permission_q("event.vouchers:write"),
+            TeamQuerySet.event_permission_q("event.settings.general:write"),
+            organizer=organizer,
+            all_events=True,
         ).exists() or user.has_active_staff_session(session.session_key)
 
 
@@ -294,9 +299,14 @@ class EventWizardCopyForm(forms.Form):
             return Event.objects.all()
         return Event.objects.filter(
             Q(organizer_id__in=user.teams.filter(
-                all_events=True, can_change_event_settings=True, can_change_items=True
+                # TODO: review these!
+                # Restrict cross-organizer copying further than same-organizer copying?
+                TeamQuerySet.event_permission_q("event.settings.general:write"),
+                TeamQuerySet.event_permission_q("event.items:write"),
+                all_events=True,
             ).values_list('organizer', flat=True)) | Q(id__in=user.teams.filter(
-                can_change_event_settings=True, can_change_items=True
+                TeamQuerySet.event_permission_q("event.settings.general:write"),
+                TeamQuerySet.event_permission_q("event.items:write"),
             ).values_list('limit_events__id', flat=True))
         )
 
@@ -939,6 +949,7 @@ class InvoiceSettingsForm(EventSettingsValidationMixin, SettingsForm):
         'invoice_show_payments',
         'invoice_reissue_after_modify',
         'invoice_generate',
+        'invoice_generate_only_business',
         'invoice_period',
         'invoice_attendee_name',
         'invoice_event_location',

src/pretix/control/forms/filter.py

@@ -1110,7 +1110,7 @@ class OrderPaymentSearchFilterForm(forms.Form):
             self.fields['organizer'].queryset = Organizer.objects.filter(
                 pk__in=self.request.user.teams.values_list('organizer', flat=True)
             )
-            self.fields['event'].queryset = self.request.user.get_events_with_permission('can_view_orders')
+            self.fields['event'].queryset = self.request.user.get_events_with_permission('event.orders:read')
 
         self.fields['provider'].choices += get_all_payment_providers()
 
@@ -1315,10 +1315,10 @@ class QuestionAnswerFilterForm(forms.Form):
 
         if date_range is not None:
             d_start, d_end = resolve_timeframe_to_datetime_start_inclusive_end_exclusive(now(), date_range, self.event.timezone)
-            opqs = opqs.filter(
-                subevent__date_from__gte=d_start,
-                subevent__date_from__lt=d_end
-            )
+            if d_start:
+                opqs = opqs.filter(subevent__date_from__gte=d_start)
+            if d_end:
+                opqs = opqs.filter(subevent__date_from__lt=d_end)
 
         s = fdata.get("status", Order.STATUS_PENDING + Order.STATUS_PAID)
         if s != "":

src/pretix/control/forms/organizer.py

@@ -75,7 +75,10 @@ from pretix.base.models import (
     ReusableMedium, SalesChannel, Team,
 )
 from pretix.base.models.customers import CustomerSSOClient, CustomerSSOProvider
-from pretix.base.models.organizer import OrganizerFooterLink
+from pretix.base.models.organizer import OrganizerFooterLink, TeamQuerySet
+from pretix.base.permissions import (
+    get_all_event_permission_groups, get_all_organizer_permission_groups,
+)
 from pretix.base.settings import (
     PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS, validate_organizer_settings,
 )
@@ -297,7 +300,34 @@ class MembershipTypeForm(I18nModelForm):
         fields = ['name', 'transferable', 'allow_parallel_usage', 'max_usages']
 
 
+class PermissionMultipleChoiceField(forms.MultipleChoiceField):
+    def to_python(self, value):
+        return {
+            k: True for k in super().to_python(value) if k
+        }
+
+    def prepare_value(self, value):
+        if isinstance(value, dict):
+            return [k for k, v in value.items() if v is True]
+        return super().prepare_value(value)
+
+
 class TeamForm(forms.ModelForm):
+    def _make_label(self, p):
+        source = '{}'
+        params = [p.label]
+
+        if p.plugin_name:
+            source = '<span class="fa fa-puzzle-piece text-muted" data-toggle="tooltip" title="{}"></span> ' + source
+            params.insert(0, _("Provided by a plugin"))
+
+        if p.help_text:
+            source += ' <span class="fa fa-info-circle text-muted" data-toggle="tooltip" title="{}"></span>'
+            params.append(p.help_text)
+
+        source += ' (<code>{}</code>)'
+        params.append(p.name)
+        return format_html(source, *params)
 
     def __init__(self, *args, **kwargs):
         organizer = kwargs.pop('organizer')
@@ -305,16 +335,62 @@ class TeamForm(forms.ModelForm):
         self.fields['limit_events'].queryset = organizer.events.all().order_by(
             '-has_subevents', '-date_from'
         )
+        self.event_field_names = []
+        for pg in get_all_event_permission_groups().values():
+            initial = ",".join(sorted(
+                a for a in pg.actions if self.instance and self.instance.limit_event_permissions.get(f"{pg.name}:{a}")
+            )) or "EMPTY"
+            self.fields[f'event_{pg.name}'] = forms.ChoiceField(
+                choices=[
+                    (
+                        ",".join(sorted(opt.actions)) or "EMPTY",
+                        format_html(
+                            '{label} '
+                            '<span class="fa fa-question-circle fa-fw text-muted" data-toggle="tooltip"'
+                            ' data-placement="right" title="{help_text}"></span>',
+                            label=opt.label,
+                            help_text=opt.help_text,
+                        ) if opt.help_text else opt.label,
+                    )
+                    for opt in pg.options
+                ],
+                label=pg.label,
+                help_text=pg.help_text,
+                initial=initial,
+                widget=forms.RadioSelect,
+            )
+            self.event_field_names.append(f'event_{pg.name}')
+        self.organizer_field_names = []
+        for pg in get_all_organizer_permission_groups().values():
+            initial = ",".join(sorted(
+                a for a in pg.actions if self.instance and self.instance.limit_organizer_permissions.get(f"{pg.name}:{a}")
+            )) or "EMPTY"
+            self.fields[f'organizer_{pg.name}'] = forms.ChoiceField(
+                choices=[
+                    (
+                        ",".join(sorted(opt.actions)) or "EMPTY",
+                        format_html(
+                            '{label} '
+                            '<span class="fa fa-question-circle fa-fw text-muted" data-toggle="tooltip"'
+                            ' data-placement="right" title="{help_text}"></span>',
+                            label=opt.label,
+                            help_text=opt.help_text,
+                        ) if opt.help_text else opt.label,
+                    )
+                    for opt in pg.options
+                ],
+                label=pg.label,
+                help_text=pg.help_text,
+                initial=initial,
+                widget=forms.RadioSelect,
+            )
+            self.organizer_field_names.append(f'organizer_{pg.name}')
 
     class Meta:
         model = Team
-        fields = ['name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events',
-                  'can_change_teams', 'can_change_organizer_settings',
-                  'can_manage_gift_cards', 'can_manage_customers',
-                  'can_manage_reusable_media',
-                  'can_change_event_settings', 'can_change_items',
-                  'can_view_orders', 'can_change_orders', 'can_checkin_orders',
-                  'can_view_vouchers', 'can_change_vouchers']
+        fields = ['name', 'require_2fa', 'all_events', 'limit_events',
+                  'all_event_permissions',
+                  'all_organizer_permissions',]
         widgets = {
             'limit_events': forms.CheckboxSelectMultiple(attrs={
                 'data-inverse-dependency': '#id_all_events',
@@ -327,15 +403,57 @@ class TeamForm(forms.ModelForm):
 
     def clean(self):
         data = super().clean()
-        if self.instance.pk and not data['can_change_teams']:
+
+        data['limit_event_permissions'] = {}
+        if not data['all_event_permissions']:
+            for pg in get_all_event_permission_groups().values():
+                selected = data.get(f'event_{pg.name}', 'EMPTY')
+                if selected == "EMPTY":
+                    selected_actions = []
+                else:
+                    selected_actions = selected.split(',')
+                for action in pg.actions:
+                    if action in selected_actions:
+                        data['limit_event_permissions'][f"{pg.name}:{action}"] = True
+        self.instance.limit_event_permissions = data['limit_event_permissions']
+
+        data['limit_organizer_permissions'] = {}
+        if not data['all_organizer_permissions']:
+            for pg in get_all_organizer_permission_groups().values():
+                selected = data.get(f'organizer_{pg.name}', 'EMPTY')
+                if selected == "EMPTY":
+                    selected_actions = []
+                else:
+                    selected_actions = selected.split(',')
+                for action in pg.actions:
+                    if action in selected_actions:
+                        data['limit_organizer_permissions'][f"{pg.name}:{action}"] = True
+        self.instance.limit_organizer_permissions = data['limit_organizer_permissions']
+
+        if self.instance.pk and not data['all_organizer_permissions'] and 'organizer.teams:write' not in data.get('limit_organizer_permissions', []):
             if not self.instance.organizer.teams.exclude(pk=self.instance.pk).filter(
-                    can_change_teams=True, members__isnull=False
+                TeamQuerySet.organizer_permission_q("organizer.teams:write"),
+                members__isnull=False
             ).exists():
                 raise ValidationError(_('The changes could not be saved because there would be no remaining team with '
                                         'the permission to change teams and permissions.'))
 
