Apply suggestion from @luelista

fix test case for regenerate 2fa tokens
show emergency codes only once after generating (4.10)
2026-06-18 02:26:17 +00:00 · 2026-02-18 17:20:12 +01:00 · 2025-11-25 18:07:53 +01:00 · 2025-11-25 13:05:05 +01:00 · 2025-11-25 12:42:10 +01:00 · 2025-11-25 12:42:09 +01:00
291 changed files with 106827 additions and 118346 deletions
@@ -26,10 +26,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
@@ -23,13 +23,13 @@ jobs:
    name: Tests
    strategy:
      matrix:
-        python-version: ["3.10", "3.11", "3.13"]
+        python-version: ["3.9", "3.10", "3.11"]
        database: [sqlite, postgres]
        exclude:
          - database: sqlite
-            python-version: "3.10"
+            python-version: "3.9"
          - database: sqlite
-            python-version: "3.11"
+            python-version: "3.10"
    services:
      postgres:
        image: postgres:15
@@ -6,14 +6,10 @@
 {%- else %}
  {%- set titlesuffix = "" %}
 {%- endif %}
-{%- set lang_attr = 'en' if language == None else (language | replace('_', '-')) %}
-
-{# Build sphinx_version_info tuple from sphinx_version string in pure Jinja #}
-{%- set (_ver_major, _ver_minor) = (sphinx_version.split('.') | list)[:2] | map('int') -%}
-{%- set sphinx_version_info = (_ver_major, _ver_minor, -1) -%}

 <!DOCTYPE html>
-<html class="writer-html5" lang="{{ lang_attr }}"{% if sphinx_version_info >= (7, 2) %} data-content_root="{{ content_root }}"{% endif %}>
+<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
+<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
 <head>
  <meta charset="utf-8">
  {{ metatags }}
@@ -22,50 +18,59 @@
  <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
  {% endblock %}

-    {#- CSS #}
-    {%- for css_file in css_files %}
-    {%- if css_file|attr("filename") %}
-    {{ css_tag(css_file) }}
+
+  {#- CSS #}
+  {%- for css in css_files %}
+    {%- if css|attr("rel") %}
+      <link rel="{{ css.rel }}" href="{{ pathto(css.filename, 1) }}" type="text/css"{% if css.title is not none %} title="{{ css.title }}"{% endif %} />
    {%- else %}
-    <link rel="stylesheet" href="{{ pathto(css_file, 1)|escape }}" type="text/css" />
+      <link rel="stylesheet" href="{{ pathto(css, 1) }}" type="text/css" />
    {%- endif %}
-    {%- endfor %}
+  {%- endfor %}

-    {#- FAVICON #}
-    {%- if favicon_url %}
-    <link rel="shortcut icon" href="{{ favicon_url }}"/>
-    {%- endif %}
+  {%- for cssfile in extra_css_files %}
+    <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" />
+  {%- endfor -%}

-    {#- CANONICAL URL (deprecated) #}
-    {%- if theme_canonical_url and not pageurl %}
+  {#- FAVICON
+      favicon_url is the only context var necessary since Sphinx 4.
+      In Sphinx<4, we use favicon but need to prepend path info.
+  #}
+  {%- set _favicon_url = favicon_url | default(pathto('_static/' + (favicon or ""), 1)) %}
+  {%- if favicon_url or favicon %}
+    <link rel="shortcut icon" href="{{ _favicon_url }}"/>
+  {%- endif %}
+
+  {#- CANONICAL URL (deprecated) #}
+  {%- if theme_canonical_url and not pageurl %}
    <link rel="canonical" href="{{ theme_canonical_url }}{{ pagename }}.html"/>
-    {%- endif -%}
+  {%- endif -%}

-    {#- CANONICAL URL #}
-    {%- if pageurl %}
+  {#- CANONICAL URL #}
+  {%- if pageurl %}
    <link rel="canonical" href="{{ pageurl|e }}" />
-    {%- endif -%}
+  {%- endif -%}

-    {#- JAVASCRIPTS #}
-    {%- block scripts %}
-    {%- if not embedded %}
-    {%- for scriptfile in script_files %}
-    {{ js_tag(scriptfile) }}
-    {%- endfor %}
+  {#- JAVASCRIPTS #}
+  {%- block scripts %}
+  <!--[if lt IE 9]>
+    <script src="{{ pathto('_static/js/html5shiv.min.js', 1) }}"></script>
+  <![endif]-->
+  {%- if not embedded %}
+  {# XXX Sphinx 1.8.0 made this an external js-file, quick fix until we refactor the template to inherert more blocks directly from sphinx #}
+      {%- for scriptfile in script_files %}
+        {{ js_tag(scriptfile) }}
+      {%- endfor %}
    <script src="{{ pathto('_static/js/theme.js', 1) }}"></script>

-    {%- if READTHEDOCS or DEBUG %}
-    <script src="{{ pathto('_static/js/versions.js', 1) }}"></script>
-    {%- endif %}
-
    {#- OPENSEARCH #}
    {%- if use_opensearch %}
    <link rel="search" type="application/opensearchdescription+xml"
          title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}"
          href="{{ pathto('_static/opensearch.xml', 1) }}"/>
    {%- endif %}
-    {%- endif %}
-    {%- endblock %}
+  {%- endif %}
+  {%- endblock %}

  {%- block linktags %}
    {%- if hasdoc('about') %}
@@ -118,23 +123,23 @@
          {% endblock %}
        </div>

-          {%- block navigation %}
-          {#- Translators: This is an ARIA section label for the main navigation menu -#}
-          <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="{{ _('Navigation menu') }}">
-              {%- block menu %}
-              {%- set toctree = toctree(maxdepth=theme_navigation_depth|int,
-              collapse=theme_collapse_navigation|tobool,
-              includehidden=theme_includehidden|tobool,
-              titles_only=theme_titles_only|tobool) %}
-              {%- if toctree %}
-              {{ toctree }}
-              {%- else %}
+        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
+          {% block menu %}
+            {#
+              The singlehtml builder doesn't handle this toctree call when the
+              toctree is empty. Skip building this for now.
+            #}
+            {% if 'singlehtml' not in builder %}
+              {% set global_toc = toctree(maxdepth=theme_navigation_depth|int, collapse=theme_collapse_navigation, includehidden=True) %}
+            {% endif %}
+            {% if global_toc %}
+              {{ global_toc }}
+            {% else %}
              <!-- Local TOC -->
              <div class="local-toc">{{ toc }}</div>
-              {%- endif %}
-              {%- endblock %}
-          </div>
-          {%- endblock %}
+            {% endif %}
+          {% endblock %}
+        </div>

          {% if theme_display_version %}
              {%- set nav_version = version %}
@@ -153,42 +158,53 @@
    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      {# MOBILE NAV, TRIGGLES SIDE NAV ON TOGGLE #}
-        <nav class="wy-nav-top" aria-label="{{ _('Mobile navigation menu') }}" {% if theme_style_nav_header_background %} style="background: {{theme_style_nav_header_background}}" {% endif %}>
-            {%- block mobile_nav %}
-            <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
-            <a href="{{ pathto(master_doc) }}">{{ project }}</a>
-            {%- endblock %}
-        </nav>
+      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
+        {% block mobile_nav %}
+          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
+          <a href="{{ pathto('index') }}">{{ project }}</a>
+        {% endblock %}
+      </nav>

-        <div class="wy-nav-content">
-            {%- block content %}
-            {%- if theme_style_external_links|tobool %}
-            <div class="rst-content style-external-links">
-            {%- else %}
-            <div class="rst-content">
-            {%- endif %}
-            {% include "breadcrumbs.html" %}
-            <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
-                {%- block document %}
-                <div itemprop="articleBody">
-                    {% block body %}{% endblock %}
-                </div>
-                {%- if self.comments()|trim %}
-                <div class="articleComments">
-                    {%- block comments %}{% endblock %}
-                </div>
-                {%- endif%}
-            </div>
-            {%- endblock %}
-            {% include "footer.html" %}
-        </div>
-        {%- endblock %}
+
+      {# PAGE CONTENT #}
+      <div class="wy-nav-content">
+        <div class="rst-content">
+          {% include "breadcrumbs.html" %}
+          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
+           <div itemprop="articleBody" class="section">
+            {% block body %}{% endblock %}
+           </div>
+           <div class="articleComments">
+            {% block comments %}{% endblock %}
+           </div>
+          </div>
+          {% include "footer.html" %}
        </div>
+      </div>
+
    </section>

  </div>
  {% include "versions.html" %}

+  {% if not embedded %}
+
+    <script type="text/javascript">
+        var DOCUMENTATION_OPTIONS = {
+            URL_ROOT:'{{ url_root }}',
+            VERSION:'{{ release|e }}',
+            COLLAPSE_INDEX:false,
+            FILE_SUFFIX:'{{ '' if no_search_suffix else file_suffix }}',
+            HAS_SOURCE:  {{ has_source|lower }},
+            SOURCELINK_SUFFIX: '{{ sourcelink_suffix }}'
+        };
+    </script>
+    {%- for scriptfile in script_files %}
+      <script type="text/javascript" src="{{ pathto(scriptfile, 1) }}"></script>
+    {%- endfor %}
+
+  {% endif %}
+
  {# RTD hosts this file, so just load on non RTD builds #}
  {% if not READTHEDOCS %}
    <script type="text/javascript" src="{{ pathto('_static/js/theme.js', 1) }}"></script>
@@ -198,7 +214,7 @@
  {% if theme_sticky_navigation %}
  <script type="text/javascript">
      jQuery(function () {
-          SphinxRtdTheme.Navigation.enable({{ 'true' if theme_sticky_navigation|tobool else 'false' }});
+          SphinxRtdTheme.StickyNav.enable();
      });
  </script>
  {% endif %}
@@ -1,86 +1,136 @@
-{# TEMPLATE VAR SETTINGS #}
+{#
+    basic/layout.html
+    ~~~~~~~~~~~~~~~~~
+
+    Master layout template for Sphinx themes.
+
+    :copyright: Copyright 2007-2013 by the Sphinx team, see AUTHORS.
+    :license: BSD, see LICENSE for details.
+#}
+{%- block doctype -%}
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+{%- endblock %}
+{%- set reldelim1 = reldelim1 is not defined and ' &raquo;' or reldelim1 %}
+{%- set reldelim2 = reldelim2 is not defined and ' |' or reldelim2 %}
+{%- set render_sidebar = (not embedded) and (not theme_nosidebar|tobool) and
+                         (sidebars != []) %}
 {%- set url_root = pathto('', 1) %}
+{# XXX necessary? #}
 {%- if url_root == '#' %}{% set url_root = '' %}{% endif %}
 {%- if not embedded and docstitle %}
  {%- set titlesuffix = " &mdash; "|safe + docstitle|e %}
 {%- else %}
  {%- set titlesuffix = "" %}
 {%- endif %}
-{%- set lang_attr = 'en' if language == None else (language | replace('_', '-')) %}

-{# Build sphinx_version_info tuple from sphinx_version string in pure Jinja #}
-{%- set (_ver_major, _ver_minor) = (sphinx_version.split('.') | list)[:2] | map('int') -%}
-{%- set sphinx_version_info = (_ver_major, _ver_minor, -1) -%}
+{%- macro relbar() %}
+    <div class="related">
+      <h3>{{ _('Navigation') }}</h3>
+      <ul>
+        {%- for rellink in rellinks %}
+        <li class="right" {% if loop.first %}style="margin-right: 10px"{% endif %}>
+          <a href="{{ pathto(rellink[0]) }}" title="{{ rellink[1]|striptags|e }}"
+             {{ accesskey(rellink[2]) }}>{{ rellink[3] }}</a>
+          {%- if not loop.first %}{{ reldelim2 }}{% endif %}</li>
+        {%- endfor %}
+        {%- block rootrellink %}
+        <li><a href="{{ pathto(master_doc) }}">{{ shorttitle|e }}</a>{{ reldelim1 }}</li>
+        {%- endblock %}
+        {%- for parent in parents %}
+          <li><a href="{{ parent.link|e }}" {% if loop.last %}{{ accesskey("U") }}{% endif %}>{{ parent.title }}</a>{{ reldelim1 }}</li>
+        {%- endfor %}
+        {%- block relbaritems %} {% endblock %}
+      </ul>
+    </div>
+{%- endmacro %}

-<!DOCTYPE html>
-<html class="writer-html5" lang="{{ lang_attr }}"{% if sphinx_version_info >= (7, 2) %} data-content_root="{{ content_root }}"{% endif %}>
-<head>
-  <meta charset="utf-8" />
-  {%- if READTHEDOCS and not embedded %}
-  <meta name="readthedocs-addons-api-version" content="1">
-  {%- endif %}
-  {{- metatags }}
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  {%- block htmltitle %}
-  <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
-  {%- endblock -%}
+{%- macro sidebar() %}
+      {%- if render_sidebar %}
+      <div class="sphinxsidebar">
+        <div class="sphinxsidebarwrapper">
+          {%- block sidebarlogo %}
+          {%- if logo %}
+            <p class="logo"><a href="{{ pathto(master_doc) }}">
+              <img class="logo" src="{{ pathto('_static/' + logo, 1) }}" alt="Logo"/>
+            </a></p>
+          {%- endif %}
+          {%- endblock %}
+          {%- if sidebars != None %}
+            {#- new style sidebar: explicitly include/exclude templates #}
+            {%- for sidebartemplate in sidebars %}
+            {%- include sidebartemplate %}
+            {%- endfor %}
+          {%- else %}
+            {#- old style sidebars: using blocks -- should be deprecated #}
+            {%- block sidebartoc %}
+            {%- include "localtoc.html" %}
+            {%- endblock %}
+            {%- block sidebarrel %}
+            {%- include "relations.html" %}
+            {%- endblock %}
+            {%- block sidebarsourcelink %}
+            {%- include "sourcelink.html" %}
+            {%- endblock %}
+            {%- if customsidebar %}
+            {%- include customsidebar %}
+            {%- endif %}
+            {%- block sidebarsearch %}
+            {%- include "searchbox.html" %}
+            {%- endblock %}
+          {%- endif %}
+        </div>
+      </div>
+      {%- endif %}
+{%- endmacro %}

-  {#- CSS #}
-  {%- for css_file in css_files %}
-    {%- if css_file|attr("filename") %}
-      {{ css_tag(css_file) }}
-    {%- else %}
-      <link rel="stylesheet" href="{{ pathto(css_file, 1)|escape }}" type="text/css" />
-    {%- endif %}
-  {%- endfor %}
-
-  {#
-      "extra_css_files" is an undocumented Read the Docs theme specific option.
-      There is no need to check for ``|attr("filename")`` here because it's always a string.
-      Note that this option should be removed in favor of regular ``html_css_files``:
-      https://www.sphinx-doc.org/en/master/usage/configuration.html#confval-html_css_files
-  #}
-  {%- for css_file in extra_css_files %}
-    <link rel="stylesheet" href="{{ pathto(css_file, 1)|escape }}" type="text/css" />
-  {%- endfor -%}
-
-  {#- FAVICON #}
-  {%- if favicon_url %}
-    <link rel="shortcut icon" href="{{ favicon_url }}"/>
-  {%- endif %}
-
-  {#- CANONICAL URL (deprecated) #}
-  {%- if theme_canonical_url and not pageurl %}
-    <link rel="canonical" href="{{ theme_canonical_url }}{{ pagename }}.html"/>
-  {%- endif -%}
-
-  {#- CANONICAL URL #}
-  {%- if pageurl %}
-    <link rel="canonical" href="{{ pageurl|e }}" />
-  {%- endif -%}
-
-  {#- JAVASCRIPTS #}
-  {%- block scripts %}
-  {%- if not embedded %}
+{%- macro script() %}
+    <script type="text/javascript">
+      var DOCUMENTATION_OPTIONS = {
+        URL_ROOT:    '{{ url_root }}',
+        VERSION:     '{{ release|e }}',
+        COLLAPSE_INDEX: false,
+        FILE_SUFFIX: '{{ '' if no_search_suffix else file_suffix }}',
+        HAS_SOURCE:  {{ has_source|lower }},
+        SOURCELINK_SUFFIX: '{{ sourcelink_suffix }}'
+      };
+    </script>
    {%- for scriptfile in script_files %}
-      {{ js_tag(scriptfile) }}
+    <script type="text/javascript" src="{{ pathto(scriptfile, 1) }}"></script>
    {%- endfor %}
-    <script src="{{ pathto('_static/js/theme.js', 1) }}"></script>
+{%- endmacro %}

-    {%- if READTHEDOCS or DEBUG %}
-    <script src="{{ pathto('_static/js/versions.js', 1) }}"></script>
-    {%- endif %}
+{%- macro css() %}
+    <link rel="stylesheet" href="{{ pathto('_static/' + style, 1) }}" type="text/css" />
+    <link rel="stylesheet" href="{{ pathto('_static/pygments.css', 1) }}" type="text/css" />
+    {%- for cssfile in css_files %}
+    <link rel="stylesheet" href="{{ pathto(cssfile, 1) }}" type="text/css" />
+    {%- endfor %}
+{%- endmacro %}

-    {#- OPENSEARCH #}
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset={{ encoding }}" />
+    {{ metatags }}
+    {%- block htmltitle %}
+    <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
+    {%- endblock %}
+    {{ css() }}
+    {%- if not embedded %}
+    {{ script() }}
    {%- if use_opensearch %}
    <link rel="search" type="application/opensearchdescription+xml"
          title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}"
          href="{{ pathto('_static/opensearch.xml', 1) }}"/>
    {%- endif %}
-  {%- endif %}
-  {%- endblock %}
-
-  {%- block linktags %}
+    {%- if favicon %}
+    <link rel="shortcut icon" href="{{ pathto('_static/' + favicon, 1) }}"/>
+    {%- endif %}
+    {%- if theme_canonical_url %}
+    <link rel="canonical" href="{{ theme_canonical_url }}{{ pagename }}.html"/>
+    {%- endif %}
+    {%- endif %}
+{%- block linktags %}
    {%- if hasdoc('about') %}
    <link rel="author" title="{{ _('About these documents') }}" href="{{ pathto('about') }}" />
    {%- endif %}
@@ -93,135 +143,67 @@
    {%- if hasdoc('copyright') %}
    <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
    {%- endif %}
+    <link rel="top" title="{{ docstitle|e }}" href="{{ pathto('index') }}" />
+    {%- if parents %}
+    <link rel="up" title="{{ parents[-1].title|striptags|e }}" href="{{ parents[-1].link|e }}" />
+    {%- endif %}
    {%- if next %}
    <link rel="next" title="{{ next.title|striptags|e }}" href="{{ next.link|e }}" />
    {%- endif %}
    {%- if prev %}
    <link rel="prev" title="{{ prev.title|striptags|e }}" href="{{ prev.link|e }}" />
    {%- endif %}
-  {%- endblock %}
-  {%- block extrahead %} {% endblock %}
-</head>
+{%- endblock %}
+{%- block extrahead %} {% endblock %}
+  </head>
+  <body>
+{%- block header %}{% endblock %}

-<body class="wy-body-for-nav">
+{%- block relbar1 %}{{ relbar() }}{% endblock %}

-  {%- block extrabody %} {% endblock %}
-  <div class="wy-grid-for-nav">
-    {#- SIDE NAV, TOGGLES ON MOBILE #}
-    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
-      <div class="wy-side-scroll">
-        <div class="wy-side-nav-search" {% if theme_style_nav_header_background %} style="background: {{theme_style_nav_header_background}}" {% endif %}>
-          {%- block sidebartitle %}
+{%- block content %}
+  {%- block sidebar1 %} {# possible location for sidebar #} {% endblock %}

-          {# the logo helper function was removed in Sphinx 6 and deprecated since Sphinx 4 #}
-          {# the master_doc variable was renamed to root_doc in Sphinx 4 (master_doc still exists in later Sphinx versions) #}
-          {%- set _logo_url = logo_url|default(pathto('_static/' + (logo or ""), 1)) %}
-          {%- set _root_doc = root_doc|default(master_doc) %}
-          <a href="{{ pathto(_root_doc) }}"{% if not theme_logo_only %} class="icon icon-home"{% endif %}>
-            {% if not theme_logo_only %}{{ project }}{% endif %}
-            {%- if logo or logo_url %}
-              <img src="{{ _logo_url }}" class="logo" alt="{{ _('Logo') }}"/>
-            {%- endif %}
-          </a>
-
-          {%- if READTHEDOCS or DEBUG %}
-            {%- if theme_version_selector or theme_language_selector %}
-              <div class="switch-menus">
-                <div class="version-switch"></div>
-                <div class="language-switch"></div>
-              </div>
-            {%- endif %}
-          {%- endif %}
-
-          {%- include "searchbox.html" %}
-
-          {%- endblock %}
-        </div>
-
-        {%- block navigation %}
-        {#- Translators: This is an ARIA section label for the main navigation menu -#}
-        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="{{ _('Navigation menu') }}">
-          {%- block menu %}
-            {%- set toctree = toctree(maxdepth=theme_navigation_depth|int,
-                                      collapse=theme_collapse_navigation|tobool,
-                                      includehidden=theme_includehidden|tobool,
-                                      titles_only=theme_titles_only|tobool) %}
-            {%- if toctree %}
-              {{ toctree }}
-            {%- else %}
-              <!-- Local TOC -->
-              <div class="local-toc">{{ toc }}</div>
-            {%- endif %}
-          {%- endblock %}
-        </div>
-        {%- endblock %}
-      </div>
-    </nav>
-
-    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
-
-      {#- MOBILE NAV, TRIGGLES SIDE NAV ON TOGGLE #}
-      {#- Translators: This is an ARIA section label for the navigation menu that is visible when viewing the page on mobile devices -#}
-      <nav class="wy-nav-top" aria-label="{{ _('Mobile navigation menu') }}" {% if theme_style_nav_header_background %} style="background: {{theme_style_nav_header_background}}" {% endif %}>
-        {%- block mobile_nav %}
-          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
-          <a href="{{ pathto(master_doc) }}">{{ project }}</a>
-        {%- endblock %}
-      </nav>
-
-      <div class="wy-nav-content">
-      {%- block content %}
-        {%- if theme_style_external_links|tobool %}
-        <div class="rst-content style-external-links">
-        {%- else %}
-        <div class="rst-content">
-        {%- endif %}
-          {% include "breadcrumbs.html" %}
-          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
-          {%- block document %}
-           <div itemprop="articleBody">
-             {% block body %}{% endblock %}
-           </div>
-           {%- if self.comments()|trim %}
-             <div class="articleComments">
-               {%- block comments %}{% endblock %}
-             </div>
-           {%- endif%}
+    <div class="document">
+  {%- block document %}
+      <div class="documentwrapper">
+      {%- if render_sidebar %}
+        <div class="bodywrapper">
+      {%- endif %}
+          <div class="body">
+            {% block body %} {% endblock %}
          </div>
-          {%- endblock %}
-          {% include "footer.html" %}
+      {%- if render_sidebar %}
        </div>
-      {%- endblock %}
+      {%- endif %}
      </div>
-    </section>
-  </div>
-  {% include "versions.html" -%}
+  {%- endblock %}

-  <script>
-      jQuery(function () {
-          SphinxRtdTheme.Navigation.enable({{ 'true' if theme_sticky_navigation|tobool else 'false' }});
-      });
-  </script>
+  {%- block sidebar2 %}{{ sidebar() }}{% endblock %}
+      <div class="clearer"></div>
+    </div>
+{%- endblock %}

-  {#- Do not conflict with RTD insertion of analytics script #}
-  {%- if not READTHEDOCS %}
-    {%- if theme_analytics_id %}
-    <!-- Theme Analytics -->
-    <script async src="https://www.googletagmanager.com/gtag/js?id={{ theme_analytics_id }}"></script>
-    <script>
-      window.dataLayer = window.dataLayer || [];
-      function gtag(){dataLayer.push(arguments);}
-      gtag('js', new Date());
-
-      gtag('config', '{{ theme_analytics_id }}', {
-          'anonymize_ip': {{ 'true' if theme_analytics_anonymize_ip|tobool else 'false' }},
-      });
-    </script>
+{%- block relbar2 %}{{ relbar() }}{% endblock %}

+{%- block footer %}
+    <div class="footer">
+    {%- if show_copyright %}
+      {%- if hasdoc('copyright') %}
+        {% trans path=pathto('copyright'), copyright=copyright|e %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}
+      {%- else %}
+        {% trans copyright=copyright|e %}&copy; Copyright {{ copyright }}.{% endtrans %}
+      {%- endif %}
    {%- endif %}
-  {%- endif %}
+    {%- if last_updated %}
+      {% trans last_updated=last_updated|e %}Last updated on {{ last_updated }}.{% endtrans %}
+    {%- endif %}
+    {%- if show_sphinx %}
+      {% trans sphinx_version=sphinx_version|e %}Created using <a href="http://sphinx-doc.org/">Sphinx</a> {{ sphinx_version }}.{% endtrans %}
+    {%- endif %}
+    </div>
+    <p>asdf asdf asdf asdf 22</p>
+{%- endblock %}
+  </body>
+</html>

-  {%- block footer %} {% endblock %}
-
-</body>
-</html>
@@ -39,7 +39,7 @@ as well as the type of underlying hardware. Example:
       "rsa_pubkey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqh…nswIDAQAB\n-----END PUBLIC KEY-----\n"
   }

-The ``rsa_pubkey`` is optional any only required for certain features such as working with reusable
+The ``rsa_pubkey`` is optional any only required for certain fatures such as working with reusable
 media and NFC cryptography.