         return data
 
+    @property
+    def changed_data_for_log(self):
+        r = {}
+        for k in self.changed_data:
+            if k == "limit_events":
+                r[k] = [e.id for e in getattr(self.instance, k).all()]
+            elif k.startswith("event_"):
+                r["limit_event_permissions"] = self.instance.limit_event_permissions
+            elif k.startswith("organizer_"):
+                r["limit_organizer_permissions"] = self.instance.limit_organizer_permissions
+            else:
+                r[k] = getattr(self.instance, k)
+        return r
+
 
 class GateForm(forms.ModelForm):
 

src/pretix/control/navigation.py

@@ -43,24 +43,29 @@ def get_event_navigation(request: HttpRequest):
             'icon': 'dashboard',
         }
     ]
-    if 'can_change_event_settings' in request.eventpermset:
-        event_settings = [
-            {
-                'label': _('General'),
-                'url': reverse('control:event.settings', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name == 'event.settings',
-            },
-            {
-                'label': _('Payment'),
-                'url': reverse('control:event.settings.payment', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'),
-            },
+    event_settings = []
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('General'),
+            'url': reverse('control:event.settings', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name == 'event.settings',
+        })
+
+    if "event.settings.payment:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Payment'),
+            'url': reverse('control:event.settings.payment', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'),
+        })
+
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings += [
             {
                 'label': _('Plugins'),
                 'url': reverse('control:event.settings.plugins', kwargs={
@@ -84,23 +89,31 @@ def get_event_navigation(request: HttpRequest):
                     'organizer': request.event.organizer.slug,
                 }),
                 'active': url.url_name == 'event.settings.mail',
-            },
-            {
-                'label': _('Taxes'),
-                'url': reverse('control:event.settings.tax', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name.startswith('event.settings.tax'),
-            },
-            {
-                'label': _('Invoicing'),
-                'url': reverse('control:event.settings.invoice', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name == 'event.settings.invoice',
-            },
+            }
+        ]
+
+    if "event.settings.tax:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Taxes'),
+            'url': reverse('control:event.settings.tax', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name.startswith('event.settings.tax'),
+        })
+
+    if "event.settings.invoicing:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Invoicing'),
+            'url': reverse('control:event.settings.invoice', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name == 'event.settings.invoice',
+        })
+
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings += [
             {
                 'label': pgettext_lazy('action', 'Cancellation'),
                 'url': reverse('control:event.settings.cancel', kwargs={
@@ -118,88 +131,87 @@ def get_event_navigation(request: HttpRequest):
                 'active': url.url_name == 'event.settings.widget',
             },
         ]
+
+        # It would be better to allow plugins to handle the permission themselves, but for backwards compatibility
+        # we need to have it in the "if" statement
         event_settings += sorted(
             sum((list(a[1]) for a in nav_event_settings.send(request.event, request=request)), []),
             key=lambda r: r['label']
         )
+    if event_settings:
         nav.append({
             'label': _('Settings'),
-            'url': reverse('control:event.settings', kwargs={
-                'event': request.event.slug,
-                'organizer': request.event.organizer.slug,
-            }),
+            'url': event_settings[0]["url"],
             'active': False,
             'icon': 'wrench',
             'children': event_settings
         })
 
-    if 'can_change_items' in request.eventpermset:
-        nav.append({
-            'label': _('Products'),
-            'url': reverse('control:event.items', kwargs={
-                'event': request.event.slug,
-                'organizer': request.event.organizer.slug,
-            }),
-            'active': False,
-            'icon': 'ticket',
-            'children': [
-                {
-                    'label': _('Products'),
-                    'url': reverse('control:event.items', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': url.url_name in (
-                        'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
-                },
-                {
-                    'label': _('Quotas'),
-                    'url': reverse('control:event.items.quotas', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.quota' in url.url_name,
-                },
-                {
-                    'label': _('Categories'),
-                    'url': reverse('control:event.items.categories', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.categories' in url.url_name,
-                },
-                {
-                    'label': _('Questions'),
-                    'url': reverse('control:event.items.questions', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.questions' in url.url_name,
-                },
-                {
-                    'label': _('Discounts'),
-                    'url': reverse('control:event.items.discounts', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.discounts' in url.url_name,
-                },
-            ]
-        })
-
-    if 'can_change_event_settings' in request.eventpermset:
-        if request.event.has_subevents:
-            nav.append({
-                'label': pgettext_lazy('subevent', 'Dates'),
-                'url': reverse('control:event.subevents', kwargs={
+    nav.append({
+        'label': _('Products'),
+        'url': reverse('control:event.items', kwargs={
+            'event': request.event.slug,
+            'organizer': request.event.organizer.slug,
+        }),
+        'active': False,
+        'icon': 'ticket',
+        'children': [
+            {
+                'label': _('Products'),
+                'url': reverse('control:event.items', kwargs={
                     'event': request.event.slug,
                     'organizer': request.event.organizer.slug,
                 }),
-                'active': ('event.subevent' in url.url_name),
-                'icon': 'calendar',
-            })
+                'active': url.url_name in (
+                    'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
+            },
+            {
+                'label': _('Quotas'),
+                'url': reverse('control:event.items.quotas', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.quota' in url.url_name,
+            },
+            {
+                'label': _('Categories'),
+                'url': reverse('control:event.items.categories', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.categories' in url.url_name,
+            },
+            {
+                'label': _('Questions'),
+                'url': reverse('control:event.items.questions', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.questions' in url.url_name,
+            },
+            {
+                'label': _('Discounts'),
+                'url': reverse('control:event.items.discounts', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.discounts' in url.url_name,
+            },
+        ]
+    })
 
-    if 'can_view_orders' in request.eventpermset:
+    if request.event.has_subevents:
+        nav.append({
+            'label': pgettext_lazy('subevent', 'Dates'),
+            'url': reverse('control:event.subevents', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': ('event.subevent' in url.url_name),
+            'icon': 'calendar',
+        })
+
+    if 'event.orders:read' in request.eventpermset:
         children = [
             {
                 'label': _('All orders'),
@@ -242,7 +254,7 @@ def get_event_navigation(request: HttpRequest):
                 'active': 'event.orders.waitinglist' in url.url_name,
             },
         ]
-        if 'can_change_orders' in request.eventpermset:
+        if 'event.orders:write' in request.eventpermset:
             children.append({
                 'label': _('Import'),
                 'url': reverse('control:event.orders.import', kwargs={
@@ -262,7 +274,7 @@ def get_event_navigation(request: HttpRequest):
             'children': children
         })
 
-    if 'can_view_vouchers' in request.eventpermset:
+    if 'event.vouchers:read' in request.eventpermset:
         nav.append({
             'label': _('Vouchers'),
             'url': reverse('control:event.vouchers', kwargs={
@@ -291,7 +303,7 @@ def get_event_navigation(request: HttpRequest):
             ]
         })
 
-    if 'can_view_orders' in request.eventpermset:
+    if 'event.orders:read' in request.eventpermset or 'event.settings.general:write' in request.eventpermset:
         nav.append({
             'label': pgettext_lazy('navigation', 'Check-in'),
             'url': reverse('control:event.orders.checkinlists', kwargs={
@@ -480,7 +492,7 @@ def get_organizer_navigation(request):
             'icon': 'calendar',
         },
     ]
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.settings.general:write' in request.orgapermset:
         nav.append({
             'label': _('Settings'),
             'url': reverse('control:organizer.edit', kwargs={
@@ -534,7 +546,7 @@ def get_organizer_navigation(request):
             ]
         })
 
-    if 'can_change_teams' in request.orgapermset:
+    if 'organizer.teams:write' in request.orgapermset:
         nav.append({
             'label': _('Teams'),
             'url': reverse('control:organizer.teams', kwargs={
@@ -544,7 +556,7 @@ def get_organizer_navigation(request):
             'icon': 'group',
         })
 
-    if 'can_manage_gift_cards' in request.orgapermset:
+    if 'organizer.giftcards:read' in request.orgapermset or 'organizer.giftcards:write' in request.orgapermset:
         children = []
         children.append({
             'label': _('Gift cards'),
@@ -554,7 +566,7 @@ def get_organizer_navigation(request):
             'active': 'organizer.giftcard' in url.url_name and 'acceptance' not in url.url_name,
             'children': children,
         })
-        if 'can_change_organizer_settings' in request.orgapermset:
+        if 'organizer.settings.general:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Acceptance'),
@@ -575,7 +587,7 @@ def get_organizer_navigation(request):
 
     if request.organizer.settings.customer_accounts:
         children = []
-        if 'can_manage_customers' in request.orgapermset:
+        if 'organizer.customers:read' in request.orgapermset or 'organizer.customers:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Customers'),
@@ -585,7 +597,7 @@ def get_organizer_navigation(request):
                     'active': 'organizer.customer' in url.url_name,
                 }
             )
-        if 'can_change_organizer_settings' in request.orgapermset:
+        if 'organizer.settings.general:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Membership types'),
@@ -624,16 +636,17 @@ def get_organizer_navigation(request):
             })
 
     if request.organizer.settings.reusable_media_active:
-        nav.append({
-            'label': _('Reusable media'),
-            'url': reverse('control:organizer.reusable_media', kwargs={
-                'organizer': request.organizer.slug
-            }),
-            'icon': 'key',
-            'active': 'organizer.reusable_medi' in url.url_name,
-        })
+        if 'organizer.reusablemedia:read' in request.orgapermset or 'organizer.reusablemedia:write' in request.orgapermset:
+            nav.append({
+                'label': _('Reusable media'),
+                'url': reverse('control:organizer.reusable_media', kwargs={
+                    'organizer': request.organizer.slug
+                }),
+                'icon': 'key',
+                'active': 'organizer.reusable_medi' in url.url_name,
+            })
 
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.devices:read' in request.orgapermset or 'organizer.devices:write' in request.orgapermset:
         nav.append({
             'label': _('Devices'),
             'url': reverse('control:organizer.devices', kwargs={
@@ -667,7 +680,7 @@ def get_organizer_navigation(request):
         'icon': 'download',
     })
 