 Every initialization token can only be used once. On success, you will receive a response containing
@@ -117,7 +117,7 @@ List-level conditional fetching
 If modification checks are not possible with this granularity, you can instead check for the full list.
 In this case, the list of objects may contain a regular HTTP header ``Last-Modified`` with the date of the
 last modification to any item of that resource. You can then pass this date back in your next request in the
-``If-Modified-Since`` header. If any object has changed in the meantime, you will receive back a full list
+``If-Modified-Since`` header. If the any object has changed in the meantime, you will receive back a full list
 (if something it missing, this means the object has been deleted). If nothing happened, we'll send back a
 ``304 Not Modified`` return code.

@@ -46,28 +46,28 @@ Endpoints
      Vary: Accept
      Content-Type: application/json

-      {
-         "count": 3,
-         "next": null,
-         "previous": null,
-         "results": [
-            {
-               "id": 2,
-               "start": "2025-08-14T22:00:00Z",
-               "end": "2025-08-15T00:00:00Z"
-            },
-            {
-               "id": 3,
-               "start": "2025-08-12T22:00:00Z",
-               "end": "2025-08-13T22:00:00Z"
-            },
-            {
-               "id": 14,
-               "start": "2025-08-15T22:00:00Z",
-               "end": "2025-08-17T22:00:00Z"
-            }
-        ]
-      }
+   {
+      "count": 3,
+      "next": null,
+      "previous": null,
+      "results": [
+         {
+            "id": 2,
+            "start": "2025-08-14T22:00:00Z",
+            "end": "2025-08-15T00:00:00Z"
+         },
+         {
+            "id": 3,
+            "start": "2025-08-12T22:00:00Z",
+            "end": "2025-08-13T22:00:00Z"
+         },
+         {
+            "id": 14,
+            "start": "2025-08-15T22:00:00Z",
+            "end": "2025-08-17T22:00:00Z"
+         }
+      ]
+   }

   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
@@ -211,7 +211,7 @@ The line-based computation has a few significant advantages:

 The main disadvantage is that the tax looks "wrong" when computed from the sum. Taking the sum of net prices (420.15)
 and multiplying it with the tax rate (19%) yields a tax amount of 79.83 (instead of 79.85) and a gross sum of 499.98
-(instead of 500.00). This becomes a problem when juristictions, data formats, or external systems expect this calculation
+(instead of 499.98). This becomes a problem when juristictions, data formats, or external systems expect this calculation
 to work on the level of the entire order. A prominent example is the EN 16931 standard for e-invoicing that
 does not allow the computation as created by pretix.

@@ -1,8 +1,9 @@
-sphinx==9.1.*
-sphinx-rtd-theme~=3.1.0
-sphinxcontrib-httpdomain~=1.8.1
-sphinxcontrib-images~=1.0.1
-sphinxcontrib-jquery~=4.1
-sphinxcontrib-spelling~=8.0.2
-sphinxemoji~=0.3.2
+sphinx==7.4.*
+jinja2==3.1.*
+sphinx-rtd-theme
+sphinxcontrib-httpdomain
+sphinxcontrib-images
+sphinxcontrib-jquery
+sphinxcontrib-spelling==8.*
+sphinxemoji
 pyenchant==3.3.*
@@ -1,9 +1,10 @@
 -e ../
-sphinx==9.1.*
-sphinx-rtd-theme~=3.1.0
-sphinxcontrib-httpdomain~=1.8.1
-sphinxcontrib-images~=1.0.1
-sphinxcontrib-jquery~=4.1
-sphinxcontrib-spelling~=8.0.2
-sphinxemoji~=0.3.2
+sphinx==7.4.*
+jinja2==3.1.*
+sphinx-rtd-theme
+sphinxcontrib-httpdomain
+sphinxcontrib-images
+sphinxcontrib-jquery
+sphinxcontrib-spelling==8.*
+sphinxemoji
 pyenchant==3.3.*
@@ -3,7 +3,7 @@ name = "pretix"
 dynamic = ["version"]
 description = "Reinventing presales, one ticket at a time"
 readme = "README.rst"
-requires-python = ">=3.10"
+requires-python = ">=3.9"
 license = {file = "LICENSE"}
 keywords = ["tickets", "web", "shop", "ecommerce"]
 authors = [
@@ -29,17 +29,16 @@ dependencies = [
  "arabic-reshaper==3.0.0",  # Support for Arabic in reportlab
  "babel",
  "BeautifulSoup4==4.14.*",
-  "bleach==6.3.*",
-  "celery==5.6.*",
+  "bleach==6.2.*",
+  "celery==5.5.*",
  "chardet==5.2.*",
  "cryptography>=44.0.0",
-  "css-inline==0.19.*",
+  "css-inline==0.18.*",
  "defusedcsv>=1.1.0",
-  "dnspython==2.*",
  "Django[argon2]==4.2.*,>=4.2.26",
-  "django-bootstrap3==26.1",
-  "django-compressor==4.6.0",
-  "django-countries==8.2.*",
+  "django-bootstrap3==25.2",
+  "django-compressor==4.5.1",
+  "django-countries==7.6.*",
  "django-filter==25.1",
  "django-formset-js-improved==0.5.0.4",
  "django-formtools==2.5.1",
@@ -50,22 +49,22 @@ dependencies = [
  "django-localflavor==5.0",
  "django-markup",
  "django-oauth-toolkit==2.3.*",
-  "django-otp==1.7.*",
-  "django-phonenumber-field==8.4.*",
+  "django-otp==1.6.*",
+  "django-phonenumber-field==7.3.*",
  "django-redis==6.0.*",
  "django-scopes==2.0.*",
  "django-statici18n==2.6.*",
  "djangorestframework==3.16.*",
-  "dnspython==2.8.*",
+  "dnspython==2.7.*",
  "drf_ujson2==1.7.*",
  "geoip2==5.*",
  "importlib_metadata==8.*",  # Polyfill, we can probably drop this once we require Python 3.10+
  "isoweek",
  "jsonschema",
-  "kombu==5.6.*",
+  "kombu==5.5.*",
  "libsass==0.23.*",
  "lxml",
-  "markdown==3.10",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
+  "markdown==3.9",  # 3.3.5 requires importlib-metadata>=4.4, but django-bootstrap3 requires importlib-metadata<3.
  # We can upgrade markdown again once django-bootstrap3 upgrades or once we drop Python 3.6 and 3.7
  "mt-940==4.30.*",
  "oauthlib==3.3.*",
@@ -75,30 +74,31 @@ dependencies = [
  "paypal-checkout-serversdk==1.0.*",
  "PyJWT==2.10.*",
  "phonenumberslite==9.0.*",
-  "Pillow==12.1.*",
+  "Pillow==11.3.*",
  "pretix-plugin-build",
  "protobuf==6.33.*",
  "psycopg2-binary",
  "pycountry",
  "pycparser==2.23",
  "pycryptodome==3.23.*",
-  "pypdf==6.5.*",
+  "pypdf==6.3.*",
  "python-bidi==0.6.*",  # Support for Arabic in reportlab
  "python-dateutil==2.9.*",
  "pytz",
  "pytz-deprecation-shim==0.1.*",
  "pyuca",
  "qrcode==8.2",
-  "redis==7.1.*",
+  "redis==6.4.*",
  "reportlab==4.4.*",
  "requests==2.32.*",
-  "sentry-sdk==2.49.*",
+  "sentry-sdk==2.45.*",
  "sepaxml==2.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
  "tlds>=2020041600",
  "tqdm==4.*",
  "ua-parser==1.0.*",
+  "vat_moss_forked==2020.3.20.0.11.0",
  "vobject==0.9.*",
  "webauthn==2.7.*",
  "zeep==4.3.*"
@@ -110,10 +110,10 @@ dev = [
  "aiohttp==3.13.*",
  "coverage",
  "coveralls",
-  "fakeredis==2.33.*",
+  "fakeredis==2.32.*",
  "flake8==7.3.*",
  "freezegun",
-  "isort==7.0.*",
+  "isort==6.1.*",
  "pep8-naming==0.15.*",
  "potypo",
  "pytest-asyncio>=0.24",
@@ -123,7 +123,7 @@ dev = [
  "pytest-mock==3.15.*",
  "pytest-sugar",
  "pytest-xdist==3.8.*",
-  "pytest==9.0.*",
+  "pytest==8.4.*",
  "responses",
 ]

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2025.11.0.dev0"
+__version__ = "2025.10.0.dev0"
@@ -795,7 +795,6 @@ class EventSettingsSerializer(SettingsSerializer):
        'invoice_address_asked',
        'invoice_address_required',
        'invoice_address_vatid',
-        'invoice_address_vatid_required_countries',
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
@@ -944,7 +943,6 @@ class DeviceEventSettingsSerializer(EventSettingsSerializer):
        'invoice_address_asked',
        'invoice_address_required',
        'invoice_address_vatid',
-        'invoice_address_vatid_required_countries',
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
@@ -1601,7 +1601,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                order.sales_channel,
                [
                    (cp.item_id, cp.subevent_id, cp.subevent.date_from if cp.subevent_id else None, cp.price,
-                     cp.addon_to, cp.is_bundled, pos._voucher_discount)
+                     bool(cp.addon_to), cp.is_bundled, pos._voucher_discount)
                    for cp in order_positions
                ]
            )
@@ -33,7 +33,7 @@ from pretix.api.serializers.order import (
    OrderFeeCreateSerializer, OrderPositionCreateSerializer,
 )
 from pretix.base.models import ItemVariation, Order, OrderFee, OrderPosition
-from pretix.base.services.orders import OrderChangeManager, OrderError
+from pretix.base.services.orders import OrderError
 from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS

 logger = logging.getLogger(__name__)
@@ -82,11 +82,11 @@ class OrderPositionCreateForExistingOrderSerializer(OrderPositionCreateSerialize
        return data

    def create(self, validated_data):
-        ocm: OrderChangeManager = self.context['ocm']
+        ocm = self.context['ocm']
        check_quotas = self.context.get('check_quotas', True)

        try:
-            new_position = ocm.add_position(
+            ocm.add_position(
                item=validated_data['item'],
                variation=validated_data.get('variation'),
                price=validated_data.get('price'),
@@ -98,7 +98,7 @@ class OrderPositionCreateForExistingOrderSerializer(OrderPositionCreateSerialize
            )
            if self.context.get('commit', True):
                ocm.commit(check_quotas=check_quotas)
-                return new_position.position
+                return validated_data['order'].positions.order_by('-positionid').first()
            else:
                return OrderPosition()  # fake to appease DRF
        except OrderError as e:
@@ -131,7 +131,7 @@ class OrderFeeCreateForExistingOrderSerializer(OrderFeeCreateSerializer):
        return data

    def create(self, validated_data):
-        ocm: OrderChangeManager = self.context['ocm']
+        ocm = self.context['ocm']

        try:
            f = OrderFee(
@@ -146,7 +146,7 @@ class OrderFeeCreateForExistingOrderSerializer(OrderFeeCreateSerializer):
            ocm.add_fee(f)
            if self.context.get('commit', True):
                ocm.commit()
-                return f
+                return validated_data['order'].fees.order_by('-pk').first()
            else:
                return OrderFee()  # fake to appease DRF
        except OrderError as e:
@@ -310,7 +310,7 @@ class OrderPositionChangeSerializer(serializers.ModelSerializer):
        return data

    def update(self, instance, validated_data):
-        ocm: OrderChangeManager = self.context['ocm']
+        ocm = self.context['ocm']
        check_quotas = self.context.get('check_quotas', True)
        current_seat = {'seat_guid': instance.seat.seat_guid} if instance.seat else None
        item = validated_data.get('item', instance.item)
@@ -399,7 +399,7 @@ class OrderFeeChangeSerializer(serializers.ModelSerializer):
        )

    def update(self, instance, validated_data):
-        ocm: OrderChangeManager = self.context['ocm']
+        ocm = self.context['ocm']
        value = validated_data.get('value', instance.value)

        try:
@@ -443,7 +443,6 @@ class OrganizerSettingsSerializer(SettingsSerializer):
        'customer_accounts',
        'customer_accounts_native',
        'customer_accounts_link_by_email',
-        'customer_accounts_require_login_for_order_access',
        'invoice_regenerate_allowed',
        'contact_mail',
        'imprint_url',
@@ -74,11 +74,6 @@ class ExportersMixin:
    @action(detail=True, methods=['GET'], url_name='download', url_path='download/(?P<asyncid>[^/]+)/(?P<cfid>[^/]+)')
    def download(self, *args, **kwargs):
        cf = get_object_or_404(CachedFile, id=kwargs['cfid'])
-        if not cf.allowed_for_session(self.request, "exporters-api"):
-            return Response(
-                {'status': 'failed', 'message': 'Unknown file ID or export failed'},
-                status=status.HTTP_410_GONE
-            )
        if cf.file:
            resp = ChunkBasedFileResponse(cf.file.file, content_type=cf.type)
            resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename).encode("ascii", "ignore")
@@ -114,8 +109,7 @@ class ExportersMixin:
        serializer = JobRunSerializer(exporter=instance, data=self.request.data, **self.get_serializer_kwargs())
        serializer.is_valid(raise_exception=True)

-        cf = CachedFile(web_download=True)
-        cf.bind_to_session(self.request, "exporters-api")
+        cf = CachedFile(web_download=False)
        cf.date = now()
        cf.expires = now() + timedelta(hours=24)
        cf.save()
@@ -106,7 +106,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
            'variations', 'addons', 'bundles', 'meta_values', 'meta_values__property',
            'variations__meta_values', 'variations__meta_values__property',
            'require_membership_types', 'variations__require_membership_types',
-            'limit_sales_channels', 'variations__limit_sales_channels', 'program_times'
+            'limit_sales_channels', 'variations__limit_sales_channels',
        ).all()

    def perform_create(self, serializer):
@@ -567,7 +567,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
    write_permission = 'can_change_items'

    def get_queryset(self):
-        return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all()
+        return self.request.event.quotas.all()

    def list(self, request, *args, **kwargs):
        queryset = self.filter_queryset(self.get_queryset()).distinct()
@@ -721,7 +721,7 @@ class MembershipViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        return Membership.objects.filter(
            customer__organizer=self.request.organizer
-        ).select_related('customer')
+        )

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
@@ -19,7 +19,6 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-
 from django.db import transaction
 from django.db.models import F, Q
 from django.utils.timezone import now
@@ -65,13 +64,8 @@ class VoucherViewSet(viewsets.ModelViewSet):
    permission = 'can_view_vouchers'
    write_permission = 'can_change_vouchers'

-    @scopes_disabled()  # we have an event check here, and we can save some performance on subqueries
    def get_queryset(self):
-        return Voucher.annotate_budget_used(
-            self.request.event.vouchers
-        ).select_related(
-            'item', 'quota', 'seat', 'variation'
-        )
+        return self.request.event.vouchers.select_related('seat').all()

    @transaction.atomic()
    def create(self, request, *args, **kwargs):
@@ -43,7 +43,6 @@ from pretix.base.services.tasks import ProfiledTask, TransactionAwareTask
 from pretix.base.signals import periodic_task
 from pretix.celery_app import app
 from pretix.helpers import OF_SELF
-from pretix.helpers.celery import get_task_priority

 logger = logging.getLogger(__name__)
 _ALL_EVENTS = None
@@ -475,10 +474,7 @@ def notify_webhooks(logentry_ids: list):
                )

        for wh in webhooks:
-            send_webhook.apply_async(
-                args=(logentry.id, notification_type.action_type, wh.pk),
-                priority=get_task_priority("notifications", logentry.organizer_id),
-            )
+            send_webhook.apply_async(args=(logentry.id, notification_type.action_type, wh.pk))


@app.task(base=ProfiledTask, bind=True, max_retries=5, default_retry_delay=60, acks_late=True, autoretry_for=(DatabaseError,),)
@@ -90,7 +90,6 @@ StaticMapping = namedtuple('StaticMapping', ('id', 'pretix_model', 'external_obj

 class OutboundSyncProvider:
    max_attempts = 5
-    list_field_joiner = ","  # set to None to keep native lists in properties

    def __init__(self, event):
        self.event = event
@@ -282,8 +281,7 @@ class OutboundSyncProvider:
                            'Please update value mapping for field "{field_name}" - option "{val}" not assigned'
                        ).format(field_name=key, val=val)])

-            if self.list_field_joiner:
-                val = self.list_field_joiner.join(val)
+            val = ",".join(val)
        return val

    def get_properties(self, inputs: dict, property_mappings: List[dict]):
@@ -71,20 +71,15 @@ def assign_properties(
    return out


-def _add_to_list(out, field_name, current_value, new_item_input, list_sep):
+def _add_to_list(out, field_name, current_value, new_item, list_sep):
+    new_item = str(new_item)
    if list_sep is not None:
-        new_items = str(new_item_input).split(list_sep)
+        new_item = new_item.replace(list_sep, "")
        current_value = current_value.split(list_sep) if current_value else []
-    else:
-        new_items = [str(new_item_input)]
-        if not isinstance(current_value, (list, tuple)):
-            current_value = [str(current_value)]
-
-    new_list = list(current_value)
-    for new_item in new_items:
-        if new_item not in current_value:
-            new_list.append(new_item)
-    if new_list != current_value:
+    elif not isinstance(current_value, (list, tuple)):
+        current_value = [str(current_value)]
+    if new_item not in current_value:
+        new_list = current_value + [new_item]
        if list_sep is not None:
            new_list = list_sep.join(new_list)
        out[field_name] = new_list
@@ -24,7 +24,6 @@ from itertools import groupby
 from smtplib import SMTPResponseException
 from typing import TypeVar

-import bleach
 import css_inline
 from django.conf import settings
 from django.core.mail.backends.smtp import EmailBackend
@@ -35,10 +34,7 @@ from django.utils.translation import get_language, gettext_lazy as _

 from pretix.base.models import Event
 from pretix.base.signals import register_html_mail_renderers
-from pretix.base.templatetags.rich_text import (
-    DEFAULT_CALLBACKS, EMAIL_RE, URL_RE, abslink_callback,
-    markdown_compile_email, truelink_callback,
-)
+from pretix.base.templatetags.rich_text import markdown_compile_email
 from pretix.helpers.format import SafeFormatter, format_map

 from pretix.base.services.placeholders import (  # noqa
@@ -137,24 +133,13 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
    def template_name(self):
        raise NotImplementedError()

-    def compile_markdown(self, plaintext, context=None):
-        return markdown_compile_email(plaintext, context=context)
+    def compile_markdown(self, plaintext):
+        return markdown_compile_email(plaintext)

    def render(self, plain_body: str, plain_signature: str, subject: str, order, position, context) -> str:
-        body_md = self.compile_markdown(plain_body, context)
+        body_md = self.compile_markdown(plain_body)
        if context:
-            linker = bleach.Linker(
-                url_re=URL_RE,
-                email_re=EMAIL_RE,
-                callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
-                parse_email=True
-            )
-            body_md = format_map(
-                body_md,
-                context=context,
-                mode=SafeFormatter.MODE_RICH_TO_HTML,
-                linkifier=linker
-            )
+            body_md = format_map(body_md, context=context, mode=SafeFormatter.MODE_RICH_TO_HTML)
        htmlctx = {
            'site': settings.PRETIX_INSTANCE_NAME,
            'site_url': settings.SITE_URL,
@@ -66,10 +66,8 @@ from geoip2.errors import AddressNotFoundError
 from phonenumber_field.formfields import PhoneNumberField
 from phonenumber_field.phonenumber import PhoneNumber
 from phonenumber_field.widgets import PhoneNumberPrefixWidget
-from phonenumbers import (
-    COUNTRY_CODE_TO_REGION_CODE, REGION_CODE_FOR_NON_GEO_ENTITY,
-    NumberParseException, national_significant_number,
-)
+from phonenumbers import NumberParseException, national_significant_number
+from phonenumbers.data import _COUNTRY_CODE_TO_REGION_CODE
 from PIL import ImageOps

 from pretix.base.forms.widgets import (
@@ -85,7 +83,7 @@ from pretix.base.invoicing.transmission import (
 from pretix.base.models import InvoiceAddress, Item, Question, QuestionOption
 from pretix.base.models.tax import ask_for_vat_id
 from pretix.base.services.tax import (
-    VATIDFinalError, VATIDTemporaryError, normalize_vat_id, validate_vat_id,
+    VATIDFinalError, VATIDTemporaryError, validate_vat_id,
 )
 from pretix.base.settings import (
    COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
@@ -307,9 +305,7 @@ class WrappedPhonePrefixSelect(Select):
        choices = [("", "---------")]

        if initial:
-            for prefix, values in COUNTRY_CODE_TO_REGION_CODE.items():
-                if all(v == REGION_CODE_FOR_NON_GEO_ENTITY for v in values):
-                    continue
+            for prefix, values in _COUNTRY_CODE_TO_REGION_CODE.items():
                if initial in values:
                    self.initial = "+%d" % prefix
                    break
@@ -441,9 +437,7 @@ def guess_phone_prefix_from_request(request, event):


 def get_phone_prefix(country):
-    if country == REGION_CODE_FOR_NON_GEO_ENTITY:
-        return None
-    for prefix, values in COUNTRY_CODE_TO_REGION_CODE.items():
+    for prefix, values in _COUNTRY_CODE_TO_REGION_CODE.items():
        if country in values:
            return prefix
    return None
@@ -1171,11 +1165,13 @@ class BaseInvoiceAddressForm(forms.ModelForm):
            self.fields['vat_id'].help_text = '<br/>'.join([
                str(_('Optional, but depending on the country you reside in we might need to charge you '
                      'additional taxes if you do not enter it.')),
+                str(_('If you are registered in Switzerland, you can enter your UID instead.')),
            ])
        else:
            self.fields['vat_id'].help_text = '<br/>'.join([
                str(_('Optional, but it might be required for you to claim tax benefits on your invoice '
                      'depending on your and the seller’s country of residence.')),
+                str(_('If you are registered in Switzerland, you can enter your UID instead.')),
            ])

        transmission_type_choices = [
@@ -1362,24 +1358,13 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                                            "transmission method.")}
                )

-        vat_id_applicable = (
-            'vat_id' in self.fields and
-            data.get('is_business') and
-            ask_for_vat_id(data.get('country'))
-        )
-        vat_id_required = vat_id_applicable and str(data.get('country')) in self.event.settings.invoice_address_vatid_required_countries
-        if vat_id_required and not data.get('vat_id'):
-            raise ValidationError({
-                "vat_id": _("This field is required.")