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.settings.general:write' in request.orgapermset:
         merge_in(nav, [{
             'parent': reverse('control:organizer.export', kwargs={
                 'organizer': request.organizer.slug,

src/pretix/control/permissions.py

@@ -55,7 +55,7 @@ def event_permission_required(permission):
     """
     if permission == 'can_change_settings':
         # Legacy support
-        permission = 'can_change_event_settings'
+        permission = 'event.settings.general:write'
 
     def decorator(function):
         def wrapper(request, *args, **kw):
@@ -92,9 +92,9 @@ def organizer_permission_required(permission):
     This view decorator rejects all requests with a 403 response which are not from
     users having the given permission for the event the request is associated with.
     """
-    if permission == 'can_change_settings':
+    if permission == 'event.settings.general:write':
         # Legacy support
-        permission = 'can_change_organizer_settings'
+        permission = 'organizer.settings.general:write'
 
     def decorator(function):
         def wrapper(request, *args, **kw):

src/pretix/control/templates/pretixcontrol/checkin/index.html

@@ -9,7 +9,7 @@
 {% block content %}
     <h1>
         {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
-        {% if 'can_change_event_settings' in request.eventpermset %}
+        {% if 'event.settings.general:write' in request.eventpermset %}
             <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                     class="btn btn-default">
                 <span class="fa fa-wrench"></span>
@@ -87,7 +87,7 @@
                     <thead>
                     <tr>
                         <th>
-                            {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                                 <label aria-label="{% trans "select all rows for batch-operation" %}"
                                        class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
                             {% endif %}
@@ -132,7 +132,7 @@
                     {% for e in entries %}
                         <tr>
                             <td>
-                                {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                                     <input type="checkbox" name="checkin" id="id_checkin" class="" value="{{ e.pk }}"/>
                                 {% endif %}
                             </td>
@@ -207,7 +207,7 @@
                 </table>
             </div>
             <div class="batch-select-actions">
-                {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                     <button type="submit" class="btn btn-primary btn-save">
                         <span class="fa fa-sign-in" aria-hidden="true"></span>
                         {% trans "Check-In selected attendees" %}
@@ -217,7 +217,7 @@
                         {% trans "Check-Out selected attendees" %}
                     </button>
                 {% endif %}
-                {% if "can_change_orders" in request.eventpermset %}
+                {% if "event.orders:write" in request.eventpermset %}
                     <button type="submit" class="btn btn-danger btn-save" name="revert"
                             formaction="{% url "control:event.orders.checkinlists.bulk_revert" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                             data-no-asynctask

src/pretix/control/templates/pretixcontrol/checkin/lists.html

@@ -63,27 +63,27 @@
                 {% endif %}
             </p>
 
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}
                 </a>
             {% endif %}
-            {% if can_change_organizer_settings %}
+            {% if link_device_settings %}
                 <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
                    class="btn btn-default btn-lg"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
             {% endif %}
         </div>
     {% else %}
         <p>
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}</a>
             {% endif %}
-            {% if can_change_organizer_settings %}
+            {% if link_device_settings %}
                 <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
                    class="btn btn-default"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
             {% endif %}
-            {% if "can_change_orders" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset and "event.orders:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.reset" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-default">
                     <span class="fa fa-repeat"></span>
@@ -100,7 +100,9 @@
                         <a href="?{% url_replace request 'ordering' '-name' %}"><i class="fa fa-caret-down"></i></a>
                         <a href="?{% url_replace request 'ordering' 'name' %}"><i class="fa fa-caret-up"></i></a>
                     </th>
-                    <th>{% trans "Checked in" %}</th>
+                    {% if "event.orders:read" in request.eventpermset %}
+                        <th>{% trans "Checked in" %}</th>
+                    {% endif %}
                     {% if request.event.has_subevents %}
                         <th>
                             {% trans "Date" context "subevent" %}
@@ -119,18 +121,20 @@
                             <strong><a
                                     href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}">{{ cl.name }}</a></strong>
                         </td>
-                        <td>
-                            <div class="quotabox availability">
-                                <div class="progress">
-                                    <div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}">
+                        {% if "event.orders:read" in request.eventpermset %}
+                            <td>
+                                <div class="quotabox availability">
+                                    <div class="progress">
+                                        <div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}">
+                                        </div>
+                                    </div>
+                                    <div class="numbers">
+                                        {{ cl.checkin_count|default_if_none:"0" }} /
+                                        {{ cl.position_count|default_if_none:"0" }}
                                     </div>
                                 </div>
-                                <div class="numbers">
-                                    {{ cl.checkin_count|default_if_none:"0" }} /
-                                    {{ cl.position_count|default_if_none:"0" }}
-                                </div>
-                            </div>
-                        </td>
+                            </td>
+                        {% endif %}
                         {% if request.event.has_subevents %}
                             {% if cl.subevent %}
                                 <td>
@@ -156,16 +160,18 @@
                             {% endif %}
                         </td>
                         <td class="text-right flip">
-                            <a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
-                               class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a>
-                            {% if "can_change_event_settings" in request.eventpermset %}
+                            {% if "event.orders:read" in request.eventpermset %}
+                                <a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
+                                   class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a>
+                                <a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
+                                   title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
+                                   class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
+                            {% endif %}
+                            {% if "event.settings.general:write" in request.eventpermset %}
                                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ cl.id }}"
                                    class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
                                     <span class="fa fa-copy"></span>
                                 </a>
-                                <a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
-                                   title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
-                                   class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
                                 <a href="{% url "control:event.orders.checkinlists.edit" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
                                    class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
                                 <a href="{% url "control:event.orders.checkinlists.delete" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"

src/pretix/control/templates/pretixcontrol/checkin/simulator.html

@@ -9,7 +9,7 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
-        {% if 'can_change_event_settings' in request.eventpermset %}
+        {% if 'event.settings.general:write' in request.eventpermset %}
             <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                class="btn btn-default">
                 <span class="fa fa-wrench"></span>

src/pretix/control/templates/pretixcontrol/datasync/control_order_info.html

@@ -11,18 +11,20 @@
     <ul class="list-group">
         {% for identifier, display_name, pending, objects in providers %}
             <li class="list-group-item">
-                <form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right">
-                    {% csrf_token %}
-                    {% if pending %}
-                        {% if pending.not_before > now or pending.need_manual_retry %}
-                            <button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button>
+                {% if "event.orders:write" in request.eventpermset %}
+                    <form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right">
+                        {% csrf_token %}
+                        {% if pending %}
+                            {% if pending.not_before > now or pending.need_manual_retry %}
+                                <button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button>
+                            {% endif %}
+                            <button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button>
+                        {% else %}
+                            <button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
+                            <input type="hidden" name="queue_sync" value="true">
                         {% endif %}
-                        <button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button>
-                    {% else %}
-                        <button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
-                        <input type="hidden" name="queue_sync" value="true">
-                    {% endif %}
-                </form>
+                    </form>
+                {% endif %}
                 <p><b>{{ display_name }}</b></p>
                 {% if pending %}
                     <p>

src/pretix/control/templates/pretixcontrol/event/dangerzone.html

@@ -40,12 +40,16 @@
                     this option.
                 {% endblocktrans %}
             </div>
-            <div class="col-sm-12 col-md-3">
-                <a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}"
-                        class="btn btn-danger btn-block btn-lg">
-                    <span class="fa fa-ban"></span>
-                    {% trans "Cancel event" %}
-                </a>
+            <div class="col-sm-12 col-md-3 text-center">
+                {% if "event:cancel" in request.eventpermset %}
+                    <a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}"
+                            class="btn btn-danger btn-block btn-lg">
+                        <span class="fa fa-ban"></span>
+                        {% trans "Cancel event" %}
+                    </a>
+                {% else %}
+                    {% trans "No permission" %}
+                {% endif %}
             </div>
         </div>
     </div>

src/pretix/control/templates/pretixcontrol/event/fragment_timeline.html

@@ -19,7 +19,7 @@
                         <span class="{% if e.time < nearly_now %}text-muted{% endif %}">
                             {{ e.entry.description }}
                         </span>
-                        {% if e.entry.edit_url %}
+                        {% if e.entry.edit_url and e.entry.edit_permission in request.eventpermset %}
                             &nbsp;
                             <a href="{{ e.entry.edit_url }}" class="text-muted">
                                 <span class="fa fa-edit"></span>

src/pretix/control/templates/pretixcontrol/event/index.html

@@ -155,22 +155,24 @@
             </form>
         </div>
     </div>
-    <div class="panel panel-default">
-        <div class="panel-heading">
-            <h3 class="panel-title">
-                {% trans "Event logs" %}
-            </h3>
-        </div>
-        <ul class="list-group" id="logs_target">
-            <div class="logs-lazy-loading">
-                <span class="fa fa-cog fa-4x"></span>
+    {% if "event.orders:read" in request.eventpermset or "event.orders:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset or "event.items:write" in request.eventpermset %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <h3 class="panel-title">
+                    {% trans "Event logs" %}
+                </h3>
+            </div>
+            <ul class="list-group" id="logs_target">
+                <div class="logs-lazy-loading">
+                    <span class="fa fa-cog fa-4x"></span>
+                </div>
+            </ul>
+            <div class="panel-footer">
+                <a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
+                    {% trans "Show more logs" %}
+                </a>
             </div>
-        </ul>
-        <div class="panel-footer">
-            <a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
-                {% trans "Show more logs" %}
-            </a>
         </div>
-    </div>
+    {% endif %}
 
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/invoicing.html

@@ -12,6 +12,7 @@
                 <legend>{% trans "Invoice generation" %}</legend>
                 {% bootstrap_field form.invoice_generate layout="control" %}
                 {% bootstrap_field form.invoice_generate_sales_channels layout="control" %}
+                {% bootstrap_field form.invoice_generate_only_business layout="control" %}
                 {% bootstrap_field form.invoice_email_attachment layout="control" %}
                 {% bootstrap_field form.invoice_email_organizer layout="control" %}
                 {% bootstrap_field form.invoice_language layout="control" %}
@@ -111,11 +112,6 @@
                                             <span class="text-success">
                                                 <span class="fa fa-check fa-fw"></span>
                                                 {% trans "Available" %}
-                                                {% if t.exclusive %}
-                                                    <span data-toggle="tooltip" title="{% trans "When this type is available for an invoice address, no other type can be selected." %}">
-                                                        {% trans "(exclusive)" %}
-                                                    </span>
-                                                {% endif %}
                                             </span>
                                         {% else %}
                                             <span class="text-muted">
@@ -169,13 +165,15 @@
                 </p>
             </fieldset>
         </div>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank">
-                {% trans "Save and show preview" %}
-            </button>
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.invoicing:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank">
+                    {% trans "Save and show preview" %}
+                </button>
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/payment.html

@@ -41,14 +41,17 @@
                                 {% endfor %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
-                                        class="btn btn-default">
-                                    <span class="fa fa-cog"></span>
-                                    {% trans "Settings" %}
-                                </a>
+                                {% if "event.settings.payment:write" in request.eventpermset %}
+                                    <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
+                                            class="btn btn-default">
+                                        <span class="fa fa-cog"></span>
+                                        {% trans "Settings" %}
+                                    </a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
+                    {% if "event.settings.general:write" in request.eventpermset %}
                         <tr>
                             <td colspan="4">
                                 <br>
@@ -58,6 +61,7 @@
                                 </a>
                             </td>
                         </tr>
+                    {% endif %}
                     </tbody>
                 </table>
 
@@ -83,10 +87,12 @@
                 {% bootstrap_field form.payment_explanation layout="control" %}
             </fieldset>
         </div>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.payment:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/tax.html

@@ -23,8 +23,10 @@
                     {% endblocktrans %}
                 </p>
 
-                <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a>
+                {% if "event.settings.tax:write" in request.eventpermset %}
+                    <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                       class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a>
+                {% endif %}
             </div>
         {% else %}
             <div class="table-responsive">
@@ -42,10 +44,14 @@
                     {% for tr in taxrules %}
                         <tr>
                             <td>
-                                <strong><a
-                                        href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
-                                    {{ tr.internal_name|default:tr.name }}
-                                </a></strong>
+                                {% if "event.settings.tax:write" in request.eventpermset %}
+                                    <strong><a
+                                            href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
+                                        {{ tr.internal_name|default:tr.name }}
+                                    </a></strong>
+                                {% else %}
+                                    <strong>{{ tr.internal_name|default:tr.name }}</strong>
+                                {% endif %}
                             </td>
                             <td>
                                 {% if tr.default %}
@@ -53,7 +59,7 @@
                                     <span class="fa fa-check"></span>
                                     {% trans "Default" %}
                                 </span>
-                                {% else %}
+                                {% elif "event.settings.tax:write" in request.eventpermset %}
                                     <form class="form-inline" method="post"
                                           action="{% url "control:event.settings.tax.default" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
                                         {% csrf_token %}
@@ -83,10 +89,12 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
-                                   class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if "event.settings.tax:write" in request.eventpermset %}
+                                    <a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
+                                       class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
@@ -94,9 +102,11 @@
                     <tfoot>
                     <tr>
                         <td colspan="5">
-                            <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}
-                            </a>
+                            {% if "event.settings.tax:write" in request.eventpermset %}
+                                <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}
+                                </a>
+                            {% endif %}
                         </td>
                     </tr>
                     </tfoot>
@@ -111,10 +121,12 @@
             {% bootstrap_field form.tax_rounding layout="control" %}
             {% bootstrap_field form.display_net_prices layout="control" %}
         </fieldset>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.tax:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/items/categories.html

@@ -16,14 +16,18 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %}
+                </a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
         <div class="table-responsive">
@@ -39,7 +43,11 @@
                 {% for c in categories %}
                     <tr data-dnd-id="{{ c.id }}">
                         <td>
-                            <strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
+                            {% else %}
+                                <strong>{{ c.internal_name|default:c.name }}</strong>
+                            {% endif %}
                             <br>
                             <small class="text-muted">
                                 #{{ c.pk }}
@@ -49,15 +57,17 @@
                             {{ c.get_category_type_display }}
                         </td>
                         <td class="text-right flip">
-                            <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                            <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
-                            <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                            <a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}"
-                               class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                <span class="fa fa-copy"></span>
-                            </a>
-                            <a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
+                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                <a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}"
+                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                    <span class="fa fa-copy"></span>
+                                </a>
+                                <a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         </td>
                     </tr>
                 {% endfor %}

src/pretix/control/templates/pretixcontrol/items/discounts.html

@@ -39,15 +39,19 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}
+                </a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
             <div class="table-responsive">
@@ -70,8 +74,12 @@
                                 {% else %}
                                     <del>
                                 {% endif %}
-                                    <a  href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}">
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}">
                                     {{ d.internal_name }}</a>
+                                {% else %}
+                                    {{ d.internal_name }}
+                                {% endif %}
                                 {% if d.active %}
                                     </strong>
                                 {% else %}
@@ -134,23 +142,25 @@
                                 </td>
                             {% endif %}
                             <td class="text-right flip">
-                                <button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                        class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}"
-                                        {% if forloop.counter0 == 0 and not page_obj.has_previous %}
-                                        disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                                <button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                        class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}"
-                                        {% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}>
-                                    <i class="fa fa-arrow-down"></i></button>
-                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                                <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}"
-                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                    <span class="fa fa-copy"></span>
-                                </a>
-                                <a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                   class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                            class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}"
+                                            {% if forloop.counter0 == 0 and not page_obj.has_previous %}
+                                            disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                    <button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                            class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}"
+                                            {% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}>
+                                        <i class="fa fa-arrow-down"></i></button>
+                                    <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                    <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}"
+                                       class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                        <span class="fa fa-copy"></span>
+                                    </a>
+                                    <a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                       class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}

src/pretix/control/templates/pretixcontrol/items/index.html

@@ -21,14 +21,18 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
         <div class="table-responsive">
@@ -51,7 +55,9 @@
                         <tbody>
                             <tr class="sortable-disabled"><th colspan="9" scope="colgroup" class="text-muted">
                                 {{ c.internal_name|default:c.name }}{% if c.category_type != "normal" %} <span class="font-normal">({{ c.get_category_type_display }})</span>{% endif %}
-                                <a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a>
+                                {% endif %}
                             </th></tr>
                         </tbody>
                     {% endif %}
@@ -62,7 +68,11 @@
                         <tr data-dnd-id="{{ i.id }}" {% if not i.active %}class="row-muted"{% endif %}>
                             <td><strong>
                                 {% if not i.active %}<strike>{% endif %}
-                                <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a>
+                                {% else %}
+                                    {{ i }}
+                                {% endif %}
                                 {% if not i.active %}</strike>{% endif %}
                                 </strong>
                                 <br>
@@ -158,12 +168,14 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip col-actions">
-                                <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                                <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
-                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                                <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a>
-                                <a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                    <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
+                                    <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                    <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a>
+                                    <a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}

src/pretix/control/templates/pretixcontrol/items/question.html

@@ -7,45 +7,57 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %}
-        <a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}"
-                class="btn btn-default">
-            <span class="fa fa-edit"></span>
-            {% trans "Edit question" %}
-        </a>
+        {% if 'event.items:write' in request.eventpermset %}
+            <a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}"
+                    class="btn btn-default">
+                <span class="fa fa-edit"></span>
+                {% trans "Edit question" %}
+            </a>
+        {% endif %}
     </h1>
 
-    <div class="panel panel-default">
-        <div class="panel-heading">
-            <h3 class="panel-title">{% trans "Filter" %}</h3>
+    {% if 'event.orders:read' in request.eventpermset %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <h3 class="panel-title">{% trans "Filter" %}</h3>
+            </div>
+            <form class="panel-body filter-form" action="" method="get">
+                <div class="row">
+                     <div class="col-md-2 col-xs-6">
+                         {% bootstrap_field form.status %}
+                     </div>
+                     <div class="col-md-3 col-xs-6">
+                         {% bootstrap_field form.item %}
+                     </div>
+                {% if has_subevents %}
+                    <div class="col-md-3 col-xs-6">
+                        {% bootstrap_field form.subevent %}
+                    </div>
+                    <div class="col-md-4 col-xs-6">
+                        {% bootstrap_field form.date_range %}
+                    </div>
+                {% endif %}
+                </div>
+                <div class="text-right">
+                    <button class="btn btn-primary btn-lg" type="submit">
+                        <span class="fa fa-filter"></span>
+                        {% trans "Filter" %}
+                    </button>
+                </div>
+            </form>
         </div>
-        <form class="panel-body filter-form" action="" method="get">
-            <div class="row">
-                 <div class="col-md-2 col-xs-6">
-                     {% bootstrap_field form.status %}
-                 </div>
-                 <div class="col-md-3 col-xs-6">
-                     {% bootstrap_field form.item %}
-                 </div>
-            {% if has_subevents %}
-                <div class="col-md-3 col-xs-6">
-                    {% bootstrap_field form.subevent %}
-                </div>
-                <div class="col-md-4 col-xs-6">
-                    {% bootstrap_field form.date_range %}
-                </div>
-            {% endif %}
-            </div>
-            <div class="text-right">
-                <button class="btn btn-primary btn-lg" type="submit">
-                    <span class="fa fa-filter"></span>
-                    {% trans "Filter" %}
-                </button>
-            </div>
-        </form>
-    </div>
+    {% endif %}
 