-            })
-
        if self.validate_vat_id and self.instance.vat_id_validated and 'vat_id' not in self.changed_data:
-            pass  # Skip re-validation if it is validated
-        elif self.validate_vat_id and vat_id_applicable:
+            pass
+        elif self.validate_vat_id and data.get('is_business') and ask_for_vat_id(data.get('country')) and data.get('vat_id'):
            try:
                normalized_id = validate_vat_id(data.get('vat_id'), str(data.get('country')))
                self.instance.vat_id_validated = True
-                self.instance.vat_id = data['vat_id'] = normalized_id
+                self.instance.vat_id = normalized_id
            except VATIDFinalError as e:
                if self.all_optional:
                    self.instance.vat_id_validated = False
@@ -1387,9 +1372,6 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                else:
                    raise ValidationError({"vat_id": e.message})
            except VATIDTemporaryError as e:
-                # We couldn't check it online, but we can still normalize it
-                normalized_id = normalize_vat_id(data.get('vat_id'), str(data.get('country')))
-                self.instance.vat_id = data['vat_id'] = normalized_id
                self.instance.vat_id_validated = False
                if self.request and self.vat_warning:
                    messages.warning(self.request, e.message)
@@ -89,6 +89,8 @@ class User2FADeviceAddForm(forms.Form):

 class UserPasswordChangeForm(forms.Form):
    error_messages = {
+        'pw_current': _("Please enter your current password if you want to change your email address "
+                        "or password."),
        'pw_current_wrong': _("The current password you entered was not correct."),
        'pw_mismatch': _("Please enter the same password twice"),
        'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
@@ -101,19 +103,19 @@ class UserPasswordChangeForm(forms.Form):
                                 attrs={'autocomplete': 'username'},
                             ))
    old_pw = forms.CharField(max_length=255,
-                             required=True,
+                             required=False,
                             label=_("Your current password"),
                             widget=forms.PasswordInput(
                                 attrs={'autocomplete': 'current-password'},
                             ))
    new_pw = forms.CharField(max_length=255,
-                             required=True,
+                             required=False,
                             label=_("New password"),
                             widget=forms.PasswordInput(
                                 attrs={'autocomplete': 'new-password'},
                             ))
    new_pw_repeat = forms.CharField(max_length=255,
-                                    required=True,
+                                    required=False,
                                    label=_("Repeat new password"),
                                    widget=forms.PasswordInput(
                                        attrs={'autocomplete': 'new-password'},
@@ -128,7 +130,7 @@ class UserPasswordChangeForm(forms.Form):
    def clean_old_pw(self):
        old_pw = self.cleaned_data.get('old_pw')

-        if settings.HAS_REDIS:
+        if old_pw and settings.HAS_REDIS:
            from django_redis import get_redis_connection
            rc = get_redis_connection("redis")
            cnt = rc.incr('pretix_pwchange_%s' % self.user.pk)
@@ -139,7 +141,7 @@ class UserPasswordChangeForm(forms.Form):
                    code='rate_limit',
                )

-        if not check_password(old_pw, self.user.password):
+        if old_pw and not check_password(old_pw, self.user.password):
            raise forms.ValidationError(
                self.error_messages['pw_current_wrong'],
                code='pw_current_wrong',
@@ -149,22 +151,17 @@ class UserPasswordChangeForm(forms.Form):

    def clean_new_pw(self):
        password1 = self.cleaned_data.get('new_pw', '')
-        if validate_password(password1, user=self.user) is not None:
+        if password1 and validate_password(password1, user=self.user) is not None:
            raise forms.ValidationError(
                _(password_validators_help_texts()),
                code='pw_invalid'
            )
-        if self.user.check_password(password1):
-            raise forms.ValidationError(
-                self.error_messages['pw_equal'],
-                code='pw_equal',
-            )
        return password1

    def clean_new_pw_repeat(self):
        password1 = self.cleaned_data.get('new_pw')
        password2 = self.cleaned_data.get('new_pw_repeat')
-        if password1 != password2:
+        if password1 and password1 != password2:
            raise forms.ValidationError(
                self.error_messages['pw_mismatch'],
                code='pw_mismatch'
@@ -34,13 +34,14 @@

 from contextlib import contextmanager

-from asgiref.local import Local
 from babel import localedata
 from django.conf import settings
 from django.utils import translation
 from django.utils.formats import date_format, number_format
 from django.utils.translation import gettext

+from pretix.base.templatetags.money import money_filter
+
 from i18nfield.fields import (  # noqa
    I18nCharField, I18nTextarea, I18nTextField, I18nTextInput,
 )
@@ -50,9 +51,6 @@ from i18nfield.strings import LazyI18nString  # noqa
 from i18nfield.utils import I18nJSONEncoder  # noqa


-_active_region = Local()
-
-
 class LazyDate:
    def __init__(self, value):
        self.value = value
@@ -88,8 +86,6 @@ class LazyCurrencyNumber:
        return self.__str__()

    def __str__(self):
-        from pretix.base.templatetags.money import money_filter
-
        return money_filter(self.value, self.currency)


@@ -109,41 +105,14 @@ ALLOWED_LANGUAGES = dict(settings.LANGUAGES)


 def get_babel_locale():
-    # Babel, and therefore also django-phonenumberfield, do not support our custom locales such das de_Informal
-    # Also, this returns best-effort region information for number formatting etc
-    current_language = translation.get_language()
-    current_region = getattr(_active_region, "value", None)
-
-    # Babel only accepts locales that exist on the system. We try combinations in the following order:
-    # language-languageversion-region
-    # language-region
-    # language-languageversion
-    # language
-    # fallback to system default
-    # fallback to english
-
-    try_locales = []
-    if current_language:
-        if "-" in current_language:
-            lng_parts = current_language.split("-")
-            if current_region:
-                try_locales.append(f"{lng_parts[0]}_{lng_parts[1].title()}_{current_region.upper()}")
-                try_locales.append(f"{lng_parts[0]}_{current_region.upper()}")
-            try_locales.append(f"{lng_parts[0]}_{lng_parts[1].upper()}")
-            try_locales.append(f"{lng_parts[0]}_{lng_parts[1].title()}")
-            try_locales.append(f"{lng_parts[0]}")
-        else:
-            if current_region:
-                try_locales.append(f"{current_language}_{current_region.upper()}")
-            try_locales.append(f"{current_language}")
-
-    try_locales.append(settings.LANGUAGE_CODE)
-
-    for locale in try_locales:
-        if localedata.exists(locale):
-            return locale
-
-    return "en"
+    babel_locale = 'en'
+    # Babel, and therefore django-phonenumberfield, do not support our custom locales such das de_Informal
+    if translation.get_language():
+        if localedata.exists(translation.get_language()):
+            babel_locale = translation.get_language()
+        elif localedata.exists(translation.get_language()[:2]):
+            babel_locale = translation.get_language()[:2]
+    return babel_locale


 def get_language_without_region(lng=None):
@@ -163,10 +132,6 @@ def get_language_without_region(lng=None):
    return lng


-def set_region(region):
-    _active_region.value = region
-
-
@contextmanager
 def language(lng, region=None):
    """
@@ -178,18 +143,15 @@ def language(lng, region=None):
    formatting. If you pass a ``lng`` that already contains a region, e.g. ``pt-br``, the ``region``
    attribute will be ignored.
    """
-    lng_before = translation.get_language()
-    region_before = getattr(_active_region, "value", None)
+    _lng = translation.get_language()
    lng = lng or settings.LANGUAGE_CODE
    if '-' not in lng and region:
        lng += '-' + region.lower()
    translation.activate(lng)
-    _active_region.value = region
    try:
        yield
    finally:
-        translation.activate(lng_before)
-        _active_region.value = region_before
+        translation.activate(_lng)


 class LazyLocaleException(Exception):
@@ -32,6 +32,7 @@ from itertools import groupby
 from typing import Tuple

 import bleach
+import vat_moss.exchange_rates
 from bidi import get_display
 from django.contrib.staticfiles import finders
 from django.db.models import Sum
@@ -46,6 +47,7 @@ from reportlab.lib.styles import ParagraphStyle, StyleSheet1
 from reportlab.lib.units import mm
 from reportlab.pdfbase import pdfmetrics
 from reportlab.pdfbase.pdfmetrics import stringWidth
+from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import (
    BaseDocTemplate, Flowable, Frame, KeepTogether, NextPageTemplate,
@@ -58,8 +60,7 @@ from pretix.base.services.currencies import SOURCE_NAMES
 from pretix.base.signals import register_invoice_renderers
 from pretix.base.templatetags.money import money_filter
 from pretix.helpers.reportlab import (
-    FontFallbackParagraph, ThumbnailingImageReader, register_ttf_font_if_new,
-    reshaper,
+    FontFallbackParagraph, ThumbnailingImageReader, reshaper,
 )
 from pretix.presale.style import get_fonts

@@ -234,25 +235,25 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        """
        Register fonts with reportlab. By default, this registers the OpenSans font family
        """
-        register_ttf_font_if_new('OpenSans', finders.find('fonts/OpenSans-Regular.ttf'))
-        register_ttf_font_if_new('OpenSansIt', finders.find('fonts/OpenSans-Italic.ttf'))
-        register_ttf_font_if_new('OpenSansBd', finders.find('fonts/OpenSans-Bold.ttf'))
-        register_ttf_font_if_new('OpenSansBI', finders.find('fonts/OpenSans-BoldItalic.ttf'))
+        pdfmetrics.registerFont(TTFont('OpenSans', finders.find('fonts/OpenSans-Regular.ttf')))
+        pdfmetrics.registerFont(TTFont('OpenSansIt', finders.find('fonts/OpenSans-Italic.ttf')))
+        pdfmetrics.registerFont(TTFont('OpenSansBd', finders.find('fonts/OpenSans-Bold.ttf')))
+        pdfmetrics.registerFont(TTFont('OpenSansBI', finders.find('fonts/OpenSans-BoldItalic.ttf')))
        pdfmetrics.registerFontFamily('OpenSans', normal='OpenSans', bold='OpenSansBd',
                                      italic='OpenSansIt', boldItalic='OpenSansBI')

        for family, styles in get_fonts(event=self.event, pdf_support_required=True).items():
-            register_ttf_font_if_new(family, finders.find(styles['regular']['truetype']))
+            pdfmetrics.registerFont(TTFont(family, finders.find(styles['regular']['truetype'])))
            if family == self.event.settings.invoice_renderer_font:
                self.font_regular = family
                if 'bold' in styles:
                    self.font_bold = family + ' B'
            if 'italic' in styles:
-                register_ttf_font_if_new(family + ' I', finders.find(styles['italic']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' I', finders.find(styles['italic']['truetype'])))
            if 'bold' in styles:
-                register_ttf_font_if_new(family + ' B', finders.find(styles['bold']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' B', finders.find(styles['bold']['truetype'])))
            if 'bolditalic' in styles:
-                register_ttf_font_if_new(family + ' B I', finders.find(styles['bolditalic']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' B I', finders.find(styles['bolditalic']['truetype'])))

    def _normalize(self, text):
        # reportlab does not support unicode combination characters
@@ -1058,7 +1059,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

        def fmt(val):
            try:
-                return money_filter(val, self.invoice.foreign_currency_display)
+                return vat_moss.exchange_rates.format(val, self.invoice.foreign_currency_display)
            except ValueError:
                return localize(val) + ' ' + self.invoice.foreign_currency_display

@@ -19,11 +19,8 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-import base64
-import hashlib
 import re

-import dns.resolver
 from django import forms
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _, pgettext
@@ -64,7 +61,7 @@ class PeppolIdValidator:
        "0020": "[0-9]{9}",
        "0201": "[0-9a-zA-Z]{6}",
        "0204": "[0-9]{2,12}(-[0-9A-Z]{0,30})?-[0-9]{2}",
-        "0208": "[01][0-9]{9}",
+        "0208": "0[0-9]{9}",
        "0209": ".*",
        "0210": "[A-Z0-9]+",
        "0211": "IT[0-9]{11}",
@@ -73,9 +70,6 @@ class PeppolIdValidator:
        "0205": "[A-Z0-9]+",
        "0221": "T[0-9]{13}",
        "0230": ".*",
-        "0244": "[0-9]{13}",
-        "0245": "[0-9]{10}",
-        "0246": "DE[0-9]{9}(-[0-9]{5})?(\\.[0-9A-Z]{1,8})?",
        "9901": ".*",
        "9902": "[1-9][0-9]{7}",
        "9904": "DK[0-9]{8}",
@@ -123,14 +117,12 @@ class PeppolIdValidator:
        "9951": ".*",
        "9952": ".*",
        "9953": ".*",
+        "9954": ".*",
        "9956": "0[0-9]{9}",
        "9957": ".*",
        "9959": ".*",
    }

-    def __init__(self, validate_online=False):
-        self.validate_online = validate_online
-
    def __call__(self, value):
        if ":" not in value:
            raise ValidationError(_("A Peppol participant ID always starts with a prefix, followed by a colon (:)."))
@@ -144,28 +136,6 @@ class PeppolIdValidator:
            raise ValidationError(_("The Peppol participant ID does not match the validation rules for the prefix "
                                    "%(number)s. Please reach out to us if you are sure this ID is correct."),
                                  params={"number": prefix})
-
-        if self.validate_online:
-            base_hostnames = ['edelivery.tech.ec.europa.eu', 'acc.edelivery.tech.ec.europa.eu']
-            smp_id = base64.b32encode(hashlib.sha256(value.lower().encode()).digest()).decode().rstrip("=")
-            for base_hostname in base_hostnames:
-                smp_domain = f'{smp_id}.iso6523-actorid-upis.{base_hostname}'
-                resolver = dns.resolver.Resolver()
-                try:
-                    answers = resolver.resolve(smp_domain, 'NAPTR', lifetime=1.0)
-                    if answers:
-                        return value
-                except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
-                    # ID not registered, do not set found=True
-                    pass
-                except Exception:  # noqa
-                    # Error likely on our end or infrastructure is down, allow user to proceed
-                    return value
-
-            raise ValidationError(
-                _("The Peppol participant ID is not registered on the Peppol network."),
-            )
-
        return value


@@ -185,9 +155,7 @@ class PeppolTransmissionType(TransmissionType):
            "transmission_peppol_participant_id": forms.CharField(
                label=_("Peppol participant ID"),
                validators=[
-                    PeppolIdValidator(
-                        validate_online=True,
-                    ),
+                    PeppolIdValidator(),
                ]
            ),
        }
@@ -35,7 +35,7 @@ from django.utils.translation.trans_real import (
    parse_accept_lang_header,
 )

-from pretix.base.i18n import get_language_without_region, set_region
+from pretix.base.i18n import get_language_without_region
 from pretix.base.settings import global_settings_object
 from pretix.multidomain.urlreverse import (
    get_event_domain, get_organizer_domain,
@@ -92,14 +92,10 @@ class LocaleMiddleware(MiddlewareMixin):
                )
                if '-' not in language and settings_holder.settings.region:
                    language += '-' + settings_holder.settings.region
-                if settings_holder.settings.region:
-                    set_region(settings_holder.settings.region)
        else:
            gs = global_settings_object(request)
            if '-' not in language and gs.settings.region:
                language += '-' + gs.settings.region
-            if gs.settings.region:
-                set_region(gs.settings.region)

        translation.activate(language)
        request.LANGUAGE_CODE = get_language_without_region()
@@ -47,19 +47,6 @@ class DataImportError(LazyLocaleException):
        super().__init__(msg)


-def rename_duplicates(values):
-    used = set()
-    had_duplicates = False
-    for i, value in enumerate(values):
-        c = 0
-        while values[i] in used:
-            c += 1
-            values[i] = f'{value}__{c}'
-            had_duplicates = True
-        used.add(values[i])
-    return had_duplicates
-
-
 def parse_csv(file, length=None, mode="strict", charset=None):
    file.seek(0)
    data = file.read(length)
@@ -83,7 +70,6 @@ def parse_csv(file, length=None, mode="strict", charset=None):
        return None

    reader = csv.DictReader(io.StringIO(data), dialect=dialect)
-    reader._had_duplicates = rename_duplicates(reader.fieldnames)
    return reader


@@ -53,6 +53,7 @@ from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_otp.models import Device
 from django_scopes import scopes_disabled
+from webauthn.helpers.structs import PublicKeyCredentialDescriptor

 from pretix.base.i18n import language
 from pretix.helpers.urls import build_absolute_uri
@@ -707,8 +708,6 @@ class U2FDevice(Device):

    @property
    def webauthndevice(self):
-        from webauthn.helpers.structs import PublicKeyCredentialDescriptor
-
        d = json.loads(self.json_data)
        return PublicKeyCredentialDescriptor(websafe_decode(d['keyHandle']))

@@ -738,8 +737,6 @@ class WebAuthnDevice(Device):

    @property
    def webauthndevice(self):
-        from webauthn.helpers.structs import PublicKeyCredentialDescriptor
-
        return PublicKeyCredentialDescriptor(websafe_decode(self.credential_id))

    @property
@@ -31,7 +31,6 @@ from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property

-from pretix.helpers.celery import get_task_priority
 from pretix.helpers.json import CustomJSONEncoder


@@ -59,37 +58,6 @@ class CachedFile(models.Model):
    web_download = models.BooleanField(default=True)  # allow web download, True for backwards compatibility in plugins
    session_key = models.TextField(null=True, blank=True)  # only allow download in this session

-    def session_key_for_request(self, request, salt=None):
-        from ...api.models import OAuthAccessToken, OAuthApplication
-        from .devices import Device
-        from .organizer import TeamAPIToken
-
-        if hasattr(request, "auth") and isinstance(request.auth, OAuthAccessToken):
-            k = f'app:{request.auth.application.pk}'
-        elif hasattr(request, "auth") and isinstance(request.auth, OAuthApplication):
-            k = f'app:{request.auth.pk}'
-        elif hasattr(request, "auth") and isinstance(request.auth, TeamAPIToken):
-            k = f'token:{request.auth.pk}'
-        elif hasattr(request, "auth") and isinstance(request.auth, Device):
-            k = f'device:{request.auth.pk}'
-        elif request.session.session_key:
-            k = request.session.session_key
-        else:
-            raise ValueError("No auth method found to bind to")
-
-        if salt:
-            k = f"{k}!{salt}"
-        return k
-
-    def allowed_for_session(self, request, salt=None):
-        return (
-            not self.session_key or
-            self.session_key_for_request(request, salt) == self.session_key
-        )
-
-    def bind_to_session(self, request, salt=None):
-        self.session_key = self.session_key_for_request(request, salt)
-

@receiver(post_delete, sender=CachedFile)
 def cached_file_delete(sender, instance, **kwargs):
@@ -163,15 +131,9 @@ class LoggingMixin:
            logentry.save()

            if logentry.notification_type:
-                notify.apply_async(
-                    args=(logentry.pk,),
-                    priority=get_task_priority("notifications", logentry.organizer_id),
-                )
+                notify.apply_async(args=(logentry.pk,))
            if logentry.webhook_type:
-                notify_webhooks.apply_async(
-                    args=(logentry.pk,),
-                    priority=get_task_priority("notifications", logentry.organizer_id),
-                )
+                notify_webhooks.apply_async(args=(logentry.pk,))

        return logentry

@@ -37,7 +37,7 @@ from pretix.base.decimal import round_decimal
 from pretix.base.models.base import LoggedModel

 PositionInfo = namedtuple('PositionInfo',
-                          ['item_id', 'subevent_id', 'subevent_date_from', 'line_price_gross', 'addon_to',
+                          ['item_id', 'subevent_id', 'subevent_date_from', 'line_price_gross', 'is_addon_to',
                           'voucher_discount'])


@@ -279,42 +279,6 @@ class Discount(LoggedModel):
            for idx in condition_idx_group:
                collect_potential_discounts[idx] = [(self, inf, -1, subevent_id)]

-    def _addon_idx(self, positions, idx):
-        """
-        If we have the following cart:
-
-        - Main product
-          - 10x Addon product 5€
-        - Main product
-          - 10x Addon product 5€
-
-        And we have a discount rule that grants "every 10th product is free", people tend to expect
-
-        - Main product
-          - 9x Addon product 5€
-          - 1x Addon product free
-        - Main product
-          - 9x Addon product 5€
-          - 1x Addon product free
-
-        And get confused if they get
-
-        - Main product
-          - 8x Addon product 5€
-          - 2x Addon product free
-        - Main product
-          - 10x Addon product 5€
-
-        Even if the result is the same. Therefore, we sort positions in the cart not only by price, but also by their
-        relative index within their addon group. This is only a heuristic and there are *still* scenarios where the more
-        unexpected version happens, e.g. if prices are different. We need to accept this as long as discounts work on
-        cart level and not on addon-group level, but this simple sorting reduces the number of support issues by making
-        the weird case less likely.
-        """
-        if not positions[idx].addon_to:
-            return 0
-        return len([1 for i, p in positions.items() if i < idx and p.addon_to == positions[idx].addon_to])
-
    def _apply_min_count(self, positions, condition_idx_group, benefit_idx_group, result, collect_potential_discounts, subevent_id):
        if len(condition_idx_group) < self.condition_min_count:
            return
@@ -324,8 +288,8 @@ class Discount(LoggedModel):

        if self.benefit_only_apply_to_cheapest_n_matches:
            # sort by line_price
-            condition_idx_group = sorted(condition_idx_group, key=lambda idx: (positions[idx].line_price_gross, self._addon_idx(positions, idx), -idx))
-            benefit_idx_group = sorted(benefit_idx_group, key=lambda idx: (positions[idx].line_price_gross, self._addon_idx(positions, idx), -idx))
+            condition_idx_group = sorted(condition_idx_group, key=lambda idx: (positions[idx].line_price_gross, -idx))
+            benefit_idx_group = sorted(benefit_idx_group, key=lambda idx: (positions[idx].line_price_gross, -idx))

            # Prevent over-consuming of items, i.e. if our discount is "buy 2, get 1 free", we only
            # want to match multiples of 3
@@ -470,7 +434,7 @@ class Discount(LoggedModel):
            for idx, p in positions.items():
                subevent_to_idx[p.subevent_id].append(idx)
            for v in subevent_to_idx.values():
-                v.sort(key=lambda idx: (positions[idx].line_price_gross, self._addon_idx(positions, idx)))
+                v.sort(key=lambda idx: positions[idx].line_price_gross)
            subevent_order = sorted(list(subevent_to_idx.keys()), key=lambda s: len(subevent_to_idx[s]), reverse=True)

            # Build groups of exactly condition_min_count distinct subevents
@@ -494,7 +458,7 @@ class Discount(LoggedModel):

                # Sort the list by prices, then pick one. For "buy 2 get 1 free" we apply a "pick 1 from the start
                # and 2 from the end" scheme to optimize price distribution among groups
-                candidates = sorted(candidates, key=lambda idx: (positions[idx].line_price_gross, self._addon_idx(positions, idx)))
+                candidates = sorted(candidates, key=lambda idx: positions[idx].line_price_gross)
                if len(current_group) < (self.benefit_only_apply_to_cheapest_n_matches or 0):
                    candidate = candidates[0]
                else:
@@ -35,14 +35,11 @@
 import json
 import logging

-from django.conf import settings
 from django.contrib.contenttypes.fields import GenericForeignKey
 from django.contrib.contenttypes.models import ContentType
 from django.db import connections, models
 from django.utils.functional import cached_property

-from pretix.helpers.celery import get_task_priority
-

 class VisibleOnlyManager(models.Manager):
    def get_queryset(self):
@@ -141,9 +138,8 @@ class LogEntry(models.Model):

        log_entry_type, meta = log_entry_types.get(action_type=self.action_type)
        if log_entry_type:
-            sender = self.event if self.event else self.organizer
            link_info = log_entry_type.get_object_link_info(self)
-            if is_app_active(sender, meta['plugin']):
+            if is_app_active(self.event, meta['plugin']):
                return make_link(link_info, log_entry_type.object_link_wrapper)
            else:
                return make_link(link_info, log_entry_type.object_link_wrapper, is_active=False,
@@ -190,19 +186,7 @@ class LogEntry(models.Model):

        to_notify = [o.id for o in objects if o.notification_type]
        if to_notify:
-            organizer_ids = set(o.organizer_id for o in objects if o.notification_type)
-            notify.apply_async(
-                args=(to_notify,),
-                priority=settings.PRIORITY_CELERY_HIGHEST_FUNC(
-                    get_task_priority("notifications", oid) for oid in organizer_ids
-                ),
-            )
+            notify.apply_async(args=(to_notify,))
        to_wh = [o.id for o in objects if o.webhook_type]
        if to_wh:
-            organizer_ids = set(o.organizer_id for o in objects if o.webhook_type)
-            notify_webhooks.apply_async(
-                args=(to_wh,),
-                priority=settings.PRIORITY_CELERY_HIGHEST_FUNC(
-                    get_task_priority("notifications", oid) for oid in organizer_ids
-                ),
-            )
+            notify_webhooks.apply_async(args=(to_wh,))
@@ -22,6 +22,7 @@
 import json
 from collections import namedtuple

+import jsonschema
 from django.contrib.staticfiles import finders
 from django.core.exceptions import ValidationError
 from django.db import models
@@ -37,8 +38,6 @@ from pretix.base.models import Event, Item, LoggedModel, Organizer, SubEvent
@deconstructible
 class SeatingPlanLayoutValidator:
    def __call__(self, value):
-        import jsonschema
-
        if not isinstance(value, dict):
            try:
                val = json.loads(value)
@@ -23,6 +23,7 @@ import json
 from decimal import Decimal
 from typing import Optional

+import jsonschema
 from django.contrib.staticfiles import finders
 from django.core.exceptions import ValidationError
 from django.core.validators import MaxValueValidator, MinValueValidator
@@ -297,8 +298,6 @@ def cc_to_vat_prefix(country_code):
@deconstructible
 class CustomRulesValidator:
    def __call__(self, value):
-        import jsonschema
-
        if not isinstance(value, dict):
            try:
                val = json.loads(value)
@@ -623,7 +623,7 @@ class Voucher(LoggedModel):
        return max(1, self.min_usages - self.redeemed)

    @classmethod
-    def annotate_budget_used(cls, qs):
+    def annotate_budget_used_orders(cls, qs):
        opq = OrderPosition.objects.filter(
            voucher_id=OuterRef('pk'),
            voucher_budget_use__isnull=False,
@@ -632,7 +632,7 @@ class Voucher(LoggedModel):
                Order.STATUS_PENDING
            ]
        ).order_by().values('voucher_id').annotate(s=Sum('voucher_budget_use')).values('s')
-        return qs.annotate(budget_used=Coalesce(Subquery(opq, output_field=models.DecimalField(max_digits=13, decimal_places=2)), Decimal('0.00')))
+        return qs.annotate(budget_used_orders=Coalesce(Subquery(opq, output_field=models.DecimalField(max_digits=13, decimal_places=2)), Decimal('0.00')))

    def budget_used(self):
        ops = OrderPosition.objects.filter(
@@ -35,7 +35,6 @@ from pretix.base.email import get_email_context
 from pretix.base.i18n import language
 from pretix.base.models import User, Voucher
 from pretix.base.services.mail import SendMailException, mail, render_mail
-from pretix.helpers import OF_SELF

 from ...helpers.format import format_map
 from ...helpers.names import build_name
@@ -186,47 +185,44 @@ class WaitingListEntry(LoggedModel):
            if not free_seats:
                raise WaitingListException(_('No seat with this product is currently available.'))