     <div class="row">
-        {% if not stats %}
+        {% if 'event.orders:read' not in request.eventpermset %}
+            <div class="empty-collection col-md-10 col-xs-12">
+                <p>
+                    {% blocktrans trimmed %}
+                        No permission to view answers.
+                    {% endblocktrans %}
+                </p>
+            </div>
+        {% elif not stats %}
             <div class="empty-collection col-md-10 col-xs-12">
                 <p>
                     {% blocktrans trimmed %}

src/pretix/control/templates/pretixcontrol/items/questions.html

@@ -10,10 +10,12 @@
         {% endblocktrans %}
     </p>
     {% csrf_token %}
-    <p>
-        <a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %}
-        </a>
-    </p>
+    {% if 'event.items:write' in request.eventpermset %}
+        <p>
+            <a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %}
+            </a>
+        </p>
+    {% endif %}
     <div class="table-responsive">
         <table class="table table-hover table-quotas">
             <thead>
@@ -24,7 +26,9 @@
                 <th class="iconcol"></th>
                 <th class="iconcol"></th>
                 <th>{% trans "Products" %}</th>
-                <th class="action-col-2"></th>
+                {% if 'event.items:write' in request.eventpermset %}
+                    <th class="action-col-2"></th>
+                {% endif %}
                 <th class="action-col-2"></th>
             </tr>
             </thead>
@@ -79,16 +83,22 @@
                             <small>{% trans "All personalized products" %}</small>
                         {% endif %}
                     </td>
-                    <td class="dnd-container">
-                    </td>
+                    {% if 'event.items:write' in request.eventpermset %}
+                        <td class="dnd-container">
+                        </td>
+                    {% endif %}
                     <td class="text-right flip">
                         {% if q.pk %}
                             <a href="{% url "control:event.items.questions.show" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-bar-chart"></i></a>
-                            <a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         {% else %}
-                            <a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open"
-                                    class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
+                            {% if 'event.settings.general:write' in request.eventpermset %}
+                                <a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open"
+                                        class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
+                            {% endif %}
                         {% endif %}
                     </td>
                 </tr>

src/pretix/control/templates/pretixcontrol/items/quota.html

@@ -7,7 +7,7 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=quota.name %}Quota: {{ name }}{% endblocktrans %}
-        {% if 'can_change_items' in request.eventpermset %}
+        {% if 'event.items:write' in request.eventpermset %}
             <a href="{% url "control:event.items.quotas.edit" event=request.event.slug organizer=request.event.organizer.slug quota=quota.pk %}"
                class="btn btn-default">
                 <span class="fa fa-edit"></span>

src/pretix/control/templates/pretixcontrol/items/quotas.html

@@ -30,14 +30,18 @@
                 {% endif %}
             </p>
 
-            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
+                </a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-hover table-quotas">
                 <thead>
@@ -91,12 +95,14 @@
                         <td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td>
                         <td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td>
                         <td class="text-right flip">
-                            <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
-                               class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                <span class="fa fa-copy"></span>
-                            </a>
-                            <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
+                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                    <span class="fa fa-copy"></span>
+                                </a>
+                                <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         </td>
                     </tr>
                 {% endfor %}

src/pretix/control/templates/pretixcontrol/order/index.html

@@ -26,7 +26,7 @@
         {% endif %}
         {% include "pretixcontrol/orders/fragment_order_status.html" with order=order class="pull-right flip" %}
     </h1>
-    {% if 'can_change_orders' in request.eventpermset %}
+    {% if 'event.orders:write' in request.eventpermset %}
         <form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"
                 method="post">
             {% csrf_token %}
@@ -193,7 +193,7 @@
                         <dt>{% trans "Order locale" %}</dt>
                         <dd>
                             {{ display_locale }}
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <a href="{% url "control:event.order.locale" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                     <span class="fa fa-edit"></span>
                                 </a>
@@ -220,7 +220,7 @@
                                         {{ order.customer.identifier }} – {{ order.customer.email }}
                                     </a>
                                 {% endif %}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                         <span class="fa fa-edit"></span>
                                     </a>
@@ -233,7 +233,7 @@
                             {% if order.email and order.email_known_to_work %}
                                 <span class="fa fa-check-circle text-success" data-toggle="tooltip" title="{% trans "We know that this email address works because the user clicked a link we sent them." %}"></span>
                             {% endif %}
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                     <span class="fa fa-edit"></span>
                                 </a>
@@ -257,7 +257,7 @@
                             <dt>{% trans "Phone number" %}</dt>
                             <dd>
                                 {{ order.phone|default_if_none:""|phone_format }}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                         <span class="fa fa-edit"></span>
                                     </a>
@@ -319,7 +319,7 @@
                                             <span class="fa fa-check text-success fa-stack-1x fa-stack-shifted"></span>
                                         </span>
                                     {% endif %}
-                                    {% if i.transmission_status != "inflight" %}
+                                    {% if i.transmission_status != "inflight" and "event.orders:write" in request.eventpermset %}
                                         <form class="form-inline helper-display-inline" method="post"
                                               action="{% url "control:event.order.retransmitinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                             {% csrf_token %}
@@ -334,7 +334,7 @@
                                         </form>
                                     {% endif %}
                                     {% if not i.canceled %}
-                                        {% if i.regenerate_allowed %}
+                                        {% if i.regenerate_allowed and "event.orders:write" in request.eventpermset %}
                                             <form class="form-inline helper-display-inline" method="post"
                                                     action="{% url "control:event.order.regeninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                                 {% csrf_token %}
@@ -344,7 +344,7 @@
                                                 </button>
                                             </form>
                                         {% endif %}
-                                        {% if not i.is_cancellation %}
+                                        {% if not i.is_cancellation and "event.orders:write" in request.eventpermset %}
                                             <form class="form-inline helper-display-inline" method="post"
                                                     action="{% url "control:event.order.reissueinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                                 {% csrf_token %}
@@ -353,7 +353,7 @@
                                                             data-toggle="tooltip"
                                                             title="{% trans 'Generate a cancellation document for this invoice and create a new invoice with a new invoice number.' %}"
                                                         {% endif %}>
-                                                    {% if order.status == "c" %}
+                                                    {% if order.status == "c" or not invoice_qualified %}
                                                         {% trans "Generate cancellation" %}
                                                     {% else %}
                                                         {% trans "Cancel and reissue" %}
@@ -371,7 +371,7 @@
                                         <br/>
                                     {% endif %}
                                 {% endfor %}
-                                {% if can_generate_invoice and 'can_change_orders' in request.eventpermset %}
+                                {% if can_generate_invoice and 'event.orders:write' in request.eventpermset %}
                                     <br/>
                                     <form class="form-inline helper-display-inline" method="post"
                                             action="{% url "control:event.order.geninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
@@ -382,7 +382,7 @@
                                     </form>
                                 {% endif %}
                             </dd>
-                        {% elif can_generate_invoice and 'can_change_orders' in request.eventpermset %}
+                        {% elif can_generate_invoice and 'event.orders:write' in request.eventpermset %}
                             <dt>{% trans "Invoices" %}</dt>
                             <dd>
                                 <form class="form-inline helper-display-inline" method="post"
@@ -400,7 +400,7 @@
             <div class="panel panel-default items">
                 <div class="panel-heading">
                     <div class="pull-right flip">
-                        {% if 'can_change_orders' in request.eventpermset %}
+                        {% if 'event.orders:write' in request.eventpermset %}
                             <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
                                 <span class="fa fa-edit"></span>
                                 {% trans "Change answers" %}
@@ -893,7 +893,7 @@
                                     {% endfor %}
                                     </tbody>
                                 </table>
-                                {% if order.payment_refund_sum > 0 and "can_change_orders" in request.eventpermset %}
+                                {% if order.payment_refund_sum > 0 and "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.refunds.start" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default">
                                         {% trans "Create a refund" %}
                                     </a>
@@ -1012,7 +1012,7 @@
                         <div class="panel panel-default">
                             <div class="panel-heading">
                                 <div class="pull-right flip">
-                                    {% if 'can_change_orders' in request.eventpermset %}
+                                    {% if 'event.orders:write' in request.eventpermset %}
                                         <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
                                             <span class="fa fa-edit"></span>
                                             {% trans "Change" %}
@@ -1088,7 +1088,7 @@
                                 {% bootstrap_field comment_form.custom_followup_at %}
                                 {% bootstrap_field comment_form.checkin_attention show_help=True show_label=False %}
                                 {% bootstrap_field comment_form.checkin_text show_help=True show_label=False %}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <button class="btn btn-default">
                                         {% trans "Update comment" %}
                                     </button>

src/pretix/control/templates/pretixcontrol/orders/export.html

@@ -22,7 +22,7 @@
                                 {{ s.owner.fullname|default:s.owner.email }}
                             </span>
                         </div>
-                        <div class="col-lg-5 col-md-6 col-xs-12">
+                        <div class="col-lg-4 col-md-5 col-xs-12">
                             {% if s.schedule_next_run %}
                                 <span class="fa fa-clock-o fa-fw"></span>
                                 {% trans "Next run:" %}
@@ -53,7 +53,7 @@
                                 {{ s.mail_subject }}
                             </span>
                         </div>
-                        <div class="col-lg-2 col-md-2 col-xs-12 text-right">
+                        <div class="col-lg-3 col-md-3 col-xs-12 text-right">
                             <form action="{% url "control:event.orders.export.do" event=request.event.slug organizer=request.organizer.slug %}"
                                   method="post" class="form-horizontal" data-asynctask data-asynctask-download
                                   data-asynctask-long>
@@ -73,6 +73,9 @@
                                     <a href="?identifier={{ s.export_identifier }}&scheduled={{ s.pk }}" class="btn btn-default" title="{% trans "Edit" %}" data-toggle="tooltip">
                                         <span class="fa fa-edit"></span>
                                     </a>
+                                    <a href="?identifier={{ s.export_identifier }}&scheduled_copy_from={{ s.pk }}" class="btn btn-default" title="{% trans "Copy" %}" data-toggle="tooltip">
+                                        <span class="fa fa-copy"></span>
+                                    </a>
                                 {% endif %}
                                 <a href="{% url "control:event.orders.export.scheduled.delete" event=request.event.slug organizer=request.event.organizer.slug pk=s.pk %}" class="btn btn-danger" title="{% trans "Delete" %}" data-toggle="tooltip">
                                     <span class="fa fa-trash"></span>

src/pretix/control/templates/pretixcontrol/orders/export_form.html

@@ -42,7 +42,11 @@
             <div class="form-group submit-group">
                 <button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit"
                         class="btn btn-primary btn-save" data-no-asynctask>
-                    {% trans "Save" %}
+                    {% if scheduled_copy_from %}
+                        {% trans "Save copy" %}
+                    {% else %}
+                        {% trans "Save" %}
+                    {% endif %}
                 </button>
             </div>
         {% else %}

src/pretix/control/templates/pretixcontrol/orders/index.html

@@ -122,7 +122,7 @@
                 <table class="table table-condensed table-hover table-orders">
                     <thead>
                     <tr>
-                        {% if "can_change_orders" in request.eventpermset %}
+                        {% if "event.orders:write" in request.eventpermset %}
                             <th>
                                 <label aria-label="{% trans "select all rows for batch-operation" %}"
                                        class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
@@ -154,7 +154,7 @@
                             <a href="?{% url_replace request 'ordering' 'status' %}"><i class="fa fa-caret-up"></i></a>
                         </th>
                     </tr>
-                    {% if page_obj.paginator.num_pages > 1 and "can_change_orders" in request.eventpermset %}
+                    {% if page_obj.paginator.num_pages > 1 and "event.orders:write" in request.eventpermset %}
                         <tr class="table-select-all warning hidden">
                             <td>
                                 <input type="checkbox" name="__ALL" id="__all"
@@ -171,7 +171,7 @@
                     <tbody>
                     {% for o in orders %}
                         <tr>
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <td>
                                     <label aria-label="{% trans "select row for batch-operation" %}"
                                            class="batch-select-label"><input type="checkbox" name="order"
@@ -281,7 +281,7 @@
                     {% endif %}
                 </table>
             </div>
-            {% if "can_change_orders" in request.eventpermset %}
+            {% if "event.orders:write" in request.eventpermset %}
                 <div class="batch-select-actions">
                     <div class="btn-group dropup">
                         <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"

src/pretix/control/templates/pretixcontrol/orders/refunds.html

@@ -100,28 +100,30 @@
                             {{ r.amount|money:request.event.currency }}
                         </td>
                         <td class="text-right flip">
-                            {% if r.state == "transit" or r.state == "created" %}
-                                <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-danger btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-times"></span>
-                                    {% trans "Cancel" %}
-                                </a>
-                                <a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-primary btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-check"></span>
-                                    {% trans "Confirm as done" %}
-                                </a>
+                            {% if "event.orders:write" in request.eventpermset %}
+                                {% if r.state == "transit" or r.state == "created" %}
+                                    <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-danger btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-times"></span>
+                                        {% trans "Cancel" %}
+                                    </a>
+                                    <a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-primary btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-check"></span>
+                                        {% trans "Confirm as done" %}
+                                    </a>
                                 {% elif r.state == "external" %}
-                                <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-default btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-times"></span>
-                                    {% trans "Ignore" %}
-                                </a>
-                                <a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-primary btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-check"></span>
-                                    {% trans "Process refund" %}
-                                </a>
+                                    <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-default btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-times"></span>
+                                        {% trans "Ignore" %}
+                                    </a>
+                                    <a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-primary btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-check"></span>
+                                        {% trans "Process refund" %}
+                                    </a>
+                                {% endif %}
                             {% endif %}
                         </td>
                     </tr>

src/pretix/control/templates/pretixcontrol/organizers/customer.html

@@ -93,16 +93,18 @@
                         {% endif %}
                         </dl>
                     </form>
-                    <div class="text-right">
-                        <a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}"
-                                class="btn btn-default">
-                            <i class="fa fa-edit"></i> {% trans "Edit" %}
-                        </a>
-                        <a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}"
-                                class="btn btn-danger">
-                            <i class="fa fa-trash"></i> {% trans "Anonymize" %}
-                        </a>
-                    </div>
+                    {% if "organizer.customers:write" in request.orgapermset %}
+                        <div class="text-right">
+                            <a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}"
+                                    class="btn btn-default">
+                                <i class="fa fa-edit"></i> {% trans "Edit" %}
+                            </a>
+                            <a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}"
+                                    class="btn btn-danger">
+                                <i class="fa fa-trash"></i> {% trans "Anonymize" %}
+                            </a>
+                        </div>
+                    {% endif %}
                 </div>
             </div>
             <div class="panel panel-default items">
@@ -162,35 +164,39 @@
                                 </div>
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
-                                        data-toggle="tooltip"
-                                        title="{% trans "Edit" %}"
-                                        class="btn btn-default">
-                                    <i class="fa fa-edit"></i>
-                                </a>
-                                {% if m.testmode %}
-                                    <a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
+                                {% if "organizer.customers:write" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
                                             data-toggle="tooltip"
-                                            title="{% trans "Delete" %}"
-                                            class="btn btn-danger">
-                                        <i class="fa fa-trash"></i>
+                                            title="{% trans "Edit" %}"
+                                            class="btn btn-default">
+                                        <i class="fa fa-edit"></i>
                                     </a>
+                                    {% if m.testmode %}
+                                        <a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
+                                                data-toggle="tooltip"
+                                                title="{% trans "Delete" %}"
+                                                class="btn btn-danger">
+                                            <i class="fa fa-trash"></i>
+                                        </a>
+                                    {% endif %}
                                 {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
-                    <tfoot>
-                    <tr>
-                        <td colspan="7">
-                            <a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}"
-                                    class="btn btn-default">
-                                <i class="fa fa-plus"></i>
-                                {% trans "Add membership" %}
-                            </a>
-                        </td>
-                    </tr>
-                    </tfoot>
+                    {% if "organizer.customers:write" in request.orgapermset %}
+                        <tfoot>
+                        <tr>
+                            <td colspan="7">
+                                <a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}"
+                                        class="btn btn-default">
+                                    <i class="fa fa-plus"></i>
+                                    {% trans "Add membership" %}
+                                </a>
+                            </td>
+                        </tr>
+                        </tfoot>
+                    {% endif %}
                 </table>
             </div>
             <div class="panel panel-default items">
@@ -300,14 +306,18 @@
                         {% for gc in gift_cards %}
                             <tr>
                                 <td>
-                                    <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}">
-                                <strong>{{ gc.secret }}</strong></a>
-                                {% if gc.testmode %}
-                                    <span class="label label-warning">{% trans "TEST MODE" %}</span>
-                                {% endif %}
-                                {% if gc.expired %}
-                                    <span class="label label-danger">{% trans "Expired" %}</span>
-                                {% endif %}
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}">
+                                            <strong>{{ gc.secret }}</strong></a>
+                                    {% else %}
+                                        <strong>{{ gc.secret|slice:":3" }}…</strong>
+                                    {% endif %}
+                                    {% if gc.testmode %}
+                                        <span class="label label-warning">{% trans "TEST MODE" %}</span>
+                                    {% endif %}
+                                    {% if gc.expired %}
+                                        <span class="label label-danger">{% trans "Expired" %}</span>
+                                    {% endif %}
                                 </td>
                                 <td>{{ gc.issuance|date:"SHORT_DATETIME_FORMAT" }}</td>
                                 <td>{% if gc.expires %}{{ gc.expires|date:"SHORT_DATETIME_FORMAT" }}{% endif %}</td>
@@ -316,10 +326,12 @@
                                     <p class="text-right">{{ gc.value|money:gc.currency }}</p>
                                 </td>
                                 <td class="text-right">
-                                    <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"
-                                            class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}">
-                                        <i class="fa fa-eye"></i>
-                                    </a>
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"
+                                                class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}">
+                                            <i class="fa fa-eye"></i>
+                                        </a>
+                                    {% endif %}
                                 </td>
                             </tr>
                         {% endfor %}

src/pretix/control/templates/pretixcontrol/organizers/customers.html

@@ -15,8 +15,10 @@
                     No customer accounts have been created yet.
                 {% endblocktrans %}
             </p>
-            <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            {% if "organizer.customers:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -43,10 +45,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
-        </p>
+        {% if "organizer.customers:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>

src/pretix/control/templates/pretixcontrol/organizers/detail.html

@@ -6,7 +6,7 @@
         {% blocktrans with name=request.organizer.name %}Organizer: {{ name }}{% endblocktrans %}
     </h1>
     {% if events|length == 0 and not filter_form.filtered %}
-        {% if "can_create_events" in request.orgapermset %}
+        {% if "organizer.events:create" in request.orgapermset %}
             <p>
                 <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
                     <span class="fa fa-plus"></span>
@@ -50,7 +50,7 @@
                 </div>
             </form>
         </div>
-        {% if "can_create_events" in request.orgapermset %}
+        {% if "organizer.events:create" in request.orgapermset %}
             <p>
                 <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
                     <span class="fa fa-plus"></span>
@@ -125,7 +125,7 @@
                                 data-toggle="tooltip">
                             <span class="fa fa-eye"></span>
                         </a>
-                        {% if "can_create_events" in request.orgapermset %}
+                        {% if "organizer.events:create" in request.orgapermset %}
                             <a href="{% url "control:events.add" %}?clone={{ e.pk }}" class="btn btn-sm btn-default"
                                     title="{% trans "Clone event" %}" data-toggle="tooltip">
                                 <span class="fa fa-copy"></span>