+        if self.voucher:
+            raise WaitingListException(_('A voucher has already been sent to this person.'))
        if '@' not in self.email:
            raise WaitingListException(_('This entry is anonymized and can no longer be used.'))

        with transaction.atomic():
-            locked_wle = WaitingListEntry.objects.select_for_update(of=OF_SELF).get(pk=self.pk)
-            if locked_wle.voucher:
-                raise WaitingListException(_('A voucher has already been sent to this person.'))
-            e = locked_wle.email
-            if locked_wle.name:
-                e += ' / ' + locked_wle.name
+            e = self.email
+            if self.name:
+                e += ' / ' + self.name
            v = Voucher.objects.create(
-                event=locked_wle.event,
+                event=self.event,
                max_usages=1,
-                valid_until=now() + timedelta(hours=locked_wle.event.settings.waiting_list_hours),
-                item=locked_wle.item,
-                variation=locked_wle.variation,
+                valid_until=now() + timedelta(hours=self.event.settings.waiting_list_hours),
+                item=self.item,
+                variation=self.variation,
                tag='waiting-list',
                comment=_('Automatically created from waiting list entry for {email}').format(
                    email=e
                ),
                block_quota=True,
-                subevent=locked_wle.subevent,
+                subevent=self.subevent,
            )
            v.log_action('pretix.voucher.added', {
-                'item': locked_wle.item.pk,
-                'variation': locked_wle.variation.pk if locked_wle.variation else None,
+                'item': self.item.pk,
+                'variation': self.variation.pk if self.variation else None,
                'tag': 'waiting-list',
                'block_quota': True,
                'valid_until': v.valid_until.isoformat(),
                'max_usages': 1,
-                'subevent': locked_wle.subevent.pk if locked_wle.subevent else None,
+                'subevent': self.subevent.pk if self.subevent else None,
                'source': 'waitinglist',
            }, user=user, auth=auth)
            v.log_action('pretix.voucher.added.waitinglist', {
-                'email': locked_wle.email,
-                'waitinglistentry': locked_wle.pk,
+                'email': self.email,
+                'waitinglistentry': self.pk,
            }, user=user, auth=auth)
-            locked_wle.voucher = v
-            locked_wle.save()
-
-        self.refresh_from_db()
+            self.voucher = v
+            self.save()

        with language(self.locale, self.event.settings.region):
            self.send_mail(
@@ -47,6 +47,7 @@ from collections import OrderedDict, defaultdict
 from functools import partial
 from io import BytesIO

+import jsonschema
 import pypdf
 import pypdf.generic
 import reportlab.rl_config
@@ -71,7 +72,9 @@ from reportlab.lib.colors import Color
 from reportlab.lib.enums import TA_CENTER, TA_LEFT, TA_RIGHT
 from reportlab.lib.styles import ParagraphStyle
 from reportlab.lib.units import mm
+from reportlab.pdfbase import pdfmetrics
 from reportlab.pdfbase.pdfmetrics import getAscentDescent
+from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import Paragraph

@@ -82,9 +85,7 @@ from pretix.base.signals import layout_image_variables, layout_text_variables
 from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.phone_format import phone_format
 from pretix.helpers.daterange import datetimerange
-from pretix.helpers.reportlab import (
-    ThumbnailingImageReader, register_ttf_font_if_new, reshaper,
-)
+from pretix.helpers.reportlab import ThumbnailingImageReader, reshaper
 from pretix.presale.style import get_fonts

 logger = logging.getLogger(__name__)
@@ -794,19 +795,19 @@ class Renderer:
    def _register_fonts(cls, event: Event = None):
        if hasattr(cls, '_fonts_registered'):
            return
-        register_ttf_font_if_new('Open Sans', finders.find('fonts/OpenSans-Regular.ttf'))
-        register_ttf_font_if_new('Open Sans I', finders.find('fonts/OpenSans-Italic.ttf'))
-        register_ttf_font_if_new('Open Sans B', finders.find('fonts/OpenSans-Bold.ttf'))
-        register_ttf_font_if_new('Open Sans B I', finders.find('fonts/OpenSans-BoldItalic.ttf'))
+        pdfmetrics.registerFont(TTFont('Open Sans', finders.find('fonts/OpenSans-Regular.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans I', finders.find('fonts/OpenSans-Italic.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans B', finders.find('fonts/OpenSans-Bold.ttf')))
+        pdfmetrics.registerFont(TTFont('Open Sans B I', finders.find('fonts/OpenSans-BoldItalic.ttf')))

        for family, styles in get_fonts(event, pdf_support_required=True).items():
-            register_ttf_font_if_new(family, finders.find(styles['regular']['truetype']))
+            pdfmetrics.registerFont(TTFont(family, finders.find(styles['regular']['truetype'])))
            if 'italic' in styles:
-                register_ttf_font_if_new(family + ' I', finders.find(styles['italic']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' I', finders.find(styles['italic']['truetype'])))
            if 'bold' in styles:
-                register_ttf_font_if_new(family + ' B', finders.find(styles['bold']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' B', finders.find(styles['bold']['truetype'])))
            if 'bolditalic' in styles:
-                register_ttf_font_if_new(family + ' B I', finders.find(styles['bolditalic']['truetype']))
+                pdfmetrics.registerFont(TTFont(family + ' B I', finders.find(styles['bolditalic']['truetype'])))

        cls._fonts_registered = True

@@ -1310,8 +1311,6 @@ def _correct_page_media_box(page: pypdf.PageObject):
@deconstructible
 class PdfLayoutValidator:
    def __call__(self, value):
-        import jsonschema
-
        if not isinstance(value, dict):
            try:
                val = json.loads(value)
@@ -97,10 +97,6 @@ class CartError(Exception):
        super().__init__(msg)


-class CartPositionError(CartError):
-    pass
-
-
 error_messages = {
    'busy': gettext_lazy(
        'We were not able to process your request completely as the '
@@ -110,9 +106,6 @@ error_messages = {
    'unknown_position': gettext_lazy('Unknown cart position.'),
    'subevent_required': pgettext_lazy('subevent', 'No date was specified.'),
    'not_for_sale': gettext_lazy('You selected a product which is not available for sale.'),
-    'positions_removed': gettext_lazy(
-        'Some products can no longer be purchased and have been removed from your cart for the following reason: %s'
-    ),
    'unavailable': gettext_lazy(
        'Some of the products you selected are no longer available. '
        'Please see below for details.'
@@ -265,138 +258,6 @@ def _get_voucher_availability(event, voucher_use_diff, now_dt, exclude_position_
    return vouchers_ok, _voucher_depend_on_cart


-def _check_position_constraints(
-    event: Event, item: Item, variation: ItemVariation, voucher: Voucher, subevent: SubEvent,
-    seat: Seat, sales_channel: SalesChannel, already_in_cart: bool, cart_is_expired: bool, real_now_dt: datetime,
-    item_requires_seat: bool, is_addon: bool, is_bundled: bool,
-):
-    """
-    Checks if a cart position with the given constraints can still be sold. This checks configuration and time-based
-    constraints of item, subevent, and voucher.
-
-    It does NOT
-    - check if quota/voucher/seat are still available
-    - check prices
-    - check memberships
-    - perform any checks that go beyond the single line (like item.max_per_order)
-    """
-    time_machine_now_dt = time_machine_now(real_now_dt)
-    # Item or variation disabled
-    # Item disabled or unavailable by time
-    if not item.is_available(time_machine_now_dt) or (variation and not variation.is_available(time_machine_now_dt)):
-        raise CartPositionError(error_messages['unavailable'])
-
-    # Invalid media policy for online sale
-    if item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
-        mt = MEDIA_TYPES[item.media_type]
-        if not mt.medium_created_by_server:
-            raise CartPositionError(error_messages['media_usage_not_implemented'])
-    elif item.media_policy == Item.MEDIA_POLICY_REUSE:
-        raise CartPositionError(error_messages['media_usage_not_implemented'])
-
-    # Item removed from sales channel
-    if not item.all_sales_channels:
-        if sales_channel.identifier not in (s.identifier for s in item.limit_sales_channels.all()):
-            raise CartPositionError(error_messages['unavailable'])
-
-    # Variation removed from sales channel
-    if variation and not variation.all_sales_channels:
-        if sales_channel.identifier not in (s.identifier for s in variation.limit_sales_channels.all()):
-            raise CartPositionError(error_messages['unavailable'])
-
-    # Item disabled or unavailable by time in subevent
-    if subevent and item.pk in subevent.item_overrides and not subevent.item_overrides[item.pk].is_available(time_machine_now_dt):
-        raise CartPositionError(error_messages['not_for_sale'])
-
-    # Variation disabled or unavailable by time in subevent
-    if subevent and variation and variation.pk in subevent.var_overrides and \
-            not subevent.var_overrides[variation.pk].is_available(time_machine_now_dt):
-        raise CartPositionError(error_messages['not_for_sale'])
-
-    # Item requires a variation (should never happen)
-    if item.has_variations and not variation:
-        raise CartPositionError(error_messages['not_for_sale'])
-
-    # Variation belongs to wrong item (should never happen)
-    if variation and variation.item_id != item.pk:
-        raise CartPositionError(error_messages['not_for_sale'])
-
-    # Voucher does not apply to product
-    if voucher and not voucher.applies_to(item, variation):
-        raise CartPositionError(error_messages['voucher_invalid_item'])
-
-    # Voucher does not apply to seat
-    if voucher and voucher.seat and voucher.seat != seat:
-        raise CartPositionError(error_messages['voucher_invalid_seat'])
-
-    # Voucher does not apply to subevent
-    if voucher and voucher.subevent_id and voucher.subevent_id != subevent.pk:
-        raise CartPositionError(error_messages['voucher_invalid_subevent'])
-
-    # Voucher expired
-    if voucher and voucher.valid_until and voucher.valid_until < time_machine_now_dt:
-        raise CartPositionError(error_messages['voucher_expired'])
-
-    # Subevent has been disabled
-    if subevent and not subevent.active:
-        raise CartPositionError(error_messages['inactive_subevent'])
-
-    # Subevent sale not started
-    if subevent and subevent.effective_presale_start and time_machine_now_dt < subevent.effective_presale_start:
-        raise CartPositionError(error_messages['not_started'])
-
-    # Subevent sale has ended
-    if subevent and subevent.presale_has_ended:
-        raise CartPositionError(error_messages['ended'])
-
-    # Payment for subevent no longer possible
-    if subevent:
-        tlv = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
-        if tlv:
-            term_last = make_aware(datetime.combine(
-                tlv.datetime(subevent).date(),
-                time(hour=23, minute=59, second=59)
-            ), event.timezone)
-            if term_last < time_machine_now_dt:
-                raise CartPositionError(error_messages['payment_ended'])
-
-    # Seat required but no seat given
-    if item_requires_seat and not seat:
-        raise CartPositionError(error_messages['seat_invalid'])
-
-    # Seat given but no seat required
-    if seat and not item_requires_seat:
-        raise CartPositionError(error_messages['seat_forbidden'])
-
-    # Item requires to be add-on but is top-level position
-    if item.category and item.category.is_addon and not is_addon:
-        raise CartPositionError(error_messages['addon_only'])
-
-    # Item requires bundling but is top-level position
-    if item.require_bundling and not is_bundled:
-        raise CartPositionError(error_messages['bundled_only'])
-
-    # Seat for wrong product
-    if seat and seat.product != item:
-        raise CartPositionError(error_messages['seat_invalid'])
-
-    # Seat blocked
-    if seat and seat.blocked and sales_channel.identifier not in event.settings.seating_allow_blocked_seats_for_channel:
-        raise CartPositionError(error_messages['seat_invalid'])
-
-    # Item requires voucher but no voucher given
-    if item.require_voucher and voucher is None and not is_bundled:
-        raise CartPositionError(error_messages['voucher_required'])
-
-    # Item or variation is hidden without voucher but no voucher is given
-    if (
-        (item.hide_without_voucher or (variation and variation.hide_without_voucher)) and
-        (voucher is None or not voucher.show_hidden_items) and
-        not is_bundled
-    ):
-        raise CartPositionError(error_messages['voucher_required'])
-
-
 class CartManager:
    AddOperation = namedtuple('AddOperation', ('count', 'item', 'variation', 'voucher', 'quotas',
                                               'addon_to', 'subevent', 'bundled', 'seat', 'listed_price',
@@ -433,7 +294,6 @@ class CartManager:
        self._widget_data = widget_data or {}
        self._sales_channel = sales_channel
        self.num_extended_positions = 0
-        self.price_change_for_extended = False

        if reservation_time:
            self._reservation_time = reservation_time
@@ -561,14 +421,14 @@ class CartManager:
            if cartsize > limit:
                raise CartError(error_messages['max_items'] % limit)

-    def _check_item_constraints(self, op):
+    def _check_item_constraints(self, op, current_ops=[]):
        if isinstance(op, (self.AddOperation, self.ExtendOperation)):
            if not (
                (isinstance(op, self.AddOperation) and op.addon_to == 'FAKE') or
                (isinstance(op, self.ExtendOperation) and op.position.is_bundled)
            ):
                if op.item.require_voucher and op.voucher is None:
-                    if getattr(op, 'voucher_ignored', False):  # todo??
+                    if getattr(op, 'voucher_ignored', False):
                        raise CartError(error_messages['voucher_redeemed'])
                    raise CartError(error_messages['voucher_required'])

@@ -580,39 +440,88 @@ class CartManager:
                        raise CartError(error_messages['voucher_redeemed'])
                    raise CartError(error_messages['voucher_required'])

-            if op.seat and op.count > 1:
+            if not op.item.is_available() or (op.variation and not op.variation.is_available()):
+                raise CartError(error_messages['unavailable'])
+
+            if op.item.media_policy in (Item.MEDIA_POLICY_NEW, Item.MEDIA_POLICY_REUSE_OR_NEW):
+                mt = MEDIA_TYPES[op.item.media_type]
+                if not mt.medium_created_by_server:
+                    raise CartError(error_messages['media_usage_not_implemented'])
+            elif op.item.media_policy == Item.MEDIA_POLICY_REUSE:
+                raise CartError(error_messages['media_usage_not_implemented'])
+
+            if not op.item.all_sales_channels:
+                if self._sales_channel.identifier not in (s.identifier for s in op.item.limit_sales_channels.all()):
+                    raise CartError(error_messages['unavailable'])
+
+            if op.variation and not op.variation.all_sales_channels:
+                if self._sales_channel.identifier not in (s.identifier for s in op.variation.limit_sales_channels.all()):
+                    raise CartError(error_messages['unavailable'])
+
+            if op.subevent and op.item.pk in op.subevent.item_overrides and not op.subevent.item_overrides[op.item.pk].is_available():
+                raise CartError(error_messages['not_for_sale'])
+
+            if op.subevent and op.variation and op.variation.pk in op.subevent.var_overrides and \
+                    not op.subevent.var_overrides[op.variation.pk].is_available():
+                raise CartError(error_messages['not_for_sale'])
+
+            if op.item.has_variations and not op.variation:
+                raise CartError(error_messages['not_for_sale'])
+
+            if op.variation and op.variation.item_id != op.item.pk:
+                raise CartError(error_messages['not_for_sale'])
+
+            if op.voucher and not op.voucher.applies_to(op.item, op.variation):
+                raise CartError(error_messages['voucher_invalid_item'])
+
+            if op.voucher and op.voucher.seat and op.voucher.seat != op.seat:
+                raise CartError(error_messages['voucher_invalid_seat'])
+
+            if op.voucher and op.voucher.subevent_id and op.voucher.subevent_id != op.subevent.pk:
+                raise CartError(error_messages['voucher_invalid_subevent'])
+
+            if op.subevent and not op.subevent.active:
+                raise CartError(error_messages['inactive_subevent'])
+
+            if op.subevent and op.subevent.presale_start and time_machine_now(self.real_now_dt) < op.subevent.presale_start:
+                raise CartError(error_messages['not_started'])
+
+            if op.subevent and op.subevent.presale_has_ended:
+                raise CartError(error_messages['ended'])
+
+            seated = self._is_seated(op.item, op.subevent)
+            if (
+                seated and (
+                    not op.seat or (
+                        op.seat.blocked and
+                        self._sales_channel.identifier not in self.event.settings.seating_allow_blocked_seats_for_channel
+                    )
+                )
+            ):
+                raise CartError(error_messages['seat_invalid'])
+            elif op.seat and not seated:
+                raise CartError(error_messages['seat_forbidden'])
+            elif op.seat and op.seat.product != op.item:
+                raise CartError(error_messages['seat_invalid'])
+            elif op.seat and op.count > 1:
                raise CartError('Invalid request: A seat can only be bought once.')

-            if isinstance(op, self.AddOperation):
-                is_addon = op.addon_to
-                is_bundled = op.addon_to == "FAKE"
-            else:
-                is_addon = op.position.addon_to
-                is_bundled = op.position.is_bundled
+            if op.subevent:
+                tlv = self.event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+                if tlv:
+                    term_last = make_aware(datetime.combine(
+                        tlv.datetime(op.subevent).date(),
+                        time(hour=23, minute=59, second=59)
+                    ), self.event.timezone)
+                    if term_last < time_machine_now(self.real_now_dt):
+                        raise CartError(error_messages['payment_ended'])

-            try:
-                _check_position_constraints(
-                    event=self.event,
-                    item=op.item,
-                    variation=op.variation,
-                    voucher=op.voucher,
-                    subevent=op.subevent,
-                    seat=op.seat,
-                    sales_channel=self._sales_channel,
-                    already_in_cart=isinstance(op, self.ExtendOperation),
-                    cart_is_expired=isinstance(op, self.ExtendOperation),
-                    real_now_dt=self.real_now_dt,
-                    item_requires_seat=self._is_seated(op.item, op.subevent),
-                    is_addon=is_addon,
-                    is_bundled=is_bundled,
-                )
-                # Quota, seat, and voucher availability is checked for in perform_operations
-                # Price changes are checked for in extend_expired_positions
-            except CartPositionError as e:
-                if e.args[0] == error_messages['voucher_required'] and getattr(op, 'voucher_ignored', False):
-                    # This is the case where someone clicks +1 on a voucher-only item with a fully redeemed voucher:
-                    raise CartPositionError(error_messages['voucher_redeemed'])
-                raise
+        if isinstance(op, self.AddOperation):
+            if op.item.category and op.item.category.is_addon and not (op.addon_to and op.addon_to != 'FAKE'):
+                raise CartError(error_messages['addon_only'])
+
+            if op.item.require_bundling and not op.addon_to == 'FAKE':
+                raise CartError(error_messages['bundled_only'])

    def _get_price(self, item: Item, variation: Optional[ItemVariation],
                   voucher: Optional[Voucher], custom_price: Optional[Decimal],
@@ -632,7 +541,7 @@ class CartManager:
            else:
                raise e

-    def _extend_expired_positions(self):
+    def extend_expired_positions(self):
        requires_seat = Exists(
            SeatCategoryMapping.objects.filter(
                Q(product=OuterRef('item'))
@@ -695,14 +604,10 @@ class CartManager:
                quotas=quotas, subevent=cp.subevent, seat=cp.seat, listed_price=listed_price,
                price_after_voucher=price_after_voucher,
            )
-            try:
-                self._check_item_constraints(op)
-            except CartPositionError as e:
-                self._operations.append(self.RemoveOperation(position=cp))
-                err = error_messages['positions_removed'] % str(e)
+            self._check_item_constraints(op)

            if cp.voucher:
-                self._voucher_use_diff[cp.voucher] += 1
+                self._voucher_use_diff[cp.voucher] += 2

            self._operations.append(op)
        return err
@@ -892,7 +797,7 @@ class CartManager:
                    custom_price_input_is_net=False,
                    voucher_ignored=False,
                )
-                self._check_item_constraints(bop)
+                self._check_item_constraints(bop, operations)
                bundled.append(bop)

            listed_price = get_listed_price(item, variation, subevent)
@@ -931,7 +836,7 @@ class CartManager:
                custom_price_input_is_net=self.event.settings.display_net_prices,
                voucher_ignored=voucher_ignored,
            )
-            self._check_item_constraints(op)
+            self._check_item_constraints(op, operations)
            operations.append(op)

        self._quota_diff.update(quota_diff)
@@ -1070,7 +975,7 @@ class CartManager:
                    custom_price_input_is_net=self.event.settings.display_net_prices,
                    voucher_ignored=False,
                )
-                self._check_item_constraints(op)
+                self._check_item_constraints(op, operations)
                operations.append(op)

        # Check constraints on the add-on combinations
@@ -1267,9 +1172,7 @@ class CartManager:
                op.position.delete()

            elif isinstance(op, (self.AddOperation, self.ExtendOperation)):
-                if isinstance(op, self.ExtendOperation) and (op.position.pk in deleted_positions or not op.position.pk):
-                    continue  # Already deleted in other operation
-                # Create a CartPosition for as many items as we can
+                # Create a CartPosition for as much items as we can
                requested_count = quota_available_count = voucher_available_count = op.count

                if op.seat:
@@ -1440,8 +1343,6 @@ class CartManager:
                        addons.delete()
                        op.position.delete()
                    elif available_count == 1:
-                        if op.price_after_voucher != op.position.price_after_voucher:
-                            self.price_change_for_extended = True
                        op.position.expires = self._expiry
                        op.position.max_extend = self._max_expiry_extend
                        op.position.listed_price = op.listed_price
@@ -1460,11 +1361,6 @@ class CartManager:
                        deleted_positions.add(op.position.pk)
                        addons.delete()
                        op.position.delete()
-                        if op.position.is_bundled:
-                            deleted_positions |= {a.pk for a in op.position.addon_to.addons.all()}
-                            deleted_positions.add(op.position.addon_to.pk)
-                            op.position.addon_to.addons.all().delete()
-                            op.position.addon_to.delete()
                    else:
                        raise AssertionError("ExtendOperation cannot affect more than one item")
            elif isinstance(op, self.VoucherOperation):
@@ -1528,7 +1424,7 @@ class CartManager:
            self._sales_channel.identifier,
            [
                (cp.item_id, cp.subevent_id, cp.subevent.date_from if cp.subevent_id else None, cp.line_price_gross,
-                 cp.addon_to, cp.is_bundled, cp.listed_price - cp.price_after_voucher)
+                 bool(cp.addon_to), cp.is_bundled, cp.listed_price - cp.price_after_voucher)
                for cp in positions
            ]
        )
@@ -1543,24 +1439,15 @@ class CartManager:

        return diff

-    def _remove_parents_if_bundles_are_removed(self):
-        removed_positions = {op.position.pk for op in self._operations if isinstance(op, self.RemoveOperation)}
-        for op in self._operations:
-            if isinstance(op, self.RemoveOperation):
-                if op.position.is_bundled and op.position.addon_to_id not in removed_positions:
-                    self._operations.append(self.RemoveOperation(position=op.position.addon_to))
-                    removed_positions.add(op.position.addon_to_id)
-
    def commit(self):
        self._check_presale_dates()
        self._check_max_cart_size()

        err = self._delete_out_of_timeframe()
-        err = self._extend_expired_positions() or err
+        err = self.extend_expired_positions() or err
        err = err or self._check_min_per_voucher()

        self._extend_expiry_of_valid_existing_positions()
-        self._remove_parents_if_bundles_are_removed()
        err = self._perform_operations() or err
        self.recompute_final_prices_and_taxes()

@@ -1816,12 +1703,7 @@ def extend_cart_reservation(self, event: Event, cart_id: str=None, locale='en',
            try:
                cm = CartManager(event=event, cart_id=cart_id, sales_channel=sales_channel)
                cm.commit()
-                return {
-                    "success": cm.num_extended_positions,
-                    "expiry": cm._expiry,
-                    "max_expiry_extend": cm._max_expiry_extend,
-                    "price_changed": cm.price_change_for_extended,
-                }
+                return {"success": cm.num_extended_positions, "expiry": cm._expiry, "max_expiry_extend": cm._max_expiry_extend}
            except LockTimeoutException:
                self.retry()
        except (MaxRetriesExceededError, LockTimeoutException):
@@ -121,7 +121,7 @@ class CrossSellingService:
            self.sales_channel,
            [
                (cp.item_id, cp.subevent_id, cp.subevent.date_from if cp.subevent_id else None, cp.line_price_gross,
-                 cp.addon_to, cp.is_bundled,
+                 bool(cp.addon_to), cp.is_bundled,
                 cp.listed_price - cp.price_after_voucher)
                for cp in self.cartpositions
            ],
@@ -47,6 +47,7 @@ from urllib.parse import urljoin, urlparse
 from zoneinfo import ZoneInfo

 import requests
+from bs4 import BeautifulSoup
 from celery import chain
 from celery.exceptions import MaxRetriesExceededError
 from django.conf import settings
@@ -221,7 +222,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                    'invoice_company': ''
                })
        renderer = ClassicMailRenderer(None, organizer)
-        body_plain = render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_PLAIN)
+        content_plain = body_plain = render_mail(template, context)
        subject = str(subject).format_map(TolerantDict(context))
        sender = (
            sender or
@@ -315,7 +316,6 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La

        with override(timezone):
            try:
-                content_plain = render_mail(template, context, placeholder_mode=None)
                if plain_text_only:
                    body_html = None
                elif 'context' in inspect.signature(renderer.render).parameters:
@@ -751,11 +751,11 @@ def mail_send(*args, **kwargs):
    mail_send_task.apply_async(args=args, kwargs=kwargs)


-def render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_PLAIN):
+def render_mail(template, context):
    if isinstance(template, LazyI18nString):
        body = str(template)
-        if context and placeholder_mode:
-            body = format_map(body, context, mode=placeholder_mode)
+        if context:
+            body = format_map(body, context, mode=SafeFormatter.MODE_IGNORE_RICH)
    else:
        tpl = get_template(template)
        body = tpl.render(context)
@@ -763,8 +763,6 @@ def render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_P


 def replace_images_with_cid_paths(body_html):
-    from bs4 import BeautifulSoup
-
    if body_html:
        email = BeautifulSoup(body_html, "lxml")
        cid_images = []
@@ -32,7 +32,6 @@ from pretix.base.services.mail import mail_send_task
 from pretix.base.services.tasks import ProfiledTask, TransactionAwareTask
 from pretix.base.signals import notification
 from pretix.celery_app import app
-from pretix.helpers.celery import get_task_priority
 from pretix.helpers.urls import build_absolute_uri


@@ -89,18 +88,12 @@ def notify(logentry_ids: list):
        for um, enabled in notify_specific.items():
            user, method = um
            if enabled:
-                send_notification.apply_async(
-                    args=(logentry.id, notification_type.action_type, user.pk, method),
-                    priority=get_task_priority("notifications", logentry.organizer_id),
-                )
+                send_notification.apply_async(args=(logentry.id, notification_type.action_type, user.pk, method))

        for um, enabled in notify_global.items():
            user, method = um
            if enabled and um not in notify_specific:
-                send_notification.apply_async(
-                    args=(logentry.id, notification_type.action_type, user.pk, method),
-                    priority=get_task_priority("notifications", logentry.organizer_id),
-                )
+                send_notification.apply_async(args=(logentry.id, notification_type.action_type, user.pk, method))

        notification.send(logentry.event, logentry_id=logentry.id, notification_type=notification_type.action_type)

@@ -81,7 +81,7 @@ from pretix.base.models.tax import TAXED_ZERO, TaxedPrice, TaxRule
 from pretix.base.payment import GiftCardPayment, PaymentException
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.secrets import assign_ticket_secret
-from pretix.base.services import cart, tickets
+from pretix.base.services import tickets
 from pretix.base.services.invoices import (
    generate_cancellation, generate_invoice, invoice_qualified,
    invoice_transmission_separately, order_invoice_transmission_separately,
@@ -130,9 +130,6 @@ class OrderError(Exception):


 error_messages = {
-    'positions_removed': gettext_lazy(
-        'Some products can no longer be purchased and have been removed from your cart for the following reason: %s'
-    ),
    'unavailable': gettext_lazy(
        'Some of the products you selected were no longer available. '
        'Please see below for details.'
@@ -185,6 +182,14 @@ error_messages = {
        'The voucher code used for one of the items in your cart is not valid for this item. We removed this item from your cart.'
    ),
    'voucher_required': gettext_lazy('You need a valid voucher code to order one of the products.'),
+    'some_subevent_not_started': gettext_lazy(
+        'The booking period for one of the events in your cart has not yet started. The '
+        'affected positions have been removed from your cart.'
+    ),
+    'some_subevent_ended': gettext_lazy(
+        'The booking period for one of the events in your cart has ended. The affected '
+        'positions have been removed from your cart.'
+    ),
    'seat_invalid': gettext_lazy('One of the seats in your order was invalid, we removed the position from your cart.'),
    'seat_unavailable': gettext_lazy('One of the seats in your order has been taken in the meantime, we removed the position from your cart.'),
    'country_blocked': gettext_lazy('One of the selected products is not available in the selected country.'),
@@ -739,37 +744,12 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
            deleted_positions.add(cp.pk)
            cp.delete()

-    sorted_positions = list(sorted(positions, key=lambda c: (-int(c.is_bundled), c.pk)))
+    sorted_positions = sorted(positions, key=lambda c: (-int(c.is_bundled), c.pk))

    for cp in sorted_positions:
        cp._cached_quotas = list(cp.quotas)

-    for cp in sorted_positions:
-        try:
-            cart._check_position_constraints(
-                event=event,
-                item=cp.item,
-                variation=cp.variation,
-                voucher=cp.voucher,
-                subevent=cp.subevent,
-                seat=cp.seat,
-                sales_channel=sales_channel,
-                already_in_cart=True,
-                cart_is_expired=cp.expires < now_dt,
-                real_now_dt=now_dt,
-                item_requires_seat=cp.requires_seat,
-                is_addon=bool(cp.addon_to_id),
-                is_bundled=bool(cp.addon_to_id) and cp.is_bundled,
-            )
-            # Quota, seat, and voucher availability is checked for below
-            # Prices are checked for below
-            # Memberships are checked in _create_order
-        except cart.CartPositionError as e:
-            err = error_messages['positions_removed'] % str(e)
-            delete(cp)
-
    # Create locks
-    sorted_positions = [cp for cp in sorted_positions if cp.pk and cp.pk not in deleted_positions]  # eliminate deleted
    if any(cp.expires < now() + timedelta(seconds=LOCK_TRUST_WINDOW) for cp in sorted_positions):
        # No need to perform any locking if the cart positions still guarantee everything long enough.
        full_lock_required = any(
@@ -794,12 +774,15 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti

    # Check availability
    for i, cp in enumerate(sorted_positions):
-        if cp.pk in deleted_positions or not cp.pk:
+        if cp.pk in deleted_positions:
            continue

+        if not cp.item.is_available() or (cp.variation and not cp.variation.is_available()):
+            err = err or error_messages['unavailable']
+            delete(cp)
+            continue
        quotas = cp._cached_quotas

-        # Product per order limits
        products_seen[cp.item] += 1
        if cp.item.max_per_order and products_seen[cp.item] > cp.item.max_per_order:
            err = error_messages['max_items_per_product'] % {
@@ -809,7 +792,6 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
            delete(cp)
            break

-        # Voucher availability
        if cp.voucher:
            v_usages[cp.voucher] += 1
            if cp.voucher not in v_avail:
@@ -824,14 +806,48 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
                delete(cp)
                continue

-        # Check duplicate seats in order
-        if cp.seat in seats_seen:
-            err = err or error_messages['seat_invalid']
+        if cp.subevent and cp.subevent.presale_start and time_machine_now_dt < cp.subevent.presale_start:
+            err = err or error_messages['some_subevent_not_started']
            delete(cp)
            break

+        if cp.subevent:
+            tlv = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
+            if tlv:
+                term_last = make_aware(datetime.combine(
+                    tlv.datetime(cp.subevent).date(),
+                    time(hour=23, minute=59, second=59)
+                ), event.timezone)
+                if term_last < time_machine_now_dt:
+                    err = err or error_messages['some_subevent_ended']
+                    delete(cp)
+                    break
+
+        if cp.subevent and cp.subevent.presale_has_ended:
+            err = err or error_messages['some_subevent_ended']
+            delete(cp)
+            break
+
+        if (cp.requires_seat and not cp.seat) or (cp.seat and not cp.requires_seat) or (cp.seat and cp.seat.product != cp.item) or cp.seat in seats_seen:
+            err = err or error_messages['seat_invalid']
+            delete(cp)
+            break
        if cp.seat:
            seats_seen.add(cp.seat)
+
+        if cp.item.require_voucher and cp.voucher is None and not cp.is_bundled:
+            delete(cp)
+            err = err or error_messages['voucher_required']
+            break
+
+        if (cp.item.hide_without_voucher or (cp.variation and cp.variation.hide_without_voucher)) and (
+                cp.voucher is None or not cp.voucher.show_hidden_items or not cp.voucher.applies_to(cp.item, cp.variation)
+        ) and not cp.is_bundled:
+            delete(cp)
+            err = error_messages['voucher_required']
+            break
+
+        if cp.seat:
            # Unlike quotas (which we blindly trust as long as the position is not expired), we check seats every
            # time, since we absolutely can not overbook a seat.
            if not cp.seat.is_available(ignore_cart=cp, ignore_voucher_id=cp.voucher_id, sales_channel=sales_channel.identifier):
@@ -839,13 +855,34 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
                delete(cp)
                continue

-        # Check useful quota configuration
+        if cp.expires >= now_dt and not cp.voucher:
+            # Other checks are not necessary
+            continue
+
        if len(quotas) == 0:
            err = err or error_messages['unavailable']
            delete(cp)
            continue

+        if cp.subevent and cp.item.pk in cp.subevent.item_overrides and not cp.subevent.item_overrides[cp.item.pk].is_available(time_machine_now_dt):
+            err = err or error_messages['unavailable']
+            delete(cp)
+            continue
+
+        if cp.subevent and cp.variation and cp.variation.pk in cp.subevent.var_overrides and \
+                not cp.subevent.var_overrides[cp.variation.pk].is_available(time_machine_now_dt):
+            err = err or error_messages['unavailable']
+            delete(cp)
+            continue
+
+        if cp.voucher:
+            if cp.voucher.valid_until and cp.voucher.valid_until < time_machine_now_dt:
+                err = err or error_messages['voucher_expired']
+                delete(cp)
+                continue
+
        quota_ok = True
+
        ignore_all_quotas = cp.expires >= now_dt or (
            cp.voucher and (
                cp.voucher.allow_ignore_quota or (cp.voucher.block_quota and cp.voucher.quota is None)
@@ -877,7 +914,7 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
            })

    # Check prices
-    sorted_positions = [cp for cp in sorted_positions if cp.pk and cp.pk not in deleted_positions]  # eliminate deleted
+    sorted_positions = [cp for cp in sorted_positions if cp.pk and cp.pk not in deleted_positions]
    old_total = sum(cp.price for cp in sorted_positions)
    for i, cp in enumerate(sorted_positions):
        if cp.listed_price is None:
@@ -908,13 +945,13 @@ def _check_positions(event: Event, now_dt: datetime, time_machine_now_dt: dateti
            delete(cp)
            continue

-    sorted_positions = [cp for cp in sorted_positions if cp.pk and cp.pk not in deleted_positions]  # eliminate deleted
+    sorted_positions = [cp for cp in sorted_positions if cp.pk and cp.pk not in deleted_positions]
    discount_results = apply_discounts(
        event,
        sales_channel.identifier,
        [
            (cp.item_id, cp.subevent_id, cp.subevent.date_from if cp.subevent_id else None, cp.line_price_gross,
-             cp.addon_to, cp.is_bundled, cp.listed_price - cp.price_after_voucher)
+             bool(cp.addon_to), cp.is_bundled, cp.listed_price - cp.price_after_voucher)
            for cp in sorted_positions
        ]
    )
@@ -1630,7 +1667,7 @@ class OrderChangeManager:
    MembershipOperation = namedtuple('MembershipOperation', ('position', 'membership'))
    CancelOperation = namedtuple('CancelOperation', ('position', 'price_diff'))
    AddOperation = namedtuple('AddOperation', ('item', 'variation', 'price', 'addon_to', 'subevent', 'seat', 'membership',
-                                               'valid_from', 'valid_until', 'is_bundled', 'result'))
+                                               'valid_from', 'valid_until', 'is_bundled'))
    SplitOperation = namedtuple('SplitOperation', ('position',))
    FeeValueOperation = namedtuple('FeeValueOperation', ('fee', 'value', 'price_diff'))
    AddFeeOperation = namedtuple('AddFeeOperation', ('fee', 'price_diff'))
@@ -1642,18 +1679,6 @@ class OrderChangeManager:
    AddBlockOperation = namedtuple('AddBlockOperation', ('position', 'block_name', 'ignore_from_quota_while_blocked'))
    RemoveBlockOperation = namedtuple('RemoveBlockOperation', ('position', 'block_name', 'ignore_from_quota_while_blocked'))

-    class AddPositionResult:
-        _position: Optional[OrderPosition]
-
-        def __init__(self):
-            self._position = None
-
-        @property
-        def position(self) -> OrderPosition:
-            if self._position is None:
-                raise RuntimeError("Order position has not been created yet. Call commit() first on OrderChangeManager.")
-            return self._position
-
    def __init__(self, order: Order, user=None, auth=None, notify=True, reissue_invoice=True, allow_blocked_seats=False):
        self.order = order
        self.user = user
@@ -1858,7 +1883,7 @@ class OrderChangeManager:

    def add_position(self, item: Item, variation: ItemVariation, price: Decimal, addon_to: OrderPosition = None,
                     subevent: SubEvent = None, seat: Seat = None, membership: Membership = None,
-                     valid_from: datetime = None, valid_until: datetime = None) -> 'OrderChangeManager.AddPositionResult':
+                     valid_from: datetime = None, valid_until: datetime = None):
        if isinstance(seat, str):
            if not seat:
                seat = None
@@ -1917,11 +1942,8 @@ class OrderChangeManager:
        self._quotadiff.update(new_quotas)
        if seat:
            self._seatdiff.update([seat])
-
-        result = self.AddPositionResult()
        self._operations.append(self.AddOperation(item, variation, price, addon_to, subevent, seat, membership,
-                                                  valid_from, valid_until, is_bundled, result))
-        return result
+                                                  valid_from, valid_until, is_bundled))

    def split(self, position: OrderPosition):
        if self.order.event.settings.invoice_include_free or position.price != Decimal('0.00'):
@@ -2540,7 +2562,6 @@ class OrderChangeManager:
                    'valid_from': op.valid_from.isoformat() if op.valid_from else None,
                    'valid_until': op.valid_until.isoformat() if op.valid_until else None,
                })
-                op.result._position = pos
            elif isinstance(op, self.SplitOperation):
                position = position_cache.setdefault(op.position.pk, op.position)
                split_positions.append(position)
@@ -26,7 +26,7 @@ from decimal import Decimal

 from django.dispatch import receiver
 from django.utils.formats import date_format
-from django.utils.html import escape, mark_safe
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _

@@ -123,10 +123,6 @@ class BaseRichTextPlaceholder(BaseTextPlaceholder):
    def identifier(self):
        return self._identifier

-    @property
-    def allowed_in_plain_content(self):
-        return False
-
    @property
    def required_context(self):
        return self._args
@@ -198,33 +194,6 @@ class SimpleButtonPlaceholder(BaseRichTextPlaceholder):
        return f'{text}: {url}'


-class MarkdownTextPlaceholder(BaseRichTextPlaceholder):
-    def __init__(self, identifier, args, func, sample, inline):
-        super().__init__(identifier, args)
-        self._func = func
-        self._sample = sample
-        self._snippet = inline
-
-    @property
-    def allowed_in_plain_content(self):
-        return self._snippet
-
-    def render_plain(self, **context):
-        return self._func(**{k: context[k] for k in self._args})
-
-    def render_html(self, **context):
-        return mark_safe(markdown_compile_email(self.render_plain(**context), snippet=self._snippet))
-
-    def render_sample_plain(self, event):
-        if callable(self._sample):
-            return self._sample(event)
-        else:
-            return self._sample
-
-    def render_sample_html(self, event):
-        return mark_safe(markdown_compile_email(self.render_sample_plain(event), snippet=self._snippet))
-
-
 class PlaceholderContext(SafeFormatter):
    """
    Holds the contextual arguments and corresponding list of available placeholders for formatting
@@ -605,7 +574,7 @@ def base_placeholders(sender, **kwargs):
            'invoice_company', ['invoice_address'], lambda invoice_address: invoice_address.company or '',
            _('Sample Corporation')
        ),
-        MarkdownTextPlaceholder(
+        SimpleFunctionalTextPlaceholder(
            'orders', ['event', 'orders'], lambda event, orders: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    order.full_code,
@@ -635,7 +604,6 @@ def base_placeholders(sender, **kwargs):
                    {'code': 'OPKSB', 'secret': '09pjdksflosk3njd', 'hash': 'stuvwxy2z'}
                ]
            ),
-            inline=False,
        ),
        SimpleFunctionalTextPlaceholder(
            'hours', ['event', 'waiting_list_entry'], lambda event, waiting_list_entry:
@@ -650,13 +618,12 @@ def base_placeholders(sender, **kwargs):
            'code', ['waiting_list_voucher'], lambda waiting_list_voucher: waiting_list_voucher.code,
            '68CYU2H6ZTP3WLK5'
        ),
-        MarkdownTextPlaceholder(
+        SimpleFunctionalTextPlaceholder(
            # join vouchers with two spaces at end of line so markdown-parser inserts a <br>
            'voucher_list', ['voucher_list'], lambda voucher_list: '  \n'.join(voucher_list),
-            '68CYU2H6ZTP3WLK5  \n7MB94KKPVEPSMVF2',
-            inline=False,
+            '    68CYU2H6ZTP3WLK5\n    7MB94KKPVEPSMVF2'
        ),
-        MarkdownTextPlaceholder(
+        SimpleFunctionalTextPlaceholder(
            # join vouchers with two spaces at end of line so markdown-parser inserts a <br>
            'voucher_url_list', ['event', 'voucher_list'],
            lambda event, voucher_list: '  \n'.join([
@@ -671,7 +638,6 @@ def base_placeholders(sender, **kwargs):
                ) + '?voucher=' + c
                for c in ['68CYU2H6ZTP3WLK5', '7MB94KKPVEPSMVF2']
            ]),
-            inline=False,
        ),
        SimpleFunctionalTextPlaceholder(
            'url', ['event', 'voucher_list'], lambda event, voucher_list: build_absolute_uri(event, 'presale:event.index', kwargs={
@@ -690,13 +656,13 @@ def base_placeholders(sender, **kwargs):
            'comment', ['comment'], lambda comment: comment,
            _('An individual text with a reason can be inserted here.'),
        ),
-        MarkdownTextPlaceholder(
+        SimpleFunctionalTextPlaceholder(
            'payment_info', ['order', 'payments'], _placeholder_payments,
-            _('The amount has been charged to your card.'), inline=False,
+            _('The amount has been charged to your card.'),
        ),
-        MarkdownTextPlaceholder(
+        SimpleFunctionalTextPlaceholder(
            'payment_info', ['payment_info'], lambda payment_info: payment_info,
-            _('Please transfer money to this bank account: 9999-9999-9999-9999'), inline=False,
+            _('Please transfer money to this bank account: 9999-9999-9999-9999'),
        ),
        SimpleFunctionalTextPlaceholder(
            'attendee_name', ['position'], lambda position: position.attendee_name,
@@ -753,13 +719,13 @@ def base_placeholders(sender, **kwargs):
        ))

    for k, v in sender.meta_data.items():
-        ph.append(MarkdownTextPlaceholder(
+        ph.append(SimpleFunctionalTextPlaceholder(
            'meta_%s' % k, ['event'], lambda event, k=k: event.meta_data[k],
-            v, inline=True,
+            v
        ))
-        ph.append(MarkdownTextPlaceholder(
+        ph.append(SimpleFunctionalTextPlaceholder(
            'meta_%s' % k, ['event_or_subevent'], lambda event_or_subevent, k=k: event_or_subevent.meta_data[k],
-            v, inline=True,
+            v
        ))

    return ph
@@ -787,7 +753,7 @@ def get_available_placeholders(event, base_parameters, rich=False):
        if not isinstance(val, (list, tuple)):
            val = [val]
        for v in val:
-            if isinstance(v, BaseRichTextPlaceholder) and not rich and not v.allowed_in_plain_content:
+            if isinstance(v, BaseRichTextPlaceholder) and not rich:
                continue
            if all(rp in base_parameters for rp in v.required_context):
                params[v.identifier] = v
@@ -801,11 +767,7 @@ def get_sample_context(event, context_parameters, rich=True):
        sample = v.render_sample(event)
        if isinstance(sample, PlainHtmlAlternativeString):
            context_dict[k] = PlainHtmlAlternativeString(
-                '<{el} class="placeholder" title="{title}">{plain}</{el}>'.format(
-                    el='span',
-                    title=lbl,
-                    plain=escape(sample.plain),
-                ),
+                sample.plain,
                '<{el} class="placeholder placeholder-html" title="{title}">{html}</{el}>'.format(
                    el='div' if sample.is_block else 'span',
                    title=lbl,
@@ -813,13 +775,13 @@ def get_sample_context(event, context_parameters, rich=True):
                )
            )
        elif str(sample).strip().startswith('* ') or str(sample).startswith('  '):
-            context_dict[k] = mark_safe('<div class="placeholder" title="{}">{}</div>'.format(
+            context_dict[k] = '<div class="placeholder" title="{}">{}</div>'.format(
                lbl,
                markdown_compile_email(str(sample))
-            ))
+            )
        else:
-            context_dict[k] = mark_safe('<span class="placeholder" title="{}">{}</span>'.format(
+            context_dict[k] = '<span class="placeholder" title="{}">{}</span>'.format(
                lbl,
                escape(sample)
-            ))
+            )
    return context_dict
@@ -174,9 +174,7 @@ def apply_discounts(event: Event, sales_channel: Union[str, SalesChannel],

    :param event: Event the cart belongs to
    :param sales_channel: Sales channel the cart was created with
-    :param positions: Tuple of the form ``(item_id, subevent_id, subevent_date_from, line_price_gross, addon_to_id, is_bundled, voucher_discount)``
-                      ``addon_to_id`` does not have to be the proper ID, any identifier is okay, even ``True``/``False`` are accepted, but
-                      a better result may be given if addons to the same main product have the same distinct value.
+    :param positions: Tuple of the form ``(item_id, subevent_id, subevent_date_from, line_price_gross, is_addon_to, is_bundled, voucher_discount)``
    :param collect_potential_discounts: If a `defaultdict(list)` is supplied, all discounts that could be applied to the cart
    based on the "consumed" items, but lack matching "benefitting" items will be collected therein.
    The dict will contain a mapping from index in the `positions` list of the item that could be consumed, to a list
@@ -198,9 +196,9 @@ def apply_discounts(event: Event, sales_channel: Union[str, SalesChannel],
    ).prefetch_related('condition_limit_products', 'benefit_limit_products').order_by('position', 'pk')
    for discount in discount_qs:
        result = discount.apply({
-            idx: PositionInfo(item_id, subevent_id, subevent_date_from, line_price_gross, addon_to, voucher_discount)
+            idx: PositionInfo(item_id, subevent_id, subevent_date_from, line_price_gross, is_addon_to, voucher_discount)
            for
-            idx, (item_id, subevent_id, subevent_date_from, line_price_gross, addon_to, is_bundled, voucher_discount)
+            idx, (item_id, subevent_id, subevent_date_from, line_price_gross, is_addon_to, is_bundled, voucher_discount)
            in enumerate(positions)
            if not is_bundled and idx not in new_prices
        }, collect_potential_discounts)
@@ -27,6 +27,7 @@ from decimal import Decimal
 from xml.etree import ElementTree

 import requests
+import vat_moss.id
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from zeep import Client, Transport
@@ -41,142 +42,14 @@ logger = logging.getLogger(__name__)
 error_messages = {
    'unavailable': _(
        'Your VAT ID could not be checked, as the VAT checking service of '
-        'your country is currently not available. We will therefore need to '
-        'charge you the same tax rate as if you did not enter a VAT ID.'
+        'your country is currently not available. We will therefore '
+        'need to charge VAT on your invoice. You can get the tax amount '
+        'back via the VAT reimbursement process.'