src/pretix/control/templates/pretixcontrol/organizers/devices.html

@@ -51,10 +51,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a>
-        </p>
+        {% if "organizer.devices:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a>
+            </p>
+        {% endif %}
         <form action="{% url "control:organizer.device.bulk_edit" organizer=request.organizer.slug %}" method="post">
             {% csrf_token %}
             {% for field in filter_form %}
@@ -64,10 +66,12 @@
                 <table class="table table-condensed table-hover table-quotas">
                     <thead>
                     <tr>
-                        <th>
-                            <label aria-label="{% trans "select all rows for batch-operation" %}"
-                                   class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
-                        </th>
+                        {% if "organizer.devices:write" in request.orgapermset %}
+                            <th>
+                                <label aria-label="{% trans "select all rows for batch-operation" %}"
+                                       class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
+                            </th>
+                        {% endif %}
                         <th>{% trans "Device ID" %}
                             <a href="?{% url_replace request 'ordering' '-device_id' %}"><i
                                     class="fa fa-caret-down"></i></a>
@@ -105,12 +109,14 @@
                     <tbody>
                     {% for d in devices %}
                         <tr {% if d.revoked %}class="text-muted"{% endif %}>
-                            <td>
-                                <label aria-label="{% trans "select row for batch-operation" %}"
-                                       class="batch-select-label"><input type="checkbox" name="device"
-                                                                         class="batch-select-checkbox"
-                                                                         value="{{ d.pk }}"/></label>
-                            </td>
+                            {% if "organizer.devices:write" in request.orgapermset %}
+                                <td>
+                                    <label aria-label="{% trans "select row for batch-operation" %}"
+                                           class="batch-select-label"><input type="checkbox" name="device"
+                                                                             class="batch-select-checkbox"
+                                                                             value="{{ d.pk }}"/></label>
+                                </td>
+                            {% endif %}
                             <td>
                                 {{ d.device_id }}
                             </td>
@@ -158,15 +164,17 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                {% if not d.initialized %}
-                                    <a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}"
-                                       class="btn btn-primary btn-sm"><i class="fa fa-link"></i>
-                                        {% trans "Connect" %}</a>
-                                {% endif %}
-                                {% if not d.initialized or d.api_token %}
-                                    <a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}"
-                                       class="btn btn-default btn-sm">
-                                        {% trans "Revoke access" %}</a>
+                                {% if "organizer.devices:write" in request.orgapermset %}
+                                    {% if not d.initialized %}
+                                        <a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}"
+                                           class="btn btn-primary btn-sm"><i class="fa fa-link"></i>
+                                            {% trans "Connect" %}</a>
+                                    {% endif %}
+                                    {% if not d.initialized or d.api_token %}
+                                        <a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}"
+                                           class="btn btn-default btn-sm">
+                                            {% trans "Revoke access" %}</a>
+                                    {% endif %}
                                 {% endif %}
                                 {% if d.initialized %}
                                     <a href="{% url "control:organizer.device.logs" organizer=request.organizer.slug device=d.id %}"
@@ -175,19 +183,23 @@
                                         {% trans "Logs" %}
                                     </a>
                                 {% endif %}
-                                <a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                {% if "organizer.devices:write" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
                 </table>
             </div>
-            <div class="batch-select-actions">
-                <button type="submit" class="btn btn-primary btn-save" name="action" value="edit">
-                    <i class="fa fa-edit"></i>{% trans "Edit selected" %}
-                </button>
-            </div>
+            {% if "organizer.devices:write" in request.orgapermset %}
+                <div class="batch-select-actions">
+                    <button type="submit" class="btn btn-primary btn-save" name="action" value="edit">
+                        <i class="fa fa-edit"></i>{% trans "Edit selected" %}
+                    </button>
+                </div>
+            {% endif %}
         </form>
         {% include "pretixcontrol/pagination.html" %}
     {% endif %}

src/pretix/control/templates/pretixcontrol/organizers/export.html

@@ -22,7 +22,7 @@
                                 {{ s.owner.fullname|default:s.owner.email }}
                             </span>
                         </div>
-                        <div class="col-lg-5 col-md-6 col-xs-12">
+                        <div class="col-lg-4 col-md-5 col-xs-12">
                             {% if s.schedule_next_run %}
                                 <span class="fa fa-clock-o fa-fw"></span>
                                 {% trans "Next run:" %}
@@ -53,7 +53,7 @@
                                 {{ s.mail_subject }}
                             </span>
                         </div>
-                        <div class="col-lg-2 col-md-2 col-xs-12 text-right">
+                        <div class="col-lg-3 col-md-3 col-xs-12 text-right">
                             <form action="{% url "control:organizer.export.do" organizer=request.organizer.slug %}"
                                   method="post" class="form-horizontal" data-asynctask data-asynctask-download
                                   data-asynctask-long>
@@ -73,6 +73,9 @@
                                     <a href="?identifier={{ s.export_identifier }}&scheduled={{ s.pk }}" class="btn btn-default" title="{% trans "Edit" %}" data-toggle="tooltip">
                                         <span class="fa fa-edit"></span>
                                     </a>
+                                    <a href="?identifier={{ s.export_identifier }}&scheduled_copy_from={{ s.pk }}" class="btn btn-default" title="{% trans "Copy" %}" data-toggle="tooltip">
+                                        <span class="fa fa-copy"></span>
+                                    </a>
                                 {% endif %}
                                 <a href="{% url "control:organizer.export.scheduled.delete" organizer=request.organizer.slug pk=s.pk %}" class="btn btn-danger" title="{% trans "Delete" %}" data-toggle="tooltip">
                                     <span class="fa fa-trash"></span>

src/pretix/control/templates/pretixcontrol/organizers/export_form.html

@@ -43,7 +43,11 @@
             <div class="form-group submit-group">
                 <button formaction="{{ request.get_full_path }}" name="schedule" value="save" type="submit"
                         class="btn btn-primary btn-save" data-no-asynctask>
-                    {% trans "Save" %}
+                    {% if scheduled_copy_from %}
+                        {% trans "Save copy" %}
+                    {% else %}
+                        {% trans "Save" %}
+                    {% endif %}
                 </button>
             </div>
         {% else %}

src/pretix/control/templates/pretixcontrol/organizers/gates.html

@@ -6,10 +6,12 @@
     <p>
         {% trans "The list below shows gates that you can use to group check-in devices." %}
     </p>
-    <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
-        <span class="fa fa-plus"></span>
-        {% trans "Create a new gate" %}
-    </a>
+    {% if "organizer.devices:write" in request.orgapermset %}
+        <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
+            <span class="fa fa-plus"></span>
+            {% trans "Create a new gate" %}
+        </a>
+    {% endif %}
     <table class="table table-condensed table-hover">
         <thead>
         <tr>
@@ -21,15 +23,21 @@
         {% for g in gates %}
             <tr>
                 <td><strong>
-                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
+                    {% if "organizer.devices:write" in request.orgapermset %}
+                        <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
+                            {{ g.name }}
+                        </a>
+                    {% else %}
                         {{ g.name }}
-                    </a>
+                    {% endif %}
                 </strong></td>
                 <td class="text-right flip">
-                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
-                            class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                    <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
-                            class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                    {% if "organizer.devices:write" in request.orgapermset %}
+                        <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
+                                class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                        <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
+                                class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                    {% endif %}
                 </td>
             </tr>
         {% endfor %}

src/pretix/control/templates/pretixcontrol/organizers/giftcard.html

@@ -10,10 +10,12 @@
         {% if card.testmode %}
             <span class="label label-warning">{% trans "TEST MODE" %}</span>
         {% endif %}
-        <a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}"
-                class="btn btn-default">
-            <i class="fa fa-edit"></i> {% trans "Edit" %}
-        </a>
+        {% if "organizer.giftcards:write" in request.orgapermset %}
+            <a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}"
+                    class="btn btn-default">
+                <i class="fa fa-edit"></i> {% trans "Edit" %}
+            </a>
+        {% endif %}
     </h1>
     <div class="row">
         <div class="col-md-10 col-xs-12">
@@ -112,22 +114,24 @@
                             </tr>
                         {% endfor %}
                         </tbody>
-                        <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}"
-                                        name="text">
-                            </td>
-                            <td class="text-right form-inline">
-                                <input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value">
-                                <button type="submit" class="btn btn-primary">
-                                    <span class="fa fa-plus"></span>
-                                </button>
-                            </td>
+                        {% if "organizer.giftcards:write" in request.orgapermset %}
+                            <tfoot>
+                            <tr>
+                                <td></td>
+                                <td>
+                                    <input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}"
+                                            name="text">
+                                </td>
+                                <td class="text-right form-inline">
+                                    <input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value">
+                                    <button type="submit" class="btn btn-primary">
+                                        <span class="fa fa-plus"></span>
+                                    </button>
+                                </td>
 
-                        </tr>
-                        </tfoot>
+                            </tr>
+                            </tfoot>
+                        {% endif %}
                     </table>
                 </form>
             </div>

src/pretix/control/templates/pretixcontrol/organizers/giftcards.html

@@ -15,10 +15,11 @@
                     or you can manually issue gift cards.
                 {% endblocktrans %}
             </p>
-
-            <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
-                    class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}
-            </a>
+            {% if "organizer.giftcards:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
+                        class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}
+                </a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -45,10 +46,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
-                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a>
-        </p>
+        {% if "organizer.giftcards:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
+                        class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>

src/pretix/control/templates/pretixcontrol/organizers/reusable_media.html

@@ -15,8 +15,10 @@
                     No media have been created yet.
                 {% endblocktrans %}
             </p>
-            <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            {% if "organizer.reusablemedia:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -40,10 +42,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
-        </p>
+        {% if "organizer.reusablemedia:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>
@@ -77,9 +81,13 @@
                             {% if m.customer %}
                                 <span class="helper-display-block">
                                     <span class="fa fa-user fa-fw"></span>
-                                    <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}">
+                                    {% if "organizer.customers:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}">
+                                            {{ m.customer }}
+                                        </a>
+                                    {% else %}
                                         {{ m.customer }}
-                                    </a>
+                                    {% endif %}
                                 </span>
                             {% endif %}
                             {% if m.linked_orderposition %}
@@ -92,8 +100,12 @@
                             {% if m.linked_giftcard %}
                                 <span class="helper-display-block">
                                     <span class="fa fa-credit-card fa-fw"></span>
-                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}">
-                                        {{ m.linked_giftcard.secret }}</a>
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}">
+                                            {{ m.linked_giftcard.secret }}</a>
+                                    {% else %}
+                                        {{ m.linked_giftcard.secret|slice:":3" }}…
+                                    {% endif %}
                                 </span>
                             {% endif %}
                         </td>