    ),
    'invalid': _('This VAT ID is not valid. Please re-check your input.'),
    'country_mismatch': _('Your VAT ID does not match the selected country.'),
 }

-VAT_ID_PATTERNS = {
-    # Patterns generated by consulting the following URLs:
-    #
-    #  - http://en.wikipedia.org/wiki/VAT_identification_number
-    #  - http://ec.europa.eu/taxation_customs/vies/faq.html
-    #  - https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/Documents/COSME/VAT%20numbers%20EU.pdf
-    #  - http://www.skatteetaten.no/en/International-pages/Felles-innhold-benyttes-i-flere-malgrupper/Brochure/Guide-to-value-added-tax-in-Norway/?chapter=7159
-    'AT': {  # Austria
-        'regex': '^U\\d{8}$',
-        'country_code': 'AT'
-    },
-    'BE': {  # Belgium
-        'regex': '^(1|0?)\\d{9}$',
-        'country_code': 'BE'
-    },
-    'BG': {  # Bulgaria
-        'regex': '^\\d{9,10}$',
-        'country_code': 'BG'
-    },
-    'CH': {  # Switzerland
-        'regex': '^\\dE{9}$',
-        'country_code': 'CH'
-    },
-    'CY': {  # Cyprus
-        'regex': '^\\d{8}[A-Z]$',
-        'country_code': 'CY'
-    },
-    'CZ': {  # Czech Republic
-        'regex': '^\\d{8,10}$',
-        'country_code': 'CZ'
-    },
-    'DE': {  # Germany
-        'regex': '^\\d{9}$',
-        'country_code': 'DE'
-    },
-    'DK': {  # Denmark
-        'regex': '^\\d{8}$',
-        'country_code': 'DK'
-    },
-    'EE': {  # Estonia
-        'regex': '^\\d{9}$',
-        'country_code': 'EE'
-    },
-    'EL': {  # Greece
-        'regex': '^\\d{9}$',
-        'country_code': 'GR'
-    },
-    'ES': {  # Spain
-        'regex': '^[A-Z0-9]\\d{7}[A-Z0-9]$',
-        'country_code': 'ES'
-    },
-    'FI': {  # Finland
-        'regex': '^\\d{8}$',
-        'country_code': 'FI'
-    },
-    'FR': {  # France
-        'regex': '^[A-Z0-9]{2}\\d{9}$',
-        'country_code': 'FR'
-    },
-    'GB': {  # United Kingdom
-        'regex': '^(GD\\d{3}|HA\\d{3}|\\d{9}|\\d{12})$',
-        'country_code': 'GB'
-    },
-    'HR': {  # Croatia
-        'regex': '^\\d{11}$',
-        'country_code': 'HR'
-    },
-    'HU': {  # Hungary
-        'regex': '^\\d{8}$',
-        'country_code': 'HU'
-    },
-    'IE': {  # Ireland
-        'regex': '^(\\d{7}[A-Z]{1,2}|\\d[A-Z+*]\\d{5}[A-Z])$',
-        'country_code': 'IE'
-    },
-    'IT': {  # Italy
-        'regex': '^\\d{11}$',
-        'country_code': 'IT'
-    },
-    'LT': {  # Lithuania
-        'regex': '^(\\d{9}|\\d{12})$',
-        'country_code': 'LT'
-    },
-    'LU': {  # Luxembourg
-        'regex': '^\\d{8}$',
-        'country_code': 'LU'
-    },
-    'LV': {  # Latvia
-        'regex': '^\\d{11}$',
-        'country_code': 'LV'
-    },
-    'MT': {  # Malta
-        'regex': '^\\d{8}$',
-        'country_code': 'MT'
-    },
-    'NL': {  # Netherlands
-        'regex': '^\\d{9}B\\d{2}$',
-        'country_code': 'NL'
-    },
-    'NO': {  # Norway
-        'regex': '^\\d{9}MVA$',
-        'country_code': 'NO'
-    },
-    'PL': {  # Poland
-        'regex': '^\\d{10}$',
-        'country_code': 'PL'
-    },
-    'PT': {  # Portugal
-        'regex': '^\\d{9}$',
-        'country_code': 'PT'
-    },
-    'RO': {  # Romania
-        'regex': '^\\d{2,10}$',
-        'country_code': 'RO'
-    },
-    'SE': {  # Sweden
-        'regex': '^\\d{12}$',
-        'country_code': 'SE'
-    },
-    'SI': {  # Slovenia
-        'regex': '^\\d{8}$',
-        'country_code': 'SI'
-    },
-    'SK': {  # Slovakia
-        'regex': '^\\d{10}$',
-        'country_code': 'SK'
-    },
-}
-

 class VATIDError(Exception):
    def __init__(self, message):
@@ -191,57 +64,13 @@ class VATIDTemporaryError(VATIDError):
    pass


-def normalize_vat_id(vat_id, country_code):
-    """
-    Accepts a VAT ID and normaizes it, getting rid of spaces, periods, dashes
-    etc and converting it to upper case.
-
-    Original function from https://github.com/wbond/vat_moss-python
-    Copyright (c) 2015 Will Bond <will@wbond.net>
-    MIT License
-    """
-    if not vat_id:
-        return None
-
-    if not isinstance(vat_id, str):
-        raise TypeError('VAT ID is not a string')
-
-    if len(vat_id) < 3:
-        raise ValueError('VAT ID must be at least three character long')
-
-    # Normalize the ID for simpler regexes
-    vat_id = re.sub('\\s+', '', vat_id)
-    vat_id = vat_id.replace('-', '')
-    vat_id = vat_id.replace('.', '')
-    vat_id = vat_id.upper()
-
-    # Clean the different shapes a number can take in Switzerland depending on purpse
-    if country_code == "CH":
-        vat_id = re.sub('[^A-Z0-9]', '', vat_id.replace('HR', '').replace('MWST', ''))
-
-    # Fix people using GR prefix for Greece
-    if vat_id[0:2] == "GR" and country_code == "GR":
-        vat_id = "EL" + vat_id[2:]
-
-    # Check if we already have a valid country prefix. If not, we try to figure out if we can
-    # add one, since in some countries (e.g. Italy) it's very custom to enter it without the prefix
-    if vat_id[:2] in VAT_ID_PATTERNS and re.match(VAT_ID_PATTERNS[vat_id[0:2]]['regex'], vat_id[2:]):
-        # Prefix set and prefix matches pattern, nothing to do
-        pass
-    elif re.match(VAT_ID_PATTERNS[cc_to_vat_prefix(country_code)]['regex'], vat_id):
-        # Prefix not set but adding it fixes pattern
-        vat_id = cc_to_vat_prefix(country_code) + vat_id
-    else:
-        # We have no idea what this is
-        pass
-
-    return vat_id
-
-
 def _validate_vat_id_NO(vat_id, country_code):
    # Inspired by vat_moss library
+    if not vat_id.startswith("NO"):
+        # prefix is not usually used in Norway, but expected by vat_moss library
+        vat_id = "NO" + vat_id
    try:
-        vat_id = normalize_vat_id(vat_id, country_code)
+        vat_id = vat_moss.id.normalize(vat_id)
    except ValueError:
        raise VATIDFinalError(error_messages['invalid'])

@@ -275,7 +104,7 @@ def _validate_vat_id_NO(vat_id, country_code):
 def _validate_vat_id_EU(vat_id, country_code):
    # Inspired by vat_moss library
    try:
-        vat_id = normalize_vat_id(vat_id, country_code)
+        vat_id = vat_moss.id.normalize(vat_id)
    except ValueError:
        raise VATIDFinalError(error_messages['invalid'])

@@ -283,10 +112,11 @@ def _validate_vat_id_EU(vat_id, country_code):
        raise VATIDFinalError(error_messages['invalid'])

    number = vat_id[2:]
+
    if vat_id[:2] != cc_to_vat_prefix(country_code):
        raise VATIDFinalError(error_messages['country_mismatch'])

-    if not re.match(VAT_ID_PATTERNS[cc_to_vat_prefix(country_code)]['regex'], number):
+    if not re.match(vat_moss.id.ID_PATTERNS[cc_to_vat_prefix(country_code)]['regex'], number):
        raise VATIDFinalError(error_messages['invalid'])

    # We are relying on the country code of the normalized VAT-ID and not the user/InvoiceAddress-provided
@@ -345,12 +175,9 @@ def _validate_vat_id_EU(vat_id, country_code):

 def _validate_vat_id_CH(vat_id, country_code):
    if vat_id[:3] != 'CHE':
-        raise VATIDFinalError(error_messages['country_mismatch'])
+        raise VATIDFinalError(_('Your VAT ID does not match the selected country.'))

-    try:
-        vat_id = normalize_vat_id(vat_id, country_code)
-    except ValueError:
-        raise VATIDFinalError(error_messages['invalid'])
+    vat_id = re.sub('[^A-Z0-9]', '', vat_id.replace('HR', '').replace('MWST', ''))
    try:
        transport = Transport(
            cache=SqliteCache(os.path.join(settings.CACHE_DIR, "validate_vat_id_ch_zeep_cache.db")),
@@ -113,11 +113,6 @@ def assign_automatically(event: Event, user_id: int=None, subevent_id: int=None)

        lock_objects(quotas, shared_lock_objects=[event])
        for wle in qs:
-            # add this event to wle.item as it is not yet cached and is needed in check_quotas
-            wle.item.event = event
-            if wle.variation:
-                wle.variation.item = wle.item
-
            if (wle.item_id, wle.variation_id, wle.subevent_id) in gone:
                continue
            ev = (wle.subevent or event)
@@ -180,19 +180,6 @@ DEFAULTS = {
            widget=forms.CheckboxInput(attrs={'data-display-dependency': '#id_settings-customer_accounts'}),
        )
    },
-    'customer_accounts_require_login_for_order_access': {
-        'default': 'False',
-        'type': bool,
-        'form_class': forms.BooleanField,
-        'serializer_class': serializers.BooleanField,
-        'form_kwargs': dict(
-            label=_("Require login to access order confirmation pages"),
-            help_text=_("If enabled, users who were logged in at the time of purchase must also log in to access their order information. "
-                        "If a customer account is created while placing an order, the restriction only becomes active after the customer "
-                        "account is activated."),
-            widget=forms.CheckboxInput(attrs={'data-display-dependency': '#id_settings-customer_accounts'}),
-        )
-    },
    'customer_accounts_link_by_email': {
        'default': 'False',
        'type': bool,
@@ -642,40 +629,13 @@ DEFAULTS = {
        'form_kwargs': dict(
            label=_("Ask for VAT ID"),
            help_text=format_lazy(
-                _("Only works if an invoice address is asked for. VAT ID is only requested from business customers "
-                  "in the following countries: {countries}."),
+                _("Only works if an invoice address is asked for. VAT ID is never required and only requested from "
+                  "business customers in the following countries: {countries}"),
                countries=lazy(lambda *args: ', '.join(sorted(gettext(Country(cc).name) for cc in VAT_ID_COUNTRIES)), str)()
            ),
            widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
        )
    },
-    'invoice_address_vatid_required_countries': {
-        'default': ['IT', 'GR'],
-        'type': list,
-        'form_class': forms.MultipleChoiceField,
-        'serializer_class': serializers.MultipleChoiceField,
-        'serializer_kwargs': dict(
-            choices=lazy(
-                lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
-                list
-            )(),
-        ),
-        'form_kwargs': dict(
-            label=_("Require VAT ID in"),
-            choices=lazy(
-                lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
-                list
-            )(),
-            help_text=format_lazy(
-                _("VAT ID is optional by default, because not all businesses are assigned a VAT ID in all countries. "
-                  "VAT ID will be required for all business addresses in the selected countries."),
-            ),
-            widget=forms.CheckboxSelectMultiple(attrs={
-                "class": "scrolling-multiple-choice",
-                'data-display-dependency': '#id_invoice_address_vatid'
-            }),
-        )
-    },
    'invoice_address_explanation_text': {
        'default': '',
        'type': LazyI18nString,
@@ -1,65 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020  Raphael Michel and contributors
-# Copyright (C) 2020-today pretix GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-from datetime import datetime
-
-from django import template
-from django.utils.html import format_html
-from django.utils.timezone import get_current_timezone
-
-from pretix.base.i18n import LazyExpiresDate
-from pretix.helpers.templatetags.date_fast import date_fast
-
-register = template.Library()
-
-
-@register.simple_tag
-def html_time(value: datetime, dt_format: str = "SHORT_DATE_FORMAT", **kwargs):
-    """
-    Building a <time datetime='{html-datetime}'>{human-readable datetime}</time> html string,
-    where the html-datetime as well as the human-readable datetime can be set
-    to a value from django's FORMAT_SETTINGS or "format_expires".
-
-    If attr_fmt isn’t provided, it will be set to isoformat.
-
-    Usage example:
-    {% html_time event_start "SHORT_DATETIME_FORMAT" %}
-    or
-    {% html_time event_start "TIME_FORMAT" attr_fmt="H:i" %}
-    """
-    if value in (None, ''):
-        return ''
-    value = value.astimezone(get_current_timezone())
-    attr_fmt = kwargs["attr_fmt"] if kwargs else None
-
-    try:
-        if not attr_fmt:
-            date_html = value.isoformat()
-        else:
-            date_html = date_fast(value, attr_fmt)
-
-        if dt_format == "format_expires":
-            date_human = LazyExpiresDate(value)
-        else:
-            date_human = date_fast(value, dt_format)
-        return format_html("<time datetime='{}'>{}</time>", date_html, date_human)
-    except AttributeError:
-        return ''
@@ -26,8 +26,7 @@ from babel.numbers import format_currency
 from django import template
 from django.conf import settings
 from django.template.defaultfilters import floatformat
-
-from pretix.base.i18n import get_babel_locale
+from django.utils import translation

 register = template.Library()

@@ -60,10 +59,13 @@ def money_filter(value: Decimal, arg='', hide_currency=False):
    if hide_currency:
        return floatformat(value, f"{places}g")

-    try:
-        locale = Locale(get_babel_locale())
-    except UnknownLocaleError:
-        locale = "en"
+    locale_parts = translation.get_language().split("-", 1)
+    locale = locale_parts[0]
+    if len(locale_parts) > 1 and len(locale_parts[1]) == 2:
+        try:
+            locale = Locale(locale_parts[0], locale_parts[1].upper())
+        except UnknownLocaleError:
+            pass

    try:
        return format_currency(value, arg, locale=locale)
@@ -32,20 +32,18 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

-import html
 import re
 import urllib.parse

 import bleach
 import markdown
-from bleach import DEFAULT_CALLBACKS, html5lib_shim
-from bleach.linkifier import build_email_re
+from bleach import DEFAULT_CALLBACKS
+from bleach.linkifier import build_email_re, build_url_re
 from django import template
 from django.conf import settings
 from django.core import signing
 from django.urls import reverse
 from django.utils.functional import SimpleLazyObject
-from django.utils.html import escape
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.safestring import mark_safe
 from markdown import Extension
@@ -54,8 +52,6 @@ from markdown.postprocessors import Postprocessor
 from markdown.treeprocessors import UnescapeTreeprocessor
 from tlds import tld_set

-from pretix.helpers.format import SafeFormatter, format_map
-
 register = template.Library()


@@ -125,23 +121,6 @@ ALLOWED_ATTRIBUTES = {

 ALLOWED_PROTOCOLS = {'http', 'https', 'mailto', 'tel'}

-
-def build_url_re(tlds=tld_set, protocols=html5lib_shim.allowed_protocols):
-    # Differs from bleach regex by allowing { and } in URL to allow placeholders in URL parameters
-    return re.compile(
-        r"""\(*  # Match any opening parentheses.
-        \b(?<![@.])(?:(?:{0}):/{{0,3}}(?:(?:\w+:)?\w+@)?)?  # http://
-        ([\w-]+\.)+(?:{1})(?:\:[0-9]+)?(?!\.\w)\b   # xx.yy.tld(:##)?
-        (?:[/?][^\s\|\\\^`<>"]*)?
-            # /path/zz (excluding "unsafe" chars from RFC 3986,
-            # except for # and ~, which happen in practice)
-        """.format(
-            "|".join(sorted(protocols)), "|".join(sorted(tlds))
-        ),
-        re.IGNORECASE | re.VERBOSE | re.UNICODE,
-    )
-
-
 URL_RE = SimpleLazyObject(lambda: build_url_re(tlds=sorted(tld_set, key=len, reverse=True)))

 EMAIL_RE = SimpleLazyObject(lambda: build_email_re(tlds=sorted(tld_set, key=len, reverse=True)))
@@ -342,50 +321,27 @@ class LinkifyAndCleanExtension(Extension):
        )


-def markdown_compile_email(source, allowed_tags=None, allowed_attributes=ALLOWED_ATTRIBUTES, snippet=False, context=None):
-    if allowed_tags is None:
-        allowed_tags = ALLOWED_TAGS_SNIPPET if snippet else ALLOWED_TAGS
-
-    context_callbacks = []
-    if context:
-        # This is a workaround to fix placeholders in URL targets
-        def context_callback(attrs, new=False):
-            if (None, "href") in attrs and "{" in attrs[None, "href"]:
-                # Do not use MODE_RICH_TO_HTML to avoid recursive linkification.
-                # We want to esacpe the end result, however, we need to unescape the input to prevent & being turned
-                # to &amp;amp; because the input is already escaped by the markdown parser.
-                attrs[None, "href"] = escape(format_map(
-                    html.unescape(attrs[None, "href"]),
-                    context=context,
-                    mode=SafeFormatter.MODE_RICH_TO_PLAIN
-                ))
-            return attrs
-
-        context_callbacks.append(context_callback)
-
+def markdown_compile_email(source, allowed_tags=ALLOWED_TAGS, allowed_attributes=ALLOWED_ATTRIBUTES):
    linker = bleach.Linker(
        url_re=URL_RE,
        email_re=EMAIL_RE,
-        callbacks=context_callbacks + DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
+        callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
        parse_email=True
    )
-    exts = [
-        'markdown.extensions.sane_lists',
-        'markdown.extensions.tables',
-        EmailNl2BrExtension(),
-        LinkifyAndCleanExtension(
-            linker,
-            tags=set(allowed_tags),
-            attributes=allowed_attributes,
-            protocols=ALLOWED_PROTOCOLS,
-            strip=snippet,
-        )
-    ]
-    if snippet:
-        exts.append(SnippetExtension())
    return markdown.markdown(
        source,
-        extensions=exts
+        extensions=[
+            'markdown.extensions.sane_lists',
+            'markdown.extensions.tables',
+            EmailNl2BrExtension(),
+            LinkifyAndCleanExtension(
+                linker,
+                tags=set(allowed_tags),
+                attributes=allowed_attributes,
+                protocols=ALLOWED_PROTOCOLS,
+                strip=False,
+            )
+        ]
    )


@@ -93,9 +93,7 @@ def timeline_for_event(event, subevent=None):
        description=format_lazy(
            '{} ({})',
            pgettext_lazy('timeline', 'End of ticket sales'),
-            pgettext_lazy('timeline', 'automatically because the event is over and no end of presale has been configured')
-        ) if not ev.presale_end else (
-            pgettext_lazy('timeline', 'End of ticket sales')
+            pgettext_lazy('timeline', 'automatically because the event is over and no end of presale has been configured') if not ev.presale_end else ""
        ),
        edit_url=ev_edit_url + '#id_presale_end_0'
    ))
@@ -36,8 +36,9 @@ class DownloadView(TemplateView):
    def object(self) -> CachedFile:
        try:
            o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
-            if not o.allowed_for_session(self.request):
-                raise Http404()
+            if o.session_key:
+                if o.session_key != self.request.session.session_key:
+                    raise Http404()
            return o
        except (ValueError, ValidationError):   # Invalid URLs
            raise Http404()
@@ -22,7 +22,7 @@
 import pycountry
 from django.http import JsonResponse
 from django.shortcuts import get_object_or_404
-from django.utils.translation import gettext, pgettext, pgettext_lazy
+from django.utils.translation import pgettext
 from django_countries.fields import Country
 from django_scopes import scope

@@ -36,28 +36,6 @@ from pretix.base.settings import (
    COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
 )

-VAT_ID_LABELS = {
-    # VAT ID is a EU concept and Switzerland has a distinct, but differently-named concept
-    # Translators: Only translate to French (IDE) and Italien (IDI), otherwise keep the same
-    "CH": pgettext_lazy("tax_id_swiss", "UID"),
-
-    # Awareness around VAT IDs differes by EU country. For example, in Germany the VAT ID is assigned
-    # separately to each company and only used in cross-country transactions. Therefore, it makes sense
-    # to call it just "VAT ID" on the form, and people will either know their VAT ID or they don't.
-    # In contrast, in Italy the EU-compatible VAT ID is not separately assigned, but is just "IT" + the national tax
-    # number (Partita IVA) and also used on domestic transactions. So someone who never purchased something international
-    # for their company, might still know the value, if we call it the right way and not just "VAT ID".
-
-    # Translators: Translate to only "P.IVA" in Italian, keep second part as-is in other languages
-    "IT": pgettext_lazy("tax_id_italy", "VAT ID / P.IVA"),
-    # Translators: Translate to only "ΑΦΜ" in Greek
-    "GR": pgettext_lazy("tax_id_greece", "VAT ID / TIN"),
-    # Translators: Translate to only "NIF" in Spanish
-    "ES": pgettext_lazy("tax_id_spain", "VAT ID / NIF"),
-    # Translators: Translate to only "NIF" in Portuguese
-    "PT": pgettext_lazy("tax_id_portugal", "VAT ID / NIF"),
-}
-

 def _info(cc):
    info = {
@@ -69,12 +47,7 @@ def _info(cc):
            'required': 'if_any' if cc in COUNTRIES_WITH_STATE_IN_ADDRESS else False,
            'label': COUNTRY_STATE_LABEL.get(cc, pgettext('address', 'State')),
        },
-        'vat_id': {
-            'visible': cc in VAT_ID_COUNTRIES,
-            'required': False,
-            'label': VAT_ID_LABELS.get(cc, gettext("VAT ID")),
-            'helptext_visible': True,
-        },
+        'vat_id': {'visible': cc in VAT_ID_COUNTRIES, 'required': False},
    }
    if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
        return {'data': [], **info}
@@ -151,10 +124,4 @@ def address_form(request):
                        "required": transmission_type.identifier == selected_transmission_type and k in required
                    }

-            if is_business and country in event.settings.invoice_address_vatid_required_countries and info["vat_id"]["visible"]:
-                info["vat_id"]["required"] = True
-            if info["vat_id"]["required"]:
-                # The help text explains that it is optional, so we want to hide that if it is required
-                info["vat_id"]["helptext_visible"] = False
-
    return JsonResponse(info)
@@ -45,7 +45,7 @@ from django.core.exceptions import NON_FIELD_ERRORS, ValidationError
 from django.db.models import Prefetch, Q, prefetch_related_objects
 from django.forms import formset_factory, inlineformset_factory
 from django.urls import reverse
-from django.utils.functional import cached_property, lazy
+from django.utils.functional import cached_property
 from django.utils.html import escape, format_html
 from django.utils.safestring import mark_safe
 from django.utils.timezone import get_current_timezone_name
@@ -53,7 +53,7 @@ from django.utils.translation import gettext, gettext_lazy as _, pgettext_lazy
 from django_countries.fields import LazyTypedChoiceField
 from django_scopes.forms import SafeModelMultipleChoiceField
 from i18nfield.forms import (
-    I18nForm, I18nFormField, I18nFormSetMixin, I18nTextarea, I18nTextInput,
+    I18nForm, I18nFormField, I18nFormSetMixin, I18nTextInput,
 )
 from pytz import common_timezones

@@ -207,7 +207,6 @@ class EventWizardBasicsForm(I18nModelForm):
            'Sample Conference Center\nHeidelberg, Germany'
        )
        self.fields['slug'].widget.prefix = build_absolute_uri(self.organizer, 'presale:organizer.index')
-        self.fields['tax_rate']._required = True  # Do not render as optional because it is conditionally required
        if self.has_subevents:
            del self.fields['presale_start']
            del self.fields['presale_end']
@@ -928,7 +927,6 @@ class InvoiceSettingsForm(EventSettingsValidationMixin, SettingsForm):
        'invoice_address_asked',
        'invoice_address_required',
        'invoice_address_vatid',
-        'invoice_address_vatid_required_countries',
        'invoice_address_company_required',
        'invoice_address_beneficiary',
        'invoice_address_custom_field',
@@ -1311,17 +1309,9 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
    mail_text_order_invoice = I18nFormField(
        label=_("Text"),
        required=False,
-        widget=I18nTextarea,  # no Markdown supported
-        help_text=lazy(
-            lambda: str(_(
-                "This will only be used if the invoice is sent to a different email address or at a different time "
-                "than the order confirmation."
-            )) + " " + str(_(
-                "Formatting is not supported, as some accounting departments process mail automatically and do not "
-                "handle formatted emails properly."
-            )),
-            str
-        )()
+        widget=I18nMarkdownTextarea,
+        help_text=_("This will only be used if the invoice is sent to a different email address or at a different time "
+                    "than the order confirmation."),
    )
    mail_subject_download_reminder = I18nFormField(
        label=_("Subject sent to order contact address"),
@@ -1489,9 +1479,6 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
        'mail_subject_resend_all_links': ['event', 'orders'],
        'mail_attach_ical_description': ['event', 'event_or_subevent'],
    }
-    plain_rendering = {
-        'mail_text_order_invoice',
-    }

    def __init__(self, *args, **kwargs):
        self.event = event = kwargs.get('obj')
@@ -1510,7 +1497,7 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
        self.event.meta_values_cached = self.event.meta_values.select_related('property').all()

        for k, v in self.base_context.items():
-            self._set_field_placeholders(k, v, rich=k.startswith('mail_text_') and k not in self.plain_rendering)
+            self._set_field_placeholders(k, v, rich=k.startswith('mail_text_'))

        for k, v in list(self.fields.items()):
            if k.endswith('_attendee') and not event.settings.attendee_emails_asked:
@@ -1970,13 +1957,6 @@ class EventFooterLinkForm(I18nModelForm):
    class Meta:
        model = EventFooterLink
        fields = ('label', 'url')
-        widgets = {
-            "url": forms.URLInput(
-                attrs={
-                    "placeholder": "https://..."
-                }
-            )
-        }


 class BaseEventFooterLinkFormSet(I18nFormSetMixin, forms.BaseInlineFormSet):
@@ -61,10 +61,6 @@ from pretix.base.models import (
    SubEvent, SubEventMetaValue, Team, TeamAPIToken, TeamInvite, Voucher,
 )
 from pretix.base.signals import register_payment_providers
-from pretix.base.timeframes import (
-    DateFrameField,
-    resolve_timeframe_to_datetime_start_inclusive_end_exclusive,
-)
 from pretix.control.forms import SplitDateTimeField
 from pretix.control.forms.widgets import Select2, Select2ItemVarQuota
 from pretix.control.signals import order_search_filter_q
@@ -1223,129 +1219,6 @@ class OrderPaymentSearchFilterForm(forms.Form):
        return qs


-class QuestionAnswerFilterForm(forms.Form):
-    STATUS_VARIANTS = [
-        ("", _("All orders")),
-        (Order.STATUS_PAID, _("Paid")),
-        (Order.STATUS_PAID + 'v', _("Paid or confirmed")),
-        (Order.STATUS_PENDING, _("Pending")),
-        (Order.STATUS_PENDING + Order.STATUS_PAID, _("Pending or paid")),
-        ("o", _("Pending (overdue)")),
-        (Order.STATUS_EXPIRED, _("Expired")),
-        (Order.STATUS_PENDING + Order.STATUS_EXPIRED, _("Pending or expired")),
-        (Order.STATUS_CANCELED, _("Canceled"))
-    ]
-
-    status = forms.ChoiceField(
-        choices=STATUS_VARIANTS,
-        required=False,
-        label=_("Order status"),
-    )
-    item = forms.ChoiceField(
-        choices=[],
-        required=False,
-        label=_("Products"),
-    )
-    subevent = forms.ModelChoiceField(
-        queryset=SubEvent.objects.none(),
-        required=False,
-        empty_label=pgettext_lazy('subevent', 'All dates'),
-        label=pgettext_lazy("subevent", "Date"),
-    )
-    date_range = DateFrameField(
-        required=False,
-        include_future_frames=True,
-        label=_('Event date'),
-    )
-
-    def __init__(self, *args, **kwargs):
-        self.event = kwargs.pop('event')
-        super().__init__(*args, **kwargs)
-        self.initial['status'] = Order.STATUS_PENDING + Order.STATUS_PAID
-
-        choices = [('', _('All products'))]
-        for i in self.event.items.prefetch_related('variations').all():
-            variations = list(i.variations.all())
-            if variations:
-                choices.append((str(i.pk), _('{product} – Any variation').format(product=str(i))))
-                for v in variations:
-                    choices.append(('%d-%d' % (i.pk, v.pk), '%s – %s' % (str(i), v.value)))
-            else:
-                choices.append((str(i.pk), str(i)))
-        self.fields['item'].choices = choices
-
-        if self.event.has_subevents:
-            self.fields["subevent"].queryset = self.event.subevents.all()
-            self.fields['subevent'].widget = Select2(
-                attrs={
-                    'data-model-select2': 'event',
-                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
-                        'event': self.event.slug,
-                        'organizer': self.event.organizer.slug,
-                    }),
-                    'data-placeholder': pgettext_lazy('subevent', 'All dates')
-                }
-            )
-            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
-        else:
-            del self.fields['subevent']
-
-    def clean(self):
-        cleaned_data = super().clean()
-        subevent = cleaned_data.get('subevent')
-        date_range = cleaned_data.get('date_range')
-
-        if subevent is not None and date_range is not None:
-            d_start, d_end = resolve_timeframe_to_datetime_start_inclusive_end_exclusive(now(), date_range, self.event.timezone)
-            if (
-                (d_start and not (d_start <= subevent.date_from)) or
-                (d_end and not (subevent.date_from < d_end))
-            ):
-                self.add_error('subevent', pgettext_lazy('subevent', "Date doesn't start in selected date range."))
-        return cleaned_data
-
-    def filter_qs(self, opqs):
-        fdata = self.cleaned_data
-
-        subevent = fdata.get('subevent', None)
-        date_range = fdata.get('date_range', None)
-
-        if subevent is not None:
-            opqs = opqs.filter(subevent=subevent)
-
-        if date_range is not None:
-            d_start, d_end = resolve_timeframe_to_datetime_start_inclusive_end_exclusive(now(), date_range, self.event.timezone)
-            opqs = opqs.filter(
-                subevent__date_from__gte=d_start,
-                subevent__date_from__lt=d_end
-            )
-
-        s = fdata.get("status", Order.STATUS_PENDING + Order.STATUS_PAID)
-        if s != "":
-            if s == Order.STATUS_PENDING:
-                opqs = opqs.filter(order__status=Order.STATUS_PENDING,
-                                   order__expires__lt=now().replace(hour=0, minute=0, second=0))
-            elif s == Order.STATUS_PENDING + Order.STATUS_PAID:
-                opqs = opqs.filter(order__status__in=[Order.STATUS_PENDING, Order.STATUS_PAID])
-            elif s == Order.STATUS_PAID + 'v':
-                opqs = opqs.filter(
-                    Q(order__status=Order.STATUS_PAID) |
-                    Q(order__status=Order.STATUS_PENDING, order__valid_if_pending=True)
-                )
-            elif s == Order.STATUS_PENDING + Order.STATUS_EXPIRED:
-                opqs = opqs.filter(order__status__in=[Order.STATUS_PENDING, Order.STATUS_EXPIRED])
-            else:
-                opqs = opqs.filter(order__status=s)
-
-        if s not in (Order.STATUS_CANCELED, ""):
-            opqs = opqs.filter(canceled=False)
-        if fdata.get("item", "") != "":
-            i = fdata.get("item", "")
-            opqs = opqs.filter(item_id__in=(i,))
-
-        return opqs
-
-
 class SubEventFilterForm(FilterForm):
    orders = {
        'date_from': 'date_from',
@@ -974,7 +974,7 @@ class EventCancelForm(FormPlaceholderMixin, forms.Form):
        self._set_field_placeholders('send_subject', ['event_or_subevent', 'refund_amount', 'position_or_address',
                                                      'order', 'event'])
        self._set_field_placeholders('send_message', ['event_or_subevent', 'refund_amount', 'position_or_address',
-                                                      'order', 'event'], rich=True)
+                                                      'order', 'event'])
        self.fields['send_waitinglist_subject'] = I18nFormField(
            label=_("Subject"),
            required=True,
@@ -998,7 +998,7 @@ class EventCancelForm(FormPlaceholderMixin, forms.Form):
            ))
        )
        self._set_field_placeholders('send_waitinglist_subject', ['event_or_subevent', 'event'])
-        self._set_field_placeholders('send_waitinglist_message', ['event_or_subevent', 'event'], rich=True)
+        self._set_field_placeholders('send_waitinglist_message', ['event_or_subevent', 'event'])

        if self.event.has_subevents:
            self.fields['subevent'].queryset = self.event.subevents.all()
@@ -474,7 +474,6 @@ class OrganizerSettingsForm(SettingsForm):
        'customer_accounts',
        'customer_accounts_native',
        'customer_accounts_link_by_email',
-        'customer_accounts_require_login_for_order_access',
        'invoice_regenerate_allowed',
        'contact_mail',
        'imprint_url',
@@ -1025,13 +1024,6 @@ class OrganizerFooterLinkForm(I18nModelForm):
    class Meta:
        model = OrganizerFooterLink
        fields = ('label', 'url')
-        widgets = {
-            "url": forms.URLInput(
-                attrs={
-                    "placeholder": "https://..."
-                }
-            )
-        }


 class BaseOrganizerFooterLinkFormSet(I18nFormSetMixin, forms.BaseInlineFormSet):
@@ -308,8 +308,8 @@ class VoucherBulkForm(VoucherForm):
    )
    Recipient = namedtuple('Recipient', 'email number name tag')

-    def _set_field_placeholders(self, fn, base_parameters, rich=False):
-        placeholders = get_available_placeholders(self.instance.event, base_parameters, rich=rich)
+    def _set_field_placeholders(self, fn, base_parameters):
+        placeholders = get_available_placeholders(self.instance.event, base_parameters)
        ht = format_placeholders_help_text(placeholders, self.instance.event)

        if self.fields[fn].help_text:
@@ -345,7 +345,7 @@ class VoucherBulkForm(VoucherForm):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._set_field_placeholders('send_subject', ['event', 'name'])
-        self._set_field_placeholders('send_message', ['event', 'voucher_list', 'name'], rich=True)
+        self._set_field_placeholders('send_message', ['event', 'voucher_list', 'name'])

        with language(self.instance.event.settings.locale, self.instance.event.settings.region):
            for f in ("send_subject", "send_message"):
@@ -814,7 +814,7 @@ class OrganizerPluginStateLogEntryType(LogEntryType):
            if app and hasattr(app, 'PretixPluginMeta'):
                return {
                    'href': reverse('control:organizer.settings.plugins', kwargs={
-                        'organizer': logentry.organizer.slug,
+                        'organizer': logentry.event.organizer.slug,
                    }) + '#plugin_' + logentry.parsed_data['plugin'],
                    'val': app.PretixPluginMeta.name
                }
@@ -126,9 +126,7 @@
                    {% endif %}
                    <a class="navbar-brand" href="{% url "control:index" %}">
                        <img src="{% static "pretixbase/img/pretix-icon-white-mini.svg" %}" />
-                        <span>
-                            {{ settings.PRETIX_INSTANCE_NAME }}
-                        </span>
+                        {{ settings.PRETIX_INSTANCE_NAME }}
                    </a>
                </div>
                <ul class="nav navbar-nav navbar-top-links navbar-left flip hidden-xs">
@@ -55,7 +55,7 @@
                <div class="col-md-2">
                    {% bootstrap_field formset.empty_form.overwrite layout='inline' form_group_class="" %}
                </div>
-                {{ formset.empty_form.value_map.as_hidden }}
+                {{ f.value_map.as_hidden }}
                <div class="col-md-2 text-right flip">
                    <i class="fa fa-warning hidden" data-toggle="tooltip" title=""></i>
                    <button type="button" class="btn btn-default hidden" data-edit-value-map data-toggle="modal"
@@ -43,7 +43,6 @@
                {% bootstrap_field form.invoice_name_required layout="control" %}
                {% bootstrap_field form.invoice_address_company_required layout="control" %}
                {% bootstrap_field form.invoice_address_vatid layout="control" %}
-                {% bootstrap_field form.invoice_address_vatid_required_countries layout="control" %}
                {% bootstrap_field form.invoice_address_beneficiary layout="control" %}
                {% bootstrap_field form.invoice_address_not_asked_free layout="control" %}
                {% bootstrap_field form.invoice_address_custom_field layout="control" %}
@@ -20,20 +20,35 @@
        </div>
        <form class="panel-body filter-form" action="" method="get">
            <div class="row">
-                 <div class="col-md-2 col-xs-6">
-                     {% bootstrap_field form.status %}
-                 </div>
-                 <div class="col-md-3 col-xs-6">
-                     {% bootstrap_field form.item %}
-                 </div>
-            {% if has_subevents %}
-                <div class="col-md-3 col-xs-6">
-                    {% bootstrap_field form.subevent %}
+                <div class="col-lg-2 col-sm-6 col-xs-6">
+                    <select name="status" class="form-control">
+                        <option value="" {% if request.GET.status == "" %}selected="selected"{% endif %}>{% trans "All orders" %}</option>
+                        <option value="p" {% if request.GET.status == "p" %}selected="selected"{% endif %}>{% trans "Paid" %}</option>
+                        <option value="pv" {% if request.GET.status == "pv" %}selected="selected"{% endif %}>{% trans "Paid or confirmed" %}</option>
+                        <option value="n" {% if request.GET.status == "n" %}selected="selected"{% endif %}>{% trans "Pending" %}</option>
+                        <option value="np" {% if request.GET.status == "np" or "status" not in request.GET %}selected="selected"{% endif %}>{% trans "Pending or paid" %}</option>
+                        <option value="o" {% if request.GET.status == "o" %}selected="selected"{% endif %}>{% trans "Pending (overdue)" %}</option>
+                        <option value="e" {% if request.GET.status == "e" %}selected="selected"{% endif %}>{% trans "Expired" %}</option>
+                        <option value="ne" {% if request.GET.status == "ne" %}selected="selected"{% endif %}>{% trans "Pending or expired" %}</option>
+                        <option value="c" {% if request.GET.status == "c" %}selected="selected"{% endif %}>{% trans "Canceled" %}</option>
+                    </select>
                </div>
-                <div class="col-md-4 col-xs-6">
-                    {% bootstrap_field form.date_range %}
+                <div class="col-lg-5 col-sm-6 col-xs-6">
+                    <select name="item" class="form-control">
+                        <option value="">{% trans "All products" %}</option>
+                        {% for item in items %}
+                            <option value="{{ item.id }}"
+                                    {% if request.GET.item|add:0 == item.id %}selected="selected"{% endif %}>
+                                {{ item.name }}
+                            </option>
+                        {% endfor %}
+                    </select>
                </div>
-            {% endif %}
+                {% if request.event.has_subevents %}
+                    <div class="col-lg-5 col-sm-6 col-xs-6">
+                        {% include "pretixcontrol/event/fragment_subevent_choice_simple.html" %}
+                    </div>
+                {% endif %}
            </div>
            <div class="text-right">
                <button class="btn btn-primary btn-lg" type="submit">
@@ -132,7 +132,6 @@
                        <legend>{% trans "Customer accounts" %}</legend>
                        {% bootstrap_field sform.customer_accounts layout="control" %}
                        {% bootstrap_field sform.customer_accounts_native layout="control" %}
-                        {% bootstrap_field sform.customer_accounts_require_login_for_order_access layout="control" %}
                        {% bootstrap_field sform.customer_accounts_link_by_email layout="control" %}
                        {% bootstrap_field sform.name_scheme layout="control" %}
                        {% bootstrap_field sform.name_scheme_titles layout="control" %}
@@ -144,14 +144,23 @@
        </div>
        <div class="panel-body">
            <p>
-                {% trans "If you lose access to your devices, you can use one of the following keys to log in. We recommend to store them in a safe place, e.g. printed out or in a password manager. Every token can be used at most once." %}
+                {% blocktrans trimmed %}
+                    If you lose access to your devices, you can use one of your emergency tokens to log in.
+                    We recommend to store them in a safe place, e.g. printed out or in a password manager.
+                    Every token can be used at most once.
+                {% endblocktrans %}
            </p>
-            <p>{% trans "Unused tokens:" %}</p>
-            <ul>
-                {% for t in static_tokens %}
-                    <li><code>{{ t.token }}</code></li>
-                {% endfor %}
-            </ul>
+            {% if static_tokens_device %}
+                <p>
+                    {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
+                        You generated your emergency tokens on {{ generation_date_time }}.
+                    {% endblocktrans %}
+                </p>
+            {% else %}
+                <p>
+                    {% trans "You don't have any emergency tokens yet." %}
+                </p>
+            {% endif %}
            <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
                <span class="fa fa-refresh"></span>
                {% trans "Generate new emergency tokens" %}
@@ -165,7 +165,7 @@
                                {% if v.budget|default_if_none:"NONE" != "NONE" %}
                                    <br>
                                    <small class="text-muted">
-                                        {{ v.budget_used|money:request.event.currency }} / {{ v.budget|money:request.event.currency }}
+                                        {{ v.budget_used_orders|money:request.event.currency }} / {{ v.budget|money:request.event.currency }}
                                    </small>
                                {% endif %}
                            </td>
@@ -60,6 +60,7 @@ from pretix.base.models import (
 )
 from pretix.base.services.quotas import QuotaAvailability
 from pretix.base.timeline import timeline_for_event
+from pretix.control.forms.event import CommentForm
 from pretix.control.signals import (
    event_dashboard_widgets, user_dashboard_widgets,
 )
@@ -340,8 +341,6 @@ def welcome_wizard_widget(sender, **kwargs):


 def event_index(request, organizer, event):
-    from pretix.control.forms.event import CommentForm
-
    subevent = None
    if request.GET.get("subevent", "") != "" and request.event.has_subevents:
        i = request.GET.get("subevent", "")
@@ -98,6 +98,7 @@ from pretix.control.views.mailsetup import MailSettingsSetupView
 from pretix.control.views.user import RecentAuthenticationRequiredMixin
 from pretix.helpers.database import rolledback_transaction
 from pretix.multidomain.urlreverse import build_absolute_uri, get_event_domain
+from pretix.plugins.stripe.payment import StripeSettingsHolder
 from pretix.presale.views.widget import (
    version_default as widget_version_default,
 )
@@ -829,8 +830,8 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
        return locales

    # get all supported placeholders with dummy values
-    def placeholders(self, item, rich=True):
-        return get_sample_context(self.request.event, MailSettingsForm.base_context[item], rich=rich)
+    def placeholders(self, item):
+        return get_sample_context(self.request.event, MailSettingsForm.base_context[item])

    def post(self, request, *args, **kwargs):
        preview_item = request.POST.get('item', '')
@@ -851,14 +852,6 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                                msgs[self.supported_locale[idx]] = prefix_subject(self.request.event, format_map(
                                    bleach.clean(v), self.placeholders(preview_item), raise_on_missing=True
                                ), highlight=True)
-                            elif preview_item in MailSettingsForm.plain_rendering:
-                                msgs[self.supported_locale[idx]] = mark_safe(
-                                    format_map(
-                                        conditional_escape(v),
-                                        self.placeholders(preview_item, rich=False),
-                                        raise_on_missing=True
-                                    ).replace("\n", "<br />")
-                                )
                            else:
                                placeholders = self.placeholders(preview_item)
                                msgs[self.supported_locale[idx]] = format_map(
@@ -1673,8 +1666,6 @@ class QuickSetupView(FormView):
                                         'or take your event live to start selling!'))

        if form.cleaned_data.get('payment_stripe__enabled', False):
-            from pretix.plugins.stripe.payment import StripeSettingsHolder
-
            self.request.session['payment_stripe_oauth_enable'] = True
            return redirect(StripeSettingsHolder(self.request.event).get_connect_url(self.request))

@@ -188,8 +188,6 @@ class LicenseCheckView(StaffMemberRequiredMixin, FormView):
            return None, None
        try:
            for k, v in pkg.metadata.items():
-                if k == "License-Expression":
-                    license = v
                if k == "License":
                    license = v
                if k == "Home-page":
@@ -65,7 +65,7 @@ from pretix.api.serializers.item import (
 )
 from pretix.base.forms import I18nFormSet
 from pretix.base.models import (
-    CartPosition, Item, ItemCategory, ItemProgramTime, ItemVariation,
+    CartPosition, Item, ItemCategory, ItemProgramTime, ItemVariation, Order,
    OrderPosition, Question, QuestionAnswer, QuestionOption, Quota,
    SeatCategoryMapping, Voucher,
 )
@@ -74,7 +74,6 @@ from pretix.base.models.items import ItemAddOn, ItemBundle, ItemMetaValue
 from pretix.base.services.quotas import QuotaAvailability
 from pretix.base.services.tickets import invalidate_cache
 from pretix.base.signals import quota_availability
-from pretix.control.forms.filter import QuestionAnswerFilterForm
 from pretix.control.forms.item import (
    CategoryForm, ItemAddOnForm, ItemAddOnsFormSet, ItemBundleForm,
    ItemBundleFormSet, ItemCreateForm, ItemMetaValueForm, ItemProgramTimeForm,
@@ -661,26 +660,46 @@ class QuestionMixin:
        return ctx


-class QuestionView(EventPermissionRequiredMixin, ChartContainingView, DetailView):
+class QuestionView(EventPermissionRequiredMixin, QuestionMixin, ChartContainingView, DetailView):
    model = Question
    template_name = 'pretixcontrol/items/question.html'
    permission = 'can_change_items'
    template_name_field = 'question'

-    @cached_property
-    def filter_form(self):
-        return QuestionAnswerFilterForm(event=self.request.event, data=self.request.GET)
-
    def get_answer_statistics(self):
        opqs = OrderPosition.objects.filter(
            order__event=self.request.event,
        )
-        if self.filter_form.is_valid():
-            opqs = self.filter_form.filter_qs(opqs)
-
        qs = QuestionAnswer.objects.filter(
            question=self.object, orderposition__isnull=False,
        )
+
+        if self.request.GET.get("subevent", "") != "":
+            opqs = opqs.filter(subevent=self.request.GET["subevent"])
+
+        s = self.request.GET.get("status", "np")
+        if s != "":
+            if s == 'o':
+                opqs = opqs.filter(order__status=Order.STATUS_PENDING,
+                                   order__expires__lt=now().replace(hour=0, minute=0, second=0))
+            elif s == 'np':
+                opqs = opqs.filter(order__status__in=[Order.STATUS_PENDING, Order.STATUS_PAID])
+            elif s == 'pv':
+                opqs = opqs.filter(
+                    Q(order__status=Order.STATUS_PAID) |
+                    Q(order__status=Order.STATUS_PENDING, order__valid_if_pending=True)
+                )
+            elif s == 'ne':
+                opqs = opqs.filter(order__status__in=[Order.STATUS_PENDING, Order.STATUS_EXPIRED])
+            else:
+                opqs = opqs.filter(order__status=s)
+
+        if s not in (Order.STATUS_CANCELED, ""):
+            opqs = opqs.filter(canceled=False)
+        if self.request.GET.get("item", "") != "":
+            i = self.request.GET.get("item", "")
+            opqs = opqs.filter(item_id__in=(i,))
+
        qs = qs.filter(orderposition__in=opqs)
        op_cnt = opqs.filter(item__in=self.object.items.all()).count()

@@ -727,11 +746,9 @@ class QuestionView(EventPermissionRequiredMixin, ChartContainingView, DetailView

    def get_context_data(self, **kwargs):
        ctx = super().get_context_data()
-        ctx['items'] = self.object.items.exists()
-        ctx['has_subevents'] = self.request.event.has_subevents
+        ctx['items'] = self.object.items.all()
        stats = self.get_answer_statistics()
        ctx['stats'], ctx['total'] = stats
-        ctx['form'] = self.filter_form
        return ctx

    def get_object(self, queryset=None) -> Question:
@@ -38,7 +38,6 @@ from datetime import timedelta

 from django.conf import settings
 from django.contrib import messages
-from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
@@ -86,7 +85,6 @@ class BaseImportView(TemplateView):
            filename='import.csv',
            type='text/csv',
        )
-        cf.bind_to_session(request, "modelimport")
        cf.file.save('import.csv', request.FILES['file'])

        if self.request.POST.get("charset") in ENCODINGS:
@@ -139,10 +137,7 @@ class BaseProcessView(AsyncAction, FormView):

    @cached_property
    def file(self):
-        cf = get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")
-        if not cf.allowed_for_session(self.request, "modelimport"):
-            raise Http404()
-        return cf
+        return get_object_or_404(CachedFile, pk=self.kwargs.get("file"), filename="import.csv")

    @cached_property
    def parsed(self):
@@ -151,7 +146,7 @@ class BaseProcessView(AsyncAction, FormView):
        else:
            charset = None
        try:
-            reader = parse_csv(self.file.file, 1024 * 1024, charset=charset)
+            return parse_csv(self.file.file, 1024 * 1024, charset=charset)
        except UnicodeDecodeError:
            messages.warning(
                self.request,
@@ -160,16 +155,7 @@ class BaseProcessView(AsyncAction, FormView):
                    "Some characters were replaced with a placeholder."