src/pretix/control/templates/pretixcontrol/organizers/reusable_medium.html

@@ -22,60 +22,69 @@
                     </h3>
                 </div>
                 <div class="panel-body">
-                    <form action="" method="post">
-                        {% csrf_token %}
-                        <dl class="dl-horizontal">
-                            <dt>{% trans "Media type" context "reusable_media" %}</dt>
-                            <dd>{{ medium.get_type_display }}</dd>
-                            <dt>{% trans "Identifier" context "reusable_media" %}</dt>
-                            <dd><code>{{ medium.identifier }}</code></dd>
-                            <dt>{% trans "Status" %}</dt>
-                            <dd>
-                                {% if not medium.active %}
-                                    {% trans "disabled" %}
-                                {% elif medium.is_expired %}
-                                    {% trans "expired" %}
-                                {% else %}
-                                    {% trans "active" %}
-                                {% endif %}
-                            </dd>
-                            <dt>{% trans "Connections" context "reusable_media" %}</dt>
-                            <dd>
-                                {% if medium.customer %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-user fa-fw"></span>
+                    {% csrf_token %}
+                    <dl class="dl-horizontal">
+                        <dt>{% trans "Media type" context "reusable_media" %}</dt>
+                        <dd>{{ medium.get_type_display }}</dd>
+                        <dt>{% trans "Identifier" context "reusable_media" %}</dt>
+                        <dd><code>{{ medium.identifier }}</code></dd>
+                        <dt>{% trans "Status" %}</dt>
+                        <dd>
+                            {% if not medium.active %}
+                                {% trans "disabled" %}
+                            {% elif medium.is_expired %}
+                                {% trans "expired" %}
+                            {% else %}
+                                {% trans "active" %}
+                            {% endif %}
+                        </dd>
+                        <dt>{% trans "Connections" context "reusable_media" %}</dt>
+                        <dd>
+                            {% if medium.customer %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-user fa-fw"></span>
+                                {% if "organizer.customers:read" in request.orgapermset %}
                                     <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=medium.customer.identifier %}">
                                         {{ medium.customer }}
                                     </a>
-                                </span>
+                                {% else %}
+                                    {{ medium.customer }}
                                 {% endif %}
-                                {% if medium.linked_orderposition %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-ticket fa-fw"></span>
-                                    <a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
-                                        {{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
-                                </span>
-                                {% endif %}
-                                {% if medium.linked_giftcard %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-credit-card fa-fw"></span>
-                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
-                                        {{ medium.linked_giftcard.secret }}</a>
-                                </span>
-                                {% endif %}
-                            </dd>
-                            {% if medium.notes %}
-                                <dt>{% trans "Notes" %}</dt>
-                                <dd>{{ medium.notes }}</dd>
+                            </span>
                             {% endif %}
-                        </dl>
-                    </form>
-                    <div class="text-right">
-                        <a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}"
-                           class="btn btn-default">
-                            <i class="fa fa-edit"></i> {% trans "Edit" %}
-                        </a>
-                    </div>
+                            {% if medium.linked_orderposition %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-ticket fa-fw"></span>
+                                <a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
+                                    {{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
+                            </span>
+                            {% endif %}
+                            {% if medium.linked_giftcard %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-credit-card fa-fw"></span>
+                                {% if "organizer.giftcards:read" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
+                                        {{ medium.linked_giftcard.secret }}
+                                    </a>
+                                {% else %}
+                                    {{ medium.linked_giftcard.secret|slice:":3" }}…
+                                {% endif %}
+                            </span>
+                            {% endif %}
+                        </dd>
+                        {% if medium.notes %}
+                            <dt>{% trans "Notes" %}</dt>
+                            <dd>{{ medium.notes }}</dd>
+                        {% endif %}
+                    </dl>
+                    {% if "organizer.reusablemedia:write" in request.orgapermset %}
+                        <div class="text-right">
+                            <a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}"
+                               class="btn btn-default">
+                                <i class="fa fa-edit"></i> {% trans "Edit" %}
+                            </a>
+                        </div>
+                    {% endif %}
                 </div>
             </div>
         </div>

src/pretix/control/templates/pretixcontrol/organizers/team_edit.html

@@ -1,6 +1,7 @@
 {% extends "pretixcontrol/organizers/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
+{% load getitem %}
 {% block inner %}
     {% if team %}
         <h1>{% trans "Team:" %} {{ team.name }}</h1>
@@ -22,25 +23,24 @@
         </fieldset>
         <fieldset>
             <legend>{% trans "Organizer permissions" %}</legend>
-            {% bootstrap_field form.can_create_events layout="control" %}
-            {% bootstrap_field form.can_manage_gift_cards layout="control" %}
-            {% bootstrap_field form.can_manage_customers layout="control" %}
-            {% bootstrap_field form.can_manage_reusable_media layout="control" %}
-            {% bootstrap_field form.can_change_teams layout="control" %}
-            {% bootstrap_field form.can_change_organizer_settings layout="control" %}
+            {% bootstrap_field form.all_organizer_permissions layout="control" %}
+            <div class="team-permission-groups col-md-9 col-md-offset-3" data-display-dependency="#id_all_organizer_permissions" data-inverse>
+                {% for f in form.organizer_field_names %}
+                    {% bootstrap_field form|getitem:f layout="control" %}
+                {% endfor %}
+            </div>
         </fieldset>
         <fieldset>
             <legend>{% trans "Event permissions" %}</legend>
 
             {% bootstrap_field form.all_events layout="control" %}
             {% bootstrap_field form.limit_events layout="control" %}
-            {% bootstrap_field form.can_change_event_settings layout="control" %}
-            {% bootstrap_field form.can_change_items layout="control" %}
-            {% bootstrap_field form.can_view_orders layout="control" %}
-            {% bootstrap_field form.can_change_orders layout="control" %}
-            {% bootstrap_field form.can_checkin_orders layout="control" %}
-            {% bootstrap_field form.can_view_vouchers layout="control" %}
-            {% bootstrap_field form.can_change_vouchers layout="control" %}
+            {% bootstrap_field form.all_event_permissions layout="control" %}
+            <div class="team-permission-groups col-md-9 col-md-offset-3" data-display-dependency="#id_all_event_permissions" data-inverse>
+                {% for f in form.event_field_names %}
+                    {% bootstrap_field form|getitem:f layout="control" %}
+                {% endfor %}
+            </div>
         </fieldset>
         <div class="form-group submit-group">
             <button type="submit" class="btn btn-primary btn-save">

src/pretix/control/templates/pretixcontrol/subevents/index.html

@@ -13,12 +13,14 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
-                {% trans "Create a new date" context "subevent" %}</a>
-            <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
-                {% trans "Create many new dates" context "subevent" %}</a>
+            {% if "event.subevents:write" in request.eventpermset %}
+                <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
+                    {% trans "Create a new date" context "subevent" %}</a>
+                <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
+                    {% trans "Create many new dates" context "subevent" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -65,7 +67,7 @@
                 </div>
             </form>
         </div>
-        {% if "can_change_event_settings" in request.eventpermset %}
+        {% if "event.subevents:write" in request.eventpermset %}
             <p>
                 <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                         class="btn btn-default"><i class="fa fa-plus"></i>
@@ -84,11 +86,13 @@
                 <table class="table table-hover table-quotas">
                     <thead>
                     <tr>
-                        <th>
-                            {% if "can_change_event_settings" in request.eventpermset %}
-                                <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
-                            {% endif %}
-                        </th>
+                        {% if "event.subevents:write" in request.eventpermset %}
+                            <th>
+                                {% if "event.subevents:write" in request.eventpermset %}
+                                    <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
+                                {% endif %}
+                            </th>
+                        {% endif %}
                         <th>
                             {% trans "Name" %}
                         </th>
@@ -107,7 +111,7 @@
                         </th>
                         <th></th>
                     </tr>
-                    {% if "can_change_event_settings" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
+                    {% if "event.subevents:write" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
                         <tr class="table-select-all warning hidden">
                             <td>
                                 <input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}">
@@ -123,11 +127,11 @@
                     <tbody>
                     {% for s in subevents %}
                         <tr>
-                            <td>
-                                {% if "can_change_event_settings" in request.eventpermset %}
+                            {% if "event.subevents:write" in request.eventpermset %}
+                                <td>
                                     <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="subevent" class="batch-select-checkbox" value="{{ s.pk }}"/></label>
-                                {% endif %}
-                            </td>
+                                </td>
+                            {% endif %}
                             <td>
                                 <strong><a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}">
                                     {{ s.name }}</a></strong><br>
@@ -173,35 +177,39 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a>
+                                {% if "event.orders:read" in request.eventpermset %}
+                                    <a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a>
+                                {% endif %}
 
-                                <a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}">
-                                    <button type="button" class="btn btn-default btn-sm dropdown-toggle"
-                                            data-toggle="dropdown">
-                                        <span class="fa fa-copy"></span>
-                                    </button>
-                                    <ul class="dropdown-menu dropdown-menu-right">
-                                        <li>
-                                            <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
-                                                {% trans "Use as a template for a new date" context "subevent" %}
-                                            </a>
-                                        </li>
-                                        <li>
-                                            <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
-                                                {% trans "Use as a template for many new dates" context "subevent" %}
-                                            </a>
-                                        </li>
-                                    </ul>
-                                </div>
-                                <a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if "event.subevents:write" in request.eventpermset %}
+                                    <a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}">
+                                        <button type="button" class="btn btn-default btn-sm dropdown-toggle"
+                                                data-toggle="dropdown">
+                                            <span class="fa fa-copy"></span>
+                                        </button>
+                                        <ul class="dropdown-menu dropdown-menu-right">
+                                            <li>
+                                                <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
+                                                    {% trans "Use as a template for a new date" context "subevent" %}
+                                                </a>
+                                            </li>
+                                            <li>
+                                                <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
+                                                    {% trans "Use as a template for many new dates" context "subevent" %}
+                                                </a>
+                                            </li>
+                                        </ul>
+                                    </div>
+                                    <a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
                 </table>
             </div>
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.subevents:write" in request.eventpermset %}
                 <div class="batch-select-actions">
                     <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
                         <i class="fa fa-trash"></i>{% trans "Delete selected" %}