                )
            )
-            reader = parse_csv(self.file.file, 1024 * 1024, "replace", charset=charset)
-        if reader and reader._had_duplicates:
-            messages.warning(
-                self.request,
-                _(
-                    "Multiple columns of the CSV file have the same name and were renamed automatically. We "
-                    "recommend that you rename these in your source file to avoid problems during import."
-                )
-            )
-        return reader
+            return parse_csv(self.file.file, 1024 * 1024, "replace", charset=charset)

    @cached_property
    def parsed_list(self):
@@ -3016,7 +3016,7 @@ class EventCancel(EventPermissionRequiredMixin, AsyncAction, FormView):
            return _('All orders have been canceled.')
        else:
            return _('The orders have been canceled. An error occurred with {count} orders, please '
-                     'check all uncanceled orders.').format(count=value["failed"])
+                     'check all uncanceled orders.').format(count=value)

    def get_success_url(self, value):
        if settings.HAS_CELERY:
@@ -3097,7 +3097,7 @@ class EventCancelConfirm(EventPermissionRequiredMixin, AsyncAction, FormView):
            return _('All orders have been canceled.')
        else:
            return _('The orders have been canceled. An error occurred with {count} orders, please '
-                     'check all uncanceled orders.').format(count=value["failed"])
+                     'check all uncanceled orders.').format(count=value)

    def get_success_url(self, value):
        return reverse('control:event.cancel', kwargs={
@@ -2583,7 +2583,7 @@ class LogView(OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
    def get_queryset(self):
        # technically, we'd also need to sort by pk since this is a paginated list, but in this case we just can't
        # bear the performance cost
-        qs = self.request.organizer.logentry_set.filter(event=None).select_related(
+        qs = self.request.organizer.all_logentries().select_related(
            'user', 'content_type', 'api_token', 'oauth_application', 'device'
        ).order_by('-datetime')
        qs = qs.exclude(action_type__in=OVERVIEW_BANLIST)
@@ -247,7 +247,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
        cf = None
        if request.POST.get("background", "").strip():
            try:
-                cf = CachedFile.objects.get(id=request.POST.get("background"), web_download=True)
+                cf = CachedFile.objects.get(id=request.POST.get("background"))
            except CachedFile.DoesNotExist:
                pass

@@ -38,8 +38,7 @@ from collections import OrderedDict
 from zipfile import ZipFile

 from django.contrib import messages
-from django.http import Http404
-from django.shortcuts import redirect
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.translation import get_language, gettext_lazy as _
@@ -95,8 +94,6 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
            cf = CachedFile.objects.get(pk=kwargs['file'])
        except CachedFile.DoesNotExist:
            raise ShredError(_("The download file could no longer be found on the server, please try to start again."))
-        if not cf.allowed_for_session(self.request):
-            raise Http404()

        with ZipFile(cf.file.file, 'r') as zipfile:
            indexdata = json.loads(zipfile.read('index.json').decode())
@@ -114,7 +111,7 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
        ctx = super().get_context_data(**kwargs)
        ctx['shredders'] = self.shredders
        ctx['download_on_shred'] = any(shredder.require_download_confirmation for shredder in shredders)
-        ctx['file'] = cf
+        ctx['file'] = get_object_or_404(CachedFile, pk=kwargs.get("file"))
        return ctx


@@ -569,7 +569,7 @@ def category_select2(request, **kwargs):
        page = 1

    qs = request.event.categories.filter(
-        Q(name__icontains=i18ncomp(query)) | Q(internal_name__icontains=query)
+        name__icontains=i18ncomp(query)
    ).order_by('name')

    total = qs.count()
@@ -49,12 +49,14 @@ from django.db import transaction
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.crypto import get_random_string
+from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.html import format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import never_cache
 from django.views.generic import FormView, ListView, TemplateView, UpdateView
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
@@ -85,8 +87,9 @@ logger = logging.getLogger(__name__)


 class RecentAuthenticationRequiredMixin:
-    max_time = 3600
+    max_time = 900

+    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
        if tdelta > self.max_time:
@@ -289,16 +292,13 @@ class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
        ctx = super().get_context_data()

        try:
-            ctx['static_tokens'] = StaticDevice.objects.get(user=self.request.user, name='emergency').token_set.all()
+            ctx['static_tokens_device'] = StaticDevice.objects.get(user=self.request.user, name='emergency')
        except StaticDevice.MultipleObjectsReturned:
-            ctx['static_tokens'] = StaticDevice.objects.filter(
+            ctx['static_tokens_device'] = StaticDevice.objects.filter(
                user=self.request.user, name='emergency'
-            ).first().token_set.all()
+            ).first()
        except StaticDevice.DoesNotExist:
-            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
-            for i in range(10):
-                d.token_set.create(token=get_random_string(length=12, allowed_chars='1234567890'))
-            ctx['static_tokens'] = d.token_set.all()
+            ctx['static_tokens_device'] = None

        ctx['devices'] = []
        for dt in REAL_DEVICE_TYPES:
@@ -631,7 +631,8 @@ class User2FARegenerateEmergencyView(RecentAuthenticationRequiredMixin, Template
        self.request.user.update_session_token()
        update_session_auth_hash(self.request, self.request.user)
        messages.success(request, _('Your emergency codes have been newly generated. Remember to store them in a safe '
-                                    'place in case you lose access to your devices.'))
+                                    'place in case you lose access to your devices. You will not be able to view them '
+                                    'again here.\n\nYour emergency codes:\n- ' + '\n- '.join(t.token for t in d.token_set.all())))
        return redirect(reverse('control:user.settings.2fa'))


@@ -87,7 +87,7 @@ class VoucherList(PaginationMixin, EventPermissionRequiredMixin, ListView):

    @scopes_disabled()  # we have an event check here, and we can save some performance on subqueries
    def get_queryset(self):
-        qs = Voucher.annotate_budget_used(self.request.event.vouchers.exclude(
+        qs = Voucher.annotate_budget_used_orders(self.request.event.vouchers.exclude(
            Exists(WaitingListEntry.objects.filter(voucher_id=OuterRef('pk')))
        ).select_related(
            'item', 'variation', 'seat'
@@ -1,62 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020  Raphael Michel and contributors
-# Copyright (C) 2020-today pretix GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-from django.conf import settings
-
-THRESHOLD_DOWNGRADE_TO_MID = 50
-THRESHOLD_DOWNGRADE_TO_LOW = 250
-
-
-def get_task_priority(shard, organizer_id):
-    """
-    This is an attempt to build a simple "fair-use" policy for webhooks and notifications. The problem is that when
-    one organizer creates e.g. 20,000 orders through the API, that might schedule 20,000 webhooks and every other
-    organizer will need to wait for these webhooks to go through.
-
-    We try to fix that by building three queues: high-prio, mid-prio, and low-prio. Every organizer starts in the
-    high-prio queue, and all their tasks are routed immediately. Once an organizer submits more than X jobs of a
-    certain type per minute, they get downgraded to the mid-prio queue, and then – if they submit even more – to the
-    low-prio queue. That way, if another organizer has "regular usage", they are prioritized over the organizer with
-    high load.
-    """
-    from django_redis import get_redis_connection
-
-    if not settings.HAS_REDIS:
-        return settings.PRIORITY_CELERY_HIGH
-
-    # We use redis directly instead of the Django cache API since the Django cache API does not support INCR for
-    # nonexistant keys
-    rc = get_redis_connection("redis")
-
-    cache_key = f"pretix:task_priority:{shard}:{organizer_id}"
-
-    # Make sure counters expire after a while when not used
-    p = rc.pipeline()
-    p.incr(cache_key)
-    p.expire(cache_key, 60)
-    new_counter = p.execute()[0]
-
-    if new_counter >= THRESHOLD_DOWNGRADE_TO_LOW:
-        return settings.PRIORITY_CELERY_LOW
-    elif new_counter >= THRESHOLD_DOWNGRADE_TO_MID:
-        return settings.PRIORITY_CELERY_MID
-    else:
-        return settings.PRIORITY_CELERY_HIGH
@@ -25,9 +25,7 @@ from django.utils import translation
 from django.utils.translation import gettext_noop
 from django_countries import Countries, collator
 from django_countries.fields import CountryField
-from phonenumbers import (
-    COUNTRY_CODE_TO_REGION_CODE, REGION_CODE_FOR_NON_GEO_ENTITY,
-)
+from phonenumbers.data import _COUNTRY_CODE_TO_REGION_CODE

 from pretix.base.i18n import get_babel_locale, get_language_without_region

@@ -42,10 +40,6 @@ class CachedCountries(Countries):
        django-countries performs a unicode-aware sorting based on pyuca which is incredibly
        slow.
        """
-        # Starting in django-countries 8.1, django-countries implemented a similar caching, but only on object level.
-        # We keep our caching for now for the added caching to the cache store. Unfortunately we can't really avoid
-        # the double-caching on object level if we want the caches od be used in a sensible order. We could re-evaluate
-        # and drop this in the future if it ever causes bugs or memory issues.
        cache_key = "countries:all:{}".format(get_language_without_region())
        if self.cache_subkey:
            cache_key += ":" + self.cache_subkey
@@ -90,6 +84,8 @@ class FastCountryField(CountryField):
            *self._check_backend_specific_checks(**kwargs),
            *self._check_validators(),
            *self._check_deprecation_details(),
+            *self._check_multiple(),
+            *self._check_max_length_attribute(**kwargs),
        ]


@@ -111,11 +107,9 @@ def get_phone_prefixes_sorted_and_localized():
    val = []

    locale = Locale(translation.to_locale(language))
-    for prefix, values in COUNTRY_CODE_TO_REGION_CODE.items():
+    for prefix, values in _COUNTRY_CODE_TO_REGION_CODE.items():
        prefix = "+%d" % prefix
        for country_code in values:
-            if country_code == REGION_CODE_FOR_NON_GEO_ENTITY:
-                continue
            country_name = locale.territories.get(country_code)
            if country_name:
                val.append((prefix, "{} {}".format(country_name, prefix)))
@@ -22,8 +22,6 @@
 import logging
 from string import Formatter

-from django.utils.html import conditional_escape
-
 logger = logging.getLogger(__name__)


@@ -42,14 +40,14 @@ class SafeFormatter(Formatter):
    Customized version of ``str.format`` that (a) behaves just like ``str.format_map`` and
    (b) does not allow any unwanted shenanigans like attribute access or format specifiers.
    """
+    MODE_IGNORE_RICH = 0
    MODE_RICH_TO_PLAIN = 1
    MODE_RICH_TO_HTML = 2

-    def __init__(self, context, raise_on_missing=False, mode=MODE_RICH_TO_PLAIN, linkifier=None):
+    def __init__(self, context, raise_on_missing=False, mode=MODE_IGNORE_RICH):
        self.context = context
        self.raise_on_missing = raise_on_missing
        self.mode = mode
-        self.linkifier = linkifier

    def get_field(self, field_name, args, kwargs):
        return self.get_value(field_name, args, kwargs), field_name
@@ -57,28 +55,22 @@ class SafeFormatter(Formatter):
    def get_value(self, key, args, kwargs):
        if not self.raise_on_missing and key not in self.context:
            return '{' + str(key) + '}'
-        return self.context[key]
-
-    def _prepare_value(self, value):
-        if isinstance(value, PlainHtmlAlternativeString):
-            if self.mode == self.MODE_RICH_TO_PLAIN:
-                return value.plain
+        r = self.context[key]
+        if isinstance(r, PlainHtmlAlternativeString):
+            if self.mode == self.MODE_IGNORE_RICH:
+                return '{' + str(key) + '}'
+            elif self.mode == self.MODE_RICH_TO_PLAIN:
+                return r.plain
            elif self.mode == self.MODE_RICH_TO_HTML:
-                return value.html
-        else:
-            value = str(value)
-            if self.mode == self.MODE_RICH_TO_HTML:
-                value = conditional_escape(value)
-                if self.linkifier:
-                    value = self.linkifier.linkify(value)
-            return value
+                return r.html
+        return r

    def format_field(self, value, format_spec):
        # Ignore format_spec
-        return super().format_field(self._prepare_value(value), '')
+        return super().format_field(value, '')


-def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_RICH_TO_PLAIN, linkifier=None):
+def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_IGNORE_RICH):
    if not isinstance(template, str):
        template = str(template)
-    return SafeFormatter(context, raise_on_missing, mode=mode, linkifier=linkifier).format(template)
+    return SafeFormatter(context, raise_on_missing, mode=mode).format(template)
@@ -229,8 +229,7 @@ def get_language_score(locale):
    if not catalog:
        score = 1
    else:
-        source_strings = [k[1] if isinstance(k, tuple) else k for k in catalog.keys()]
-        score = len(set(source_strings)) or 1
+        score = len(list(catalog.items())) or 1
    return score


@@ -1,210 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020  Raphael Michel and contributors
-# Copyright (C) 2020-today pretix GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-from urllib.parse import quote, urlencode
-
-import text_unidecode
-from django.utils.safestring import mark_safe
-from django.utils.translation import gettext_lazy as _
-
-
-def dotdecimal(value):
-    return str(value).replace(",", ".")
-
-
-def commadecimal(value):
-    return str(value).replace(".", ",")
-
-
-def generate_payment_qr_codes(
-        event,
-        code,
-        amount,
-        bank_details_sepa_bic,
-        bank_details_sepa_name,
-        bank_details_sepa_iban,
-):
-    out = []
-    for method in [
-        swiss_qrbill,
-        czech_spayd,
-        euro_epc_qr,
-        euro_bezahlcode,
-    ]:
-        data = method(
-            event,
-            code,
-            amount,
-            bank_details_sepa_bic,
-            bank_details_sepa_name,
-            bank_details_sepa_iban,
-        )
-        if data:
-            out.append(data)
-
-    return out
-
-
-def euro_epc_qr(
-        event,
-        code,
-        amount,
-        bank_details_sepa_bic,
-        bank_details_sepa_name,
-        bank_details_sepa_iban,
-):
-    if event.currency != 'EUR' or not bank_details_sepa_iban:
-        return
-
-    return {
-        "id": "girocode",
-        "label": "EPC-QR",
-        "qr_data": "\n".join(text_unidecode.unidecode(str(d or '')) for d in [
-            "BCD",   # Service Tag: ‘BCD’
-            "002",   # Version: V2
-            "2",     # Character set: ISO 8859-1
-            "SCT",   # Identification code: ‘SCT‘
-            bank_details_sepa_bic,   # AT-23 BIC of the Beneficiary Bank
-            bank_details_sepa_name,  # AT-21 Name of the Beneficiary
-            bank_details_sepa_iban,  # AT-20 Account number of the Beneficiary
-            f"{event.currency}{dotdecimal(amount)}",  # AT-04 Amount of the Credit Transfer in Euro
-            "",      # AT-44 Purpose of the Credit Transfer
-            "",      # AT-05 Remittance Information (Structured)
-            code,    # AT-05 Remittance Information (Unstructured)
-            "",      # Beneficiary to originator information
-            "",
-        ]),
-    }
-
-
-def euro_bezahlcode(
-        event,
-        code,
-        amount,
-        bank_details_sepa_bic,
-        bank_details_sepa_name,
-        bank_details_sepa_iban,
-):
-    if not bank_details_sepa_iban or bank_details_sepa_iban[:2] != 'DE':
-        return
-    if event.currency != 'EUR':
-        return
-
-    qr_data = "bank://singlepaymentsepa?" + urlencode({
-        "name": str(bank_details_sepa_name),
-        "iban": str(bank_details_sepa_iban),
-        "bic": str(bank_details_sepa_bic),
-        "amount": commadecimal(amount),
-        "reason": str(code),
-        "currency": str(event.currency),
-    }, quote_via=quote)
-    return {
-        "id": "bezahlcode",
-        "label": "BezahlCode",
-        "qr_data": mark_safe(qr_data),
-        "link": qr_data,
-        "link_aria_label": _("Open BezahlCode in your banking app to start the payment process."),
-    }
-
-
-def swiss_qrbill(
-        event,
-        code,
-        amount,
-        bank_details_sepa_bic,
-        bank_details_sepa_name,
-        bank_details_sepa_iban,
-):
-    if not bank_details_sepa_iban or not bank_details_sepa_iban[:2] in ('CH', 'LI'):
-        return
-    if event.currency not in ('EUR', 'CHF'):
-        return
-    if not event.settings.invoice_address_from or not event.settings.invoice_address_from_country:
-        return
-
-    data_fields = [
-        'SPC',
-        '0200',
-        '1',
-        bank_details_sepa_iban,
-        'K',
-        bank_details_sepa_name[:70],
-        event.settings.invoice_address_from.replace('\n', ', ')[:70],
-        (event.settings.invoice_address_from_zipcode + ' ' + event.settings.invoice_address_from_city)[:70],
-        '',
-        '',
-        str(event.settings.invoice_address_from_country),
-        '',  # rfu
-        '',  # rfu
-        '',  # rfu
-        '',  # rfu
-        '',  # rfu
-        '',  # rfu
-        '',  # rfu
-        str(amount),
-        event.currency,
-        '',  # debtor address
-        '',  # debtor address
-        '',  # debtor address
-        '',  # debtor address
-        '',  # debtor address
-        '',  # debtor address
-        '',  # debtor address
-        'NON',
-        '',  # structured reference
-        code,
-        'EPD',
-    ]
-
-    data_fields = [text_unidecode.unidecode(d or '') for d in data_fields]
-    qr_data = '\r\n'.join(data_fields)
-    return {
-        "id": "qrbill",
-        "label": "QR-bill",
-        "html_prefix": mark_safe(
-            '<svg class="banktransfer-swiss-cross" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.8 19.8">'
-            '<path stroke="#fff" stroke-width="1.436" d="M.7.7h18.4v18.4H.7z"/><path fill="#fff" d="M8.3 4h3.3v11H8.3z"/>'
-            '<path fill="#fff" d="M4.4 7.9h11v3.3h-11z"/></svg>'
-        ),
-        "qr_data": qr_data,
-        "css_class": "banktransfer-swiss-cross-overlay",
-    }
-
-
-def czech_spayd(
-        event,
-        code,
-        amount,
-        bank_details_sepa_bic,
-        bank_details_sepa_name,
-        bank_details_sepa_iban,
-):
-    if not bank_details_sepa_iban or not bank_details_sepa_iban[:2] in ('CZ', 'SK'):
-        return
-    if event.currency not in ('EUR', 'CZK'):
-        return
-
-    qr_data = f"SPD*1.0*ACC:{bank_details_sepa_iban}*AM:{dotdecimal(amount)}*CC:{event.currency}*MSG:{code}"
-    return {
-        "id": "spayd",
-        "label": "SPAYD",
-        "qr_data": qr_data,
-    }
@@ -100,11 +100,3 @@ class FontFallbackParagraph(Paragraph):
                if (original_font.endswith("Bd") or original_font.endswith(" B")) and "bold" in styles:
                    return family + " B"
                return family
-
-
-def register_ttf_font_if_new(name, path):
-    from reportlab.pdfbase import pdfmetrics
-    from reportlab.pdfbase.ttfonts import TTFont
-
-    if name not in pdfmetrics.getRegisteredFontNames():
-        pdfmetrics.registerFont(TTFont(name, path))
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -140,7 +140,7 @@ msgstr ""
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr ""

@@ -344,7 +344,7 @@ msgstr ""
 msgid "close"
 msgstr ""

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr ""
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
 "PO-Revision-Date: 2021-09-15 11:22+0000\n"
 "Last-Translator: Mohamed Tawfiq <mtawfiq@wafyapp.com>\n"
 "Language-Team: Arabic <https://translate.pretix.eu/projects/pretix/pretix-js/"
@@ -144,7 +144,7 @@ msgstr "المتابعة"
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr "جاري تأكيد الدفع الخاص بك …"

@@ -359,7 +359,7 @@ msgstr "لا"
 msgid "close"
 msgstr "إغلاق"

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr "مطلوب"
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -140,7 +140,7 @@ msgstr ""
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr ""

@@ -344,7 +344,7 @@ msgstr ""
 msgid "close"
 msgstr ""

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr ""
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
 "PO-Revision-Date: 2025-10-31 17:00+0000\n"
 "Last-Translator: Núria Masclans <nuriamasclansserrat@gmail.com>\n"
 "Language-Team: Catalan <https://translate.pretix.eu/projects/pretix/pretix-"
@@ -141,7 +141,7 @@ msgstr "Continua"
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr "Confirmant el teu pagament…"

@@ -345,7 +345,7 @@ msgstr "No"
 msgid "close"
 msgstr "Tanca"

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr "requerit"
@@ -7,9 +7,9 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
-"PO-Revision-Date: 2026-01-08 04:00+0000\n"
-"Last-Translator: Jiří Pastrňák <jiri@pastrnak.email>\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
+"PO-Revision-Date: 2025-09-08 18:57+0000\n"
+"Last-Translator: Alois Pospíšil <alois.pospisil@gmail.com>\n"
 "Language-Team: Czech <https://translate.pretix.eu/projects/pretix/pretix-js/"
 "cs/>\n"
 "Language: cs\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
-"X-Generator: Weblate 5.15.1\n"
+"X-Generator: Weblate 5.13\n"

 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -141,7 +141,7 @@ msgstr "Pokračovat"
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr "Potvrzuji vaši platbu …"

@@ -345,7 +345,7 @@ msgstr "Ne"
 msgid "close"
 msgstr "zavřít"

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr "povinný"
@@ -416,7 +416,7 @@ msgstr ""

 #: pretix/static/pretixbase/js/asynctask.js:276
 msgid "If this takes longer than a few minutes, please contact us."
-msgstr "Pokud akce trvá déle než několik minut, kontaktujte nás."
+msgstr ""

 #: pretix/static/pretixbase/js/asynctask.js:331
 msgid "Close message"
@@ -734,7 +734,7 @@ msgstr ""

 #: pretix/static/pretixpresale/js/ui/cart.js:49
 msgid "Cart expired"
-msgstr "Rezervace košíku vypršela"
+msgstr "Nákupní košík vypršel"

 #: pretix/static/pretixpresale/js/ui/cart.js:58
 #: pretix/static/pretixpresale/js/ui/cart.js:84
@@ -753,23 +753,27 @@ msgstr[2] ""

 #: pretix/static/pretixpresale/js/ui/cart.js:83
 msgid "Your cart has expired."
-msgstr "Platnost rezervace vašeho košíku vypršela."
+msgstr "Nákupní košík vypršel."

 #: pretix/static/pretixpresale/js/ui/cart.js:86
+#, fuzzy
+#| msgid ""
+#| "The items in your cart are no longer reserved for you. You can still "
+#| "complete your order as long as they’re available."
 msgid ""
 "The items in your cart are no longer reserved for you. You can still "
 "complete your order as long as they're available."
 msgstr ""
-"Produkty v nákupním košíku již nejsou rezervovány. Svou objednávku se přesto "
-"můžete pokusit dokončit, některé položky však už nemusí být dostupné."
+"Produkty v nákupním košíku již nejsou pro vás rezervovány. Pokud je lístek "
+"stále dostupný, můžete objednávku dokončit."

 #: pretix/static/pretixpresale/js/ui/cart.js:87
 msgid "Do you want to renew the reservation period?"
-msgstr "Chcete obnovit rezervaci košíku?"
+msgstr ""

 #: pretix/static/pretixpresale/js/ui/cart.js:90
 msgid "Renew reservation"
-msgstr "Obnovit rezervaci"
+msgstr ""

 #: pretix/static/pretixpresale/js/ui/main.js:194
 msgid "The organizer keeps %(currency)s %(amount)s"
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-01-05 12:13+0000\n"
+"POT-Creation-Date: 2025-11-20 10:37+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -141,7 +141,7 @@ msgstr ""
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:267
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:284
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:317
-#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:343
+#: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:341
 msgid "Confirming your payment …"
 msgstr ""

@@ -345,7 +345,7 @@ msgstr ""
 msgid "close"
 msgstr ""

-#: pretix/static/pretixbase/js/addressform.js:101
+#: pretix/static/pretixbase/js/addressform.js:98
 #: pretix/static/pretixpresale/js/ui/main.js:529
 msgid "required"
 msgstr ""
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
luelista	b8d97abec1	Apply suggestion from @luelista	2026-02-18 17:20:12 +01:00
Mira Weller	db87065cdb	fix test case for regenerate 2fa tokens	2025-11-25 18:07:53 +01:00
Mira Weller	5ba66a370e	show emergency codes only once after generating (4.10)	2025-11-25 13:05:05 +01:00
Mira Weller	9fd9defbd7	never cache pages with RecentAuthenticationRequiredMixin (4.8)	2025-11-25 12:42:10 +01:00
Mira Weller	fcc40c16aa	reduce default RecentAuthenticationRequiredMixin timeout to 15 min (4.7)	2025-11-25 12:42:09 +01:00